From 02a87f96411a8ca22bc1841ceef394fb9c0dcd25 Mon Sep 17 00:00:00 2001
From: Mamy Ratsimbazafy
Date: Fri, 8 Sep 2023 23:57:47 +0200
Subject: [PATCH] fuzz failure 5-3: Nim inclusive stops :/

---
 .../arithmetic/bigints_views.nim | 8 ++---
 tests/t_ethereum_evm_modexp.nim | 31 +++++++++++++++++++
 2 files changed, 35 insertions(+), 4 deletions(-)

diff --git a/constantine/math_arbitrary_precision/arithmetic/bigints_views.nim b/constantine/math_arbitrary_precision/arithmetic/bigints_views.nim
index 9569b3c0..592f5f5a 100644
--- a/constantine/math_arbitrary_precision/arithmetic/bigints_views.nim
+++ b/constantine/math_arbitrary_precision/arithmetic/bigints_views.nim
@@ -168,14 +168,14 @@ func powMod_vartime*(
   let qWords = qBits.wordsRequired()
   let pWords = pBits.wordsRequired()
 
-  var qBuf = allocStackArray(SecretWord, M.len)
-  var a1Buf = allocStackArray(SecretWord, M.len)
+  var qBuf = allocStackArray(SecretWord, qWords)
+  var a1Buf = allocStackArray(SecretWord, qWords)
   var a2Buf = allocStackArray(SecretWord, pWords)
   var yBuf = allocStackArray(SecretWord, pWords)
   var qInv2kBuf = allocStackArray(SecretWord, pWords)
 
-  template q: untyped = qBuf.toOpenArray(0, M.len-1) # TODO use qWords instead of M.len
-  template a1: untyped = a1Buf.toOpenArray(0, M.len-1)
+  template q: untyped = qBuf.toOpenArray(0, qWords-1)
+  template a1: untyped = a1Buf.toOpenArray(0, qWords-1)
   template a2: untyped = a2Buf.toOpenArray(0, pWords-1)
   template y: untyped = yBuf.toOpenArray(0, pWords-1)
   template qInv2k: untyped = qInv2kBuf.toOpenArray(0, pWords-1)
diff --git a/tests/t_ethereum_evm_modexp.nim b/tests/t_ethereum_evm_modexp.nim
index 4f134815..c93dc052 100644
--- a/tests/t_ethereum_evm_modexp.nim
+++ b/tests/t_ethereum_evm_modexp.nim
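Review bot: The q and a1 buffers are still handed out uninitialized and now sized from qWords with no comment on why the size must match exactly, which is the property this commit restores; I would replace the dropped TODO on the `template q` line with `# q/a1 must be exactly qWords long: toOpenArray(lo, hi) is inclusive and the view length is taken as the operand length, so an extra stale high word changes the value read.` Separately, allocStackArray sizes a stack allocation directly from qWords, and if qBits ultimately derives from caller-controlled length fields (the EVM precompile test in this same commit feeds 32-byte big-endian lengths), a bound on qBits should be established before this point or the allocation should fall back to the heap above a threshold; I cannot see where qBits is bounded from this hunk. powMod_vartime's signature and the rest of its body are outside the hunk.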
@@ -73,6 +73,37 @@ suite "EVM ModExp precompile (EIP-198)":
     doAssert status == cttEVM_Success
     doAssert r[0] == 0, ". Result was " & $r[0]
 
+  test "Audit #5-3 - temp buffer extra unintialized word":
+    let input = [
+
+      # Length of base (1)
+      uint8 0x00,
+      0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
+      0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01,
+
+      # Length of exponent (2)
+      0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
+      0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x02,
+
+      # Length of modulus (9)
+      0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
+      0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x09,
+
+      # Base
+      0x02,
+
+      # Exponent
+      0x02, 0x65,
+
+      # Modulus
+      0x05, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x03, 0x98
+    ]
+
+    var r = newSeq[byte](9)
+    let status = r.eth_evm_modexp(input)
+    doAssert status == cttEVM_Success
+    doAssert r == @[byte 0, 0, 1, 45, 106, 227, 225, 162, 136], ". Result was " & $r
+
   test "Audit #8 - off-by-1 buffer overflow - ptr + length exclusive vs openArray(lo, hi) inclusive":
     let input = [
       # Length of base (24)
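Review bot: The expected result on the final doAssert of the new test is a bare byte list with no derivation, so a reader cannot confirm the oracle without rerunning the fuzzer; I would precede it with `# expected = pow(0x02, 0x0265, 0x05_0000_0000_0000_0398), encoded as 9 big-endian bytes` so it is independently recomputable from the base, exponent and modulus bytes above it. The test name also misspells the defect it guards against: `test "Audit #5-3 - temp buffer extra uninitialized word":`. The enclosing suite block starts outside the hunk.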