Buffer overrun in secblock.h

marcellegannon

Feb 29, 2012, 11:02:28 PM
to Crypto++ Users
There's a bug in secblock.h in the handling of an aligned buffer. The
buffer is able to be aligned anywhere in 16 bytes, but the array has
only 8 extra allocated. This bug is only tripped when the memory falls
such that more than 8 bytes of realignment are required. It trips the
assert at line 197 of secblock.h as m_allocated gets overwritten.

line 220:
T* GetAlignedArray() {return (CRYPTOPP_BOOL_ALIGN16_ENABLED && T_Align16) ? (T*)(((byte *)m_array) + (0-(size_t)m_array)%16) : m_array;}

line 221:
CRYPTOPP_ALIGN_DATA(8) T m_array[(CRYPTOPP_BOOL_ALIGN16_ENABLED && T_Align16) ? S+8/sizeof(T) : S];

Fix: change line 221 to:
CRYPTOPP_ALIGN_DATA(8) T m_array[(CRYPTOPP_BOOL_ALIGN16_ENABLED && T_Align16) ? S+16/sizeof(T) : S];

Wei Dai

Mar 4, 2012, 2:41:49 PM
to Crypto++ Users
The CRYPTOPP_ALIGN_DATA(8) is supposed to ensure that the allocated
buffer is already aligned on an 8-byte boundary, so that at most 8
bytes of adjustment is needed. Apparently it's not working. What
OS/compiler are you using?
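The arithmetic both posts rely on, as an added example (not code from the thread or from Crypto++): it computes the worst-case adjustment produced by the line 220 expression for a given guaranteed alignment of m_array and compares it with the slack declared on line 221. The function names and the 4-byte element size are assumptions made for illustration.

```cpp
#include <cstddef>
#include <cstdint>
#include <cstdio>

// Bytes skipped to reach the next 16-byte boundary: the
// (0-(size_t)m_array)%16 expression from line 220.
std::size_t adjustment(std::uintptr_t addr) {
    return static_cast<std::size_t>((std::uintptr_t{0} - addr) % 16);
}

// Largest adjustment over every start address possible when the compiler
// guarantees only base_align-byte alignment for m_array.
std::size_t worst_adjustment(std::size_t base_align) {
    std::size_t worst = 0;
    for (std::uintptr_t addr = 0; addr < 16; addr += base_align)
        if (adjustment(addr) > worst) worst = adjustment(addr);
    return worst;
}

// Extra bytes actually declared by S + extra/sizeof(T); the division is
// integer division, so the slack is rounded down to whole elements.
std::size_t slack_bytes(std::size_t extra, std::size_t elem_size) {
    return (extra / elem_size) * elem_size;
}

// Bytes by which the S aligned elements can run past the end of m_array.
std::size_t overrun_bytes(std::size_t base_align, std::size_t extra,
                          std::size_t elem_size) {
    std::size_t worst = worst_adjustment(base_align);
    std::size_t slack = slack_bytes(extra, elem_size);
    return worst > slack ? worst - slack : 0;
}

int main() {
    const std::size_t elem = 4;  // assumed element size, e.g. a 32-bit word
    const std::size_t aligns[] = {16, 8, 4};  // constructed alignment cases
    for (std::size_t a : aligns)
        std::printf("align %2zu: worst adjustment %2zu, "
                    "overrun with +8: %zu, with +16: %zu\n",
                    a, worst_adjustment(a), overrun_bytes(a, 8, elem),
                    overrun_bytes(a, 16, elem));
    return 0;
}
```

The 4-byte alignment case is a constructed scenario showing when 8 bytes of slack stop being enough; it is not a diagnosis of the reporter's platform.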