Project bignum-fuzzer is creating confusion for upstream developers #1761
There is a bug, but it's only reproducible on certain CPU types. This results in it being found by oss-fuzz, and later closed by it while the bug didn't get fixed, because it tried to reproduce it on a different CPU type. This same bug has already been found and closed several times. The bug is still not fixed in OpenSSL.
I can make a workaround in the base project ( https://github.com/guidovranken/bignum-fuzzer ).
Workaround implemented guidovranken/bignum-fuzzer@9ccc337
As expected, the system has now marked the issue as resolved. This particular bug will not reoccur. Feel free to close this issue if this solution is satisfactory.
The RSAZ code requires the input be fully-reduced. To be consistent with the other codepaths, move the BN_nnmod logic before the RSAZ check. This fixes an oft-reported fuzzer bug. google/oss-fuzz#1761
Here, have a fix. It's pretty uninteresting. OpenSSL just got the order of two things wrong.
The RSAZ code requires the input be fully-reduced. To be consistent with the other codepaths, move the BN_nnmod logic before the RSAZ check. This fixes an oft-reported fuzzer bug. google/oss-fuzz#1761 Reviewed-by: Paul Dale <paul.dale@oracle.com> (Merged from #7187)
The RSAZ code requires the input be fully-reduced. To be consistent with the other codepaths, move the BN_nnmod logic before the RSAZ check. This fixes an oft-reported fuzzer bug. google/oss-fuzz#1761 Reviewed-by: Paul Dale <paul.dale@oracle.com> (Merged from #7187) (cherry picked from commit 3afd537)
https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=10063#c3
@kroeckx @guidovranken @kcc - let's try to discuss and resolve any confusion that this project creates. How can this comparison be improved? What sort of testcase reduction are you looking for?
Just fyi, that bug is not created as a security bug.
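A toy model of the ordering problem named in the commit message above, and of why it reproduced only on some CPUs, as an added example that is not OpenSSL's or bignum-fuzzer's code. `modexp_fast` stands in for a CPU-specific path that needs a fully reduced base; the `cpu_fast` flag, all function names and the inputs are constructed for illustration.

```c
#include <stdio.h>
typedef unsigned long long u64;
/* Toy model, constructed names and inputs; not OpenSSL code. m < 2^32. */
/* One conditional subtraction: correct only when x and y are below m. */
static u64 addmod(u64 x, u64 y, u64 m) {
    return x + y >= m ? x + y - m : x + y;
}
/* Double-and-add multiply; inherits the x < m requirement from addmod. */
static u64 mulmod_fast(u64 x, u64 y, u64 m) {
    u64 r = 0;
    for (; y; y >>= 1, x = addmod(x, x, m))
        if (y & 1) r = addmod(r, x, m);
    return r;
}

/* Stand-in for a CPU-specific path that needs a fully reduced base. */
static u64 modexp_fast(u64 a, u64 e, u64 m) {
    u64 r = 1 % m;
    for (; e; e >>= 1, a = mulmod_fast(a, a, m))
        if (e & 1) r = mulmod_fast(a, r, m);
    return r;
}

/* Portable path, also used as the reference: reduces the base itself. */
u64 modexp_generic(u64 a, u64 e, u64 m) {
    u64 r = 1 % m;
    for (a %= m; e; e >>= 1, a = a * a % m)
        if (e & 1) r = r * a % m;
    return r;
}

/* Buggy order: fast-path dispatch happens before the reduction. */
u64 modexp_buggy(u64 a, u64 e, u64 m, int cpu_fast) {
    if (cpu_fast) return modexp_fast(a, e, m);
    return modexp_generic(a, e, m);
}

/* Fixed order: reduce first, so every path sees a base below m. */
u64 modexp_fixed(u64 a, u64 e, u64 m, int cpu_fast) {
    a %= m;
    return cpu_fast ? modexp_fast(a, e, m) : modexp_generic(a, e, m);
}

int main(void) { /* cpu_fast 0 and 1 model two fuzzing machines */
    for (int c = 0; c <= 1; c++)
        printf("cpu_fast=%d buggy=%llu fixed=%llu\n", c,
               modexp_buggy(100, 1, 7, c), modexp_fixed(100, 1, 7, c));
    return 0;
}
```

With `cpu_fast=0` the buggy dispatcher agrees with the reference, which is how a reproduction attempt on different hardware can mark a still-valid report as fixed.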