Fixed uninitialised read UB in Argon2

The index block was declared in the block loop instead of the segment
loop.  Yet it's only initialised one time out of 128 there, so most of
the time we're accessing uninitialised memory.

It still appeared to work because that that block always occupied the
same spot in the stack. Only Clang's memory sanitiser and the TIS
interpreter caught this.

diff --git a/src/monocypher.c b/src/monocypher.c
index 59fc2082f292d7b40376461671511217a7e3cc87..7acd23bcd3aa201ae20a1dafe218653444b6cf5f 100644 (file)
--- a/src/monocypher.c
+++ b/src/monocypher.c
@@ -799,6 +799,7 @@ void crypto_argon2(u8 *hash, void *work_area,
                        // a separate thread.  All iterations must be done before we
                        // fill the next slice.
                        FOR_T(u32, segment, 0, s->nb_lanes) {
+                               blk index_block;
                                u32 index_ctr = 1;
                                FOR_T (u32, block, pass_offset, segment_size) {
                                        // Current and previous blocks
@@ -810,7 +811,6 @@ void crypto_argon2(u8 *hash, void *work_area,
                                                ? segment_start + lane_size - 1
                                                : segment_start + block - 1;
 
-                                       blk index_block;
                                        u64 index_seed;
                                        if (constant_time) {
                                                if (block == pass_offset || (block % 128) == 0) {