From a27b89c835fdb41c4488e8339690ef450bcf9615 Mon Sep 17 00:00:00 2001
From: Loup Vaillant
Date: Sat, 31 Dec 2022 22:33:50 +0100
Subject: [PATCH] Fixed uninitialised read UB in Argon2

The index block was declared in the block loop instead of the segment loop. Yet it's only initialised one time out of 128 there, so most of the time we're accessing uninitialised memory. It still appeared to work because that that block always occupied the same spot in the stack. Only Clang's memory sanitiser and the TIS interpreter caught this.
---
 src/monocypher.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/src/monocypher.c b/src/monocypher.c
index 59fc208..7acd23b 100644
--- a/src/monocypher.c
+++ b/src/monocypher.c
@@ -799,6 +799,7 @@ void crypto_argon2(u8 *hash, void *work_area,
 // a separate thread. All iterations must be done before we
 // fill the next slice.
 FOR_T(u32, segment, 0, s->nb_lanes) {
+ blk index_block;
 u32 index_ctr = 1;
 FOR_T (u32, block, pass_offset, segment_size) {
 // Current and previous blocks
@@ -810,7 +811,6 @@ void crypto_argon2(u8 *hash, void *work_area,
 ? segment_start + lane_size - 1
 : segment_start + block - 1;
 
- blk index_block;
 u64 index_seed;
 if (constant_time) {
 if (block == pass_offset || (block % 128) == 0) {
-- 
2.47.3
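Review bot: The hoisted `blk index_block;` in the first hunk is still declared without an initialiser, so the fix relies entirely on the first block of each segment taking the `if (block == pass_offset || (block % 128) == 0)` branch shown in the second hunk, whose body (where the block is presumably filled) lies outside both hunks. Nothing at the declaration records that the value is deliberately kept across block iterations, which is exactly the property a later refactor could break again by moving it back into the inner loop. I would add a comment at the new declaration: `// (Re)computed only at the first block of the segment and every 128 blocks thereafter; it must stay live across the whole block loop, so do not move it inside.` If the MSan/TIS runs that caught this are not already part of CI, a short note in the commit or a CI job would keep this class of uninitialised read from regressing silently. The enclosing crypto_argon2 body begins and ends outside both hunks, and the second hunk is the removal half of the same change.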