mpi_write_hlp buffer overflow

[guidovranken]

Google oss-fuzz found a buffer overflow in mpi_write_hlp. This is most likely due to 91af329#diff-c252711ea8b2703e393502bfe46bff62

The overflow occurs at library/bignum.c:553.

See: https://oss-fuzz.com/testcase-detail/5167698789531648

[hanno-becker]

Hi @guidovranken,

thanks for your report! However, I'm lacking access to the page you linked. Could you please provide more details here? So far, I don't see how the loop in 91af329#diff-c252711ea8b2703e393502bfe46bff62 would lead to an overflow.

Thanks!
Hanno

[guidovranken]

Hi Hanno,

your team should have access to the ClusterFuzz interface via support-mbedtls@arm.com, see also: #2038

It happens with the number is negative:

Compile mbed tls and the following file with address sanitizer (-fsanitize=address) to verify.

#include <mbedtls/bignum.h>
#include <stdlib.h>

static int bignum_from_string(const char* input, mbedtls_mpi** output)
{
    mbedtls_mpi* mpi = NULL;

    *output = NULL;

    if ( (mpi = malloc(sizeof(*mpi))) == NULL ) {
        goto error;
    }

    mbedtls_mpi_init(mpi);

    if ( mbedtls_mpi_read_string(mpi, 10, input) != 0 ) {
        goto error;
    }

    *output = mpi;
    return 0;

error:
    free(mpi);

    return -1;
}

static int string_from_bignum(mbedtls_mpi* mpi, char** output)
{
    size_t olen;
    int ret;

    *output = NULL;

    ret = mbedtls_mpi_write_string(mpi, 10, NULL, 0, &olen);
    if ( ret != MBEDTLS_ERR_MPI_BUFFER_TOO_SMALL ) {
        goto error;
    }

    if ( (*output = malloc(olen)) == NULL ) {
        goto error;
    }

    if ( mbedtls_mpi_write_string(mpi, 10, *output, olen, &olen) != 0 ) {
        goto error;
    }

    return 0;
error:
    free(*output);
    *output = NULL;
    return -1;
}

int main(void)
{
    const char* instr = "-1";
    mbedtls_mpi* outmpi;
    char* outstr;
    if ( bignum_from_string(instr, &outmpi) == -1 ) {
        return 0;
    }
    if ( string_from_bignum(outmpi, &outstr) == 0 ) {
        free(outstr);
    }
    mbedtls_mpi_free(outmpi);
    return 0;
}

[hanno-becker]

Hi @guidovranken,

thanks, that clarifies things. The bug is not in mpi_write_hlp(), it's in the caller mbedtls_mpi_write_string():
https://github.com/ARMmbed/mbedtls/blob/f352f75f6bd5734c8f671323dd6ab32472d5da34/library/bignum.c#L604-L605
This increases the output pointer but doesn't decrease buflen. Luckily, it only occurs for negative numbers, and for those it's questionable why they are supported in the first place...

I'll open a PR with the fix.

Thanks again for your report,
Hanno

[ciarmcom]

ARM Internal Ref: IOTSSL-2760

[guidovranken]

When will you merge the fix?