From 6260b707170ec21c88b627ad8ef31072b92f79e2 Mon Sep 17 00:00:00 2001 From: Gilles Peskine Date: Wed, 27 Jan 2021 22:30:43 +0100 Subject: [PATCH] mbedtls_mpi_sub_abs: fix buffer overflow in error case Fix a buffer overflow in mbedtls_mpi_sub_abs() when calculating |A| - |B| where |B| is larger than |A| and has more limbs (so the function should return MBEDTLS_ERR_MPI_NEGATIVE_VALUE). Fix #4042 Signed-off-by: Gilles Peskine --- ChangeLog.d/mpi_sub_abs.txt | 7 +++++++ library/bignum.c | 6 ++++++ 2 files changed, 13 insertions(+) create mode 100644 ChangeLog.d/mpi_sub_abs.txt diff --git a/ChangeLog.d/mpi_sub_abs.txt b/ChangeLog.d/mpi_sub_abs.txt new file mode 100644 index 000000000..9f34ee74b --- /dev/null +++ b/ChangeLog.d/mpi_sub_abs.txt @@ -0,0 +1,7 @@ +Security + * Fix a buffer overflow in mbedtls_mpi_sub_abs() when calculating + |A| - |B| where |B| is larger than |A| and has more limbs (so the + function should return MBEDTLS_ERR_MPI_NEGATIVE_VALUE). Only + applications calling mbedtls_mpi_sub_abs() directly are affected: + all calls inside the library were safe since this function is + only called with |A| >= |B|. Reported by Guido Vranken in #4042. diff --git a/library/bignum.c b/library/bignum.c index 2feb727d8..f133f6c13 100644 --- a/library/bignum.c +++ b/library/bignum.c @@ -1354,6 +1354,12 @@ int mbedtls_mpi_sub_abs( mbedtls_mpi *X, const mbedtls_mpi *A, const mbedtls_mpi for( n = B->n; n > 0; n-- ) if( B->p[n - 1] != 0 ) break; + if( n > A->n ) + { + /* B >= (2^ciL)^n > A */ + ret = MBEDTLS_ERR_MPI_NEGATIVE_VALUE; + goto cleanup; + } carry = mpi_sub_hlp( n, X->p, B->p ); if( carry != 0 )