Page MenuHome GnuPG
Create Task
Maniphest T1700

A NULL pointer may be dereferenced in file "cipher/elgamal.c" inside function "generate_using_x" on line 387
Closed, ResolvedPublic
Actions

Description

File:cipher/elgamal.c
function : generate_using_x
Line of error:387

libgcrypt version 1.5.4 code:

p = _gcry_generate_elg_prime ( 0, nbits, qbits, g, ret_factors );

  mpi_sub_ui (p_min1, p, 1);

-> Here p is being allocated value by function '_gcry_generate_elg_prime'
which has a very high probability of returning value NULL. So 'p' which may have
a NULL value is being dereferenced ,a line below, at line 387 during call
'mpi_sub_ui (p_min1, p, 1);'

-> So an assert (gcry_assert) can be used to check 'p' for not being 'NULL' .

Modified Code:

p = _gcry_generate_elg_prime ( 0, nbits, qbits, g, ret_factors );

  gcry_assert (p);
  mpi_sub_ui (p_min1, p, 1);

I am adding a patch for the above mentioned bug's resolution.

Details

Version
1.5.4

Related Objects

Event Timeline

sacrishi set Version to 1.5.4.Aug 21 2014, 8:36 AM
sacrishi added projects: libgcrypt, Bug Report.
sacrishi added a subscriber: sacrishi.

D215: 464_elgamal.patch

sacrishi added a subscriber: werner.Aug 21 2014, 8:36 AM
sacrishi added a subscriber: aheinecke.Aug 21 2014, 10:39 AM
werner added a comment.Aug 21 2014, 11:11 AM

Thanks for looking at this. However, please do not file separate bug reports
for similar problems. This is just too much overhead. Frankly, I 'd would
appreciate that such audit results are send to the mailing list.

The suggested fix is not suitable because this function or its callers returns
an error code and should just do this. An assert is only to be used to make
sure that nothing unexpected happens. You have shown that this may indeed
happen (by using wrong call args or a malloc failure) and thus this needs more
work. Given that such NULL dereference are not a critical security problems,
this won't be fixed for old Libgcrypt versions as 1.5. Instead I will apply a
fix to master (1.7) and backport it to stable (1.6).

werner mentioned this in T1699: A NULL pointer may be dereferenced in file "cipher/dsa.c" inside function "generate " on line 320.Mar 30 2017, 7:13 PM
werner added a comment.Aug 21 2014, 11:39 AM

Fixed in master.

werner added a project: Restricted Project.Aug 21 2014, 11:39 AM
werner closed this task as Resolved.Aug 21 2014, 12:53 PM
werner removed a project: Restricted Project.