NetBSD-Bugs archive
Re: bin/55686: unaligned access / segmentation fault in ssh-keygen for ecdsa key on Alpha
The following reply was made to PR bin/55686; it has been noted by GNATS.
From: Jason Thorpe <thorpej%me.com@localhost>
To: gnats-bugs%netbsd.org@localhost
Cc:
Subject: Re: bin/55686: unaligned access / segmentation fault in ssh-keygen for ecdsa key on Alpha
Date: Mon, 28 Sep 2020 21:58:39 -0700
>> Category: bin
>> Responsible: bin-bug-people
>> Synopsis: unaligned access / segmentation fault in ssh-keygen for ecdsa key on Alpha
>> Arrival-Date: Tue Sep 29 01:50:00 +0000 2020
Fails with just ssh, too. After rebuilding libcrypto with debug symbols:
Reading symbols from /usr/bin/ssh...
(No debugging symbols found in /usr/bin/ssh)
(gdb) run cvs.netbsd.org
Starting program: /usr/bin/ssh cvs.netbsd.org
[ 15923.0119302] pid 1045 (ssh): unaligned access: va=0x1ffffbf77 pc=0x0 ra=0x3fffdb77354 sp=0x1ffffbe80 op=ldq
Program received signal SIGSEGV, Segmentation fault.
0x0000000000000004 in ?? ()
(gdb) where
#0 0x0000000000000004 in ?? ()
warning: Hit beginning of text section without finding enclosing function for address 0x4
This warning occurs if you are debugging a function without any symbols
(for example, in a stripped executable). In that case, you may wish to
increase the size of the search with the `set heuristic-fence-post' command.
Otherwise, you told GDB there was a function where there isn't one, or
(more likely) you have encountered a bug in GDB.
#1 0x000003fffdb77354 in felem_to_BN (in=0x1ffffbfb8, out=0x3fffd22ab20)
at /home/nbsd/src/crypto/external/bsd/openssl/dist/crypto/ec/ecp_nistp521.c:1805
#2 ec_GFp_nistp521_point_get_affine_coordinates (point=<optimized out>,
x=0x3fffd22ab20, y=0x1ffffbfb8, ctx=<optimized out>, group=<optimized out>)
at /home/nbsd/src/crypto/external/bsd/openssl/dist/crypto/ec/ecp_nistp521.c:1805
#3 0x000003fffdb77354 in felem_to_BN (in=0x3fffd22ab20, out=0x0)
at /home/nbsd/src/crypto/external/bsd/openssl/dist/crypto/ec/ecp_nistp521.c:1805
#4 ec_GFp_nistp521_point_get_affine_coordinates (point=<optimized out>,
x=0x0, y=0x3fffd22ab60, ctx=<optimized out>, group=<optimized out>)
at /home/nbsd/src/crypto/external/bsd/openssl/dist/crypto/ec/ecp_nistp521.c:1805
#5 0x000003fffdb9dc3c in EC_POINT_get_affine_coordinates (ctx=0x3fffd22ab40,
y=0x3fffdb9dce8 <EC_POINT_get_affine_coordinates_GFp+24>, x=0x3fffd22ab20,
point=0x3fffd28a000, group=0x3fffd2cca80)
at /home/nbsd/src/crypto/external/bsd/openssl/dist/crypto/ec/ec_lib.c:853
#6 EC_POINT_get_affine_coordinates (warning: Hit heuristic-fence-post without finding enclosing function for address 0x3fffde6a150
group=0x3fffd2cca80, point=0x3fffd28a000,
x=0x3fffd22ab20, y=0x3fffdb9dce8 <EC_POINT_get_affine_coordinates_GFp+24>,
ctx=0x3fffd22ab40)
at /home/nbsd/src/crypto/external/bsd/openssl/dist/crypto/ec/ec_lib.c:836
#7 0x000003fffde6a150 in ?? ()
Backtrace stopped: frame did not save the PC
Looking at what the RA from the unaligned access message was, it's frame #2 in the backtrace.
(gdb) list *0x3fffdb77354
0x3fffdb77354 is in ec_GFp_nistp521_point_get_affine_coordinates (/home/nbsd/src/crypto/external/bsd/openssl/dist/crypto/ec/ecp_nistp521.c:1805).
1800 /home/nbsd/src/crypto/external/bsd/openssl/dist/crypto/ec/ecp_nistp521.c: No such file or directory.
(gdb)
Stack smash?
-- thorpej