-
Notifications
You must be signed in to change notification settings - Fork 2.6k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Fix using of uninitialized buffer "t" #2942
Conversation
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Hello, @svpcom, and thanks for the contribution!
Unfortunately, bzero
that you've used is Unix-specific, and we're targeting multiple other platforms. You could consider using mbedtls_platform_zeroize
instead, but could you please elaborate first about the details of this fix?
When exactly is t
used as an uninitialized buffer? What are the preconditions?
Thanks in advance.
In /*
* Compute T = T(1) | T(2) | T(3) | ... | T(N)
* Where T(N) is defined in RFC 5869 Section 2.3
*/
for( i = 1; i <= n; i++ )
{ HMAC read data from uninitialized ret = mbedtls_md_hmac_update( &ctx, t, t_len ); So |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Could you please add a regression test? We test with ASan and would expect a failure there if we provide the right test case.
@@ -93,7 +93,7 @@ int mbedtls_hkdf_expand( const mbedtls_md_info_t *md, const unsigned char *prk, | |||
int ret = 0; | |||
mbedtls_md_context_t ctx; | |||
unsigned char t[MBEDTLS_MD_MAX_SIZE]; | |||
bzero(t, sizeof(t)); | |||
mbedtls_platform_zeroize(t, sizeof(t)); |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
memset()
should be fine here, since t
doesn't contain secrets at this point.
For the mbedtls-2.16 and mbedtls-2.7 branches, we need a contributor license agreement (CLA) in order to take onboard your fix. If this is a personal contribution, the easiest way to do this is if you create an mbed account and accept this click through agreement. Alternatively, you can find a slightly different agreement to sign here, which can be signed and returned to us, and is applicable if you don't want to create an mbed account or alternatively if this is a corporate contribution. Thanks! |
@svpcom, looking at the first iteration, Thanks to @yanesca for also taking a look at this. |
Hi @svpcom. It seems this PR stalled since earlier reviewers think there is not an issue here. If you still think there's an issue then please comment otherwise we will close. Also note that we now require a "Signed-off-by:" line in contributions so if you want to want to submit a reworked PR, please apply this. Thanks, Dan. |
t is never used uninitialized, since the first loop iteration reads 0 bytes of it and then writes hash_len bytes, and subsequent iterations read and write hash_len bytes. However this is somewhat fragile, and it would be legitimate for a static analyzer to be unsure. Initialize t explicitly, to make the code clearer and more robust, at negligible cost. Reported by Vasily Evseenko in Mbed-TLS#2942 with a slightly different fix. Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
Thank you for reporting this! As Andrzej notes, there's no bug: the part of |
Status
READY
Requires Backporting
Yes
Which branch?
All branches
Migrations
NO
Additional comments
Security fix