https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=207783
Dimitry Andric <[email protected]> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |[email protected]

--- Comment #11 from Dimitry Andric <[email protected]> ---
Created attachment 167941
  --> https://bugs.freebsd.org/bugzilla/attachment.cgi?id=167941&action=edit
Fix bug caused by r296462

If you ask me, this is caused by r296462 [1], specifically the part:

> constant-time MOD_EXP_CTIME_COPY_FROM_PREBUF.
> [CVE-2016-0702, upstream d6482a8. 5ea08bd, d6d422e,
> 8fc8f48 317be63 skipped intentionally as we are not
> using the code on FreeBSD. Backport done by jkim@.

The problem is that all calls of MOD_EXP_CTIME_COPY_TO_PREBUF() are adjusted to use the 'window' parameter, but it appears the one call to MOD_EXP_CTIME_COPY_FROM_PREBUF() was forgotten: it still uses 'numPowers', which is actually 1 << window!

Now MOD_EXP_CTIME_COPY_FROM_PREBUF() itself calls this input parameter 'window', and then proceeds to calculate the xstride as 1 << (window - 2), which in some cases can end up being 2^30. The loop which then goes through 'table' (the buffer) will almost certainly hit bad memory.

The fix is to call MOD_EXP_CTIME_COPY_FROM_PREBUF() with 'window' instead.

[1] https://svnweb.freebsd.org/changeset/base/296462
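
The mismatch described in the comment above, as a simplified C model added here (it is not the attached patch and not OpenSSL's code): it computes the stride for 'window' versus 'numPowers' and shows a gather that rejects an argument inconsistent with the table size. The names xstride_for, gather_checked and demo, the 32-bit word type, and the table layout are assumptions made for the illustration.

```c
#include <stddef.h>
#include <stdint.h>
/* Simplified model (assumption, not OpenSSL's code): word i of entry idx
 * lives at table[i * width + idx], where width = 1 << window. */

/* Stride as the comment describes it, 1 << (window - 2), in 64 bits so an
 * oversized argument can be inspected instead of overflowing an int. */
uint64_t xstride_for(int window_arg)
{
    if (window_arg < 2 || window_arg > 65) return 0; /* shift not representable */
    return (uint64_t)1 << (window_arg - 2);
}

/* Mask-select gather that reads every entry and refuses a 'window' that is
 * inconsistent with the table size. Returns 1 on success, 0 on rejection. */
int gather_checked(uint32_t *out, int top, const uint32_t *table,
                   size_t table_words, int idx, int window)
{
    if (top <= 0 || window < 0 || window > 16) return 0;
    size_t width = (size_t)1 << window;
    if (table_words / width != (size_t)top || table_words % width != 0) return 0;
    if (idx < 0 || (size_t)idx >= width) return 0;
    for (int i = 0; i < top; i++) {
        uint32_t acc = 0;
        for (size_t j = 0; j < width; j++)
            acc |= table[(size_t)i * width + j] & (0u - (uint32_t)(j == (size_t)idx));
        out[i] = acc;
    }
    return 1;
}

/* Constructed data: window = 5, so numPowers = 32; 4 words per entry. */
int demo(int pass_num_powers)
{
    enum { TOP = 4, WINDOW = 5, NUM_POWERS = 1 << WINDOW };
    static uint32_t table[TOP * NUM_POWERS];
    uint32_t out[TOP] = {0};
    for (int i = 0; i < TOP; i++)
        for (int j = 0; j < NUM_POWERS; j++)
            table[i * NUM_POWERS + j] = (uint32_t)(j * 100 + i);
    int arg = pass_num_powers ? NUM_POWERS : WINDOW; /* the mix-up vs. the fix */
    if (!gather_checked(out, TOP, table, TOP * NUM_POWERS, 7, arg)) return -1;
    return (int)out[3]; /* word 3 of entry 7 */
}

int main(void)
{
    return (demo(0) == 703 && demo(1) == -1) ? 0 : 1;
}
```

With window = 5 the stride is 8 words; passing numPowers = 32 in its place gives 2^30, which the size check rejects before any table word is read.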
