
Zero-length MPIs result in non-termination
Closed, Resolved, Public

Description

Zero-bit MPIs are not properly handled in some cases; this bug causes GPG to busy-loop
indefinitely. Prompt review would be appreciated.

Call-stack:

mpihelp_rshift (in gpg) 1103
mpihelp_add_n (in gpg) 693
mpi_rshift (in gpg) 222
mpi_invm (in gpg) 127
mpi_add (in gpg) 116
mpi_test_bit (in gpg) 71

The tarball contains the files necessary to replicate; replicate.sh contains the
command line invocation of GnuPG.

This bug was found by Michał Zalewski's american-fuzzy-lop; it has been replicated with
the version of GnuPG packaged with Ubuntu 14.04 x86/x86_64, as well as against versions
built directly from GnuPG 1.4.18 source tarballs on Ubuntu 14.04 x86/x86_64 and OSX.
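As an added illustration (not GnuPG's code and not part of this report or its tarball): a small C program that parses OpenPGP-encoded MPIs (two-octet bit count followed by the magnitude octets) and refuses a zero-bit MPI before handing it to a modular-inverse routine. The inverse here is a binary extended-GCD loop that repeatedly right-shifts an even operand; the call stack above (mpi_invm calling mpi_rshift) suggests that shape, but the exact loop in GnuPG 1.4.18 is an assumption of this example. Such a loop never terminates on a zero operand, since zero is always even, so the explicit checks are the defensive point. Values are limited to 64 bits and the sample byte strings are constructed for the demonstration.

```c
/* Added example, not GnuPG code: defensive MPI parsing plus a guarded
 * modular inverse. uint64_t stands in for a multi-limb MPI. */
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

typedef struct {
    unsigned bits;   /* declared bit length from the 2-octet header */
    uint64_t value;  /* magnitude; demo limit is 64 bits */
} mpi_t;

/* Parse one OpenPGP MPI (RFC 4880 section 3.2): 2-octet big-endian bit
 * count, then ceil(bits/8) octets, most significant first.
 * Returns the number of bytes consumed, or 0 if the MPI is rejected. */
size_t mpi_parse(const uint8_t *buf, size_t len, mpi_t *out)
{
    if (len < 2)
        return 0;
    unsigned bits = ((unsigned)buf[0] << 8) | buf[1];
    size_t nbytes = (bits + 7) / 8;

    /* A zero-bit MPI carries no magnitude at all. Reject it at the parser
     * so arithmetic that needs a nonzero operand never sees it. */
    if (bits == 0 || bits > 64)
        return 0;
    if (len < 2 + nbytes)
        return 0;

    /* RFC 4880 requires the minimal encoding: the declared top bit must be
     * set in the first magnitude octet, otherwise count and value disagree. */
    unsigned top_bits = bits - 8 * (unsigned)(nbytes - 1);
    if ((buf[2] >> (top_bits - 1)) != 1)
        return 0;

    uint64_t v = 0;
    for (size_t i = 0; i < nbytes; i++)
        v = (v << 8) | buf[2 + i];
    out->bits = bits;
    out->value = v;
    return 2 + nbytes;
}

/* Inverse of a modulo an odd m via the binary extended GCD.
 * Returns 1 and sets *inv on success, 0 when no inverse exists.
 * Demo restriction: m odd, 3 <= m < 2^63, so x + m cannot overflow. */
int mod_inverse(uint64_t a, uint64_t m, uint64_t *inv)
{
    if (m < 3 || (m & 1) == 0 || m > (UINT64_MAX >> 1))
        return 0;
    a %= m;
    /* Zero is always even: without this check the shift loop below would
     * halve it forever, the kind of non-termination this report describes. */
    if (a == 0)
        return 0;

    uint64_t u = a, v = m, x1 = 1, x2 = 0;
    while (u != 1 && v != 1) {
        while ((u & 1) == 0) {            /* strip factors of two from u */
            u >>= 1;
            x1 = (x1 & 1) ? (x1 + m) >> 1 : x1 >> 1;
        }
        while ((v & 1) == 0) {            /* same for v */
            v >>= 1;
            x2 = (x2 & 1) ? (x2 + m) >> 1 : x2 >> 1;
        }
        if (u >= v) {
            u -= v;
            x1 = (x1 >= x2) ? x1 - x2 : x1 + m - x2;
        } else {
            v -= u;
            x2 = (x2 >= x1) ? x2 - x1 : x2 + m - x1;
        }
        /* gcd(a, m) > 1 drives one operand to zero; bail out instead of
         * re-entering the shift loop with an operand that is always even. */
        if (u == 0 || v == 0)
            return 0;
    }
    *inv = (u == 1) ? x1 : x2;
    return 1;
}

/* Parse the MPI in buf and invert it modulo m. Returns the inverse, or 0
 * when the MPI was rejected or has no inverse (a real inverse is never 0). */
uint64_t invert_mpi_bytes(const uint8_t *buf, size_t len, uint64_t m)
{
    mpi_t x;
    uint64_t inv;
    if (mpi_parse(buf, len, &x) == 0)
        return 0;
    return mod_inverse(x.value, m, &inv) ? inv : 0;
}

/* Constructed sample encodings (not taken from the report's tarball). */
static const uint8_t SAMPLE_OK[]     = { 0x00, 0x04, 0x0A }; /* 4-bit MPI, value 10 */
static const uint8_t SAMPLE_ZERO[]   = { 0x00, 0x00 };       /* zero-bit MPI */
static const uint8_t SAMPLE_NONMIN[] = { 0x00, 0x08, 0x0A }; /* says 8 bits, top bit clear */
static const uint8_t SAMPLE_SMALL[]  = { 0x00, 0x02, 0x03 }; /* 2-bit MPI, value 3 */

int main(void)
{
    printf("10^-1 mod 23 = %llu\n", (unsigned long long)invert_mpi_bytes(SAMPLE_OK, sizeof SAMPLE_OK, 23));
    printf("zero-bit MPI -> %llu (rejected)\n", (unsigned long long)invert_mpi_bytes(SAMPLE_ZERO, sizeof SAMPLE_ZERO, 23));
    printf("non-minimal MPI -> %llu (rejected)\n", (unsigned long long)invert_mpi_bytes(SAMPLE_NONMIN, sizeof SAMPLE_NONMIN, 23));
    return 0;
}
```

Rejecting the zero-bit encoding in the parser is the cheap fix; the guards inside mod_inverse are the defence in depth, so that a zero or non-coprime operand arriving by any other path returns an error instead of spinning.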

Details

Version
1.4.18

Event Timeline

coruus added projects: gnupg, Bug Report.
coruus added a subscriber: coruus.

[please do such work on master and not on an old stable branch. It is much
easier to backport stuff than to forward port it.]

werner lowered the priority of this task from High to Normal. Sep 11 2014, 4:14 PM

It turned out that the other branches are not affected because mpi_invm has
already been fixed in Libgcrypt. Please disregard my comment of trying the
master version only ;-).

Fixed with commit cd53cdb to be released with 1.4.19. Thanks.

werner claimed this task.

Sure; will include GnuPG 2 in future. The instrumentation process is more
difficult because of its structure.

On Thursday, September 11, 2014, Werner Koch via BTS <gnupg@bugs.g10code.com>
wrote:

Werner Koch <wk@gnupg.org> added the comment:

[please do such work on master and not on an old stable branch. It is much
easier to backport stuff than to forward port it.]

status: unread -> chatting

g10 Code's BTS <gnupg@bugs.g10code.com>
<T1713>