
ARIA CMAC OOB read #9500

@guidovranken

Description


https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=16129

```c
#define CF_CHECK_EQ(expr, res) if ( (expr) != (res) ) { goto end; }
#define CF_CHECK_NE(expr, res) if ( (expr) == (res) ) { goto end; }

#include <openssl/evp.h>
#include <openssl/cmac.h>

int main(void)
{
    /* 2-byte key: far shorter than the 24 bytes an ARIA-192 key schedule reads */
    const unsigned char key[2] = { 0 };
    CMAC_CTX* ctx = CMAC_CTX_new();
    const EVP_CIPHER* cipher = NULL;

    /* Initialize */
    {
        CF_CHECK_NE(ctx, NULL);
        CF_CHECK_NE(cipher = EVP_aria_192_gcm(), NULL);
        /* CMAC_Init passes the 2-byte buffer straight to the ARIA-GCM key setup */
        CF_CHECK_EQ(CMAC_Init(ctx, key, sizeof(key), cipher, NULL), 1);
    }

end:
    CMAC_CTX_free(ctx);
    return 0;
}
```

```
==1==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x603000000952 at pc 0x000000ee1f20 bp 0x7fffa40c1870 sp 0x7fffa40c1868
READ of size 1 at 0x603000000952 thread T0
SCARINESS: 12 (1-byte-read-heap-buffer-overflow)
    #0 0xee1f1f in aria_set_encrypt_key openssl/crypto/aria/aria.c:559:13
    #1 0x111fa7a in aria_gcm_init_key openssl/providers/common/ciphers/gcm_hw.c:277:5
    #2 0xe6c7dc in CMAC_Init openssl/crypto/cmac/cmac.c:128:14
```

Labels: issue: bug report