fuzz failure 5-3: Nim inclusive stops :/
mratsim committed Sep 8, 2023
1 parent 1ad8499 commit 02a87f9
Showing 2 changed files with 35 additions and 4 deletions.
@@ -168,14 +168,14 @@ func powMod_vartime*(
let qWords = qBits.wordsRequired()
let pWords = pBits.wordsRequired()

var qBuf = allocStackArray(SecretWord, M.len)
var a1Buf = allocStackArray(SecretWord, M.len)
var qBuf = allocStackArray(SecretWord, qWords)
var a1Buf = allocStackArray(SecretWord, qWords)
var a2Buf = allocStackArray(SecretWord, pWords)
var yBuf = allocStackArray(SecretWord, pWords)
var qInv2kBuf = allocStackArray(SecretWord, pWords)

template q: untyped = qBuf.toOpenArray(0, M.len-1) # TODO use qWords instead of M.len
template a1: untyped = a1Buf.toOpenArray(0, M.len-1)
template q: untyped = qBuf.toOpenArray(0, qWords-1)
template a1: untyped = a1Buf.toOpenArray(0, qWords-1)
template a2: untyped = a2Buf.toOpenArray(0, pWords-1)
template y: untyped = yBuf.toOpenArray(0, pWords-1)
template qInv2k: untyped = qInv2kBuf.toOpenArray(0, pWords-1)
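Review bot: Nothing at the declarations of `q` and `a1` now records why their length must be `qWords` rather than `M.len`, and the removed TODO was the only hint. Judging by the regression test title, `allocStackArray` memory is not zeroed, so a view wider than what the callee writes would feed stale stack words into later arithmetic. I would add a comment above the templates such as `# Views must span exactly the words written below: allocStackArray does not zero memory, and toOpenArray(lo, hi) is inclusive`. The stack allocations are also sized from `qBits`/`pBits`, which on the EVM path presumably derive from a caller-supplied modulus length; if no upper bound is enforced before this point (not visible in the hunk), a size cap or heap fallback is worth considering. powMod_vartime starts and ends outside the hunk.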
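--- a/tests/t_ethereum_evm_modexp.nim
+++ b/tests/t_ethereum_evm_modexp.nim
@@ -73,6 +73,37 @@ suite "EVM ModExp precompile (EIP-198)":
 doAssert status == cttEVM_Success
 doAssert r[0] == 0, ". Result was " & $r[0]
 
+test "Audit #5-3 - temp buffer extra unintialized word":
+let input = [
+
+# Length of base (1)
+uint8 0x00,
+0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
+0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01,
+
+# Length of exponent (2)
+0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
+0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x02,
+
+# Length of modulus (9)
+0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
+0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x09,
+
+# Base
+0x02,
+
+# Exponent
+0x02, 0x65,
+
+# Modulus
+0x05, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x03, 0x98
+]
+
+var r = newSeq[byte](9)
+let status = r.eth_evm_modexp(input)
+doAssert status == cttEVM_Success
+doAssert r == @[byte 0, 0, 1, 45, 106, 227, 225, 162, 136], ". Result was " & $r
+
 test "Audit #8 - off-by-1 buffer overflow - ptr + length exclusive vs openArray(lo, hi) inclusive":
 let input = [
 # Length of base (24)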
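Review bot: The new test does not say why this particular modulus triggers the bug, and its title misspells `uninitialized`. The modulus is 67 bits wide with 3 trailing zero bits, so if `q` is its odd part (as the naming in powMod_vartime suggests) it fits in exactly 64 bits, one word fewer than `M.len` on a 64-bit build; a comment such as `# 67-bit modulus whose odd part is 64 bits: M.len exceeds qWords by one word` above the modulus bytes would keep that intent visible. Because the pre-fix failure depended on whatever the stack happened to hold, this assertion could pass against the unfixed code on some runs; running the suite under a memory sanitizer or Valgrind in CI would make the regression deterministic.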
