Add advisory for bigint #290
Conversation
I'd not comfortably propose |
|
I think it's probably worth filing two advisories for |
So if you're ok with that, let's leave this as the vulnerability and someone who feels comfortable recommending a different bignum library will create the unmaintained one? |
|
Sounds good |
|
I think the formatting of the UB vuln advisory should be fixed. It contains double newlines and a newline as first line... |
Will fix, mostly because I had to delete all the comments from the sample :) |
| Affected versions of this crate contained multiple Undefined Behaviours | ||
| Triggering Undefined Behavior can produce unknown results and thus isn't safe to use |
There was a problem hiding this comment.
These sentences should end in periods.
It'd also probably be good to be a little more specific about what the problems are.
|
Hi there, maintainer of uint here. If this vulnerability is the same as paritytech/parity-common#380, I want to point out that it's not possible to exploit it in any way, since the misconstructed pointers are never dereferenced. In fact it's typical for C++ code to create such pointers and it's not considered UB there // v.end() is out of bounds
for (std::vector<int>::iterator it = v.begin() ; it != v.end(); ++it) {...}
The bigint crate was deprecated in favor of uint 2 years ago as you can see from its readme. It seems to be used in a couple of hobby zk libs, I wouldn't call it "a bunch of cryptographic libraries". |
|
@ordian any advice for the types of advisories we should file here? Do you think a vulnerability advisory is warranted, or should we just file an informational advisory that |
Thanks for the quick reply! I think an informational advisory suggesting the use of |
FWIW, C and C++ allow pointers to point to one past the last element of the array/object(but not dereference that pointer) but rust gives you 2 options, |
Btw this is not correct; |
|
The problem here was that the code created a pointer to one before the allocated object (fixed in paritytech/parity-common#381). This is UB in C/C++ as well as in Rust.
So this is just not correct I think -- the same code is UB in C++ as well. |
|
@RalfJung https://en.cppreference.com/w/cpp/container/vector/rend, I don't know how it's implemented in practice though. EDIT: Ok, I think you're right. Anyway, this PR is for |
So I maintain my claim that having a pointer to one before an allocation is UB in C/C++. The reverse iterator probably has to do something clever to avoid that UB. |
Good point; I opened #338 to reflect the maintenance state. |
|
Sorry I wasn't really following, should I close this? should I change something?
Ha! I see that the docs also say that, that's weird I remember explicitly that this was another instance of difference between rust and C, but I guess I remembered wrong, ha. |
|
@elichai you have some comments requesting changes, but IMO what makes more sense is to close this PR and issue a deprecation advisory instead (which is what #338 does). YMMV though. |
|
I am not recommending anything, I am just quoting the bigint crate page. |
Hi,
The bigint library(https://github.com/paritytech/bigint) is a copy of very old code(written pre-1.0 in 2014) and contains a bunch of UB, including uninitialized memory, pointers out of bounds etc.
Even the simplest example triggers UB in miri: https://play.rust-lang.org/?version=stable&mode=debug&edition=2015&gist=5f059a27e245cad9f9e49be2b68678c8
(Sadly it seems that there's a bunch of cryptographic libraries depending on this https://crates.io/crates/bigint/reverse_dependencies )