From 3008dde386f9db5fd1702983779fdccf4fbb34fd Mon Sep 17 00:00:00 2001 From: Gilles Peskine Date: Wed, 9 Jun 2021 18:55:57 +0200 Subject: [PATCH] Changelog for the fix to mbedtls_mpi_exp_mod(A=0) In Mbed TLS 2.26.0, the bug was hard to trigger, since all methods for parsing a bignum (mbedtls_mpi_read_xxx functions) constructed an mbedtls_mpi object with at least one limb. In the development branch, after the commit "New internal function mbedtls_mpi_resize_clear", this bug could be triggered by a TLS server, by passing invalid custom Diffie-Hellman parameters with G=0 transmitted as a 0-length byte string. Since the behavior change in mbedtls_mpi_read_binary and mbedtls_mpi_read_binary_le (constructing 0 limbs instead of 1 when passed empty input) turned out to have consequences despite being in principle an internal detail, mention it in the changelog. Signed-off-by: Gilles Peskine --- ChangeLog.d/mpi_exp_mod-zero.txt | 7 +++++++ 1 file changed, 7 insertions(+) create mode 100644 ChangeLog.d/mpi_exp_mod-zero.txt diff --git a/ChangeLog.d/mpi_exp_mod-zero.txt b/ChangeLog.d/mpi_exp_mod-zero.txt new file mode 100644 index 000000000..9df9031a9 --- /dev/null +++ b/ChangeLog.d/mpi_exp_mod-zero.txt @@ -0,0 +1,7 @@ +Bugfix + * Fix a null pointer dereference when mbedtls_mpi_exp_mod() was called with + A=0 represented with 0 limbs. Up to and including Mbed TLS 2.26, this bug + could not be triggered by code that constructed A with one of the + mbedtls_mpi_read_xxx functions (including in particular TLS code) since + those always built an mpi object with at least one limb. + Credit to OSS-Fuzz. Fixes #4641.
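Review bot: In the new ChangeLog.d/mpi_exp_mod-zero.txt entry, the sentence starting "Up to and including Mbed TLS 2.26" says only that the mbedtls_mpi_read_xxx functions used to build an mpi with at least one limb. It does not say what changed, although the commit message states that the behavior change in mbedtls_mpi_read_binary and mbedtls_mpi_read_binary_le (0 limbs instead of 1 on empty input) should be mentioned in the changelog. Consider naming those two functions and the new empty-input behavior explicitly, so that a reader who builds mbedtls_mpi objects from possibly empty buffers can tell that the 0-limb representation is now reachable through the parsing API. The commit message also gives the concrete trigger seen in the development branch: a TLS server sending custom Diffie-Hellman parameters with G=0 as a 0-length byte string. The entry covers this only indirectly with "including in particular TLS code". If the intent is that no released version was remotely affected, saying so in the entry would make the choice of the "Bugfix" heading for a null pointer dereference easier to justify to someone triaging from the changelog alone.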