[Bug 2101] New: Unaligned memory access on sparc in UMAC implementation
bugzilla-daemon at mindrot.org
Mon May 13 21:52:08 EST 2013
https://bugzilla.mindrot.org/show_bug.cgi?id=2101
Bug ID: 2101
Summary: Unaligned memory access on sparc in UMAC implementation
Classification: Unclassified
Product: Portable OpenSSH
Version: 6.0p1
Hardware: Sparc
OS: Solaris
Status: NEW
Severity: normal
Priority: P5
Component: ssh
Assignee: unassigned-bugs at mindrot.org
Reporter: tomas.kuthan at oracle.com
Created attachment 2264
--> https://bugzilla.mindrot.org/attachment.cgi?id=2264&action=edit
Bug fix based on Solaris Studio #pragma
There is an alignment issue in the UMAC implementation, which can cause
a crash in the ssh binary on sparc.
Static variable m is defined in mac.c as an array of chars:

    168 static u_char m[EVP_MAX_MD_SIZE];

This array is passed to function umac128_final() in ssh/umac.c, and
later cast to 64-bit unsigned integer and accessed in pdf_gen_xor():

    264 *((UINT64 *)buf) ^= ((UINT64 *)pc->cache)[ndx];

AFAIK, there is no assurance that a static char array will be
double-word aligned. And indeed, when compiled using Solaris Studio
12.1 cc, the variable address (0x909ac) is only word-aligned:

    58588: 37 00 02 42 sethi %hi(0x90800), %i3
    5858c: 40 00 18 1a call 5e5f4 <umac_final>
    58590: 92 06 e1 ac add %i3, 0x1ac, %o1 ! 909ac <Bbss.bss>

This later causes a crash in:

    pdf_gen_xor+0x68: ldx [0x909ac], %o5

I am proposing two alternatives for the fix (please see attached):
umac_align-pragma.patch - Solaris Studio specific pragma
umac_align-union.patch - generic approach - union for alignment
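Added example (not part of the report, the attached patches, or OpenSSH): a minimal C sketch of the union-for-alignment idea the report names, next to an alignment check and a memcpy-based XOR that works at any address. The names DIGEST_MAX, plain_buf, aligned_buf, is_aligned64, xor64_cast and xor64_any are assumptions made for illustration.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define DIGEST_MAX 64	/* assumption: stands in for EVP_MAX_MD_SIZE */

/* A bare byte array: the C standard promises only 1-byte alignment. */
static unsigned char plain_buf[DIGEST_MAX];

/* Union approach: the uint64_t member forces the whole object, and so
 * bytes[0], onto a uint64_t boundary on every compiler. */
static union {
	uint64_t align;
	unsigned char bytes[DIGEST_MAX];
} aligned_buf;

/* 1 if p may be dereferenced as a uint64_t on a strict-alignment CPU. */
int is_aligned64(const void *p)
{
	return (uintptr_t)p % _Alignof(uint64_t) == 0;
}

/* The cast-and-XOR pattern from the report, refused (-1) when the pointer
 * is misaligned instead of faulting as ldx does on sparc. */
int xor64_cast(unsigned char *buf, uint64_t pad)
{
	if (!is_aligned64(buf))
		return -1;
	*(uint64_t *)buf ^= pad;
	return 0;
}

/* Alignment-independent form: memcpy moves the 8 bytes through a local. */
void xor64_any(unsigned char *buf, uint64_t pad)
{
	uint64_t t;
	memcpy(&t, buf, sizeof t);
	t ^= pad;
	memcpy(buf, &t, sizeof t);
}

int main(void)
{
	printf("plain_buf aligned:   %d (toolchain dependent)\n", is_aligned64(plain_buf));
	printf("aligned_buf aligned: %d\n", is_aligned64(aligned_buf.bytes));
	printf("cast at bytes+1:     %d\n", xor64_cast(aligned_buf.bytes + 1, 1));
	return 0;
}
```

On x86 the unchecked cast usually goes unnoticed because the hardware tolerates misaligned loads, which is why this class of bug tends to surface only on strict-alignment targets such as sparc.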