View Issue Details

ID: 0008798
Project: GNUnet
Category: util library
View Status: public
Last Update: 2024-06-08 12:03
Reporter: ulfvonbelow
Assigned To: schanzen
Priority: normal
Severity: minor
Reproducibility: always
Status: closed
Resolution: fixed
Platform: x86-64
OS: Guix System
OS Version: a1d711c92e
Product Version: Git master
Fixed in Version: 0.21.2
Summary: 0008798: zero-size variable array declaration in GNUNET_CRYPTO_symmetric_encrypt
Description
This showed up in the tests of libgnunetchat:

==================================== 3/4 =====================================
test: test_gnunet_chat_file
start time: 19:07:44
duration: 0.44s
result: exit status 0
command: LD_LIBRARY_PATH=/tmp/guix-build-libgnunetchat-0.3.1.drv-0/build/ MALLOC_PERTURB_=86 /tmp/guix-build-libgnunetchat-0.3.1.drv-0/build/tests/test_gnunet_chat_file.test
----------------------------------- stdout -----------------------------------
Running suite(s): File
100%: Checks: 1, Failures: 0, Errors: 0
----------------------------------- stderr -----------------------------------
crypto_symmetric.c:140:8: runtime error: variable length array bound evaluates to non-positive value 0
    #0 0x7ffff6fae5b6 in GNUNET_CRYPTO_symmetric_encrypt /tmp/guix-build-gnunet-0.21.1.drv-0/gnunet-0.21.1/src/lib/util/crypto_symmetric.c:140
    #1 0x7ffff5b54eb5 in GNUNET_FS_tree_encoder_next /tmp/guix-build-gnunet-0.21.1.drv-0/gnunet-0.21.1/src/service/fs/fs_tree.c:374
    #2 0x7ffff5b21543 in publish_content /tmp/guix-build-gnunet-0.21.1.drv-0/gnunet-0.21.1/src/service/fs/fs_publish.c:685
    #3 0x7ffff707f791 in GNUNET_MQ_handle_message /tmp/guix-build-gnunet-0.21.1.drv-0/gnunet-0.21.1/src/lib/util/mq.c:242
    #4 0x7ffff707fe13 in GNUNET_MQ_inject_message /tmp/guix-build-gnunet-0.21.1.drv-0/gnunet-0.21.1/src/lib/util/mq.c:192
    #5 0x7ffff6fc248d in recv_message /tmp/guix-build-gnunet-0.21.1.drv-0/gnunet-0.21.1/src/lib/util/client.c:347
    #6 0x7ffff707bf76 in GNUNET_MST_from_buffer /tmp/guix-build-gnunet-0.21.1.drv-0/gnunet-0.21.1/src/lib/util/mst.c:222
    #7 0x7ffff6fc2c29 in receive_ready /tmp/guix-build-gnunet-0.21.1.drv-0/gnunet-0.21.1/src/lib/util/client.c:447
    #8 0x7ffff70c86a3 in GNUNET_SCHEDULER_do_work /tmp/guix-build-gnunet-0.21.1.drv-0/gnunet-0.21.1/src/lib/util/scheduler.c:2137
    #9 0x7ffff70cb919 in select_loop /tmp/guix-build-gnunet-0.21.1.drv-0/gnunet-0.21.1/src/lib/util/scheduler.c:2436
    #10 0x7ffff70cb919 in GNUNET_SCHEDULER_run /tmp/guix-build-gnunet-0.21.1.drv-0/gnunet-0.21.1/src/lib/util/scheduler.c:738
    #11 0x7ffff70aaedb in GNUNET_PROGRAM_run2 /tmp/guix-build-gnunet-0.21.1.drv-0/gnunet-0.21.1/src/lib/util/program.c:381
    #12 0x7ffff70ac470 in GNUNET_PROGRAM_run /tmp/guix-build-gnunet-0.21.1.drv-0/gnunet-0.21.1/src/lib/util/program.c:408
    #13 0x4030b6 in test_gnunet_chat_file_send_fn ../source/tests/test_gnunet_chat_file.c:215
    #14 0x7ffff7e7e11c in tcase_run_tfun_fork /tmp/guix-build-check-0.15.2.drv-0/check-0.15.2/src/check_run.c:497
    #15 0x7ffff7e7e11c in srunner_iterate_tcase_tfuns /tmp/guix-build-check-0.15.2.drv-0/check-0.15.2/src/check_run.c:256
    #16 0x7ffff7e7e11c in srunner_run_tcase /tmp/guix-build-check-0.15.2.drv-0/check-0.15.2/src/check_run.c:402
    #17 0x7ffff7e7e11c in srunner_iterate_suites /tmp/guix-build-check-0.15.2.drv-0/check-0.15.2/src/check_run.c:222
    #18 0x7ffff7e7e11c in srunner_run_tagged /tmp/guix-build-check-0.15.2.drv-0/check-0.15.2/src/check_run.c:814
    #19 0x4022f3 in main ../source/tests/test_gnunet_chat_file.c:221
    #20 0x7ffff622c236 in __libc_start_call_main ../sysdeps/nptl/libc_start_call_main.h:58
    #21 0x7ffff622c2f1 in __libc_start_main_impl ../csu/libc-start.c:392
    #22 0x402360 in _start (/tmp/guix-build-libgnunetchat-0.3.1.drv-0/build/tests/test_gnunet_chat_file.test+0x402360)

==============================================================================

A zero-length variable-length array is undefined behavior, so it gets reported by UBSan.
Steps To Reproduce
1. Build and install gnunet with --enable-sanitizer
2. Build libgnunetchat and run its test suite
3. Observe complaint by UBSan
Additional Information
This is exactly what the GNUNET_NZL macro was made for, so a patch that uses it is attached.

Note that I'm not sure that it's wise to use a stack allocation here in the first place, unless there's some sort of guarantee that GNUNET_CRYPTO_symmetric_encrypt will only be called with relatively small block sizes.
Tags: No tags attached.
Attached Files
0001-util-ensure-nonzero-stack-allocation-in-G_C_symmetri.patch (807 bytes)   
From be1daa3d01194b8ca15a536f1a813efdcb5e04bb Mon Sep 17 00:00:00 2001
From: ulfvonbelow <striness@tilde.club>
Date: Fri, 3 May 2024 14:13:23 -0500
Subject: [PATCH] util: ensure nonzero stack allocation in
 G_C_symmetric_encrypt.

---
 src/lib/util/crypto_symmetric.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/src/lib/util/crypto_symmetric.c b/src/lib/util/crypto_symmetric.c
index a9217febd..c08b84c17 100644
--- a/src/lib/util/crypto_symmetric.c
+++ b/src/lib/util/crypto_symmetric.c
@@ -137,7 +137,7 @@ GNUNET_CRYPTO_symmetric_encrypt (const void *block,
                                  void *result)
 {
   gcry_cipher_hd_t handle;
-  char tmp[size];
+  char tmp[GNUNET_NZL(size)];
 
   if (GNUNET_OK != setup_cipher_aes (&handle, sessionkey, iv))
     return -1;
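Review bot: the clamp in `+  char tmp[GNUNET_NZL(size)];` removes the zero-bound VLA, but the scratch buffer is still a stack allocation whose length is chosen by the caller, so the concern raised under Additional Information is not addressed by this hunk; consider an explicit early return for `0 == size`, a documented maximum for `size`, or a heap allocation above a fixed threshold. Also worth checking whether the decrypt counterpart declares its scratch buffer the same way and needs the same change.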
-- 
2.41.0

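As an added illustration, not code from GNUnet or from the reporter: a C sketch of the two shapes discussed in this report. `encrypt_vla` mirrors the patched declaration using a local `NZL` macro (assumed here to clamp a length to at least 1, which is how GNUNET_NZL is used in the patch above); `encrypt_bounded` caps the stack scratch buffer at a fixed size and falls back to the heap beyond it, which is one answer to the reporter's question about stack allocation. `toy_mix` is a stand-in for the real cipher passes and is not encryption; the function names, the 4096-byte cap, the sample keys and the constructed input are all assumptions of this example.

```c
#include <stddef.h>
#include <stdlib.h>
#include <string.h>

/* Local stand-in for GNUNET_NZL (assumed semantics): clamp a length to at
   least 1 so a VLA declared with it never has the undefined bound 0. */
#define NZL(l) ((l) > 0 ? (l) : 1)

/* Largest scratch buffer we allow on the stack; assumption for this example. */
#define STACK_SCRATCH 4096

/* Toy mixer standing in for the two cipher passes of the real function.
   It XORs with a repeating key so the example runs offline; NOT encryption. */
static void toy_mix(const unsigned char *in, unsigned char *out, size_t n,
                    const unsigned char *key, size_t keylen)
{
  for (size_t i = 0; i < n; i++)
    out[i] = in[i] ^ key[i % keylen];
}

/* Scrub through a volatile pointer so the store cannot be dropped as dead. */
static void scrub(unsigned char *p, size_t n)
{
  volatile unsigned char *v = p;
  while (n-- > 0)
    *v++ = 0;
}

/* Variant 1: same shape as the patched GNUnet code. The bound is clamped, so
   size == 0 no longer declares a zero-length array, but stack use still grows
   with the caller's size. Returns bytes written or -1. */
long encrypt_vla(const void *block, size_t size,
                 const unsigned char *k1, const unsigned char *k2,
                 size_t keylen, void *result)
{
  unsigned char tmp[NZL(size)];            /* never tmp[0] */

  if (keylen == 0)
    return -1;
  toy_mix(block, tmp, size, k1, keylen);    /* first pass into scratch */
  toy_mix(tmp, result, size, k2, keylen);   /* second pass into result */
  scrub(tmp, size);
  return (long) size;
}

/* Variant 2: bounded stack use. Inputs up to STACK_SCRATCH use a fixed stack
   buffer, larger ones go through the heap; size 0 needs no special case.
   Returns bytes written or -1. */
long encrypt_bounded(const void *block, size_t size,
                     const unsigned char *k1, const unsigned char *k2,
                     size_t keylen, void *result)
{
  unsigned char stackbuf[STACK_SCRATCH];
  unsigned char *tmp = stackbuf;

  if (keylen == 0)
    return -1;
  if (size > STACK_SCRATCH)
  {
    tmp = malloc(size);
    if (tmp == NULL)
      return -1;
  }
  toy_mix(block, tmp, size, k1, keylen);
  toy_mix(tmp, result, size, k2, keylen);
  scrub(tmp, size);
  if (tmp != stackbuf)
    free(tmp);
  return (long) size;
}

/* Run both variants over a constructed input of the given size and report
   whether their outputs agree; returns 1 on agreement, 0 otherwise. */
int variants_agree(size_t size)
{
  static const unsigned char k1[4] = { 0x13, 0x37, 0xc0, 0xde };
  static const unsigned char k2[4] = { 0xde, 0xad, 0xbe, 0xef };
  unsigned char *in = malloc(NZL(size));
  unsigned char *a = malloc(NZL(size));
  unsigned char *b = malloc(NZL(size));
  int ok = 0;

  if (in != NULL && a != NULL && b != NULL)
  {
    for (size_t i = 0; i < size; i++)
      in[i] = (unsigned char) (i * 7 + 3);
    ok = encrypt_vla(in, size, k1, k2, 4, a) == (long) size
         && encrypt_bounded(in, size, k1, k2, 4, b) == (long) size
         && memcmp(a, b, size) == 0;
  }
  free(in);
  free(a);
  free(b);
  return ok;
}

int main(void)
{
  /* size 0 is the case UBSan flagged above; the last size forces the heap path */
  return (variants_agree(0) && variants_agree(16)
          && variants_agree(STACK_SCRATCH + 100)) ? 0 : 1;
}
```

Building this with `-fsanitize=undefined` and running it is the quickest way to see the difference: with `tmp[size]` instead of `tmp[NZL(size)]` the size-0 call reports the same "variable length array bound evaluates to non-positive value 0" diagnostic as the trace above, and with the clamp it is silent.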
Activities

schanzen (administrator), 2024-05-05 14:18, ~0022351
applied

schanzen (administrator), 2024-06-08 12:03, ~0022550
0.21.2 released

Issue History

Date Modified Username Field Change
2024-05-04 23:09 ulfvonbelow New Issue
2024-05-04 23:09 ulfvonbelow File Added: 0001-util-ensure-nonzero-stack-allocation-in-G_C_symmetri.patch
2024-05-05 14:18 schanzen Assigned To => schanzen
2024-05-05 14:18 schanzen Status new => resolved
2024-05-05 14:18 schanzen Resolution open => fixed
2024-05-05 14:18 schanzen Fixed in Version => 0.21.2
2024-05-05 14:18 schanzen Note Added: 0022351
2024-06-08 12:03 schanzen Note Added: 0022550
2024-06-08 12:03 schanzen Status resolved => closed