NetBSD Problem Report #55686
From www@netbsd.org Tue Sep 29 01:48:53 2020
Return-Path: <www@netbsd.org>
Received: from mail.netbsd.org (mail.netbsd.org [199.233.217.200])
(using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits))
(Client CN "mail.NetBSD.org", Issuer "mail.NetBSD.org CA" (not verified))
by mollari.NetBSD.org (Postfix) with ESMTPS id 90F661A9217
for <gnats-bugs@gnats.NetBSD.org>; Tue, 29 Sep 2020 01:48:53 +0000 (UTC)
Message-Id: <20200929014852.8E57B1A923F@mollari.NetBSD.org>
Date: Tue, 29 Sep 2020 01:48:52 +0000 (UTC)
From: thorpej@me.com
Reply-To: thorpej@me.com
To: gnats-bugs@NetBSD.org
Subject: unaligned access / segmentation fault in ssh-keygen for ecdsa key on Alpha
X-Send-Pr-Version: www-1.0
>Number: 55686
>Category: bin
>Synopsis: unaligned access / segmentation fault in ssh-keygen for ecdsa key on Alpha
>Confidential: no
>Severity: serious
>Priority: medium
>Responsible: bin-bug-people
>State: feedback
>Class: sw-bug
>Submitter-Id: net
>Arrival-Date: Tue Sep 29 01:50:00 +0000 2020
>Closed-Date:
>Last-Modified: Sat Oct 10 00:53:12 +0000 2020
>Originator: Jason Thorpe
>Release: 9.99.73
>Organization:
RISCy Business
>Environment:
NetBSD alpha-vm 9.99.73 NetBSD 9.99.73 (GENERIC-$Revision: 1.410 $) #6: Mon Sep 28 16:07:03 PDT 2020 thorpej@stinky:/home/nbsd/src/sys/arch/alpha/compile/GENERIC alpha
Running inside Qemu.
>Description:
When generating the ecdsa key, ssh-keygen has an unaligned access and crashes:
alpha-vm# /etc/rc.d/sshd start
[ 5820.5003139] pid 1458 (ssh-keygen): unaligned access: va=0x1ffffe617 pc=0x0 ra=0x3fffdc78fd4 sp=0x1ffffe590 op=ldq
[1] Segmentation fault (core dumped) "${keygen}" -t "${type}" ${bitarg} -f "${f}" -...
Starting sshd.
Unaligned fix-up is enabled:
alpha-vm# sysctl machdep
machdep.root_device = wd0
machdep.unaligned_print = 1
machdep.unaligned_fix = 1
machdep.unaligned_sigbus = 0
machdep.booted_kernel =
machdep.fp_sync_complete = 0
alpha-vm#
The pc value is a little suspicious. More investigation is warranted.
>How-To-Repeat:
See above.
>Fix:
Not (yet) provided.
>Release-Note:
>Audit-Trail:
From: Jason Thorpe <thorpej@me.com>
To: gnats-bugs@netbsd.org
Cc:
Subject: Re: bin/55686: unaligned access / segmentation fault in ssh-keygen for ecdsa key on Alpha
Date: Mon, 28 Sep 2020 21:58:39 -0700
>> Category: bin
>> Responsible: bin-bug-people
>> Synopsis: unaligned access / segmentation fault in ssh-keygen for ecdsa key on Alpha
>> Arrival-Date: Tue Sep 29 01:50:00 +0000 2020
Fails with just ssh, too. After rebuilding libcrypto with debug symbols:
Reading symbols from /usr/bin/ssh...
(No debugging symbols found in /usr/bin/ssh)
(gdb) run cvs.netbsd.org
Starting program: /usr/bin/ssh cvs.netbsd.org
[ 15923.0119302] pid 1045 (ssh): unaligned access: va=0x1ffffbf77 pc=0x0 ra=0x3fffdb77354 sp=0x1ffffbe80 op=ldq
Program received signal SIGSEGV, Segmentation fault.
0x0000000000000004 in ?? ()
(gdb) where
#0 0x0000000000000004 in ?? ()
warning: Hit beginning of text section without finding enclosing function for address 0x4
This warning occurs if you are debugging a function without any symbols
(for example, in a stripped executable). In that case, you may wish to
increase the size of the search with the `set heuristic-fence-post' command.
Otherwise, you told GDB there was a function where there isn't one, or
(more likely) you have encountered a bug in GDB.
#1 0x000003fffdb77354 in felem_to_BN (in=0x1ffffbfb8, out=0x3fffd22ab20)
    at /home/nbsd/src/crypto/external/bsd/openssl/dist/crypto/ec/ecp_nistp521.c:1805
#2 ec_GFp_nistp521_point_get_affine_coordinates (point=<optimized out>, x=0x3fffd22ab20, y=0x1ffffbfb8, ctx=<optimized out>, group=<optimized out>)
    at /home/nbsd/src/crypto/external/bsd/openssl/dist/crypto/ec/ecp_nistp521.c:1805
#3 0x000003fffdb77354 in felem_to_BN (in=0x3fffd22ab20, out=0x0)
    at /home/nbsd/src/crypto/external/bsd/openssl/dist/crypto/ec/ecp_nistp521.c:1805
#4 ec_GFp_nistp521_point_get_affine_coordinates (point=<optimized out>, x=0x0, y=0x3fffd22ab60, ctx=<optimized out>, group=<optimized out>)
    at /home/nbsd/src/crypto/external/bsd/openssl/dist/crypto/ec/ecp_nistp521.c:1805
#5 0x000003fffdb9dc3c in EC_POINT_get_affine_coordinates (ctx=0x3fffd22ab40, y=0x3fffdb9dce8 <EC_POINT_get_affine_coordinates_GFp+24>, x=0x3fffd22ab20, point=0x3fffd28a000, group=0x3fffd2cca80)
    at /home/nbsd/src/crypto/external/bsd/openssl/dist/crypto/ec/ec_lib.c:853
#6 EC_POINT_get_affine_coordinates (warning: Hit heuristic-fence-post without finding enclosing function for address 0x3fffde6a150
group=0x3fffd2cca80, point=0x3fffd28a000, x=0x3fffd22ab20, y=0x3fffdb9dce8 <EC_POINT_get_affine_coordinates_GFp+24>, ctx=0x3fffd22ab40)
    at /home/nbsd/src/crypto/external/bsd/openssl/dist/crypto/ec/ec_lib.c:836
#7 0x000003fffde6a150 in ?? ()
Backtrace stopped: frame did not save the PC
Looking at what the RA from the unaligned access message was, it's frame #2 in the backtrace.
(gdb) list *0x3fffdb77354
0x3fffdb77354 is in ec_GFp_nistp521_point_get_affine_coordinates (/home/nbsd/src/crypto/external/bsd/openssl/dist/crypto/ec/ecp_nistp521.c:1805).
1800 /home/nbsd/src/crypto/external/bsd/openssl/dist/crypto/ec/ecp_nistp521.c: No such file or directory.
(gdb)
Stack smash?
-- thorpej
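Both kernel log lines in this PR report an ldq (8-byte load) at an address ending in 7 (va=0x1ffffe617 for ssh-keygen, va=0x1ffffbf77 for ssh), i.e. 7 bytes past an 8-byte boundary, which Alpha's ldq does not permit; with machdep.unaligned_fix=1 the kernel emulates the load and logs it rather than delivering SIGBUS. The C program below is an added illustration, not code from this PR, from OpenSSL or from NetBSD: it shows how to check an address for ldq alignment, the cast-and-dereference pattern that traps on strict-alignment CPUs, and two portable ways to read a 64-bit word from an arbitrary byte offset. The 16-byte sample buffer and the helper names (sample_buffer, is_aligned8, misalignment8, load64_unsafe, load64_host, load64_le) are constructed for this example.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed sample input: 16 bytes 0x00..0x0f kept in uint64_t storage so
 * the buffer start is 8-byte aligned, the alignment Alpha's ldq requires. */
static uint64_t backing[2];

const unsigned char *sample_buffer(void)
{
    unsigned char *p = (unsigned char *)backing;
    for (size_t i = 0; i < sizeof backing; i++)
        p[i] = (unsigned char)i;
    return p;
}

/* 1 if p may be the operand of an 8-byte load on a strict-alignment CPU. */
int is_aligned8(const void *p)
{
    return ((uintptr_t)p & 7u) == 0;
}

/* How many bytes an address lies past the preceding 8-byte boundary; for
 * the fault address 0x1ffffe617 logged in this PR the answer is 7. */
unsigned misalignment8(uintptr_t addr)
{
    return (unsigned)(addr & 7u);
}

/* The pattern that traps on Alpha: reinterpreting a byte pointer as a
 * uint64_t pointer and dereferencing it. Undefined behaviour in C when p is
 * not 8-byte aligned; it only appears to work on CPUs such as x86. */
uint64_t load64_unsafe(const unsigned char *p)
{
    return *(const uint64_t *)p;
}

/* Portable, host-endian load: memcpy into an aligned local. Compilers emit
 * a single load where unaligned access is allowed and byte loads elsewhere. */
uint64_t load64_host(const unsigned char *p)
{
    uint64_t v;
    memcpy(&v, p, sizeof v);
    return v;
}

/* Portable little-endian load by byte assembly: independent of both the
 * alignment of p and the endianness of the host. */
uint64_t load64_le(const unsigned char *p)
{
    uint64_t v = 0;
    for (int i = 7; i >= 0; i--)
        v = (v << 8) | p[i];
    return v;
}

int main(void)
{
    const unsigned char *buf = sample_buffer();
    const unsigned char *p = buf + 7;   /* same 7-byte misalignment as the log */

    printf("0x1ffffe617 is %u bytes past an 8-byte boundary\n",
           misalignment8(0x1ffffe617ULL));
    printf("buf+7 aligned for ldq: %s\n", is_aligned8(p) ? "yes" : "no");
    printf("little-endian word at buf+7: 0x%016llx\n",
           (unsigned long long)load64_le(p));
    return 0;
}
```

load64_unsafe is only ever called on the aligned buffer start here; calling it on buf+7 is exactly the access class the kernel messages above describe. Compilers can flag the cast in it with -Wcast-align, which is a cheap way to audit a code base that is about to run on a strict-alignment port.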
State-Changed-From-To: open->feedback
State-Changed-By: rin@NetBSD.org
State-Changed-When: Sat, 10 Oct 2020 00:53:12 +0000
State-Changed-Why:
Fixed by jakllsch:
http://cvsweb.netbsd.org/bsdweb.cgi/src/crypto/external/bsd/openssl/include/openssl/opensslconf.h#rev1.8
It works for me. Can you confirm?
>Unformatted: