crash in BN_mod_exp_mont_consttime under memory stress

[bernd-edlinger]

I have seen this several times, but have no clue what is the reason
It happens in the tls server with openssl-1.0.2 branch when all my other
patches are installed. So far I have no clue what is happening here.

==24146==ERROR: AddressSanitizer: SEGV on unknown address 0x00000000000c 
==24146==The signal is caused by a READ memory access.
==24146==Hint: address points to the zero page.
    #0 0x208cd99 in BN_copy crypto/bn/bn_lib.c:496
    #1 0x220884a in BN_mod_exp_mont_consttime crypto/bn/bn_exp.c:1101
    #2 0x220940b in BN_mod_exp_mont crypto/bn/bn_exp.c:415
    #3 0x209af61 in compute_key crypto/dh/dh_key.c:248
    #4 0x200cf78 in ssl3_get_client_key_exchange ssl/s3_srvr.c:2407
    #5 0x20128c4 in ssl3_accept ssl/s3_srvr.c:603
    #6 0x2037edf in ssl3_read_bytes ssl/s3_pkt.c:1213
    #7 0x202a3e5 in ssl3_read_internal ssl/s3_lib.c:4459
    #8 0x202a3e5 in ssl3_read ssl/s3_lib.c:4483

[bernd-edlinger]

It might be more simple than I thought initially,
BN_CTX_get could have returned NULL in compute_key:

--- a/crypto/dh/dh_key.c
+++ b/crypto/dh/dh_key.c
@@ -223,6 +223,8 @@ static int compute_key(unsigned char *key, const BIGNUM *pub
         goto err;
     BN_CTX_start(ctx);
     tmp = BN_CTX_get(ctx);
+    if (tmp == NULL)
+        goto err;
 
     if (dh->priv_key == NULL) {
         DHerr(DH_F_COMPUTE_KEY, DH_R_NO_PRIVATE_VALUE);

[bernd-edlinger]

OK, fixed on all branches...
master: 7928ee4
1.1.0: 75249be
1.0.2: 8957add