[openssl-dev] [openssl.org #4633] EVP self test failure with ARMv8 and Aarch32 flags

Andy Polyakov via RT rt at openssl.org
Sat Jul 30 20:42:37 UTC 2016 

>>> (gdb) r test/evptests.txt
>>> Starting program: /home/jwalton/openssl/test/evp_test test/evptests.txt
>>> [Thread debugging using libthread_db enabled]
>>> Using host libthread_db library "/lib/arm-linux-gnueabihf/libthread_db.so.1".
>>>
>>> Program received signal SIGBUS, Bus error.
>>> CRYPTO_ccm128_decrypt (ctx=ctx at entry=0x33788,
>>>     inp=inp at entry=0x33649
>>> "\232_\314ʹ\317\004\347)='u\314v\244\210\360B8-\224\233C\267ֻ+\230dxg&",
>>> out=<optimized out>,
>>>     out at entry=0x335d8
>>> "\004\065\331v\004\065\331v)='u\314v\244\210\360B8-\224\233C\267ֻ+\230dxg&",
>>> len=len at entry=0x20) at crypto/modes/ccm128.c:253
>>> 253            ctx->cmac.u[0] ^= (scratch.u[0] ^= temp.u[0]);
>>> (gdb)
>>
>> This line is within #if defined(STRICT_ALIGNMENT), which means that
>> compiler is responsible for aligning data, and SIGBUS means that it
>> failed. And indeed, looking at disassembler output it crashes in vld1.64
>> {d16-d17}, [r6 :64], instruction that requires 64-bit alignment. So
>> compiler generated the instruction, but didn't care to ensure the
>> alignment. There is no other conclusion one can draw but that is indeed
>> a compiler bug. Besides, default ./config works just fine and (once
>> again) I see no compelling reason for not using it.
> 
> I think these are the lines:
> 
> #if defined(STRICT_ALIGNMENT)
>         union {
>             u64 u[2];
>             u8 c[16];
>         } temp;
> #endif
> 
> ...
> 
> #if defined(STRICT_ALIGNMENT)
>         memcpy(temp.c, inp, 16);
>         ctx->cmac.u[0] ^= (scratch.u[0] ^= temp.u[0]);
>         ctx->cmac.u[1] ^= (scratch.u[1] ^= temp.u[1]);
>         ...
> #endif
> 
> I *thought* accessing a union member through its inactive member is
> undefined behavior.

Really? It says "When a value is stored in a member of an object of
union type, the bytes of the object representation that do not
correspond to that member but do correspond to other members take
unspecified values." Referred members fully overlap and there are no
bytes that correspond to one and not another.

> Once 'scratch.c' and 'temp.c' were used, using
> 'temp.c' and 'temp.u' leads to the UB.

But either way union with u64 member has to be aligned, so references to
.u should not cause SIGBUS.


-- 
Ticket here: http://rt.openssl.org/Ticket/Display.html?id=4633
Please log in as guest with password guest if prompted

More information about the openssl-dev mailing list