When retesting against the current master branch of sgminer I discovered another vulnerability.
Setting n2size to a value greater than 8 causes the memcpy in gen_stratum_work to copy data from the stack beyond that allocated for nonce2le (sgminer.c:5988). In my test environment I observed that setting n2size to a large value such as 65000 causes a segfault. This occurs because the memcpy hits non-readable memory above the stack and the application crashes.
My recommendation is to set the acceptable bounds of n2size to greater than 0 and less than 9 when it is set (util.c:2407). I do not imagine this will cause any issues with pool compatibility since this limit is already enforced later in the code when sending accepted shares (sgminer.c:5534).
The file and line number references are from git master.
I tend to disagree here, since allowing large extranonces is useful for stratum proxies running huge farms, and for the future, to allow fast miners.
It has to be limited to prevent segfaults, but not to 8 bytes.
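As an added illustration of the mitigation discussed in the report and the reply above (this is example code, not sgminer's own), the following C routine rejects an `n2size` value that is not strictly positive or that exceeds the destination buffer before any `memcpy` is performed. The buffer size and the function names are assumptions; the check is written against the destination length so the limit can be raised above 8 bytes simply by enlarging the buffer, which is the point the reply makes.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Assumed destination size for the little-endian extranonce2 copy. The report
 * says sgminer's nonce2le holds 8 bytes; a larger farm-friendly limit is just
 * a bigger buffer here, since the bound is derived from dstlen. */
#define NONCE2LE_BUFSIZE 8

/* Validate the pool-supplied n2size: it must be > 0 and must fit the buffer.
 * Rejecting 0 avoids a zero-length extranonce2; rejecting > max_n2size is
 * what stops the memcpy from running past the destination. */
bool n2size_ok(long n2size, size_t max_n2size)
{
    return n2size > 0 && (size_t)n2size <= max_n2size;
}

/* Copy n2size bytes of extranonce2 into a fixed-size buffer, zero-padding the
 * remainder. Returns 0 on success, -1 when n2size is out of bounds; on -1 the
 * destination is left untouched and no memcpy takes place. */
int copy_nonce2(uint8_t *dst, size_t dstlen, const uint8_t *src, long n2size)
{
    if (!n2size_ok(n2size, dstlen))
        return -1;
    memset(dst, 0, dstlen);
    memcpy(dst, src, (size_t)n2size);
    return 0;
}

int main(void)
{
    /* Constructed sample extranonce2 bytes, not real pool data. */
    const uint8_t sample[8] = {0x11, 0x22, 0x33, 0x44, 0x55, 0x66, 0x77, 0x88};
    uint8_t nonce2le[NONCE2LE_BUFSIZE];

    /* In-range size: accepted. */
    if (copy_nonce2(nonce2le, sizeof nonce2le, sample, 4) == 0)
        printf("n2size=4 accepted\n");

    /* The value from the report: rejected before any copy happens. */
    if (copy_nonce2(nonce2le, sizeof nonce2le, sample, 65000) == -1)
        printf("n2size=65000 rejected\n");

    return 0;
}
```

The same `n2size_ok` check belongs at the point where the value is parsed from the pool message (the report points at util.c), so a bad value is refused once at the boundary rather than guarded at each later use.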
Reported by Mick Ayzenberg of DejaVu Security.