<p>Harald Welte <strong>merged</strong> this change.</p><p><a href="https://gerrit.osmocom.org/9207">View Change</a></p><div style="white-space:pre-wrap">Approvals:
Jenkins Builder: Verified
Harald Welte: Looks good to me, approved
</div><pre style="font-family: monospace,monospace; white-space: pre-wrap;">gsm: kasumi: Fix dynamic-stack-buffer-overflow on out buffers not multiple of 64 bits<br><br>Fixes following AddressSanitizer report during gea_test run with gcc<br>8.1.0:<br><br>==8899==ERROR: AddressSanitizer: dynamic-stack-buffer-overflow on address 0x7ffc5f1719bb at pc 0x7fe574adc5fe bp 0x7ffc5f171460 sp 0x7ffc5f171450<br>WRITE of size 1 at 0x7ffc5f1719bb thread T0<br> #0 0x7fe574adc5fd in osmo_store64be_ext ../../include/osmocom/core/bit64gen.h:75<br> #1 0x7fe574adc649 in osmo_store64be ../../include/osmocom/core/bit64gen.h:104<br> #2 0x7fe574ade936 in _kasumi_kgcore libosmocore/src/gsm/kasumi.c:186<br> #3 0x7fe574ae2532 in gea4 libosmocore/src/gsm/gea.c:44<br> #4 0x7fe574ae266c in gea3 libosmocore/src/gsm/gea.c:60<br> #5 0x7fe574a9b616 in gprs_cipher_run libosmocore/src/gsm/gprs_cipher_core.c:95<br> #6 0x56422d3fb2ee in test_gea libosmocore/tests/gea/gea_test.c:29<br> #7 0x56422d3fb506 in main libosmocore/tests/gea/gea_test.c:49<br> #8 0x7fe5730f406a in __libc_start_main (/usr/lib/libc.so.6+0x2306a)<br> #9 0x56422d3fadf9 in _start (libosmocore/tests/gea/.libs/lt-gea_test+0x1df9)<br><br>The kasumi_test is updated to calculate the entire array of bits<br>according to expected result. Before this commit it worked by writing<br>the entire last 64bit block, and addressSanitizer cannot catch it<br>because the allocated buffer is 64bit aligned too.<br><br>Change-Id: I7b2a0224a3b5527d5a3ad7e17efc73081b63eac1<br>---<br>M src/gsm/kasumi.c<br>M tests/kasumi/kasumi_test.c<br>2 files changed, 15 insertions(+), 6 deletions(-)<br><br></pre><pre style="font-family: monospace,monospace; white-space: pre-wrap;"><span>diff --git a/src/gsm/kasumi.c b/src/gsm/kasumi.c</span><br><span>index 7de5cd0..f93c002 100644</span><br><span>--- a/src/gsm/kasumi.c</span><br><span>+++ b/src/gsm/kasumi.c</span><br><span>@@ -159,6 +159,7 @@</span><br><span> }</span><br><span> }</span><br><span> </span><br><span style="color: hsl(120, 100%, 40%);">+/* if cl is not multiple of 8 (a byte), co needs to be sized on the upper bound so the entire byte can be written. */</span><br><span> void _kasumi_kgcore(uint8_t CA, uint8_t cb, uint32_t cc, uint8_t cd, const uint8_t *ck, uint8_t *co, uint16_t cl)</span><br><span> {</span><br><span> uint16_t KLi1[8], KLi2[8], KOi1[8], KOi2[8], KOi3[8], KIi1[8], KIi2[8], KIi3[8], i;</span><br><span>@@ -181,8 +182,16 @@</span><br><span> _kasumi_key_expand(ck, KLi1, KLi2, KOi1, KOi2, KOi3, KIi1, KIi2, KIi3);</span><br><span> </span><br><span> /* i is a block counter */</span><br><span style="color: hsl(0, 100%, 40%);">- for (i = 0; i < cl / 64 + 1; i++) {</span><br><span style="color: hsl(120, 100%, 40%);">+ for (i = 0; i < cl / 64; i++) {</span><br><span> BLK = _kasumi(A ^ i ^ BLK, KLi1, KLi2, KOi1, KOi2, KOi3, KIi1, KIi2, KIi3);</span><br><span> osmo_store64be(BLK, co + (i * 8));</span><br><span> }</span><br><span style="color: hsl(120, 100%, 40%);">+</span><br><span style="color: hsl(120, 100%, 40%);">+ /* Last 64-byte unaligned round. Take also into account last bits non-byte aligned. */</span><br><span style="color: hsl(120, 100%, 40%);">+ uint8_t bytes_remain = cl/8%8 + (cl%8 ? 1 : 0);</span><br><span style="color: hsl(120, 100%, 40%);">+ if (bytes_remain) {</span><br><span style="color: hsl(120, 100%, 40%);">+ BLK = _kasumi(A ^ (cl / 64) ^ BLK, KLi1, KLi2, KOi1, KOi2, KOi3, KIi1, KIi2, KIi3);</span><br><span style="color: hsl(120, 100%, 40%);">+ BLK = BLK >> (8-bytes_remain)*8;</span><br><span style="color: hsl(120, 100%, 40%);">+ osmo_store64be_ext(BLK, co + (cl / 64 * 8), bytes_remain);</span><br><span style="color: hsl(120, 100%, 40%);">+ }</span><br><span> }</span><br><span>diff --git a/tests/kasumi/kasumi_test.c b/tests/kasumi/kasumi_test.c</span><br><span>index f0f173b..963ce77 100644</span><br><span>--- a/tests/kasumi/kasumi_test.c</span><br><span>+++ b/tests/kasumi/kasumi_test.c</span><br><span>@@ -109,27 +109,27 @@</span><br><span> </span><br><span> uint8_t _Key1[] = {0x2B, 0xD6, 0x45, 0x9F, 0x82, 0xC5, 0xBC, 0x00, 0x2B, 0xD6, 0x45, 0x9F, 0x82, 0xC5, 0xBC, 0x00},</span><br><span> _gamma1[] = {0x88, 0x9E, 0xEA, 0xAF, 0x9E, 0xD1, 0xBA, 0x1A, 0xBB, 0xD8, 0x43, 0x62, 0x32, 0xE4, 0x57, 0x28, 0xD0, 0x1A, 0xA8, 0x91, 0x33, 0xDA, 0x73, 0xC1, 0x1E, 0xAB, 0x68, 0xB7, 0xD8, 0x9B, 0xC8, 0x41};</span><br><span style="color: hsl(0, 100%, 40%);">- _kasumi_kgcore(0xF, 0, 0x0024F20F, 0, _Key1, gamma, 228);</span><br><span style="color: hsl(120, 100%, 40%);">+ _kasumi_kgcore(0xF, 0, 0x0024F20F, 0, _Key1, gamma, 32*8);</span><br><span> printf ("KGCORE Test Set 1: %d\n", _compare_mem(gamma, _gamma1, 32));</span><br><span> </span><br><span> uint8_t _Key2[] = {0x95, 0x2C, 0x49, 0x10, 0x48, 0x81, 0xFF, 0x48, 0x95, 0x2C, 0x49, 0x10, 0x48, 0x81, 0xFF, 0x48},</span><br><span> _gamma2[] = {0xFB, 0x4D, 0x5F, 0xBC, 0xEE, 0x13, 0xA3, 0x33, 0x89, 0x28, 0x56, 0x86, 0xE9, 0xA5, 0xC9, 0x42, 0x40, 0xDE, 0x38, 0x15, 0x01, 0x15, 0xF1, 0x5F, 0x8D, 0x9D, 0x98, 0xB9, 0x1A, 0x94, 0xB2, 0x96};</span><br><span style="color: hsl(0, 100%, 40%);">- _kasumi_kgcore(0xF, 0, 0x00061272, 0, _Key2, gamma, 228);</span><br><span style="color: hsl(120, 100%, 40%);">+ _kasumi_kgcore(0xF, 0, 0x00061272, 0, _Key2, gamma, 32*8);</span><br><span> printf ("KGCORE Test Set 2: %d\n", _compare_mem(gamma, _gamma2, 32));</span><br><span> </span><br><span> uint8_t _Key3[] = {0xEF, 0xA8, 0xB2, 0x22, 0x9E, 0x72, 0x0C, 0x2A, 0xEF, 0xA8, 0xB2, 0x22, 0x9E, 0x72, 0x0C, 0x2A},</span><br><span> _gamma3[] = {0x0E, 0x40, 0x15, 0x75, 0x5A, 0x33, 0x64, 0x69, 0xC3, 0xDD, 0x86, 0x80, 0xE3, 0x03, 0x5B, 0xC4, 0x19, 0xA7, 0x8A, 0xD3, 0x86, 0x2C, 0x10, 0x90, 0xC6, 0x8A, 0x39, 0x1F, 0xE8, 0xA6, 0xAD, 0xEB};</span><br><span style="color: hsl(0, 100%, 40%);">- _kasumi_kgcore(0xF, 0, 0x0033FD3F, 0, _Key3, gamma, 228);</span><br><span style="color: hsl(120, 100%, 40%);">+ _kasumi_kgcore(0xF, 0, 0x0033FD3F, 0, _Key3, gamma, 32*8);</span><br><span> printf ("KGCORE Test Set 3: %d\n", _compare_mem(gamma, _gamma3, 32));</span><br><span> </span><br><span> uint8_t _Key4[] = {0x5A, 0xCB, 0x1D, 0x64, 0x4C, 0x0D, 0x51, 0x20, 0x4E, 0xA5, 0x5A, 0xCB, 0x1D, 0x64, 0x4C, 0x0D},</span><br><span> _gamma4[] = {0xE0, 0x95, 0x30, 0x6A, 0xD5, 0x08, 0x6E, 0x2E, 0xAC, 0x7F, 0x31, 0x07, 0xDE, 0x4F, 0xA2, 0x2D, 0xC1, 0xDF, 0xC9, 0x7D, 0x5B, 0xC5, 0x66, 0x1D, 0xD6, 0x09, 0x6F, 0x47, 0x6A, 0xED, 0xC6, 0x4B};</span><br><span style="color: hsl(0, 100%, 40%);">- _kasumi_kgcore(0xF, 0, 0x00156B26, 0, _Key4, gamma, 228);</span><br><span style="color: hsl(120, 100%, 40%);">+ _kasumi_kgcore(0xF, 0, 0x00156B26, 0, _Key4, gamma, 32*8);</span><br><span> printf ("KGCORE Test Set 4: %d\n", _compare_mem(gamma, _gamma4, 32));</span><br><span> </span><br><span> uint8_t _Key5[] = {0xD3, 0xC5, 0xD5, 0x92, 0x32, 0x7F, 0xB1, 0x1C, 0x40, 0x35, 0xC6, 0x68, 0x0A, 0xF8, 0xC6, 0xD1},</span><br><span> _gamma5[] = {0xDC, 0xE6, 0x43, 0x62, 0xAB, 0x5F, 0x89, 0xC1, 0x1E, 0xF0, 0xB3, 0x05, 0x16, 0x65, 0x70, 0xF4, 0x88, 0x9D, 0x55, 0x11, 0xE9, 0xE3, 0x57, 0x5D, 0x06, 0x2B, 0x5C, 0xED, 0x60, 0x39, 0x50, 0x6A};</span><br><span style="color: hsl(0, 100%, 40%);">- _kasumi_kgcore(0xF, 0, 0x000A59B4, 0, _Key5, gamma, 228);</span><br><span style="color: hsl(120, 100%, 40%);">+ _kasumi_kgcore(0xF, 0, 0x000A59B4, 0, _Key5, gamma, 32*8);</span><br><span> printf ("KGCORE Test Set 5: %d\n", _compare_mem(gamma, _gamma5, 32));</span><br><span> </span><br><span> return 0;</span><br><span></span><br></pre><p>To view, visit <a href="https://gerrit.osmocom.org/9207">change 9207</a>. To unsubscribe, or for help writing mail filters, visit <a href="https://gerrit.osmocom.org/settings">settings</a>.</p><div itemscope itemtype="http://schema.org/EmailMessage"><div itemscope itemprop="action" itemtype="http://schema.org/ViewAction"><link itemprop="url" href="https://gerrit.osmocom.org/9207"/><meta itemprop="name" content="View Change"/></div></div>
<div style="display:none"> Gerrit-Project: libosmocore </div>
<div style="display:none"> Gerrit-Branch: master </div>
<div style="display:none"> Gerrit-MessageType: merged </div>
<div style="display:none"> Gerrit-Change-Id: I7b2a0224a3b5527d5a3ad7e17efc73081b63eac1 </div>
<div style="display:none"> Gerrit-Change-Number: 9207 </div>
<div style="display:none"> Gerrit-PatchSet: 3 </div>
<div style="display:none"> Gerrit-Owner: Pau Espin Pedrol <pespin@sysmocom.de> </div>
<div style="display:none"> Gerrit-Reviewer: Harald Welte <laforge@gnumonks.org> </div>
<div style="display:none"> Gerrit-Reviewer: Jenkins Builder </div>
<div style="display:none"> Gerrit-Reviewer: Max <msuraev@sysmocom.de> </div>
<div style="display:none"> Gerrit-Reviewer: Pau Espin Pedrol <pespin@sysmocom.de> </div>