[openssl] OpenSSL_1_1_1-stable update
Matt Caswell
matt at openssl.org
Mon Feb 25 16:44:09 UTC 2019
The branch OpenSSL_1_1_1-stable has been updated
via df2cb82ae397ac7e1466f674ecd2309ac6de14e7 (commit)
from 4af54c9b9933336d1c48f3012aca92262c36d3a8 (commit)
- Log -----------------------------------------------------------------
commit df2cb82ae397ac7e1466f674ecd2309ac6de14e7
Author: Matt Caswell <matt at openssl.org>
Date: Mon Feb 25 11:28:32 2019 +0000
Ensure bn_cmp_words can handle the case where n == 0
Thanks to David Benjamin who reported this, performed the analysis and
suggested the patch. I have incorporated some of his analysis in the
comments below.
This issue can cause an out-of-bounds read. It is believed that this was
not reachable until the recent "fixed top" changes. Analysis has so far
only identified one code path that can encounter this - although it is
possible that others may be found. The one code path only impacts 1.0.2 in
certain builds. The fuzzer found a path in RSA where iqmp is too large. If
the input is all zeros, the RSA CRT logic will multiply a padded zero by
iqmp. Two mitigating factors:
- Private keys which trip this are invalid (iqmp is not reduced mod p).
Only systems which take untrusted private keys care.
- In OpenSSL 1.1.x, there is a check which rejects the oversize iqmp,
so the bug is only reproducible in 1.0.2 so far.
Fortunately, the bug appears to be relatively harmless. The consequences of
bn_cmp_word's misbehavior are:
- OpenSSL may crash if the buffers are page-aligned and the previous page is
non-existent.
- OpenSSL will incorrectly treat two BN_ULONG buffers as not equal when they
are equal.
- Side channel concerns.
The first is indeed a concern and is a DoS bug. The second is fine in this
context. bn_cmp_word and bn_cmp_part_words are used to compute abs(a0 - a1)
in Karatsuba. If a0 = a1, it does not matter whether we use a0 - a1 or
a1 - a0. The third would be worth thinking about, but it is overshadowed
by the entire Karatsuba implementation not being constant time.
Due to the difficulty of tripping this and the low impact no CVE is felt
necessary for this issue.
Reviewed-by: Paul Dale <paul.dale at oracle.com>
Reviewed-by: Viktor Dukhovni <viktor at openssl.org>
(Merged from https://github.com/openssl/openssl/pull/8326)
(cherry picked from commit 576129cd72ae054d246221f111aabf42b9c6d76d)
-----------------------------------------------------------------------
Summary of changes:
crypto/bn/bn_lib.c | 3 +++
1 file changed, 3 insertions(+)
diff --git a/crypto/bn/bn_lib.c b/crypto/bn/bn_lib.c
index 040c4cd..06f67ed 100644
--- a/crypto/bn/bn_lib.c
+++ b/crypto/bn/bn_lib.c
@@ -695,6 +695,9 @@ int bn_cmp_words(const BN_ULONG *a, const BN_ULONG *b, int n)
int i;
BN_ULONG aa, bb;
+ if (n == 0)
+ return 0;
+
aa = a[n - 1];
bb = b[n - 1];
if (aa != bb)
More information about the openssl-commits
mailing list