[gnutls-devel] [PATCH] Handle zero length plaintext for VIA PadLock functions

Matthias-Christian Ott ott at mirix.org
Tue Dec 30 03:34:03 CET 2014

On 2014-12-30 02:14, Matthias-Christian Ott wrote:
> If the plaintext is shorter than the block size of the used cipher,
> _gnutls_auth_cipher_encrypt2_tag calls _gnutls_cipher_encrypt2 with
> textlen = 0. padlock_ecb_encrypt and padlock_cbc_encrypt assume that the
> plaintext length (last parameter) is greater than zero and segfault
> otherwise. The assembler code for both functions is automatically
> generated and imported from OpenSSL, so to ease maintenance the length
> should be validated in the functions that call padlock_ecb_encrypt or
> padlock_cbc_encrypt.

It should be checked whether the resulting memory corruption is
exploitable. The functions execute rep movsl with the src and
destination addresses and a huge length that the attacker cannot
control. I'll leave the assessment to others.

Boundary value analysis and testing or design by contract would have
caught this bug. Perhaps it would be a good idea to systematically test
GnuTLS (testable functions, proper test suite, systematic test design,
coverage metrics) to prevent similar bugs in the future. It took me a
day to track this bug down. If there are a dozen or more of these
bugs in GnuTLS, such testing would be worthwhile.
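
A caller-side length guard with boundary-value cases, as an added example that is not part of the original message or of the GnuTLS patch. `stub_block_encrypt`, `guarded_encrypt`, `ERR_INVALID_LEN` and the nonzero-on-success convention are hypothetical stand-ins, and rejecting partial blocks is an assumption:

```c
#include <stddef.h>
#include <stdint.h>

#define BLOCK_SIZE 16          /* AES block size in bytes */
#define ERR_INVALID_LEN (-1)   /* hypothetical error code */

static int backend_calls;      /* how often the stand-in was reached */

/* Hypothetical stand-in for a block routine that requires len > 0.
 * It is NOT a cipher: it XORs each byte so the example runs anywhere. */
static int stub_block_encrypt(uint8_t *dst, const uint8_t *src, size_t len)
{
    backend_calls++;
    for (size_t i = 0; i < len; i++)
        dst[i] = src[i] ^ 0xA5;
    return 1;                  /* the stand-in reports success as nonzero */
}

/* Caller-side guard: the length is checked before the backend is entered. */
static int guarded_encrypt(uint8_t *dst, const uint8_t *src, size_t len)
{
    if (len == 0)
        return 0;              /* nothing to do, never reach the backend */
    if (len % BLOCK_SIZE != 0)
        return ERR_INVALID_LEN; /* assumption: partial blocks are rejected */
    return stub_block_encrypt(dst, src, len) ? 0 : ERR_INVALID_LEN;
}

/* Boundary values around zero and around one block.
 * Returns the number of cases whose result or backend use was unexpected. */
static int run_boundary_cases(void)
{
    static const struct { size_t len; int want_ret; int want_calls; } cases[] = {
        { 0, 0, 0 }, { 1, ERR_INVALID_LEN, 0 }, { 15, ERR_INVALID_LEN, 0 },
        { 16, 0, 1 }, { 17, ERR_INVALID_LEN, 0 }, { 32, 0, 1 },
    };
    uint8_t src[32] = { 0 }, dst[32];
    int failures = 0;

    for (size_t i = 0; i < sizeof(cases) / sizeof(cases[0]); i++) {
        backend_calls = 0;
        int ret = guarded_encrypt(dst, src, cases[i].len);
        if (ret != cases[i].want_ret || backend_calls != cases[i].want_calls)
            failures++;
    }
    return failures;
}

int main(void) { return run_boundary_cases(); }
```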

