
Extranonce2 size not checked properly #258

Open
veox opened this issue Jun 12, 2014 · 1 comment

Comments

@veox
Contributor

veox commented Jun 12, 2014

Reported by Mick Ayzenberg of DejaVu Security.

When retesting against the current master branch of sgminer I discovered another vulnerability.

Setting n2size to a value greater than 8 causes the memcpy in gen_stratum_work to copy data from the stack beyond that allocated for nonce2le (sgminer.c:5988). In my test environment I observed that setting n2size to a large value such as 65000 causes a segfault. This occurs because the memcpy hits non-readable memory above the stack and the application crashes.

My recommendation is to set the acceptable bounds of n2size to greater than 0 and less than 9 when it is set (util.c:2407). I do not imagine this will cause any issues with pool compatibility since this limit is already enforced later in the code when sending accepted shares (sgminer.c:5534).

The file and line number references are from git master.

I tend to disagree here, since allowing large extranonces is useful for stratum proxies running huge farms, and for the future, to allow fast miners.

It has to be limited to prevent segfaults, but not to 8 bytes.

@veox veox added the bug label Jun 12, 2014
@veox veox added this to the 5.0 milestone Jun 12, 2014
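As an added illustration (not sgminer's own code), the two guards the report points at: rejecting an out-of-range n2size where the pool's announced value is parsed, and clamping the length at the memcpy so an unchecked value can never overrun the 8-byte nonce2le buffer. The struct and function names are assumed stand-ins; the limit is one constant, so a larger bound (as the maintainer prefers) is a one-line change provided the buffer grows with it.

```c
#include <stdbool.h>
#include <stdint.h>
#include <string.h>

/* Hypothetical stand-in for the report's nonce2le buffer (8 bytes); these are
 * not sgminer's own definitions. */
#define NONCE2_MAX_SIZE 8

struct pool_state {
    size_t n2size;                      /* extranonce2 size the pool announced */
    uint8_t nonce2le[NONCE2_MAX_SIZE];  /* little-endian nonce2 for the share */
};

/* Check the announced size at the point it is parsed (the report's util.c
 * suggestion): accept only 1..NONCE2_MAX_SIZE. */
bool n2size_is_valid(long announced)
{
    return announced >= 1 && announced <= NONCE2_MAX_SIZE;
}

/* Store the size only if it passed validation; returns false otherwise. */
bool set_n2size(struct pool_state *pool, long announced)
{
    if (!n2size_is_valid(announced))
        return false;
    pool->n2size = (size_t)announced;
    return true;
}

/* Defence in depth at the memcpy itself: the copy length is clamped to the
 * destination size, so even an unchecked n2size cannot run the copy past
 * nonce2le (or read past the 8-byte source). Returns bytes copied. */
size_t copy_nonce2le(struct pool_state *pool, uint64_t nonce2)
{
    uint8_t src[sizeof(uint64_t)];
    size_t len = pool->n2size;
    if (len > sizeof pool->nonce2le)
        len = sizeof pool->nonce2le;
    for (size_t i = 0; i < sizeof src; i++)
        src[i] = (uint8_t)(nonce2 >> (8 * i));
    memset(pool->nonce2le, 0, sizeof pool->nonce2le);
    memcpy(pool->nonce2le, src, len);
    return len;
}

/* Simulate a pool whose announced size was stored without validation, and
 * report how many bytes the guarded copy actually wrote. */
size_t copied_bytes_for_unchecked_size(size_t raw)
{
    struct pool_state pool = { .n2size = raw };
    return copy_nonce2le(&pool, 0x0102030405060708ULL);
}
```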
@mrbrdo
Contributor

mrbrdo commented Jul 28, 2014

@veox I remember you once said some of this stuff is already fixed now, is this also fixed?
