
F-1899 : fix potential heap buffer over-read #220

Draft
miyazakh wants to merge 4 commits into wolfSSL:main from miyazakh:f-1899_heapbuffer_over-read

Conversation

@miyazakh
Contributor

@miyazakh miyazakh commented Apr 8, 2026

Fix potential heap buffer over-read
Refactor wolfCLU_sign_data_dilithium
Add test coverage

Depends on: #219

Copilot AI review requested due to automatic review settings April 8, 2026 07:24
@miyazakh miyazakh self-assigned this Apr 8, 2026

Copilot AI left a comment


Pull request overview

This PR addresses robustness and safety in signing/verification workflows, primarily targeting Dilithium signing error handling to prevent potential heap misuse, and extends regression coverage via shell tests.

Changes:

  • Refactors wolfCLU_sign_data_dilithium to improve cleanup/error-path handling and avoid unsafe buffer usage patterns.
  • Updates ECC sign/verify to hash input data before calling ECDSA primitives.
  • Adds Dilithium negative-path regression tests to ensure failures don’t create output files.

Reviewed changes

Copilot reviewed 4 out of 4 changed files in this pull request and generated 4 comments.

File: Description
  • tests/genkey_sign_ver/genkey-sign-ver-test.sh: Adds Dilithium failure-mode tests (invalid output path, wrong key type, corrupted key) and cleans up new artifacts.
  • src/x509/clu_x509_sign.c: Adjusts wolfSSL_BIO_get_fp calls (casts) while loading key material for Chimera cert signing.
  • src/sign-verify/clu_verify.c: Changes ECC verification to hash input data prior to wc_ecc_verify_hash.
  • src/sign-verify/clu_sign.c: Changes ECC signing to hash input data prior to wc_ecc_sign_hash; refactors Dilithium signing for safer handling.


Comment on lines 649 to +653
wolfCLU_LogError("Failed to initialize Dilithium Key.\nRET: %d", ret);
#ifdef WOLFSSL_SMALL_STACK
XFREE(key, HEAP_HINT, DYNAMIC_TYPE_TMP_BUFFER);
#endif
return WOLFCLU_FAILURE;
ret = WOLFCLU_FAILURE;
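Review bot: with "return WOLFCLU_FAILURE;" replaced by "ret = WOLFCLU_FAILURE;", control now falls through past this block, but the "XFREE(key, HEAP_HINT, DYNAMIC_TYPE_TMP_BUFFER);" under WOLFSSL_SMALL_STACK still runs here, so key is freed while the code that follows (and any common cleanup at function exit) may still use or free it. Either drop the XFREE from this branch and let the single exit path free key, or set key = NULL right after it and make sure every later use is guarded by ret.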

Copilot AI Apr 8, 2026


In the wc_dilithium_init() failure path, ret is set to WOLFCLU_FAILURE (which is 0). This function uses ret==0 as the “no error” sentinel, so the code will continue as if initialization succeeded and can end up returning overall success. Capture the init failure into ret (e.g., ret = wc_dilithium_init(...)) and ensure the error value stays non-zero/negative (or return immediately) so subsequent steps and the final return don’t report success.

Comment on lines +673 to +676
XFSEEK(privKeyFile, 0, SEEK_END);
privFileSz = (int)XFTELL(privKeyFile);
privBuf = (byte*)XMALLOC(privFileSz+1, HEAP_HINT,
DYNAMIC_TYPE_TMP_BUFFER);
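Review bot: after "XFSEEK(privKeyFile, 0, SEEK_END);" this hunk shows no XFSEEK(privKeyFile, 0, SEEK_SET) before privBuf is filled, so a read that follows would start at end-of-file and leave the buffer uninitialized; add the rewind right after XFTELL. The XFSEEK return value is also discarded and privFileSz goes straight into "XMALLOC(privFileSz+1, ...)"; XFTELL returns -1 on failure, which turns the request into a 0-byte allocation, so check the seek result and require privFileSz > 0 (with an upper bound appropriate for a key file) before allocating.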

Copilot AI Apr 8, 2026


privFileSz is taken directly from XFTELL() and then used in privFileSz+1 allocation without validating the seek/tell results. If XFTELL() fails (e.g., returns -1) this can underflow/overflow the allocation size and lead to invalid reads. Check XFSEEK/XFTELL return values and validate privFileSz > 0 (and within a reasonable upper bound) before allocating/reading.

/* verify the hash with Ecc public key */
if (ret == 0) {
ret = wc_ecc_verify_hash(sig, sigSz, hashBuf, digestSz,
&stat, &key);
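Review bot: the hashBuf/digestSz passed to wc_ecc_verify_hash here must be produced with exactly the key-size-to-hash rule that signing uses (SHA-256 for keySz <= 32 in the clu_sign.c hunk at lines 398 to 404), otherwise signatures produced by this same tool will not verify; a single shared helper that maps key size to hashType keeps the two sites from drifting. Independently of that, wc_ecc_verify_hash() returns 0 for a well-formed but invalid signature and reports validity only through stat, so "ret == 0" after this call does not mean the signature verified; check stat != 1 and set a failing ret.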

Copilot AI Apr 8, 2026


wc_ecc_verify_hash() returns 0 even when the signature is invalid (it reports validity via the stat out-param). Right now this call’s result is used as the only success indicator, so an invalid signature can still propagate as overall success. After this call, treat stat != 1 as a verification failure and set a non-success return code so the CLI exits non-zero on invalid signatures.

Suggested change
&stat, &key);
&stat, &key);
if (ret == 0 && stat != 1) {
wolfCLU_LogError("Invalid Signature.");
ret = -1;
}

Comment on lines +398 to +404
/* hash the input data before signing -- ECDSA signs a digest, not raw
* data. Select a curve-appropriate hash paired with the curve
* strength; ECDSA will truncate the digest as needed. */
keySz = wc_ecc_size(&key);
if (keySz <= 32) {
hashType = WC_HASH_TYPE_SHA256;
}
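Review bot: "if (keySz <= 32) { hashType = WC_HASH_TYPE_SHA256; }" is the only assignment to hashType visible in this hunk, so hashType needs either a definite initialization before the block or an else chain covering every key size wolfCLU accepts, ending in an else that fails with a clear error for an unsupported size; otherwise an uninitialized or stale hashType reaches the digest step. Note also that wc_ecc_size() returns 0 for a key with no curve set, and 0 satisfies keySz <= 32, so a bad key silently selects SHA-256 instead of failing; reject keySz <= 0 before the comparison.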

Copilot AI Apr 8, 2026


This PR description focuses on Dilithium heap over-read/refactor, but this hunk also changes ECC signing semantics by hashing the input before ECDSA signing (previously the input bytes were passed directly to wc_ecc_sign_hash). Please call out this behavioral change in the PR description/changelog, since it can affect interoperability with signatures generated/verified by previous versions.
