Reporting some `bn` bugs

107 views
Skip to first unread message

jy l

unread,
Nov 14, 2022, 8:00:35 AM11/14/22
to relic-discuss
Hi developers,

I'm writing to report some bugs we met in the relic API.
that it seems to have an interger overflow while doing `realloc`, for example when:
`bn_grow(r0, 0x20000000)` it would become `realloc(ptr, "a small number")` and return successfully, and causing some heap overflow in more later calls.
And we happened to trigger it through some other APIs like `bn_gen_prime` or `bn_rand`. Maybe there should be more checks at here?

Another one is also an interger overflow and trival to fix here:
that in `bn_get_prime`, if the `pos` is a negative number, it would pass the error checking and cause some global buffer corruption. Maybe the `pos` should be an unsigned int?

Could you help us verify these issues? Thanks!!

Diego F. Aranha

unread,
Nov 14, 2022, 9:01:15 AM11/14/22
to relic-...@googlegroups.com
Hi,

Confirmed, that's why RELIC is listed as "at best alpha-quality software", useful for research purposes only.

There's a bunch of old broken code in there that was written > 15 years ago.
In particular, the dynamic memory part has never been properly hardened or fuzzed.
I've been trying for a few years to remove it completely in favor of stack-allocation only, but keep bumping into walls.

Anyway, can you please start Issues/PRs so we fix at least the low-hanging fruit?

Thank you!
--
Diego F. Aranha
Associate Professor at Computer Science Aarhus University, Denmark

Åbogade 34, Building 5335 (Office 318 at Nygaard)
8200 Aarhus N, Denmark





--

---
You received this message because you are subscribed to the Google Groups "relic-discuss" group.
To unsubscribe from this group and stop receiving emails from it, send an email to relic-discus...@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/relic-discuss/9f18dac0-f49a-4b64-804c-02ec9dc2ebd7n%40googlegroups.com.

jy l

unread,
Nov 15, 2022, 12:49:58 PM11/15/22
to relic-discuss
Sorry for my late reply! Thank you so much for your prompt response!
I didn't start PRs because I thought the my minor patches might not match the whole coding style. And I just checked and saw lots of them got fixed well right? 
Thanks again! 
Reply all
Reply to author
Forward
0 new messages