Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

secp256k1_rangeproof_genrand insufficient validation of signed argument #51

Closed
juli opened this issue Aug 28, 2015 · 1 comment
Closed

secp256k1_rangeproof_genrand insufficient validation of signed argument #51

juli opened this issue Aug 28, 2015 · 1 comment
Labels
security

Comments

@juli
Copy link

juli commented Aug 28, 2015
edited
Loading

The signed argument len of the secp256k1_rangeproof_genrand function must not be greater than 10 but its sign is not verified.. A negative len value will result in an unbounded copy operation to the rngseed buffer on the stack. Exploitable code paths were not identified.

See elements/src/secp256k1/src/modules/rangeproof/rangeproof_impl.h line 149 9d91a9f

secp256k1_rangeproof_genrand(secp256k1_scalar_t *sec, secp256k1_scalar_t *s, 
unsigned char *message, int *rsizes, int rings, const unsigned char *nonce,
const unsigned char *commit, const unsigned char *proof, int len) {
    unsigned char tmp[32];
    unsigned char rngseed[32 + 33 + 10];
    [...]
    VERIFY_CHECK(len <= 10);
    memcpy(rngseed, nonce, 32);
    memcpy(rngseed + 32, commit, 33);
    memcpy(rngseed + 65, proof, len);
@apoelstra
Copy link
Member

This function is not exposed in the public API, and is only ever called internally with constants and the result of sizeof operators. Not an issue.

delta1 pushed a commit to delta1/elements that referenced this issue Apr 28, 2023
Squashed 'src/crc32c/' changes from b5ef9be675..0d624261ef
1d44513 
0d624261ef Merge bitcoin-core/crc32c-subtree#2: Merge upstream
cac7ca830b Merge commit 'fa5ade41ee480003d9c5af6f43567ba22e4e17e6' into bitcoin-fork
fa5ade41ee Fix compilation warnings on ARM64 with old GCC versions. (ElementsProject#52)
db08d22129 Updated Travis-CI configuration. (ElementsProject#51)
e31619a5b7 Fix GitHub links. (ElementsProject#50)
7fa4c263e8 Update Travis CI config. (ElementsProject#49)
a3d9e6d1a4 Updated third_party/ and Travis CI config. (ElementsProject#48)

git-subtree-dir: src/crc32c
git-subtree-split: 0d624261ef83ab08c953c196540ed18f355add4c
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
security
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
3 participants
@juli @martindale @apoelstra