Change in libosmocore[master]: gsm: kasumi: Fix dynamic-stack-buffer-overflow on out buffers not mul...

This is merely a historical archive of years 2008-2021, before the migration to mailman3.

A maintained and still updated list archive can be found at https://lists.osmocom.org/hyperkitty/list/gerrit-log@lists.osmocom.org/.

Harald Welte gerrit-no-reply at lists.osmocom.org
Thu May 17 12:05:31 UTC 2018


Harald Welte has submitted this change and it was merged. ( https://gerrit.osmocom.org/9207 )

Change subject: gsm: kasumi: Fix dynamic-stack-buffer-overflow on out buffers not multiple of 64 bits
......................................................................

gsm: kasumi: Fix dynamic-stack-buffer-overflow on out buffers not multiple of 64 bits

Fixes following AddressSanitizer report during gea_test run with gcc
8.1.0:

==8899==ERROR: AddressSanitizer: dynamic-stack-buffer-overflow on address 0x7ffc5f1719bb at pc 0x7fe574adc5fe bp 0x7ffc5f171460 sp 0x7ffc5f171450
WRITE of size 1 at 0x7ffc5f1719bb thread T0
    #0 0x7fe574adc5fd in osmo_store64be_ext ../../include/osmocom/core/bit64gen.h:75
    #1 0x7fe574adc649 in osmo_store64be ../../include/osmocom/core/bit64gen.h:104
    #2 0x7fe574ade936 in _kasumi_kgcore libosmocore/src/gsm/kasumi.c:186
    #3 0x7fe574ae2532 in gea4 libosmocore/src/gsm/gea.c:44
    #4 0x7fe574ae266c in gea3 libosmocore/src/gsm/gea.c:60
    #5 0x7fe574a9b616 in gprs_cipher_run libosmocore/src/gsm/gprs_cipher_core.c:95
    #6 0x56422d3fb2ee in test_gea libosmocore/tests/gea/gea_test.c:29
    #7 0x56422d3fb506 in main libosmocore/tests/gea/gea_test.c:49
    #8 0x7fe5730f406a in __libc_start_main (/usr/lib/libc.so.6+0x2306a)
    #9 0x56422d3fadf9 in _start (libosmocore/tests/gea/.libs/lt-gea_test+0x1df9)

The kasumi_test is updated to calculate the entire array of bits
according to expected result. Before this commit it worked by writing
the entire last 64bit block, and addressSanitizer cannot catch it
because the allocated buffer is 64bit aligned too.

Change-Id: I7b2a0224a3b5527d5a3ad7e17efc73081b63eac1
---
M src/gsm/kasumi.c
M tests/kasumi/kasumi_test.c
2 files changed, 15 insertions(+), 6 deletions(-)

Approvals:
  Jenkins Builder: Verified
  Harald Welte: Looks good to me, approved



diff --git a/src/gsm/kasumi.c b/src/gsm/kasumi.c
index 7de5cd0..f93c002 100644
--- a/src/gsm/kasumi.c
+++ b/src/gsm/kasumi.c
@@ -159,6 +159,7 @@
 	}
 }
 
+/* if cl is not multiple of 8 (a byte), co needs to be sized on the upper bound so the entire byte can be written. */
 void _kasumi_kgcore(uint8_t CA, uint8_t cb, uint32_t cc, uint8_t cd, const uint8_t *ck, uint8_t *co, uint16_t cl)
 {
 	uint16_t KLi1[8], KLi2[8], KOi1[8], KOi2[8], KOi3[8], KIi1[8], KIi2[8], KIi3[8], i;
@@ -181,8 +182,16 @@
 	_kasumi_key_expand(ck, KLi1, KLi2, KOi1, KOi2, KOi3, KIi1, KIi2, KIi3);
 
 	/* i is a block counter */
-	for (i = 0; i < cl / 64 + 1; i++) {
+	for (i = 0; i < cl / 64; i++) {
 		BLK = _kasumi(A ^ i ^ BLK, KLi1, KLi2, KOi1, KOi2, KOi3, KIi1, KIi2, KIi3);
 		osmo_store64be(BLK, co + (i * 8));
 	}
+
+	/* Last 64-byte unaligned round. Take also into account last bits non-byte aligned. */
+	uint8_t bytes_remain = cl/8%8 + (cl%8 ? 1 : 0);
+	if (bytes_remain) {
+		BLK = _kasumi(A ^ (cl / 64) ^ BLK, KLi1, KLi2, KOi1, KOi2, KOi3, KIi1, KIi2, KIi3);
+		BLK = BLK >> (8-bytes_remain)*8;
+		osmo_store64be_ext(BLK, co + (cl / 64 * 8), bytes_remain);
+	}
 }
diff --git a/tests/kasumi/kasumi_test.c b/tests/kasumi/kasumi_test.c
index f0f173b..963ce77 100644
--- a/tests/kasumi/kasumi_test.c
+++ b/tests/kasumi/kasumi_test.c
@@ -109,27 +109,27 @@
 
 	uint8_t _Key1[] = {0x2B, 0xD6, 0x45, 0x9F, 0x82, 0xC5, 0xBC, 0x00, 0x2B, 0xD6, 0x45, 0x9F, 0x82, 0xC5, 0xBC, 0x00},
 	_gamma1[] = {0x88, 0x9E, 0xEA, 0xAF, 0x9E, 0xD1, 0xBA, 0x1A, 0xBB, 0xD8, 0x43, 0x62, 0x32, 0xE4, 0x57, 0x28, 0xD0, 0x1A, 0xA8, 0x91, 0x33, 0xDA, 0x73, 0xC1, 0x1E, 0xAB, 0x68, 0xB7, 0xD8, 0x9B, 0xC8, 0x41};
-	_kasumi_kgcore(0xF, 0, 0x0024F20F, 0, _Key1, gamma, 228);
+	_kasumi_kgcore(0xF, 0, 0x0024F20F, 0, _Key1, gamma, 32*8);
 	printf ("KGCORE Test Set 1: %d\n", _compare_mem(gamma, _gamma1, 32));
 
 	uint8_t _Key2[] = {0x95, 0x2C, 0x49, 0x10, 0x48, 0x81, 0xFF, 0x48, 0x95, 0x2C, 0x49, 0x10, 0x48, 0x81, 0xFF, 0x48},
 	_gamma2[] = {0xFB, 0x4D, 0x5F, 0xBC, 0xEE, 0x13, 0xA3, 0x33, 0x89, 0x28, 0x56, 0x86, 0xE9, 0xA5, 0xC9, 0x42, 0x40, 0xDE, 0x38, 0x15, 0x01, 0x15, 0xF1, 0x5F, 0x8D, 0x9D, 0x98, 0xB9, 0x1A, 0x94, 0xB2, 0x96};
-	_kasumi_kgcore(0xF, 0, 0x00061272, 0, _Key2, gamma, 228);
+	_kasumi_kgcore(0xF, 0, 0x00061272, 0, _Key2, gamma, 32*8);
 	printf ("KGCORE Test Set 2: %d\n", _compare_mem(gamma, _gamma2, 32));
 
 	uint8_t _Key3[] = {0xEF, 0xA8, 0xB2, 0x22, 0x9E, 0x72, 0x0C, 0x2A, 0xEF, 0xA8, 0xB2, 0x22, 0x9E, 0x72, 0x0C, 0x2A},
 	_gamma3[] = {0x0E, 0x40, 0x15, 0x75, 0x5A, 0x33, 0x64, 0x69, 0xC3, 0xDD, 0x86, 0x80, 0xE3, 0x03, 0x5B, 0xC4, 0x19, 0xA7, 0x8A, 0xD3, 0x86, 0x2C, 0x10, 0x90, 0xC6, 0x8A, 0x39, 0x1F, 0xE8, 0xA6, 0xAD, 0xEB};
-	_kasumi_kgcore(0xF, 0, 0x0033FD3F, 0, _Key3, gamma, 228);
+	_kasumi_kgcore(0xF, 0, 0x0033FD3F, 0, _Key3, gamma, 32*8);
 	printf ("KGCORE Test Set 3: %d\n", _compare_mem(gamma, _gamma3, 32));
 
 	uint8_t _Key4[] = {0x5A, 0xCB, 0x1D, 0x64, 0x4C, 0x0D, 0x51, 0x20, 0x4E, 0xA5, 0x5A, 0xCB, 0x1D, 0x64, 0x4C, 0x0D},
 	_gamma4[] = {0xE0, 0x95, 0x30, 0x6A, 0xD5, 0x08, 0x6E, 0x2E, 0xAC, 0x7F, 0x31, 0x07, 0xDE, 0x4F, 0xA2, 0x2D, 0xC1, 0xDF, 0xC9, 0x7D, 0x5B, 0xC5, 0x66, 0x1D, 0xD6, 0x09, 0x6F, 0x47, 0x6A, 0xED, 0xC6, 0x4B};
-	_kasumi_kgcore(0xF, 0, 0x00156B26, 0, _Key4, gamma, 228);
+	_kasumi_kgcore(0xF, 0, 0x00156B26, 0, _Key4, gamma, 32*8);
 	printf ("KGCORE Test Set 4: %d\n", _compare_mem(gamma, _gamma4, 32));
 
 	uint8_t _Key5[] = {0xD3, 0xC5, 0xD5, 0x92, 0x32, 0x7F, 0xB1, 0x1C, 0x40, 0x35, 0xC6, 0x68, 0x0A, 0xF8, 0xC6, 0xD1},
 	_gamma5[] = {0xDC, 0xE6, 0x43, 0x62, 0xAB, 0x5F, 0x89, 0xC1, 0x1E, 0xF0, 0xB3, 0x05, 0x16, 0x65, 0x70, 0xF4, 0x88, 0x9D, 0x55, 0x11, 0xE9, 0xE3, 0x57, 0x5D, 0x06, 0x2B, 0x5C, 0xED, 0x60, 0x39, 0x50, 0x6A};
-	_kasumi_kgcore(0xF, 0, 0x000A59B4, 0, _Key5, gamma, 228);
+	_kasumi_kgcore(0xF, 0, 0x000A59B4, 0, _Key5, gamma, 32*8);
 	printf ("KGCORE Test Set 5: %d\n", _compare_mem(gamma, _gamma5, 32));
 
 	return 0;

-- 
To view, visit https://gerrit.osmocom.org/9207
To unsubscribe, or for help writing mail filters, visit https://gerrit.osmocom.org/settings

Gerrit-Project: libosmocore
Gerrit-Branch: master
Gerrit-MessageType: merged
Gerrit-Change-Id: I7b2a0224a3b5527d5a3ad7e17efc73081b63eac1
Gerrit-Change-Number: 9207
Gerrit-PatchSet: 3
Gerrit-Owner: Pau Espin Pedrol <pespin at sysmocom.de>
Gerrit-Reviewer: Harald Welte <laforge at gnumonks.org>
Gerrit-Reviewer: Jenkins Builder
Gerrit-Reviewer: Max <msuraev at sysmocom.de>
Gerrit-Reviewer: Pau Espin Pedrol <pespin at sysmocom.de>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.osmocom.org/pipermail/gerrit-log/attachments/20180517/50aa4561/attachment.htm>


More information about the gerrit-log mailing list