crypto/rsa: panic in SignPSS #58171

Closed
jsha opened this issue Jan 31, 2023 · 4 comments

Labels
FrozenDueToAge, NeedsInvestigation (Someone must examine and confirm this is a valid issue and not a duplicate of an existing one.)

Comments

@jsha

jsha commented Jan 31, 2023

Go 1.19.3, reproduces in latest release.

go env Output
GO111MODULE=""
GOARCH="amd64"
GOBIN=""
GOCACHE="/home/jsha/.cache/go-build"
GOENV="/home/jsha/.config/go/env"
GOEXE=""
GOEXPERIMENT=""
GOFLAGS=""
GOHOSTARCH="amd64"
GOHOSTOS="linux"
GOINSECURE=""
GOMODCACHE="/home/jsha/go/pkg/mod"
GONOPROXY=""
GONOSUMDB=""
GOOS="linux"
GOPATH="/home/jsha/go"
GOPRIVATE=""
GOPROXY="https://proxy.golang.org,direct"
GOROOT="/home/jsha/go1.19.3"
GOSUMDB="sum.golang.org"
GOTMPDIR=""
GOTOOLDIR="/home/jsha/go1.19.3/pkg/tool/linux_amd64"
GOVCS=""
GOVERSION="go1.19.3"
GCCGO="gccgo"
GOAMD64="v1"
AR="ar"
CC="gcc"
CXX="g++"
CGO_ENABLED="1"
GOMOD="/dev/null"
GOWORK=""
CGO_CFLAGS="-g -O2"
CGO_CPPFLAGS=""
CGO_CXXFLAGS="-g -O2"
CGO_FFLAGS="-g -O2"
CGO_LDFLAGS="-g -O2"
PKG_CONFIG="pkg-config"
GOGCCFLAGS="-fPIC -m64 -pthread -Wl,--no-gc-sections -fmessage-length=0 -fdebug-prefix-map=/tmp/go-build1443194738=/tmp/go-build -gno-record-gcc-switches"

What did you do?

Parsed a set of private keys from a public dump, and used them to sign some random data as a check for validity. Demonstration program:

https://go.dev/play/p/ytNztif5D8y

What did you expect to see?

Signing success, or an error return value.

What did you see instead?

panic: runtime error: makeslice: len out of range

goroutine 1 [running]:
crypto/rsa.SignPSS({0x4e3da8, 0xc000098020}, 0xc00009a180, 0x4?, {0xc0000c2518, 0x2, 0x2}, 0x60?)
	/usr/local/go-faketime/src/crypto/rsa/pss.go:302 +0x165
main.main()
	/tmp/sandbox287948688/prog.go:19 +0xf0

This seems to come from this line of code. When N is very small, the package tries to create a slice with negative length.

https://cs.opensource.google/go/go/+/refs/tags/go1.19.5:src/crypto/rsa/pss.go;l=305;drc=007d8f4db1f890f0d34018bb418bdc90ad4a8c35

@seankhliao
Member

cc @golang/security

seankhliao added the NeedsInvestigation label Jan 31, 2023

@rolandshoemaker
Member

Hey 👋.

I believe this was inadvertently fixed by the fix for https://go.dev/issues/54803, which is included in 1.20. Perhaps we should backport that fix to 1.19 as well. Running the playground snippet against the dev branch doesn't fail.

I think it's questionable whether we should consider this a security issue, since it only affects users who are using untrusted, unverified signing keys, which we typically do not treat as an issue. That said, it's somewhat marginal. In cases like this, feel free to send a message to security@golang.org so we can triage potential restricted issues.

@jsha
Author

jsha commented Feb 1, 2023

Hiya! 👋🏻

I agree - I don't consider this a security issue. In our use case we're running a manual job, so the panic is not an availability problem.

And great news about the upcoming fix, thanks.

@rolandshoemaker
Member

👍, will close this out. I'm not particularly strongly opinionated on backporting; if you think it's necessary, we can have that discussion on #54803.

golang locked and limited conversation to collaborators Feb 1, 2024
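
For callers that sign with keys from untrusted sources, as in the report above, a size check before `SignPSS` turns the small-modulus case into an ordinary error. This is an added example, not code from the issue or from the Go project. It applies the EMSA-PSS length requirement from RFC 8017 (emLen >= hLen + sLen + 2); `maxPSSSaltLen`, `signChecked` and `run` are hypothetical names, and the 12-bit key is constructed sample input.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"fmt"
	"math/big"
)

// maxPSSSaltLen is emLen - hLen - 2 from RFC 8017 section 9.1.1: the largest
// salt a modulus of nBits bits can carry. Negative means PSS cannot fit at all.
func maxPSSSaltLen(nBits, hLen int) int {
	return (nBits-1+7)/8 - hLen - 2
}

// signChecked (hypothetical helper) signs msg with PSS/SHA-256 and reports an
// unusable key as an error instead of panicking.
func signChecked(priv *rsa.PrivateKey, msg []byte) (sig []byte, err error) {
	defer func() { // last resort for untrusted keys: turn a panic into an error
		if r := recover(); r != nil {
			sig, err = nil, fmt.Errorf("panic while signing: %v", r)
		}
	}()
	if priv == nil || priv.N == nil || maxPSSSaltLen(priv.N.BitLen(), crypto.SHA256.Size()) < 0 {
		return nil, fmt.Errorf("modulus missing or too small for PSS with SHA-256")
	}
	if verr := priv.Validate(); verr != nil {
		return nil, fmt.Errorf("key failed validation: %w", verr)
	}
	digest := sha256.Sum256(msg)
	return rsa.SignPSS(rand.Reader, priv, crypto.SHA256, digest[:], nil)
}

// run signs with a constructed 12-bit textbook key (p=61, q=53) and a fresh 2048-bit key.
func run() (tinyErr error, sigLen int, err error) {
	tiny := &rsa.PrivateKey{PublicKey: rsa.PublicKey{N: big.NewInt(3233), E: 17},
		D: big.NewInt(2753), Primes: []*big.Int{big.NewInt(61), big.NewInt(53)}}
	_, tinyErr = signChecked(tiny, []byte("probe"))
	key, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return tinyErr, 0, err
	}
	sig, err := signChecked(key, []byte("probe"))
	return tinyErr, len(sig), err
}

func main() { fmt.Println(run()) }
```

With SHA-256 the check rejects any modulus shorter than 266 bits, which is the smallest size that leaves room for a zero-length salt.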