Project bignum-fuzzer is creating confusion for upstream developers #1761
Comments
|
There is a bug, but it's only reproducible on certain cpu types. This result in it being found by oss-fuzz, and later closed by it while the bug didn't get fixed, because it tried to reproduce it on a different CPU type. This same bug has already been found and closed several times. The bug is still not fixed in OpenSSL. |
|
I can make a workaround in in the base project ( https://github.com/guidovranken/bignum-fuzzer ). |
|
Workaround implemented guidovranken/bignum-fuzzer@9ccc337 |
|
As expected, the system has now marked the issue as resolved. This particular bug will not reoccur. Feel free to close this issue if this solution is satisfactory. |
The RSAZ code requires the input be fully-reduced. To be consistent with the other codepaths, move the BN_nnmod logic before the RSAZ check. This fixes an oft-reported fuzzer bug. google/oss-fuzz#1761
|
Here, have a fix. It's pretty uninteresting. OpenSSL just got the order of two things wrong. |
The RSAZ code requires the input be fully-reduced. To be consistent with the other codepaths, move the BN_nnmod logic before the RSAZ check. This fixes an oft-reported fuzzer bug. google/oss-fuzz#1761 Reviewed-by: Paul Dale <paul.dale@oracle.com> (Merged from #7187)
The RSAZ code requires the input be fully-reduced. To be consistent with the other codepaths, move the BN_nnmod logic before the RSAZ check. This fixes an oft-reported fuzzer bug. google/oss-fuzz#1761 Reviewed-by: Paul Dale <paul.dale@oracle.com> (Merged from #7187) (cherry picked from commit 3afd537)
https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=10063#c3
@kroeckx @guidovranken @kcc - lets try to discuss and resolve any confusion that this project creates. How can this comparison be improved ? What sort of testcase reduction are you looking for ?
Just fyi, that bug is not created as a security bug.
The text was updated successfully, but these errors were encountered: