Merge pull request #4096 from gilles-peskine-arm/mpi_sub_abs-buffer_overflow-development
Fix buffer overflow in mbedtls_mpi_sub_abs negative case
This commit is contained in:
commit
bbd2bfb666
3 changed files with 29 additions and 4 deletions
7
ChangeLog.d/mpi_sub_abs.txt
Normal file
7
ChangeLog.d/mpi_sub_abs.txt
Normal file
|
@ -0,0 +1,7 @@
|
|||
Security
|
||||
* Fix a buffer overflow in mbedtls_mpi_sub_abs() when calculating
|
||||
|A| - |B| where |B| is larger than |A| and has more limbs (so the
|
||||
function should return MBEDTLS_ERR_MPI_NEGATIVE_VALUE). Only
|
||||
applications calling mbedtls_mpi_sub_abs() directly are affected:
|
||||
all calls inside the library were safe since this function is
|
||||
only called with |A| >= |B|. Reported by Guido Vranken in #4042.
|
|
@ -1401,6 +1401,12 @@ int mbedtls_mpi_sub_abs( mbedtls_mpi *X, const mbedtls_mpi *A, const mbedtls_mpi
|
|||
for( n = B->n; n > 0; n-- )
|
||||
if( B->p[n - 1] != 0 )
|
||||
break;
|
||||
if( n > A->n )
|
||||
{
|
||||
/* B >= (2^ciL)^n > A */
|
||||
ret = MBEDTLS_ERR_MPI_NEGATIVE_VALUE;
|
||||
goto cleanup;
|
||||
}
|
||||
|
||||
carry = mpi_sub_hlp( n, X->p, B->p );
|
||||
if( carry != 0 )
|
||||
|
|
|
@ -484,18 +484,30 @@ mbedtls_mpi_add_int:10:"20395687835640197740576586692903457728019399331434826309
|
|||
Test mbedtls_mpi_add_int #2
|
||||
mbedtls_mpi_add_int:10:"2039568783564019774057658669290345772801939933143482630947726464532830627227012776329":-9871232:10:"2039568783564019774057658669290345772801939933143482630947726464532830627227002905097"
|
||||
|
||||
Base test mbedtls_mpi_sub_abs #1 (Test with larger second input)
|
||||
Base test mbedtls_mpi_sub_abs #1 (|B| > |A|)
|
||||
mbedtls_mpi_sub_abs:10:"5":10:"7":10:"0":MBEDTLS_ERR_MPI_NEGATIVE_VALUE
|
||||
|
||||
Base test mbedtls_mpi_sub_abs #2 (Test with larger second input)
|
||||
Base test mbedtls_mpi_sub_abs #2 (|B| > |A|)
|
||||
mbedtls_mpi_sub_abs:10:"-5":10:"-7":10:"0":MBEDTLS_ERR_MPI_NEGATIVE_VALUE
|
||||
|
||||
Base test mbedtls_mpi_sub_abs #3 (Test with larger second input)
|
||||
Base test mbedtls_mpi_sub_abs #3 (|B| > |A|)
|
||||
mbedtls_mpi_sub_abs:10:"-5":10:"7":10:"0":MBEDTLS_ERR_MPI_NEGATIVE_VALUE
|
||||
|
||||
Base test mbedtls_mpi_sub_abs #4 (Test with larger second input)
|
||||
Base test mbedtls_mpi_sub_abs #4 (|B| > |A|)
|
||||
mbedtls_mpi_sub_abs:10:"5":10:"-7":10:"0":MBEDTLS_ERR_MPI_NEGATIVE_VALUE
|
||||
|
||||
Base test mbedtls_mpi_sub_abs #1 (|B| >> |A| with more limbs)
|
||||
mbedtls_mpi_sub_abs:10:"5":16:"123456789abcdef01":10:"0":MBEDTLS_ERR_MPI_NEGATIVE_VALUE
|
||||
|
||||
Base test mbedtls_mpi_sub_abs #2 (|B| >> |A| with more limbs)
|
||||
mbedtls_mpi_sub_abs:10:"-5":16:"-123456789abcdef01":10:"0":MBEDTLS_ERR_MPI_NEGATIVE_VALUE
|
||||
|
||||
Base test mbedtls_mpi_sub_abs #3 (|B| >> |A| with more limbs)
|
||||
mbedtls_mpi_sub_abs:10:"-5":16:"123456789abcdef01":10:"0":MBEDTLS_ERR_MPI_NEGATIVE_VALUE
|
||||
|
||||
Base test mbedtls_mpi_sub_abs #4 (|B| >> |A| with more limbs)
|
||||
mbedtls_mpi_sub_abs:10:"5":16:"-123456789abcdef01":10:"0":MBEDTLS_ERR_MPI_NEGATIVE_VALUE
|
||||
|
||||
Base test mbedtls_mpi_sub_abs #1
|
||||
mbedtls_mpi_sub_abs:10:"7":10:"5":10:"2":0
|
||||
|
||||
|
|
Loading…
Reference in a new issue