Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

x/crypto/openpgp: ReadMessage(): Panic on invalid input in packet.PublicKeyV3.setFingerPrintAndKeyId() (slice bounds out of range) #11504

Closed
marete opened this issue Jul 1, 2015 · 2 comments
Closed

x/crypto/openpgp: ReadMessage(): Panic on invalid input in packet.PublicKeyV3.setFingerPrintAndKeyId() (slice bounds out of range) #11504

marete opened this issue Jul 1, 2015 · 2 comments
Labels
FrozenDueToAge
Milestone
Unreleased

Comments

@marete
Copy link
Contributor

marete commented Jul 1, 2015

The following program panics:

package main

import (
    "bytes"
    "encoding/hex"
    "io"
    "log"
    "os"

    "golang.org/x/crypto/openpgp"
)

// An empty Keyring
type emptyKR struct {
}

func (kr emptyKR) KeysById(id uint64) []openpgp.Key {
    return nil
}

func (kr emptyKR) DecryptionKeys() []openpgp.Key {
    return nil
}

func (kr emptyKR) KeysByIdUsage(uint64, byte) []openpgp.Key {
    return nil
}

var data = "9303000130303030303030303030983002303030303030030000000130"

func main() {
    buf, err := hex.DecodeString(data)
    if err != nil {
        log.Fatalln(err)
    }

    md, err := openpgp.ReadMessage(bytes.NewBuffer(buf), emptyKR{},
        func([]openpgp.Key, bool) ([]byte, error) {
            return []byte("insecure"), nil
        }, nil)

    if err != nil {
        log.Fatalln(err)
    }

    _, err = io.Copy(os.Stdout, md.UnverifiedBody)
    if err != nil {
        log.Fatalln(err)
    }

    if md.SignatureError != nil {
        log.Fatalln("integrity check failed")
    }
}

with the trace:

panic: runtime error: slice bounds out of range

goroutine 1 [running]:
golang.org/x/crypto/openpgp/packet.(*PublicKeyV3).setFingerPrintAndKeyId(0xc208064000)
    /home/marebri/devel/go/src/golang.org/x/crypto/openpgp/packet/public_key_v3.go:85 +0x168
golang.org/x/crypto/openpgp/packet.(*PublicKeyV3).parse(0xc208064000, 0x7fa916c14c58, 0xc208062060, 0x0, 0x0)
    /home/marebri/devel/go/src/golang.org/x/crypto/openpgp/packet/public_key_v3.go:75 +0x273
golang.org/x/crypto/openpgp/packet.Read(0x7fa916c14b60, 0xc2080120e0, 0x7fa916c14c80, 0xc208064000, 0x0, 0x0)
    /home/marebri/devel/go/src/golang.org/x/crypto/openpgp/packet/packet.go:375 +0x152
golang.org/x/crypto/openpgp/packet.(*Reader).Next(0xc20803c480, 0x0, 0x0, 0x0, 0x0)
    /home/marebri/devel/go/src/golang.org/x/crypto/openpgp/packet/reader.go:37 +0x10c
golang.org/x/crypto/openpgp.readSignedMessage(0xc20803c480, 0xc2080600a0, 0x7fa916c14b88, 0x68c0a8, 0xc2080600a0, 0x0, 0x0)
    /home/marebri/devel/go/src/golang.org/x/crypto/openpgp/read.go:234 +0xc4
golang.org/x/crypto/openpgp.ReadMessage(0x7fa916c14b60, 0xc2080120e0, 0x7fa916c14b88, 0x68c0a8, 0x5f08c0, 0x0, 0xc208060000, 0x0, 0x0)
    /home/marebri/devel/go/src/golang.org/x/crypto/openpgp/read.go:137 +0x497
main.main()
    /home/marebri/devel/lab/go/crypto/openpgp/issues/3f41f6e4/main.go:40 +0x285

goroutine 2 [runnable]:
runtime.forcegchelper()
    /opt/go/src/runtime/proc.go:90
runtime.goexit()
    /opt/go/src/runtime/asm_amd64.s:2232 +0x1

goroutine 3 [runnable]:
runtime.bgsweep()
    /opt/go/src/runtime/mgc0.go:82
runtime.goexit()
    /opt/go/src/runtime/asm_amd64.s:2232 +0x1

goroutine 4 [runnable]:
runtime.runfinq()
    /opt/go/src/runtime/malloc.go:712
runtime.goexit()
    /opt/go/src/runtime/asm_amd64.s:2232 +0x1

Found using gofuzz. You may assign this issue to me.
@marete marete changed the title x/crypto/openpgp: Panic on invalid input in packet.PublicKeyV3.setFingerPrintAndKeyId() (slice bounds out of range) x/crypto/openpgp: ReadMessage(): Panic on invalid input in packet.PublicKeyV3.setFingerPrintAndKeyId() (slice bounds out of range) Jul 1, 2015
@ianlancetaylor ianlancetaylor added this to the Unreleased milestone Jul 10, 2015
@ianlancetaylor
Copy link
Contributor

CC @agl

@gopherbot
Copy link

CL https://golang.org/cl/12635 mentions this issue.

benburkert pushed a commit to benburkert/openpgp that referenced this issue Feb 29, 2016
@marete @agl
openpgp: Fix panic on v3 public keys with too-short modulus.
4783a8a 
Found using gofuzz.

Fixes golang/go#11504

Change-Id: I49cf01e75e37c5d87dad58c5349161d79d0b72f5
Reviewed-on: https://go-review.googlesource.com/12635
Reviewed-by: Adam Langley <agl@golang.org>
@golang golang locked and limited conversation to collaborators Aug 5, 2016
c-expert-zigbee pushed a commit to c-expert-zigbee/crypto_go that referenced this issue Mar 28, 2022
@marete @agl
openpgp: Fix panic on v3 public keys with too-short modulus.
8e2f128 
Found using gofuzz.

Fixes golang/go#11504

Change-Id: I49cf01e75e37c5d87dad58c5349161d79d0b72f5
Reviewed-on: https://go-review.googlesource.com/12635
Reviewed-by: Adam Langley <agl@golang.org>
c-expert-zigbee pushed a commit to c-expert-zigbee/crypto_go that referenced this issue Mar 29, 2022
@marete @c-expert-zigbee
openpgp: Fix panic on v3 public keys with too-short modulus.
c9190f9 
Found using gofuzz.

Fixes golang/go#11504

Change-Id: I49cf01e75e37c5d87dad58c5349161d79d0b72f5
Reviewed-on: https://go-review.googlesource.com/12635
Reviewed-by: Adam Langley <agl@golang.org>
BiiChris pushed a commit to BiiChris/crypto that referenced this issue Sep 15, 2023
@marete @agl
openpgp: Fix panic on v3 public keys with too-short modulus.
de15bb1 
Found using gofuzz.

Fixes golang/go#11504

Change-Id: I49cf01e75e37c5d87dad58c5349161d79d0b72f5
Reviewed-on: https://go-review.googlesource.com/12635
Reviewed-by: Adam Langley <agl@golang.org>
Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.
Assignees
No one assigned
Labels
FrozenDueToAge
Projects
None yet
Milestone
Unreleased
Development

No branches or pull requests
3 participants
@marete @ianlancetaylor @gopherbot