Reporting some `bn` bugs
147 views
Skip to first unread message
jy l
Nov 14, 2022, 8:00:35 AM11/14/22
to relic-discuss
Hi developers,
I'm writing to report some bugs we met in the relic API.
First one is in the `bn_grow` function: https://github.com/relic-toolkit/relic/blob/05feb20da8507260c9b3736dc1fd2efe7876d812/src/bn/relic_bn_mem.c#L119
that it seems to have an interger overflow while doing `realloc`, for example when:
`bn_grow(r0, 0x20000000)` it would become `realloc(ptr, "a small number")` and return successfully, and causing some heap overflow in more later calls.
And we happened to trigger it through some other APIs like `bn_gen_prime` or `bn_rand`. Maybe there should be more checks at here?
Another one is also an interger overflow and trival to fix here:
that in `bn_get_prime`, if the `pos` is a negative number, it would pass the error checking and cause some global buffer corruption. Maybe the `pos` should be an unsigned int?
Could you help us verify these issues? Thanks!!
Diego F. Aranha
Nov 14, 2022, 9:01:15 AM11/14/22
to relic-...@googlegroups.com
Hi,
Confirmed, that's why RELIC is listed as "at best alpha-quality software", useful for research purposes only.
There's a bunch of old broken code in there that was written > 15 years ago.
In particular, the dynamic memory part has never been properly hardened or fuzzed.
I've been trying for a few years to remove it completely in favor of stack-allocation only, but keep bumping into walls.
Anyway, can you please start Issues/PRs so we fix at least the low-hanging fruit?
Thank you!
--
Diego F. Aranha
Diego F. Aranha
Associate Professor at Computer Science - Aarhus University, Denmark
Åbogade 34, Building 5335 (Office 318 at Nygaard)
8200 Aarhus N, Denmark
--
---
You received this message because you are subscribed to the Google Groups "relic-discuss" group.
To unsubscribe from this group and stop receiving emails from it, send an email to relic-discus...@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/relic-discuss/9f18dac0-f49a-4b64-804c-02ec9dc2ebd7n%40googlegroups.com.
jy l
Nov 15, 2022, 12:49:58 PM11/15/22
to relic-discuss
Sorry for my late reply! Thank you so much for your prompt response!
I didn't start PRs because I thought the my minor patches might not match the whole coding style. And I just checked and saw lots of them got fixed well right?
Thanks again!
Reply all
Reply to author
Forward
0 new messages