Potential buffer overread in ctap_encode_der_sig() #94
Comments
|
Scan build complains about it as well: clang version 7.0.1 (Fedora 7.0.1-1.fc29) |
2 tasks
szszszsz
added a commit
to Nitrokey/nitrokey-fido2-firmware
that referenced
this issue
Feb 1, 2019
Take into account leading zeroes in the size to copy, for both R and S ingredients of the signature. Issue was occuring only in cases, when there was a leading zero for the S part. Refactor ctap_encode_der_sig(): - add in_ and out_ prefixes to the function arguments - mark pointers const - clear out buffer Tested via simulated device on: - Fedora 29 - gcc (GCC) 8.2.1 20181215 (Red Hat 8.2.1-6) - libasan 8.2.1 / 6.fc29 (same machine, as in the related issue description) by running ctap_test() Python test in a loop for 20 minutes (dev's counter 400k+). Earlier issue was occuring in first minutes. Not tested on hardware yet. Related: solokeys#94 Signed-off-by: Szczepan Zalega <szczepan@nitrokey.com>
|
It seems that I have found the fix (it is not triggering ASan at least; see linked commit). Tested on the simulated device, later will check on hardware. |
szszszsz
added a commit
to Nitrokey/nitrokey-fido2-firmware
that referenced
this issue
Feb 2, 2019
Take into account leading zeroes in the size to copy, for both R and S ingredients of the signature. Issue was occuring only in cases, when there was a leading zero for the S part. Refactor ctap_encode_der_sig(): - add in_ and out_ prefixes to the function arguments - mark pointers const - clear out buffer Tested via simulated device on: - Fedora 29 - gcc (GCC) 8.2.1 20181215 (Red Hat 8.2.1-6) - libasan 8.2.1 / 6.fc29 (same machine, as in the related issue description) by running ctap_test() Python test in a loop for 20 minutes (dev's counter 400k+). Earlier issue was occuring in first minutes. Tested on Nucleo32 board, by running the ctap_test() 20 times. Related: solokeys#94 Signed-off-by: Szczepan Zalega <szczepan@nitrokey.com>
szszszsz
added a commit
to Nitrokey/nitrokey-fido2-firmware
that referenced
this issue
Feb 2, 2019
Take into account leading zeroes in the size to copy, for both R and S ingredients of the signature. Issue was occuring only in cases, when there was a leading zero for the S part. Refactor ctap_encode_der_sig(): - add in_ and out_ prefixes to the function arguments - mark pointers const - clear out buffer Tested via simulated device on: - Fedora 29 - gcc (GCC) 8.2.1 20181215 (Red Hat 8.2.1-6) - libasan 8.2.1 / 6.fc29 (same machine, as in the related issue description) by running ctap_test() Python test in a loop for 20 minutes (dev's counter 400k+). Earlier issue was occuring in first minutes. Tested on Nucleo32 board, by running the ctap_test() 20 times. Fixes solokeys#94 Signed-off-by: Szczepan Zalega <szczepan@nitrokey.com>
|
Great find! Thank you |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Description
It looks like memmove reads (writes?) one byte too much, while writing final result of the ctap_encode_der_sig() function. It does not occur always - probably only in case for maximum signature length.
Found, while running simulation binary compiled with
-lasan -fsanitize=address -O1 -g -fno-omit-frame-pointer. I think it was confirmed by Clang'sscan_buildtool as well (to add later).Frequency: sometimes (1/10)
Environment
Reproduction route
tools/ctap_test.py10 timesWith WIP code, from https://github.com/Nitrokey/nitrokey-fido2-firmware/tree/testing:
Logs
ASAN report (click)
References
Edit: add env info
Edit: remove whitespace
Edit: add scenario
The text was updated successfully, but these errors were encountered: