{"schema":"libjg2-1",
"vpath":"/git/",
"avatar":"/git/avatar/",
"alang":"",
"gen_ut":1752655552,
"reponame":"openssl",
"desc":"OpenSSL",
"owner": { "name": "Andy Green", "email": "andy@warmcat.com", "md5": "c50933ca2aa61e0fe2c43d46bb6b59cb" },"url":"https://warmcat.com/repo/openssl",
"f":3,
"items": [
{"schema":"libjg2-1",
"cid":"8bd3b6050619a871f2a8b92279e7c64c",
"commit": {"type":"commit",
"time": 1551112343,
"time_ofs": 0,
"oid_tree": { "oid": "9cddfa8deedd0f096c41ce1e90ba14cf2e6dad38", "alias": []},
"oid":{ "oid": "df2cb82ae397ac7e1466f674ecd2309ac6de14e7", "alias": []},
"msg": "Ensure bn_cmp_words can handle the case where n \u003d\u003d 0",
"sig_commit": { "git_time": { "time": 1551112343, "offset": 0 }, "name": "Matt Caswell", "email": "matt@openssl.org", "md5": "10f7b441a32d5790efad9fc68cae4af2" },
"sig_author": { "git_time": { "time": 1551094112, "offset": 0 }, "name": "Matt Caswell", "email": "matt@openssl.org", "md5": "10f7b441a32d5790efad9fc68cae4af2" }},
"body": "Ensure bn_cmp_words can handle the case where n \u003d\u003d 0\n\nThanks to David Benjamin who reported this, performed the analysis and\nsuggested the patch. I have incorporated some of his analysis in the\ncomments below.\n\nThis issue can cause an out-of-bounds read. It is believed that this was\nnot reachable until the recent \u0022fixed top\u0022 changes. Analysis has so far\nonly identified one code path that can encounter this - although it is\npossible that others may be found. The one code path only impacts 1.0.2 in\ncertain builds. The fuzzer found a path in RSA where iqmp is too large. If\nthe input is all zeros, the RSA CRT logic will multiply a padded zero by\niqmp. Two mitigating factors:\n\n- Private keys which trip this are invalid (iqmp is not reduced mod p).\nOnly systems which take untrusted private keys care.\n- In OpenSSL 1.1.x, there is a check which rejects the oversize iqmp,\nso the bug is only reproducible in 1.0.2 so far.\n\nFortunately, the bug appears to be relatively harmless. The consequences of\nbn_cmp_word's misbehavior are:\n\n- OpenSSL may crash if the buffers are page-aligned and the previous page is\nnon-existent.\n- OpenSSL will incorrectly treat two BN_ULONG buffers as not equal when they\nare equal.\n- Side channel concerns.\n\nThe first is indeed a concern and is a DoS bug. The second is fine in this\ncontext. bn_cmp_word and bn_cmp_part_words are used to compute abs(a0 - a1)\nin Karatsuba. If a0 \u003d a1, it does not matter whether we use a0 - a1 or\na1 - a0. The third would be worth thinking about, but it is overshadowed\nby the entire Karatsuba implementation not being constant time.\n\nDue to the difficulty of tripping this and the low impact no CVE is felt\nnecessary for this issue.\n\nReviewed-by: Paul Dale \u003cpaul.dale@oracle.com\u003e\nReviewed-by: Viktor Dukhovni \u003cviktor@openssl.org\u003e\n(Merged from https://github.com/openssl/openssl/pull/8326)\n\n(cherry picked from commit 576129cd72ae054d246221f111aabf42b9c6d76d)\n"
,
"diff": "diff --git a/crypto/bn/bn_lib.c b/crypto/bn/bn_lib.c\nindex 040c4cd..06f67ed 100644\n--- a/crypto/bn/bn_lib.c\n+++ b/crypto/bn/bn_lib.c\n@@ -695,6 +695,9 @@ int bn_cmp_words(const BN_ULONG *a, const BN_ULONG *b, int n)\n int i;\n BN_ULONG aa, bb;\n \n+ if (n \u003d\u003d 0)\n+ return 0;\n+\n aa \u003d a[n - 1];\n bb \u003d b[n - 1];\n if (aa !\u003d bb)\n","s":{"c":1752655552,"u": 38881}}
],"g": 39765,"chitpc": 0,"ehitpc": 0,"indexed":0
,
"ab": 0, "si": 0, "db":0, "di":0, "sat":0, "lfc": "0000"}
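Review bot: the new guard at the top of bn_cmp_words in crypto/bn/bn_lib.c tests only `n == 0`, but n is a signed int, so a negative n would still reach `a[n - 1]` and `b[n - 1]` and index before the start of both buffers. Consider `if (n <= 0) return 0;`, or state in a comment that callers guarantee n >= 0. The check also has no in-code comment explaining that a zero word count is a legitimate input here, and the diff adds no regression test that calls bn_cmp_words with n == 0.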