[Bug 207783] OpenSSH client segfaults in 9.3-RELEASE-p37
bugzilla-noreply at freebsd.org
Wed Mar 9 22:02:54 UTC 2016
https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=207783
Dimitry Andric <dim at FreeBSD.org> changed:
What             |Removed |Added
----------------------------------------------------------------------------
CC               |        |dim at FreeBSD.org
--- Comment #11 from Dimitry Andric <dim at FreeBSD.org> ---
Created attachment 167941
--> https://bugs.freebsd.org/bugzilla/attachment.cgi?id=167941&action=edit
Fix bug caused by r296462
If you ask me, this is caused by r296462 [1], specifically the part:
> constant-time MOD_EXP_CTIME_COPY_FROM_PREBUF.
> [CVE-2016-0702, upstream d6482a8. 5ea08bd, d6d422e,
> 8fc8f48 317be63 skipped intentionally as we are not
> using the code on FreeBSD. Backport done by jkim at .
The problem is that all calls of MOD_EXP_CTIME_COPY_TO_PREBUF() are adjusted to
use the 'window' parameter, but it appears the one call to
MOD_EXP_CTIME_COPY_FROM_PREBUF() was forgotten: it still uses 'numPowers',
which is actually 1 << window!
Now MOD_EXP_CTIME_COPY_FROM_PREBUF() itself calls this input parameter
'window', and then proceeds to calculate the xstride as 1 << (window - 2),
which in some cases can end up being 2^30. The loop which then goes through
'table' (the buffer) will almost certainly hit bad memory.
The fix is to call MOD_EXP_CTIME_COPY_FROM_PREBUF() with 'window' instead.
[1] https://svnweb.freebsd.org/changeset/base/296462
--
You are receiving this mail because:
You are on the CC list for the bug.
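To make the argument mix-up in comment #11 concrete, here is an added example that is not OpenSSL's or FreeBSD's code: a simplified model of the constant-time table read, built from what the comment states (width = 1 << window, xstride = 1 << (window - 2), four interleaved quarter-tables for larger windows) plus a bounds check that the real routine does not have. The names ctime_copy_from_prebuf, ct_eq_mask, xstride_for and demo_lookup, the 64-bit word type and the table contents are all constructed for this demonstration; the two calls in demo_lookup stand for the corrected call (passing 'window') and the r296462 call (passing 'numPowers', i.e. 1 << window, in its place).

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

typedef uint64_t bn_word;

/* Branch-free "a == b" as an all-ones / all-zeros mask (stand-in for the
 * constant_time_eq_int() helper a real implementation would use). */
static bn_word ct_eq_mask(int a, int b)
{
    unsigned int x = (unsigned int)(a ^ b);      /* 0 only when equal      */
    x = ~x & (x - 1u);                           /* MSB set only when x==0 */
    return (bn_word)0 - (bn_word)(x >> (sizeof(x) * 8 - 1));
}

/* Stride between the four quarter-tables, exactly as the comment describes. */
static long long xstride_for(int window)
{
    return 1LL << (window - 2);
}

/* Words the walk will touch: 'top' rows of (1 << window) words each. */
static size_t prebuf_words_needed(int top, int window)
{
    return (size_t)top << window;
}

/* Model of the constant-time table read. Returns 1 and fills out[0..top)
 * with entry 'idx' of the power table, or 0 when 'window' or the table size
 * would send the walk outside 'table'. The range check is the guard this
 * example adds; the real routine trusts its caller, which is why the wrong
 * argument in r296462 turned into an out-of-bounds read. */
static int ctime_copy_from_prebuf(bn_word *out, int top,
                                  const bn_word *table, size_t table_words,
                                  int idx, int window)
{
    if (window < 1 || window > 30 || top < 0 || idx < 0 || idx >= (1 << window))
        return 0;
    if (prebuf_words_needed(top, window) > table_words)
        return 0;

    int width = 1 << window;
    if (window <= 3) {
        /* Small windows: scan the whole row, masking all but entry idx. */
        for (int i = 0; i < top; i++, table += width) {
            bn_word acc = 0;
            for (int j = 0; j < width; j++)
                acc |= table[j] & ct_eq_mask(j, idx);
            out[i] = acc;
        }
    } else {
        /* Larger windows: the row is read as four interleaved quarters. */
        int xstride = (int)xstride_for(window);
        int quarter = idx >> (window - 2);       /* idx / xstride */
        idx &= xstride - 1;                      /* idx % xstride */
        bn_word y0 = ct_eq_mask(quarter, 0), y1 = ct_eq_mask(quarter, 1),
                y2 = ct_eq_mask(quarter, 2), y3 = ct_eq_mask(quarter, 3);
        for (int i = 0; i < top; i++, table += width) {
            bn_word acc = 0;
            for (int j = 0; j < xstride; j++)
                acc |= ((table[j] & y0) | (table[j + xstride] & y1) |
                        (table[j + 2 * xstride] & y2) |
                        (table[j + 3 * xstride] & y3)) & ct_eq_mask(j, idx);
            out[i] = acc;
        }
    }
    return 1;
}

/* Constructed scenario: window = 5, so numPowers = 1 << 5 = 32, and three
 * words per table entry; word i of entry j holds i*1000 + j. */
#define DEMO_TOP       3
#define DEMO_WINDOW    5
#define DEMO_NUMPOWERS (1 << DEMO_WINDOW)

/* Looks up word 'row' of entry 'idx', passing 'window_arg' as the window
 * parameter: DEMO_WINDOW for the fixed call, DEMO_NUMPOWERS for the mistaken
 * one. Returns the word, or -1 when the guarded routine refuses the call. */
static long long demo_lookup(int idx, int row, int window_arg)
{
    bn_word table[DEMO_TOP * DEMO_NUMPOWERS];
    bn_word out[DEMO_TOP];
    for (int i = 0; i < DEMO_TOP; i++)
        for (int j = 0; j < DEMO_NUMPOWERS; j++)
            table[i * DEMO_NUMPOWERS + j] = (bn_word)(i * 1000 + j);
    if (!ctime_copy_from_prebuf(out, DEMO_TOP, table,
                                sizeof table / sizeof table[0], idx, window_arg))
        return -1;
    return (long long)out[row];
}

int main(void)
{
    printf("window=%d: entry 7, word 1 = %lld\n",
           DEMO_WINDOW, demo_lookup(7, 1, DEMO_WINDOW));
    printf("window=numPowers=%d: xstride would be %lld, lookup -> %lld\n",
           DEMO_NUMPOWERS, xstride_for(DEMO_NUMPOWERS),
           demo_lookup(7, 1, DEMO_NUMPOWERS));
    return 0;
}
```

With window = 5 the walk stays inside a 3 x 32 word table and returns entry 7; with numPowers = 32 passed as the window, xstride_for() gives 2^30, matching the comment, and only the added size check stops the walk from running off the end of the buffer.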