Fix using of uninitialized buffer "t" #2942
Conversation
There was a problem hiding this comment.
Hello, @svpcom, and thanks for the contribution!
Unfortunately, bzero that you've used is Unix-specific, and we're targeting multiple other platforms. You could consider using mbedtls_platform_zeroize instead, but could you please elaborate first about the details of this fix?
When exactly is t used as an uninitialized buffer? What are the preconditions?
Thanks in advance.
|
In /*
* Compute T = T(1) | T(2) | T(3) | ... | T(N)
* Where T(N) is defined in RFC 5869 Section 2.3
*/
for( i = 1; i <= n; i++ )
{HMAC read data from uninitialized ret = mbedtls_md_hmac_update( &ctx, t, t_len );So |
| @@ -93,7 +93,7 @@ int mbedtls_hkdf_expand( const mbedtls_md_info_t *md, const unsigned char *prk, | |||
| int ret = 0; | |||
| mbedtls_md_context_t ctx; | |||
| unsigned char t[MBEDTLS_MD_MAX_SIZE]; | |||
| bzero(t, sizeof(t)); | |||
| mbedtls_platform_zeroize(t, sizeof(t)); | |||
There was a problem hiding this comment.
memset() should be fine here, since t doesn't contain secrets at this point.
|
For the mbedtls-2.16 and mbedtls-2.7 branches, we need a contributor license agreement (CLA) in order to take onboard your fix. If this is a personal contribution, the easiest way to do this is if you create an mbed account and accept this click through agreement. Alternatively, you can find a slightly different agreement to sign here, which can be signed and returned to us, and is applicable if you don't want to create an mbed account or alternatively if this is a corporate contribution. Thanks! |
Patater
added
CLA requested
component-crypto
|
@svpcom, looking at the first iteration, Thanks to @yanesca for also taking a look at this. |
|
Hi @svpcom. It seems this PR stalled since earlier reviewers think there is not an issue here. If you still think there's an issue then please comment otherwise we will close. Also note that we now require a "Signed-off-by:" line in contributions so if you want to want to submit a reworked PR, please apply this. Thanks, Dan. |
t is never used uninitialized, since the first loop iteration reads 0 bytes of it and then writes hash_len bytes, and subsequent iterations read and write hash_len bytes. However this is somewhat fragile, and it would be legitimate for a static analyzer to be unsure. Initialize t explicitly, to make the code clearer and more robust, at negligible cost. Reported by Vasily Evseenko in Mbed-TLS#2942 with a slightly different fix. Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
|
Thank you for reporting this! As Andrzej notes, there's no bug: the part of |
Status
READY
Requires Backporting
Yes
Which branch?
All branches
Migrations
NO
Additional comments
Security fix