mpi_write_hlp buffer overflow #2404
Comments
Hi @guidovranken, thanks for your report! However, I'm lacking access to the page you linked. Could you please provide more details here? So far, I don't see how the loop in 91af329#diff-c252711ea8b2703e393502bfe46bff62 would lead to an overflow. Thanks!
Hi Hanno, your team should have access to the ClusterFuzz interface via . It happens when the number is negative: compile Mbed TLS and the following file with AddressSanitizer:

```c
#include <mbedtls/bignum.h>
#include <stdlib.h>

/* Parse a decimal string into a freshly allocated mpi. */
static int bignum_from_string(const char* input, mbedtls_mpi** output)
{
    mbedtls_mpi* mpi = NULL;
    *output = NULL;
    if ( (mpi = malloc(sizeof(*mpi))) == NULL ) {
        goto error;
    }
    mbedtls_mpi_init(mpi);
    if ( mbedtls_mpi_read_string(mpi, 10, input) != 0 ) {
        goto error;
    }
    *output = mpi;
    return 0;
error:
    mbedtls_mpi_free(mpi);   /* safe on NULL; releases limbs on parse failure */
    free(mpi);
    return -1;
}

/* Two-pass conversion: ask for the required length, allocate exactly that,
 * then write. The second call is where ASan reports the overflow for "-1". */
static int string_from_bignum(mbedtls_mpi* mpi, char** output)
{
    size_t olen;
    int ret;
    *output = NULL;
    ret = mbedtls_mpi_write_string(mpi, 10, NULL, 0, &olen);
    if ( ret != MBEDTLS_ERR_MPI_BUFFER_TOO_SMALL ) {
        goto error;
    }
    if ( (*output = malloc(olen)) == NULL ) {
        goto error;
    }
    if ( mbedtls_mpi_write_string(mpi, 10, *output, olen, &olen) != 0 ) {
        goto error;
    }
    return 0;
error:
    free(*output);
    *output = NULL;
    return -1;
}

int main(void)
{
    const char* instr = "-1";   /* any negative value triggers it */
    mbedtls_mpi* outmpi;
    char* outstr;
    if ( bignum_from_string(instr, &outmpi) == -1 ) {
        return 0;
    }
    if ( string_from_bignum(outmpi, &outstr) == 0 ) {
        free(outstr);
    }
    mbedtls_mpi_free(outmpi);
    free(outmpi);
    return 0;
}
```
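The PoC above needs Mbed TLS and ASan to show anything. The following C model is added here and is not code from Mbed TLS or from the reporter: it reproduces the same defect class stand-alone. It assumes (an assumption about the root cause, not stated on the page) that the sign byte is written first and a back-to-front digit writer then treats `p + buflen` as the end of the buffer without `buflen` having been reduced for the sign; a canary byte after an exactly sized buffer makes the 1-byte overrun visible without a sanitizer.

```c
#include <stddef.h>
#include <string.h>
#define ERR_BUFFER_TOO_SMALL (-1)

/* Hypothetical model of the API in the report: query the required size with
 * buf == NULL, then write. The sign goes first; digits are then produced
 * back to front by a helper that treats p + buflen as the buffer end.
 * 'fixed' selects whether buflen is reduced for the sign byte already used. */
static int write_signed_dec(long long v, char *buf, size_t buflen,
                            size_t *olen, int fixed)
{
    unsigned long long mag = v < 0 ? 0ULL - (unsigned long long)v : (unsigned long long)v;
    size_t ndig = 1;
    for (unsigned long long t = mag; t >= 10; t /= 10)
        ndig++;
    size_t need = ndig + (v < 0 ? 1 : 0) + 1;   /* digits + sign + NUL */
    if (buf == NULL || buflen < need) { *olen = need; return ERR_BUFFER_TOO_SMALL; }
    char *p = buf;
    if (v < 0) {
        *p++ = '-';
        if (fixed)
            buflen--;   /* without this, p + buflen is one past the buffer */
    }
    char *p_end = p + buflen;
    *--p_end = '\0';
    do {
        *--p_end = (char)('0' + mag % 10);
        mag /= 10;
    } while (mag);
    size_t len = (size_t)((p + buflen) - p_end);
    memmove(p, p_end, len);                     /* digits to the front */
    *olen = (size_t)(p - buf) + len;
    return 0;
}

/* Converts v into an exactly sized region guarded by a canary byte; returns 1
 * if the text equals 'expect' and the canary survived. The stray NUL lands on
 * the canary while the visible string still looks right, which is why the
 * defect needs ASan (or a canary like this) to be seen. */
static int convert_guarded(long long v, int fixed, const char *expect)
{
    char region[40];
    size_t need = 0, written = 0;
    if (write_signed_dec(v, NULL, 0, &need, fixed) != ERR_BUFFER_TOO_SMALL)
        return 0;
    memset(region, 0xA5, sizeof region);
    if (write_signed_dec(v, region, need, &written, fixed) != 0)
        return 0;
    return strcmp(region, expect) == 0 && written == need
        && (unsigned char)region[need] == 0xA5;
}
```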
Hi @guidovranken, thanks, that clarifies things. The bug is not in I'll open a PR with the fix. Thanks again for your report,
This can only occur for negative numbers. Fixes Mbed-TLS#2404.
ARM Internal Ref: IOTSSL-2760
When will you merge the fix?
Add "Credit to OSS-Fuzz", in addition to Guido Vranken, for identifying bug Mbed-TLS#2404.
* origin/pr/2555: Give credit to OSS-Fuzz for #2404
* origin/pr/2556: Give credit to OSS-Fuzz for #2404
* origin/pr/2557: Give credit to OSS-Fuzz for #2404
Merge Mbed TLS at f790a6c into Mbed Crypto. Resolve conflicts by performing the following:
- Reject changes to README.md
- Don't add crypto as a submodule
- Remove test/ssl_cert_test from programs/Makefile
- Add cipher.nist_kw test to tests/CMakeLists.txt
- Reject removal of crypto-specific all.sh tests
- Reject update to SSL-specific portion of component_test_valgrind in all.sh
- Reject addition of ssl-opt.sh testing to component_test_m32_o1 in all.sh

* tls/development: (87 commits)
  Call mbedtls_cipher_free() to reset a cipher context
  Don't call mbedtls_cipher_setkey twice
  Update crypto submodule
  Minor fixes in get certificate policies oid test
  Add certificate policy oid x509 extension
  cpp_dummy_build: Add missing header psa_util.h
  Clarify comment mangled by an earlier refactoring
  Add an "out-of-box" component
  Run ssl-opt.sh on 32-bit runtime
  Don't use debug level 1 for informational messages
  Skip uncritical unsupported extensions
  Give credit to OSS-Fuzz for Mbed-TLS#2404
  all.sh: remove component_test_new_ecdh_context
  Remove crypto-only related components from all.sh
  Remove ssl_cert_test sample app
  Make CRT callback tests more robust
  Rename constant in client2.c
  Document and test flags in x509_verify
  Fix style issues and a typo
  Fix a rebase error
  ...
* public/mbedtls-2.16: (40 commits)
  Clarify comment mangled by an earlier refactoring
  Add an "out-of-box" component
  Run ssl-opt.sh on 32-bit runtime
  Fix typo in data_file generator code
  Give credit to OSS-Fuzz for Mbed-TLS#2404
  Remove ssl_cert_test sample app
  Fix the proxy seed in Travis runs
  Update library version to 2.16.1
  Fix errors in AEAD test function
  x509.c: Fix potential memory leak in X.509 self test
  Remove Circle CI script
  Fix ChangeLog entry ordering
  Fix typo
  Add non-regression test for buffer overflow
  Improve documentation of mbedtls_mpi_write_string()
  Adapt ChangeLog
  Fix 1-byte buffer overflow in mbedtls_mpi_write_string()
  Change Perl to Python in test builds
  Fix default port number information
  Silence pylint
  ...
Google oss-fuzz found a buffer overflow in mpi_write_hlp. This is most likely due to 91af329#diff-c252711ea8b2703e393502bfe46bff62. The overflow occurs at library/bignum.c:553.

See: https://oss-fuzz.com/testcase-detail/5167698789531648