openssh bugs - May 2013 - [Bug 2101] New: Unaligned memory access on sparc in UMAC implemetation

https://bugzilla.mindrot.org/show_bug.cgi?id=2101

            Bug ID: 2101
           Summary: Unaligned memory access on sparc in UMAC implemetation
    Classification: Unclassified
           Product: Portable OpenSSH
           Version: 6.0p1
          Hardware: Sparc
                OS: Solaris
            Status: NEW
          Severity: normal
          Priority: P5
         Component: ssh
          Assignee: unassigned-bugs at mindrot.org
          Reporter: tomas.kuthan at oracle.com

Created attachment 2264
  --> https://bugzilla.mindrot.org/attachment.cgi?id=2264&action=edit
Bug fix based on Solaris Studio #pragma

There is an alignment issue in UMAC implementation, which can cause
crash in ssh binary on sparc.

Static variable m is defined in mac.c as an array of chars:
168    static u_char m[EVP_MAX_MD_SIZE];

This array is passed to function umac128_final() in ssh/umac.c, and
later cast to 64-bit unsigned integer and accessed in pdf_gen_xor():
264    *((UINT64 *)buf) ^= ((UINT64 *)pc->cache)[ndx];

AFAIK, there is no assurance, that a static char array will be
double-word aligned. And indeed, when compiled using Solaris Studio
12.1 cc, the variable address (0x909ac) is only word-aligned:
   58588:       37 00 02 42     sethi  %hi(0x90800), %i3
   5858c:       40 00 18 1a     call  5e5f4 <umac_final>
   58590:       92 06 e1 ac     add  %i3, 0x1ac, %o1    ! 909ac
<Bbss.bss>

This later causes a crash in:
pdf_gen_xor+0x68: ldx [0x909ac], %o5

I am proposing two alternatives for the fix (please, see attached):
umac_align-pragma.patch - Solaris Studio specific pragma
umac_align-union.patch - generic approach - union for alignment

-- 
You are receiving this mail because:
You are watching the assignee of the bug.

https://bugzilla.mindrot.org/show_bug.cgi?id=2101

--- Comment #1 from Tomas Kuthan <tomas.kuthan at oracle.com> ---
Created attachment 2265
  --> https://bugzilla.mindrot.org/attachment.cgi?id=2265&action=edit
Bug fix based on union

-- 
You are receiving this mail because:
You are watching the assignee of the bug.

https://bugzilla.mindrot.org/show_bug.cgi?id=2101

Tomas Kuthan <tomas.kuthan at oracle.com> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
   Attachment #2264|0                           |1
        is obsolete|                            |

--- Comment #2 from Tomas Kuthan <tomas.kuthan at oracle.com> ---
Created attachment 2266
  --> https://bugzilla.mindrot.org/attachment.cgi?id=2266&action=edit
Bug fix based on Solaris Studio #pragma

-- 
You are receiving this mail because:
You are watching the assignee of the bug.

https://bugzilla.mindrot.org/show_bug.cgi?id=2101

Tomas Kuthan <tomas.kuthan at oracle.com> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |tomas.kuthan at oracle.com

-- 
You are receiving this mail because:
You are watching the assignee of the bug.

https://bugzilla.mindrot.org/show_bug.cgi?id=2101

Darren Tucker <dtucker at zip.com.au> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |dtucker at zip.com.au

--- Comment #3 from Darren Tucker <dtucker at zip.com.au> ---
Created attachment 2281
  --> https://bugzilla.mindrot.org/attachment.cgi?id=2281&action=edit
Bug fix based on malloc

Third option: malloc the memory which guarantees that it'll be suitably
aligned.

-- 
You are receiving this mail because:
You are watching the assignee of the bug.
You are watching someone on the CC list of the bug.

https://bugzilla.mindrot.org/show_bug.cgi?id=2101

Darren Tucker <dtucker at zip.com.au> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Blocks|                            |2076

-- 
You are receiving this mail because:
You are watching the assignee of the bug.
You are watching someone on the CC list of the bug.

https://bugzilla.mindrot.org/show_bug.cgi?id=2101

Damien Miller <djm at mindrot.org> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |djm at mindrot.org

--- Comment #4 from Damien Miller <djm at mindrot.org> ---
My vote goes to the union

-- 
You are receiving this mail because:
You are watching the assignee of the bug.
You are watching someone on the CC list of the bug.

https://bugzilla.mindrot.org/show_bug.cgi?id=2101

Darren Tucker <dtucker at zip.com.au> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|NEW                         |RESOLVED
         Resolution|---                         |FIXED

--- Comment #5 from Darren Tucker <dtucker at zip.com.au> ---
union variant applied and will be in the 6.3 release.  Thanks.

-- 
You are receiving this mail because:
You are watching the assignee of the bug.
You are watching someone on the CC list of the bug.

https://bugzilla.mindrot.org/show_bug.cgi?id=2101

Damien Miller <djm at mindrot.org> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|RESOLVED                    |CLOSED

--- Comment #6 from Damien Miller <djm at mindrot.org> ---
Close all resolved bugs after 7.3p1 release

-- 
You are receiving this mail because:
You are watching someone on the CC list of the bug.
You are watching the assignee of the bug.