Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

x/crypto/blowfish: panic: runtime error: index out of range [0] with length 0 #56908

Open
catenacyber opened this issue Nov 22, 2022 · 3 comments
Open

x/crypto/blowfish: panic: runtime error: index out of range [0] with length 0 #56908

catenacyber opened this issue Nov 22, 2022 · 3 comments
Labels
NeedsInvestigation Someone must examine and confirm this is a valid issue and not a duplicate of an existing one.
Milestone
Unreleased

Comments

@catenacyber
Copy link
Contributor

What version of Go are you using (go version)?

$ go version
go version go1.19 linux/amd64

Does this issue reproduce with the latest release?

Yes

What operating system and processor architecture are you using (go env)?

go env Output
$ go env
GO111MODULE=""
GOARCH="amd64"
GOBIN=""
GOCACHE="/root/.cache/go-build"
GOENV="/root/.config/go/env"
GOEXE=""
GOEXPERIMENT=""
GOFLAGS=""
GOHOSTARCH="amd64"
GOHOSTOS="linux"
GOINSECURE=""
GOMODCACHE="/root/go/pkg/mod"
GONOPROXY=""
GONOSUMDB=""
GOOS="linux"
GOPATH="/root/go"
GOPRIVATE=""
GOPROXY="https://proxy.golang.org,direct"
GOROOT="/root/.go"
GOSUMDB="sum.golang.org"
GOTMPDIR=""
GOTOOLDIR="/root/.go/pkg/tool/linux_amd64"
GOVCS=""
GOVERSION="go1.19"
GCCGO="gccgo"
GOAMD64="v1"
AR="ar"
CC="clang"
CXX="clang++"
CGO_ENABLED="1"
GOMOD="/src/ngolo-fuzzing/go.mod"
GOWORK=""
CGO_CFLAGS="-g -O2"
CGO_CPPFLAGS=""
CGO_CXXFLAGS="-g -O2"
CGO_FFLAGS="-g -O2"
CGO_LDFLAGS="-g -O2"
PKG_CONFIG="pkg-config"
GOGCCFLAGS="-fPIC -m64 -pthread -fno-caret-diagnostics -Qunused-arguments -Wl,--no-gc-sections -fmessage-length=0 -fdebug-prefix-map=/tmp/go-build2481516251=/tmp/go-build -gno-record-gcc-switches"

What did you do?

Run https://go.dev/play/p/QMNkWgpIag1

What did you expect to see?

The program finishing and printing Hello

What did you see instead?

panic: runtime error: index out of range [0] with length 0

goroutine 1 [running]:
golang.org/x/crypto/blowfish.ExpandKey({0xc0000a4f58?, 0xc0000a4f70?, 0x405359?}, 0x0?)
	/tmp/gopath936803848/pkg/mod/golang.org/x/crypto@v0.3.0/blowfish/block.go:34 +0x285
main.main()
	/tmp/sandbox3374802724/prog.go:13 +0x5b

Program exited.

Found by https://github.com/catenacyber/ngolo-fuzzing

Is this relevant ?
(Should not panic and do nothing if the slice is empty)
@cherrymui cherrymui changed the title golang.org/x/crypto/blowfish: panic: runtime error: index out of range [0] with length 0 x/crypto/blowfish: panic: runtime error: index out of range [0] with length 0 Nov 22, 2022
@cherrymui cherrymui added this to the Unreleased milestone Nov 22, 2022
@cherrymui cherrymui added the NeedsInvestigation Someone must examine and confirm this is a valid issue and not a duplicate of an existing one. label Nov 22, 2022
@cherrymui
Copy link
Member

cc @golang/security

@rolandshoemaker
Copy link
Member

x/crypto/blowfish is a painfully low level package which will panic in a handful of ways if you hold it incorrectly, it would ideally be an internal package only used for bcrypt, but for backwards compatibility reasons that is not really possible.

Given there are no error returns, and often doing nothing may actually be more dangerous than panicking, the only real fix is probably to introduce purposeful panics which catch these issues before they happen, 🤷.

@catenacyber
Copy link
Contributor Author

Thanks for the answer.

An explicit panic with a string instead of index out of range is fine for me :-)

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
NeedsInvestigation Someone must examine and confirm this is a valid issue and not a duplicate of an existing one.
Projects
None yet
Milestone
Unreleased
Development

No branches or pull requests
3 participants
@rolandshoemaker @cherrymui @catenacyber