[openssl.org #1641] [Patch] uninitialized variable in bn_mont.c

Tue, 12 Feb 2008 00:02:09 -0800 

Hi,

Valgrind reported an "jump depending on uninitialized value" in openssl 
when establishing an ssl connection.

The valgrind backtrace is the following:
==1537==    at 0x4A911DC: BN_div (bn_div.c:190)
==1537==    by 0x4A9C02C: BN_MONT_CTX_set (bn_mont.c:417)
==1537==    by 0x4A9C270: BN_MONT_CTX_set_locked (bn_mont.c:476)
==1537==    by 0x4AA0240: RSA_eay_mod_exp (rsa_eay.c:736)
==1537==    by 0x4AA0C00: RSA_eay_private_decrypt (rsa_eay.c:547)
==1537==    by 0x4AA1FD4: RSA_private_decrypt (rsa_lib.c:294)
==1537==    by 0x4A035E4: ssl3_get_client_key_exchange (s3_srvr.c:1771)
==1537==    by 0x4A04EC4: ssl3_accept (s3_srvr.c:449)
==1537==    by 0x4A15C30: SSL_accept (ssl_lib.c:850)
==1537==    by 0x4A0C238: ssl23_get_client_hello (s23_srvr.c:568)
==1537==    by 0x4A0C3D0: ssl23_accept (s23_srvr.c:203)


I've tracked down the problem to an uninitialized variable in bn_mont.c 
(openssl 0.9.8g):
- in bn_mont.c: "BIGNUM tmod;" is declared and defined on the stack, a 
couple of members are set:
------------------------
                tmod.d=buf;
                tmod.top = buf[0] != 0 ? 1 : 0;
                tmod.dmax=2;
                tmod.neg=0;
------------------------
- in bn_mont.c:417 BN_div(... &tmod...) is called
- in bn_div.c:190 the flags of "num" are checked, but they were never 
initialized
- this means, that the behavior of the jump in BN_div() which depends on 
the flags of tmod is undefined
- it does not look like a security problem, because the worst what could 
happen is:
If the user does not set the BN_FLG_CONSTTIME bit (which is the case 
when the flags are uninitialized), the "BN_div_no_branch" function is 
used (which is even more "secure").
On the opposite, if BN_FLG_CONSTTIME was explicitly set, then even if 
the variable was uninitialized before, this would be be set and the 
"secure" function would be used.

Nevertheless it is a bug which should be fixed. I've checked a couple of 
the different versions as well as the MAIN branch and it looks like that 
the problem is everywhere.

The following patch seems to fix the problem:

Index: crypto/bn/bn_mont.c
===================================================================
--- crypto/bn/bn_mont.c
+++ crypto/bn/bn_mont.c
@@ -390,6 +390,7 @@
 #ifdef MONT_WORD
                {
                BIGNUM tmod;
+               BN_init(&tmod);
                BN_ULONG buf[2];

                mont->ri=(BN_num_bits(mod)+(BN_BITS2-1))/BN_BITS2*BN_BITS2;



Best regards,
Christian

______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
Development Mailing List                       [email protected]
Automated List Manager                           [EMAIL PROTECTED]

Reply via email to