On Fri, Oct 8, 2021 at 12:02 AM Jeffrey Walton <nolo...@gmail.com> wrote:
>
> On Thu, Oct 7, 2021 at 5:11 AM Tony Stead <ths...@gmail.com> wrote:
> >
> > I have been using the Integer class for some big number operations and seem to have found a buffer overflow in at least the Integer::And routine; I have not yet inspected any more.
> >
> > ...
> > The issue is caused in the temporary result variable. When result copies t or this in its constructor, it calculates the minimum size required to fit the current number in t or this. If the top order bits of t or this have gone zero, it will allocate fewer bytes than the size of t or this. However, the following AndWords routine performs a copy using the size of the original number, either t or this.
> >
> > Changing the value to result.reg.size() appears to fix the issue at least for my use case.
>
> Thanks Tony.
>
> Do you have a reproducer? I'd like to look at it.
>
> We have test cases setup and they are run under the sanitizers. I
> don't recall seeing a finding. We might be missing a test case for it,
> however.
I can't seem to reproduce the issue with our test data. Integer is
testing OK with UBsan, Asan and Valgrind.
Would you be able to provide a reproducer?
Thanks again.
----------
Here's the Valgrind build I am testing.
$ CXXFLAGS="-DDEBUG -g3 -O0" make -j 12
Using testing flags: -DDEBUG -g3 -O0
g++ -fPIC -pthread -pipe -DDEBUG -g3 -O0 -c cryptlib.cpp
g++ -fPIC -pthread -pipe -DDEBUG -g3 -O0 -c cpu.cpp
g++ -fPIC -pthread -pipe -DDEBUG -g3 -O0 -c integer.cpp
...
$ valgrind -- ./cryptest.exe v 9997
==13696== Memcheck, a memory error detector
==13696== Copyright (C) 2002-2017, and GNU GPL'd, by Julian Seward et al.
==13696== Using Valgrind-3.15.0 and LibVEX; rerun with -h for copyright info
==13696== Command: ./cryptest.exe v 9997
==13696==
Using seed: 1633666228
Testing Integer bit operations...
passed: Bitwise AND over 32-bits to 1024-bits
passed: Bitwise OR over 32-bits to 1024-bits
passed: Bitwise XOR over 32-bits to 1024-bits
Seed used was 1633666228
Test started at Fri Oct 8 00:10:28 2021
Test ended at Fri Oct 8 00:10:31 2021
==13696==
==13696== HEAP SUMMARY:
==13696== in use at exit: 0 bytes in 0 blocks
==13696== total heap usage: 451,126 allocs, 451,126 frees, 22,872,284 bytes allocated
==13696==
==13696== All heap blocks were freed -- no leaks are possible
==13696==
==13696== For lists of detected and suppressed errors, rerun with: -s
==13696== ERROR SUMMARY: 0 errors from 0 contexts (suppressed: 0 from 0)
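To make the sizing mismatch Tony describes concrete, here is an added toy model of the pattern; it is not Crypto++'s Integer code, and every name in it (ToyInteger, Trimmed, AndWords, AndBuggy, AndFixed, BuggyOverruns) is invented for this illustration. The temporary is sized to the trimmed value while the buggy word loop is bounded by the operand's original word count; the toy's AndWords checks its bounds so the overrun is reported instead of corrupting memory, and AndFixed bounds the loop by the temporary's own size, as the report suggests.

```cpp
// Added toy model (not Crypto++ code) of the sizing mismatch in the report:
// the temporary is sized to the trimmed value, the word loop to the operand's
// original size. All names here are invented for this example.
#include <cstddef>
#include <cstdint>
#include <cstdio>
#include <initializer_list>
#include <stdexcept>
#include <utility>
#include <vector>

using Word = std::uint32_t;

struct ToyInteger {
    std::vector<Word> reg;  // little-endian words; high words may be zero

    ToyInteger(std::initializer_list<Word> words) : reg(words) {}
    explicit ToyInteger(std::vector<Word> words) : reg(std::move(words)) {}

    // Copy sized to the minimum word count holding the value (zero high words
    // dropped), modelling the copy-constructor behaviour the report describes.
    static ToyInteger Trimmed(const ToyInteger& src) {
        std::size_t n = src.reg.size();
        while (n > 1 && src.reg[n - 1] == 0) --n;
        return ToyInteger(std::vector<Word>(src.reg.begin(), src.reg.begin() + n));
    }
};

// result[i] &= other[i] for i < count. The toy checks the bounds so an
// oversized count is reported rather than written past the buffer.
void AndWords(std::vector<Word>& result, const std::vector<Word>& other, std::size_t count) {
    if (count > result.size() || count > other.size())
        throw std::out_of_range("AndWords: count exceeds a buffer's word count");
    for (std::size_t i = 0; i < count; ++i) result[i] &= other[i];
}

// Buggy shape: the loop bound is the smaller operand's untrimmed size.
ToyInteger AndBuggy(const ToyInteger& a, const ToyInteger& b) {
    const bool aBig = a.reg.size() >= b.reg.size();
    const ToyInteger& big = aBig ? a : b;
    const ToyInteger& small = aBig ? b : a;
    ToyInteger result = ToyInteger::Trimmed(small);   // may be shorter than small.reg
    AndWords(result.reg, big.reg, small.reg.size());  // overruns result when it is
    return result;
}

// Fixed shape from the report: the loop bound is the temporary's own size.
ToyInteger AndFixed(const ToyInteger& a, const ToyInteger& b) {
    const bool aBig = a.reg.size() >= b.reg.size();
    const ToyInteger& big = aBig ? a : b;
    const ToyInteger& small = aBig ? b : a;
    ToyInteger result = ToyInteger::Trimmed(small);
    AndWords(result.reg, big.reg, result.reg.size());
    return result;
}

// True when the buggy shape would write past the temporary for these inputs.
bool BuggyOverruns(const ToyInteger& a, const ToyInteger& b) {
    try { AndBuggy(a, b); return false; }
    catch (const std::out_of_range&) { return true; }
}

int main() {
    // Constructed inputs: b is four words wide but its top three words are zero,
    // so its trimmed copy holds a single word.
    ToyInteger a{0xFFFFFFFFu, 0xFFFFFFFFu, 0xFFFFFFFFu, 0xFFFFFFFFu};
    ToyInteger b{0x0Fu, 0u, 0u, 0u};
    std::printf("buggy shape overruns: %s\n", BuggyOverruns(a, b) ? "yes" : "no");
    ToyInteger r = AndFixed(a, b);
    std::printf("fixed result: %zu word(s), low word 0x%X\n",
                r.reg.size(), static_cast<unsigned>(r.reg[0]));
    return 0;
}
```

The point of the toy is the trigger condition: the overrun only appears when the smaller operand carries zero high words, which is why random test vectors with full-width values can pass under the sanitizers while a reproducer with a value that has "gone zero" at the top fails. A regression test for this class of bug should therefore include operands whose storage is wider than their value.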