Bug 2101 - Unaligned memory access on sparc in UMAC implemetation
Summary: Unaligned memory access on sparc in UMAC implemetation
Status: CLOSED FIXED
Alias: None
Product: Portable OpenSSH
Classification: Unclassified
Component: ssh (show other bugs)
Version: 6.0p1
Hardware: SPARC Solaris
: P5 normal
Assignee: Assigned to nobody
URL:
Keywords:
Depends on:
Blocks: V_6_3
  Show dependency treegraph
 
Reported: 2013-05-13 21:52 AEST by Tomas Kuthan
Modified: 2016-08-02 10:40 AEST (History)
3 users (show)

See Also:

Attachments
Bug fix based on Solaris Studio #pragma (294 bytes, application/octet-stream)
2013-05-13 21:52 AEST, Tomas Kuthan 		no flags Details
Bug fix based on union (1.27 KB, patch)
2013-05-13 21:53 AEST, Tomas Kuthan 		no flags Details | Diff
Bug fix based on Solaris Studio #pragma (294 bytes, patch)
2013-05-13 21:56 AEST, Tomas Kuthan 		no flags Details | Diff
Bug fix based on malloc (934 bytes, patch)
2013-05-31 04:58 AEST, Darren Tucker 		no flags Details | Diff
Show Obsolete (1) View All Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.
Description Tomas Kuthan 2013-05-13 21:52:08 AEST 
Created attachment 2264 [details]
Bug fix based on Solaris Studio #pragma

There is an alignment issue in UMAC implementation, which can cause crash in ssh binary on sparc.

Static variable m is defined in mac.c as an array of chars:
168	static u_char m[EVP_MAX_MD_SIZE];

This array is passed to function umac128_final() in ssh/umac.c, and later cast to 64-bit unsigned integer and accessed in pdf_gen_xor():
264    *((UINT64 *)buf) ^= ((UINT64 *)pc->cache)[ndx];

AFAIK, there is no assurance, that a static char array will be double-word aligned. And indeed, when compiled using Solaris Studio 12.1 cc, the variable address (0x909ac) is only word-aligned:
   58588:       37 00 02 42     sethi  %hi(0x90800), %i3
   5858c:       40 00 18 1a     call  5e5f4 <umac_final>
   58590:       92 06 e1 ac     add  %i3, 0x1ac, %o1    ! 909ac <Bbss.bss>

This later causes a crash in:
pdf_gen_xor+0x68: ldx [0x909ac], %o5

I am proposing two alternatives for the fix (please, see attached):
umac_align-pragma.patch - Solaris Studio specific pragma
umac_align-union.patch - generic approach - union for alignment
Comment 1 Tomas Kuthan 2013-05-13 21:53:44 AEST 
Created attachment 2265 [details]
Bug fix based on union
Comment 2 Tomas Kuthan 2013-05-13 21:56:05 AEST 
Created attachment 2266 [details]
Bug fix based on Solaris Studio #pragma
Comment 3 Darren Tucker 2013-05-31 04:58:19 AEST 
Created attachment 2281 [details]
Bug fix based on malloc

Third option: malloc the memory which guarantees that it'll be suitably aligned.
Comment 4 Damien Miller 2013-05-31 07:56:01 AEST 
My vote goes to the union
Comment 5 Darren Tucker 2013-06-03 10:04:02 AEST 
union variant applied and will be in the 6.3 release.  Thanks.
Comment 6 Damien Miller 2016-08-02 10:40:58 AEST 
Close all resolved bugs after 7.3p1 release