
crypto/internal/fips140/bigmod: unexpected fault at addMulVVW #78271

@wwqgtxx

Description


Go version

go version go1.26.1 linux/amd64

Output of go env in your module/workspace:

AR='ar'
CC='gcc'
CGO_CFLAGS='-O2 -g'
CGO_CPPFLAGS=''
CGO_CXXFLAGS='-O2 -g'
CGO_ENABLED='0'
CGO_FFLAGS='-O2 -g'
CGO_LDFLAGS='-O2 -g'
CXX='g++'
GCCGO='gccgo'
GO111MODULE=''
GOARCH='arm'
GOARM='7'
GOAUTH='netrc'
GOBIN=''
GOCACHE='/home/runner/.cache/go-build'
GOCACHEPROG=''
GODEBUG=''
GOENV='/home/runner/.config/go/env'
GOEXE=''
GOEXPERIMENT=''
GOFIPS140='off'
GOFLAGS=''
GOGCCFLAGS='-fPIC -marm -Wl,--no-gc-sections -fmessage-length=0 -ffile-prefix-map=/tmp/go-build1707814329=/tmp/go-build -gno-record-gcc-switches'
GOHOSTARCH='amd64'
GOHOSTOS='linux'
GOINSECURE=''
GOMOD='/home/runner/work/mihomo/mihomo/go.mod'
GOMODCACHE='/home/runner/go/pkg/mod'
GONOPROXY=''
GONOSUMDB=''
GOOS='linux'
GOPATH='/home/runner/go'
GOPRIVATE=''
GOPROXY='https://proxy.golang.org,direct'
GOROOT='/opt/hostedtoolcache/go/1.26.1/x64'
GOSUMDB='sum.golang.org'
GOTELEMETRY='local'
GOTELEMETRYDIR='/home/runner/.config/go/telemetry'
GOTMPDIR=''
GOTOOLCHAIN='local'
GOTOOLDIR='/opt/hostedtoolcache/go/1.26.1/x64/pkg/tool/linux_amd64'
GOVCS=''
GOVERSION='go1.26.1'
GOWORK=''
PKG_CONFIG='pkg-config'

What did you do?

Called (*crypto/x509.Certificate).Verify(opts) from (*crypto/tls.Conn).verifyServerCertificate.

What did you see happen?

unexpected fault address 0x5780000
fatal error: fault
[signal SIGSEGV: segmentation violation code=0x1 addr=0x5780000 pc=0xe21e64]

goroutine 346 gp=0x52f4288 m=3 mp=0x5061008 [running]:
runtime.throw({0x10d8621, 0x5})
        runtime/panic.go:1229 +0x34 fp=0x5712bd4 sp=0x5712bc0 pc=0xb189c
runtime.sigpanic()
        runtime/signal_unix.go:945 +0x2ac fp=0x5712c04 sp=0x5712bd4 pc=0xb4194
crypto/internal/fips140/bigmod.addMulVVW({0x5780000, 0x80, 0x100}, {0x56e2c00, 0x80, 0x80}, 0xe6d25639)
        crypto/internal/fips140/bigmod/nat.go:906 +0x40 fp=0x5712c0c sp=0x5712c08 pc=0xe21e64
crypto/internal/fips140/bigmod.(*Nat).montgomeryMul(0x5713664, 0x5713664, 0x5713664, 0x51834e0)
        crypto/internal/fips140/bigmod/nat.go:820 +0x19c fp=0x5713310 sp=0x5712c0c pc=0xe21660
crypto/internal/fips140/bigmod.(*Nat).ExpShortVarTime(0x5713664, 0x5713670, 0x10001, 0x51834e0)
        crypto/internal/fips140/bigmod/nat.go:1052 +0x290 fp=0x5713440 sp=0x5713310 pc=0xe23378
crypto/internal/fips140/rsa.encrypt(0x5280428, {0x79da79a, 0x200, 0x866})
        crypto/internal/fips140/rsa/rsa.go:380 +0xe4 fp=0x571367c sp=0x5713440 pc=0xe49130
crypto/internal/fips140/rsa.verifyPKCS1v15(0x5280428, {0x10dc7c2, 0x7}, {0x6d908a0, 0x20, 0x20}, {0x79da79a, 0x200, 0x866})
        crypto/internal/fips140/rsa/pkcs1v15.go:115 +0xd4 fp=0x57136b4 sp=0x571367c pc=0xe43418
crypto/internal/fips140/rsa.VerifyPKCS1v15(0x5280428, {0x10dc7c2, 0x7}, {0x6d908a0, 0x20, 0x20}, {0x79da79a, 0x200, 0x866})
        crypto/internal/fips140/rsa/pkcs1v15.go:98 +0x250 fp=0x57136e4 sp=0x57136b4 pc=0xe432f4
crypto/rsa.VerifyPKCS1v15(0x7953a90, 0x5, {0x6d908a0, 0x20, 0x20}, {0x79da79a, 0x200, 0x866})
        crypto/rsa/fips.go:399 +0x1f0 fp=0x5713724 sp=0x57136e4 pc=0x24b438
crypto/x509.checkSignature(0x4, {0x79da48f, 0x2f7, 0xb71}, {0x79da79a, 0x200, 0x866}, {0xf7ec48, 0x7953a90}, 0x0)
        crypto/x509/x509.go:1022 +0x524 fp=0x57137c8 sp=0x5713724 pc=0x278550
crypto/x509.(*Certificate).CheckSignatureFrom(0x6ecc908, 0x6eccf08)
        crypto/x509/x509.go:947 +0x100 fp=0x57137fc sp=0x57137c8 pc=0x277f04
crypto/x509.(*Certificate).buildChains.func1(0x2, {0x6eccf08, 0x0})
        crypto/x509/verify.go:743 +0x16c fp=0x5713874 sp=0x57137fc pc=0x2729a8
crypto/x509.(*Certificate).buildChains(0x6ecc908, {0x7d55ee8, 0x2, 0x2}, 0x516da40, 0x5713ad8)
        crypto/x509/verify.go:781 +0xf0 fp=0x57138e0 sp=0x5713874 pc=0x2726fc
crypto/x509.(*Certificate).buildChains.func1(0x1, {0x6ecc908, 0x0})
        crypto/x509/verify.go:775 +0x524 fp=0x5713958 sp=0x57138e0 pc=0x272d60
crypto/x509.(*Certificate).buildChains(0x6ecc608, {0x7d55ed0, 0x1, 0x1}, 0x516da40, 0x5713ad8)
        crypto/x509/verify.go:784 +0x164 fp=0x57139c4 sp=0x5713958 pc=0x272770
crypto/x509.(*Certificate).Verify(0x6ecc608, {{0x7f6f428, 0xf}, 0x5274300, 0x5147080, {0xc267b20ed525727f, 0xc292e2bf, 0x1cf2220}, {0x0, 0x0, ...}, ...})
        crypto/x509/verify.go:600 +0x3c0 fp=0x5713ad0 sp=0x57139c4 pc=0x271b20

What did you expect to see?

No panic.

Additional information

We have only observed this issue on armv7l devices so far, and the device information is as follows:

Linux TUF-AX5400-0368 4.1.52 1 SMP PREEMPT Sat Nov 15 00:43:22 UTC 2025 armv7l ASUSWRT-Merlin

After reviewing the code, it was found that the first parameter passed to addMulVVW was created using the following code:

		// Attempt to use a stack-allocated backing array.
		T := make([]uint, 0, preallocLimbs*2)
		if cap(T) < n*2 {
			T = make([]uint, 0, n*2)
		}
		T = T[:n*2]

and called by:

			c1 := addMulVVW(T[i:n+i], aLimbs, d)

Since the slice is made within the montgomeryMul function, no illegal access issues should occur. Perhaps this is a compiler-related problem?
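A small triage helper, added here as an example and not part of the report or of Go's bigmod package: it parses the signal line and the addMulVVW frame from the trace above and locates the fault address relative to each slice argument's {ptr, len, cap} header, assuming 4-byte limbs for GOARCH=arm. For this trace the fault address equals the base pointer of T[i:n+i] (element 0, well inside len), so the runtime's own slice header shows an in-bounds access, consistent with the point that the slice bounds themselves are not the problem.

```go
package main

import (
	"regexp"
	"strconv"
)

// Lines copied from the crash report above (constructed input for this example).
const (
	faultLine = "[signal SIGSEGV: segmentation violation code=0x1 addr=0x5780000 pc=0xe21e64]"
	frameLine = "crypto/internal/fips140/bigmod.addMulVVW({0x5780000, 0x80, 0x100}, {0x56e2c00, 0x80, 0x80}, 0xe6d25639)"
)

type SliceHdr struct{ Ptr, Len, Cap uint64 }

var (
	addrRe  = regexp.MustCompile(`addr=(0x[0-9a-fA-F]+)`)
	sliceRe = regexp.MustCompile(`\{(0x[0-9a-fA-F]+), (0x[0-9a-fA-F]+), (0x[0-9a-fA-F]+)\}`)
)

func hexVal(s string) uint64 {
	v, _ := strconv.ParseUint(s, 0, 64) // the regexps above guarantee a valid 0x literal
	return v
}

// FaultAddr extracts the faulting address from the runtime's signal line.
func FaultAddr(line string) (addr uint64, ok bool) {
	if m := addrRe.FindStringSubmatch(line); m != nil {
		return hexVal(m[1]), true
	}
	return 0, false
}

// SliceArgs parses every {ptr, len, cap} header printed in a goroutine frame line.
func SliceArgs(line string) []SliceHdr {
	var out []SliceHdr
	for _, m := range sliceRe.FindAllStringSubmatch(line, -1) {
		out = append(out, SliceHdr{hexVal(m[1]), hexVal(m[2]), hexVal(m[3])})
	}
	return out
}

// Locate returns the element index of addr within s's backing array
// (wordSize bytes per limb: 4 on GOARCH=arm), or -1 if addr lies outside it.
func Locate(s SliceHdr, addr, wordSize uint64) int64 {
	if addr < s.Ptr || addr >= s.Ptr+s.Cap*wordSize {
		return -1
	}
	return int64((addr - s.Ptr) / wordSize)
}
```

Running Locate over both slice arguments gives index 0 for T[i:n+i] and -1 for aLimbs, so the faulting load is the very first limb of the destination slice.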

Labels: BugReport (Issues describing a possible bug in the Go implementation), NeedsInvestigation (Someone must examine and confirm this is a valid issue and not a duplicate of an existing one).
