File CVE-2016-2194+CVE-2016-2195.patch of Package Botan.4627
From 43462f8d24880c42ce66ea45a76c7611fdab25cd Mon Sep 17 00:00:00 2001
From: Jack Lloyd <lloyd@randombit.net>
Date: Mon, 1 Feb 2016 07:35:38 -0500
Subject: [PATCH 1/2] Fix ressol and point multiplication bugs
Infinite loop during modular square root with invalid inputs.
CVE-2016-2194
Heap overflow in ECC point. CVE-2016-2195
Update version to 1.10.11
---
botan_version.py | 2 +-
doc/log.txt | 11 +++++++++++
src/math/ec_gfp/point_gfp.cpp | 12 ++++++++++--
src/math/mp/mp_karat.cpp | 5 +++++
src/math/numbertheory/ressol.cpp | 6 +++---
5 files changed, 30 insertions(+), 6 deletions(-)
diff --git a/src/math/ec_gfp/point_gfp.cpp b/src/math/ec_gfp/point_gfp.cpp
index 7ac6b4141..afd3b9d32 100644
--- a/src/math/ec_gfp/point_gfp.cpp
+++ b/src/math/ec_gfp/point_gfp.cpp
@@ -11,6 +11,7 @@
#include <botan/numthry.h>
#include <botan/reducer.h>
#include <botan/internal/mp_core.h>
+#include <botan/internal/assert.h>
namespace Botan {
@@ -25,6 +26,10 @@ PointGFp::PointGFp(const CurveGFp& curve) :
PointGFp::PointGFp(const CurveGFp& curve, const BigInt& x, const BigInt& y) :
curve(curve), ws(2 * (curve.get_p_words() + 2))
{
+ if(x <= 0 || x >= curve.get_p())
+ throw Invalid_Argument("Invalid PointGFp x");
+ if(x <= 0 || x >= curve.get_p())
+ throw Invalid_Argument("Invalid PointGFp y");
coord_x = monty_mult(x, curve.get_r2());
coord_y = monty_mult(y, curve.get_r2());
coord_z = monty_mult(1, curve.get_r2());
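Review bot: The second added check in the `PointGFp(curve, x, y)` constructor tests `x` again while throwing "Invalid PointGFp y", so `y` is never range-checked before it reaches `monty_mult(y, curve.get_r2())`. Since the commit's stated purpose is to keep out-of-range coordinates away from the Montgomery routines, the condition should read `if(y <= 0 || y >= curve.get_p())`. Separately, `<= 0` also rejects a zero coordinate, which looks stricter than the field range [0, p); it is worth confirming that this is intended. The constructor body continues past the end of the hunk.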
@@ -68,15 +73,18 @@ void PointGFp::monty_sqr(BigInt& z, const BigInt& x) const
}
const BigInt& p = curve.get_p();
- const size_t p_size = curve.get_p_words();
const word p_dash = curve.get_p_dash();
+ const size_t p_size = curve.get_p_words();
+
+ const size_t x_sw = x.sig_words();
+ BOTAN_ASSERT(x_sw <= p_size, "x value in range");
SecureVector<word>& z_reg = z.get_reg();
z_reg.resize(2*p_size+1);
zeroise(z_reg);
bigint_monty_sqr(&z_reg[0], z_reg.size(),
- x.data(), x.size(), x.sig_words(),
+ x.data(), x.size(), x_sw,
p.data(), p_size, p_dash,
&ws[0]);
}
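Review bot: The new `BOTAN_ASSERT(x_sw <= p_size, ...)` in monty_sqr appears to be the only bound between a caller-supplied `x` and the fixed-size `z_reg` and `ws` buffers, but nothing in the code says so. I would add a comment above it such as `// x must already be reduced mod p: z_reg (2*p_size+1 words) and ws are sized from p_size only`. It is also worth confirming that BOTAN_ASSERT stays enabled in release builds and what it does on failure, because a check that compiles out gives no protection and one that aborts turns a malformed point into a process exit. Judging by the diffstat, monty_mult gets no matching check in this patch; that function is outside the hunk, so it should be verified separately. monty_sqr itself begins before the hunk.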
diff --git a/src/math/mp/mp_karat.cpp b/src/math/mp/mp_karat.cpp
index 945b3b61a..b25d60637 100644
--- a/src/math/mp/mp_karat.cpp
+++ b/src/math/mp/mp_karat.cpp
@@ -7,6 +7,7 @@
#include <botan/internal/mp_core.h>
#include <botan/internal/mp_asmi.h>
+#include <botan/internal/assert.h>
#include <botan/mem_ops.h>
namespace Botan {
@@ -249,6 +250,8 @@ void bigint_mul(word z[], size_t z_size, word workspace[],
const word x[], size_t x_size, size_t x_sw,
const word y[], size_t y_size, size_t y_sw)
{
+ BOTAN_ASSERT(z_size > x_sw && z_size > y_sw && z_size - x_sw >= y_sw, "Sufficient output size");
+
if(x_sw == 1)
{
bigint_linmul3(z, y, y_sw, x[0]);
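Review bot: The output-size assertions added to bigint_mul here and to bigint_sqr in the next hunk state the same requirement in two different forms (`z_size - x_sw >= y_sw` versus `z_size/2 >= x_sw`), and neither says what it means. A one-line comment on each, e.g. `// z must hold x_sw + y_sw words; the first two comparisons keep the subtraction from wrapping`, would make the precondition reviewable. Neither assertion relates `x_sw`/`y_sw` to `x_size`/`y_size`, so an inconsistent pair from a caller is still accepted as far as these hunks show. Both function bodies continue outside their hunks.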
@@ -303,6 +306,8 @@ void bigint_mul(word z[], size_t z_size, word workspace[],
void bigint_sqr(word z[], size_t z_size, word workspace[],
const word x[], size_t x_size, size_t x_sw)
{
+ BOTAN_ASSERT(z_size/2 >= x_sw, "Sufficient output size");
+
if(x_sw == 1)
{
bigint_linmul3(z, x, x_sw, x[0]);
diff --git a/src/math/numbertheory/ressol.cpp b/src/math/numbertheory/ressol.cpp
index 2e01406f8..adacd27f7 100644
--- a/src/math/numbertheory/ressol.cpp
+++ b/src/math/numbertheory/ressol.cpp
@@ -63,10 +63,10 @@ BigInt ressol(const BigInt& a, const BigInt& p)
{
q = mod_p.square(q);
++i;
- }
- if(s <= i)
- return -BigInt(1);
+ if(i >= s)
+ return -BigInt(1);
+ }
c = power_mod(c, BigInt(BigInt::Power2, s-i-1), p);
r = mod_p.multiply(r, c);
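Review bot: Moving the `i >= s` test inside the squaring loop is what bounds the loop, yet the code has no comment explaining it, and the resulting `i < s` invariant is also what keeps `s-i-1` on the following line non-negative. I would add above the check `// bound the squaring loop: give up once i reaches s instead of iterating forever on invalid input`. The `-BigInt(1)` return is a sentinel, so callers that handle untrusted values need to test for it; those callers are not visible in this patch. The loop header and the rest of ressol are outside the hunk.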
--
2.12.0