Loading zero-padded negative number results in positive number #4295

guidovranken · 2021-04-02T20:31:50Z

E.g. using mbedtls_mpi_read_string to load "-1" actually loads -1, but loading "-01" loads 1.

This appears to be new behavior. It was detected by OSS-Fuzz: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=32828

The revision range: e93095f...d520037

#include <mbedtls/bignum.h>

int main(void)
{
    mbedtls_mpi mpi;
    mbedtls_mpi_init(&mpi);
    if ( mbedtls_mpi_read_string(&mpi, 10, "-01") != 0 ) {
        goto error;
    }
    char out[1024];
    size_t outlen = sizeof(out);
    if ( mbedtls_mpi_write_string(&mpi, 10, out, outlen, &outlen) != 0 ) {
        goto error;
    }
    printf("%s\n", out);
error:
    return 0;
}

The text was updated successfully, but these errors were encountered:

Move the handling of the sign out of the base-specific loops. This both simplifies the code, and corrects an edge case: the code in the non-hexadecimal case depended on mbedtls_mpi_mul_int() preserving the sign bit when multiplying a "negative zero" MPI by an integer, which used to be the case but stopped with PR Mbed-TLS#2512. Fix Mbed-TLS#4295. Thanks to Guido Vranken for reporting the bug. Credit to OSS-Fuzz. Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>

Move the handling of the sign out of the base-specific loops. This both simplifies the code, and corrects an edge case: the code in the non-hexadecimal case depended on mbedtls_mpi_mul_int() preserving the sign bit when multiplying a "negative zero" MPI by an integer, which used to be the case but stopped with PR Mbed-TLS#2512. Fix Mbed-TLS#4295. Thanks to Guido Vranken for analyzing the cause of the bug. Credit to OSS-Fuzz. Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>

Move the handling of the sign out of the base-specific loops. This both simplifies the code, and corrects an edge case: the code in the non-hexadecimal case depended on mbedtls_mpi_mul_int() preserving the sign bit when multiplying a "negative zero" MPI by an integer, which used to be the case but stopped with PR #2512. Fix #4295. Thanks to Guido Vranken for analyzing the cause of the bug. Credit to OSS-Fuzz. Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>

gilles-peskine-arm self-assigned this Apr 3, 2021

gilles-peskine-arm added bug component-crypto Crypto primitives and low-level interfaces Product Backlog labels Apr 3, 2021

gilles-peskine-arm mentioned this issue Apr 3, 2021

Fix ECP arithmetic bug and read of zero-padded negative number #4297

Merged

gilles-peskine-arm added the fix available label Apr 3, 2021

gilles-peskine-arm closed this as completed in #4297 Apr 9, 2021

gilles-peskine-arm added the size-s Estimated task size: small (~2d) label May 4, 2021

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Loading zero-padded negative number results in positive number #4295

Loading zero-padded negative number results in positive number #4295

guidovranken commented Apr 2, 2021

Loading zero-padded negative number results in positive number #4295

Loading zero-padded negative number results in positive number #4295

Comments

guidovranken commented Apr 2, 2021