NetBSD Problem Report #55686

From www@netbsd.org  Tue Sep 29 01:48:53 2020
Return-Path: <www@netbsd.org>
Received: from mail.netbsd.org (mail.netbsd.org [199.233.217.200])
	(using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits))
	(Client CN "mail.NetBSD.org", Issuer "mail.NetBSD.org CA" (not verified))
	by mollari.NetBSD.org (Postfix) with ESMTPS id 90F661A9217
	for <gnats-bugs@gnats.NetBSD.org>; Tue, 29 Sep 2020 01:48:53 +0000 (UTC)
Message-Id: <20200929014852.8E57B1A923F@mollari.NetBSD.org>
Date: Tue, 29 Sep 2020 01:48:52 +0000 (UTC)
From: thorpej@me.com
Reply-To: thorpej@me.com
To: gnats-bugs@NetBSD.org
Subject: unaligned access / segmentation fault in ssh-keygen for ecdsa key on Alpha
X-Send-Pr-Version: www-1.0

>Number:         55686
>Category:       bin
>Synopsis:       unaligned access / segmentation fault in ssh-keygen for ecdsa key on Alpha
>Confidential:   no
>Severity:       serious
>Priority:       medium
>Responsible:    bin-bug-people
>State:          feedback
>Class:          sw-bug
>Submitter-Id:   net
>Arrival-Date:   Tue Sep 29 01:50:00 +0000 2020
>Closed-Date:    
>Last-Modified:  Sat Oct 10 00:53:12 +0000 2020
>Originator:     Jason Thorpe
>Release:        9.99.73
>Organization:
RISCy Business
>Environment:
NetBSD alpha-vm 9.99.73 NetBSD 9.99.73 (GENERIC-$Revision: 1.410 $) #6: Mon Sep 28 16:07:03 PDT 2020  thorpej@stinky:/home/nbsd/src/sys/arch/alpha/compile/GENERIC alpha

Running inside Qemu.
>Description:
When generating the ecdsa key, ssh-keygen has an unaligned access and crashes:

alpha-vm# /etc/rc.d/sshd start
[ 5820.5003139] pid 1458 (ssh-keygen): unaligned access: va=0x1ffffe617 pc=0x0 ra=0x3fffdc78fd4 sp=0x1ffffe590 op=ldq
[1]   Segmentation fault (core dumped) "${keygen}" -t "${type}" ${bitarg} -f "${f}" -...
Starting sshd.

Unaligned fix-up is enabled:

alpha-vm# sysctl machdep
machdep.root_device = wd0
machdep.unaligned_print = 1
machdep.unaligned_fix = 1
machdep.unaligned_sigbus = 0
machdep.booted_kernel = 
machdep.fp_sync_complete = 0
alpha-vm# 

The pc value is a little suspicious.  More investigation is warranted.
>How-To-Repeat:
See above.
>Fix:
Not (yet) provided.

>Release-Note:

>Audit-Trail:
From: Jason Thorpe <thorpej@me.com>
To: gnats-bugs@netbsd.org
Cc: 
Subject: Re: bin/55686: unaligned access / segmentation fault in ssh-keygen
 for ecdsa key on Alpha
Date: Mon, 28 Sep 2020 21:58:39 -0700

 >> Category:       bin
 >> Responsible:    bin-bug-people
 >> Synopsis:       unaligned access / segmentation fault in ssh-keygen for ecdsa key on Alpha
 >> Arrival-Date:   Tue Sep 29 01:50:00 +0000 2020


 Fails with just ssh, too.  After rebuilding libcrypto with debug symbols:

 Reading symbols from /usr/bin/ssh...
 (No debugging symbols found in /usr/bin/ssh)
 (gdb) run cvs.netbsd.org
 Starting program: /usr/bin/ssh cvs.netbsd.org
 [ 15923.0119302] pid 1045 (ssh): unaligned access: va=0x1ffffbf77 pc=0x0 ra=0x3fffdb77354 sp=0x1ffffbe80 op=ldq

 Program received signal SIGSEGV, Segmentation fault.
 0x0000000000000004 in ?? ()
 (gdb) where
 #0  0x0000000000000004 in ?? ()
 warning: Hit beginning of text section without finding enclosing function for address 0x4
 This warning occurs if you are debugging a function without any symbols
 (for example, in a stripped executable).  In that case, you may wish to
 increase the size of the search with the `set heuristic-fence-post' command.

 Otherwise, you told GDB there was a function where there isn't one, or
 (more likely) you have encountered a bug in GDB.
 #1  0x000003fffdb77354 in felem_to_BN (in=0x1ffffbfb8, out=0x3fffd22ab20)
     at /home/nbsd/src/crypto/external/bsd/openssl/dist/crypto/ec/ecp_nistp521.c:1805
 #2  ec_GFp_nistp521_point_get_affine_coordinates (point=<optimized out>,
     x=0x3fffd22ab20, y=0x1ffffbfb8, ctx=<optimized out>, group=<optimized out>)
     at /home/nbsd/src/crypto/external/bsd/openssl/dist/crypto/ec/ecp_nistp521.c:1805
 #3  0x000003fffdb77354 in felem_to_BN (in=0x3fffd22ab20, out=0x0)
     at /home/nbsd/src/crypto/external/bsd/openssl/dist/crypto/ec/ecp_nistp521.c:1805
 #4  ec_GFp_nistp521_point_get_affine_coordinates (point=<optimized out>,
     x=0x0, y=0x3fffd22ab60, ctx=<optimized out>, group=<optimized out>)
     at /home/nbsd/src/crypto/external/bsd/openssl/dist/crypto/ec/ecp_nistp521.c:1805
 #5  0x000003fffdb9dc3c in EC_POINT_get_affine_coordinates (ctx=0x3fffd22ab40,
     y=0x3fffdb9dce8 <EC_POINT_get_affine_coordinates_GFp+24>, x=0x3fffd22ab20,
     point=0x3fffd28a000, group=0x3fffd2cca80)
     at /home/nbsd/src/crypto/external/bsd/openssl/dist/crypto/ec/ec_lib.c:853
 #6  EC_POINT_get_affine_coordinates (warning: Hit heuristic-fence-post without finding enclosing function for address 0x3fffde6a150
 group=0x3fffd2cca80, point=0x3fffd28a000,
     x=0x3fffd22ab20, y=0x3fffdb9dce8 <EC_POINT_get_affine_coordinates_GFp+24>,
     ctx=0x3fffd22ab40)
     at /home/nbsd/src/crypto/external/bsd/openssl/dist/crypto/ec/ec_lib.c:836
 #7  0x000003fffde6a150 in ?? ()
 Backtrace stopped: frame did not save the PC



 Looking at what the RA from the unaligned access message was, it's frame #2 in the backtrace.

 (gdb) list *0x3fffdb77354
 0x3fffdb77354 is in ec_GFp_nistp521_point_get_affine_coordinates (/home/nbsd/src/crypto/external/bsd/openssl/dist/crypto/ec/ecp_nistp521.c:1805).
 1800    /home/nbsd/src/crypto/external/bsd/openssl/dist/crypto/ec/ecp_nistp521.c: No such file or directory.
 (gdb)

 Stack smash?

 -- thorpej

State-Changed-From-To: open->feedback
State-Changed-By: rin@NetBSD.org
State-Changed-When: Sat, 10 Oct 2020 00:53:12 +0000
State-Changed-Why:
Fixed by jakllsch:
http://cvsweb.netbsd.org/bsdweb.cgi/src/crypto/external/bsd/openssl/include/openssl/opensslconf.h#rev1.8

It works for me. Can you confirm?


>Unformatted:
