yuzu/mbedtls
1
0
Fork 0
mirror of https://github.com/yuzu-emu/mbedtls.git synced 2025-02-02 22:41:02 +00:00
Code Issues Packages Projects Releases Wiki Activity

Fix potential buffer overflow in mpi_read_string()

Browse source 
Found by Guido Vranken.

Two possible integer overflows (during << 2 or addition in BITS_TO_LIMB())
could result in far too few memory to be allocated, then overflowing the
buffer in the subsequent for loop.

Both integer overflows happen when slen is close to or greater than
SIZE_T_MAX >> 2 (ie 2^30 on a 32 bit system).

Note: one could also avoid those overflows by changing BITS_TO_LIMB(s << 2) to
CHARS_TO_LIMB(s >> 1) but the solution implemented looks more robust with
respect to future code changes.
This commit is contained in:
Manuel Pégourié-Gonnard 2015-09-28 13:48:04 +02:00
parent 73011bba95
commit 9b75305d6a
2 changed files with 12 additions and 2 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

5
ChangeLog
View file

@ -6,6 +6,11 @@ Security
* Fix stack buffer overflow in pkcs12 decryption (used by
mbedtls_pk_parse_key(file)() when the password is > 129 bytes.
Found by Guido Vranken. Not triggerable remotely.
* Fix potential buffer overflow in mbedtls_mpi_read_string().
Found by Guido Vranken. Not exploitable remotely in the context of TLS,
but might be in other uses. On 32 bit machines, requires reading a string
of close to or larger than 1GB to exploit; on 64 bit machines, would require
reading a string of close to or larger than 2^62 bytes.
= Version 1.2.16 released 2015-09-17

9
library/bignum.c
View file

@ -34,6 +34,7 @@
#include "polarssl/bignum.h"
#include "polarssl/bn_mul.h"
#include <limits.h>
#include <stdlib.h>
/* Implementation that should never be optimized out by the compiler */
@ -47,9 +48,10 @@ static void polarssl_zeroize( void *v, size_t n ) {
/*
* Convert between bits/chars and number of limbs
* Divide first in order to avoid potential overflows
*/
#define BITS_TO_LIMBS(i) (((i) + biL - 1) / biL)
#define CHARS_TO_LIMBS(i) (((i) + ciL - 1) / ciL)
#define BITS_TO_LIMBS(i) ( (i) / biL + ( (i) % biL != 0 ) )
#define CHARS_TO_LIMBS(i) ( (i) / ciL + ( (i) % ciL != 0 ) )
/*
* Initialize one MPI
@ -287,6 +289,9 @@ int mpi_read_string( mpi *X, int radix, const char *s )
if( radix == 16 )
{
if( slen > SIZE_T_MAX >> 2 )
return( POLARSSL_ERR_MPI_BAD_INPUT_DATA );
n = BITS_TO_LIMBS( slen << 2 );
MPI_CHK( mpi_grow( X, n ) );