Re: Thanks to Debian OpenSSL developers

To: Bodo Moeller <bmoeller@acm.org>
Cc: Steffen Schulz <pepe@cbg.dyndns.org>, debian-security@lists.debian.org
Subject: Re: Thanks to Debian OpenSSL developers
From: Goswin von Brederlow <goswin-v-b@web.de>
Date: Sat, 17 May 2008 07:09:16 +0200
Message-id: <[🔎] 87fxshseir.fsf@frosties.localdomain>
In-reply-to: <[🔎] 20080517023627.GB5824@tau.invalid> (Bodo Moeller's message of "Sat, 17 May 2008 04:36:27 +0200")
References: <[🔎] 20080515195857.GB12524@guido.ipng.hennecke-net.org> <[🔎] 20080515213859.GB27104@cbg.dyndns.org> <[🔎] 20080517023627.GB5824@tau.invalid>

Bodo Moeller <bmoeller@acm.org> writes:

> This much, by the way, should be very clear to anyone who has read the
> OpenSSL PRNG's source code comments ;-)  Anyone who'd look at the
> calling code responsible for the Valgrind warning would have found
> a comment regarding this peculiar behavior.  An attempt to understand
> what is going on locally based on just a single line, however, clearly
> is doomed.  But even looking just at the single function would have
> shown that the modified version of ssleay_rand_add() doesn't ever
> dereference or pass the "buf" pointer; this should strike as odd even
> if you don't read any of the comments.

And that is exactly why I can't understand how this patch was ever
made nor commented as good on the openssl ML.

It might (and everyone having done security audits knows it is) be
hard to understand the implications of commenting out that line and
grasp the catastrophic effect it has without hindsight. But just
looking at the problem the patch was ment to address and that one
function it is clear that the patch is wrong.

Before you could judge if commenting that line is harmfull or not you
would have to trace every single instance of the function being called
and decide if the buf passed as argument is uninitialized there. Only
when you checked all invocations and prooved to yourself that they all
pass an uninitialized buffer would commenting out that line be an
option. But if you identified all the callers then why not fix them?

You never solve an uninitialized variable problem in a function that
gets that variable as argument. You fix the caller of that function.

> Of course, mistakes can always happen anyway, and to anyone.  The
> motto "never fix a bug you don't understand" will only help you out if
> you are aware that you don't understand the bug -- not if you think
> you understand, but actually misunderstand.

I totaly get how you get off by one errors or + and - swapped or
similar. But this mis-fix was already wrong on how it was attempting
to solve the issue in questions. That's why I don't get how at least 2
people messed up like that.

That it also has such a catastrophic effect doesn't even play into
that. To see the effect you have to understand a lot about the code,
intention and algorithms involed. And like most security issues that
is rather complicated and mistake prone. So let me repeated it. I'm
not appaled that nobody saw the effect. I'm shocked that nobody saw
that the way the patch tries to fix uninitialized memory access is
totaly wrong.

> Bodo

MfG
        Goswin

Reply to:

References:
- Thanks to Debian OpenSSL developers
  - From: Guido Hennecke <debian-security-10-2003@debian.dyndns.org>
- Re: Thanks to Debian OpenSSL developers
  - From: Steffen Schulz <pepe@cbg.dyndns.org>
- Re: Thanks to Debian OpenSSL developers
  - From: Bodo Moeller <bmoeller@acm.org>

Prev by Date: Re: Thanks to Debian OpenSSL developers
Next by Date: Re: ssh-vulnkey and authorized_keys
Previous by thread: Re: Thanks to Debian OpenSSL developers
Next by thread: Re: Thanks to Debian OpenSSL developers
Index(es):
- Date
- Thread