AESNI code accesses memory beyond buffer end

Bug #1327081 reported by Legrandin on 2014-06-06
This bug affects 1 person
Affects Status Importance Assigned to Milestone

Bug Description

In the current AESNI.c code I read this:

static void aes_key_setup_enc(__m128i rk[], const u8* cipherKey, int keylen)
case 24:
            /* 192 bit key setup */
            __m128i temp[2];
            rk[0] = _mm_loadu_si128((const __m128i*) cipherKey);
            rk[1] = _mm_loadu_si128((const __m128i*) (cipherKey+16));

static void block_init(block_state* self, unsigned char* key, int keylen)
            aes_key_setup_enc(self->ek, key, keylen);

In case of AES192, the key will be 24 bytes long.
The second _mm_loadu_si128 instruction will load 16 bytes from the location (cipherKey+16).
That means it will read in 8 bytes beyond the key buffer. That may lead to a crash.

It is also worth noting that the very same bug is contained in Figure 25 of the Intel document here:

The rest of AESNI.c strongly resembles that code too.

It is appropriate to mention that AESNI.c code was copied or at least derived from that source.
I leave it up to you to sort out the licensing topic.

At a first glance, the Intel document does not seem to grant rights compatible with a public domain implementation.

Legrandin (gooksankoo) on 2014-06-06
information type: Private Security → Public
Jwagner-5 (jwagner-5) wrote :

The code seems to have been removed:

$ find -iname "*aes*"

Also note that comments on github (where this has project moved) and the commit history on github suggest that this project is no longer active.

(Commenting here to save people time to figure this out.)

To post a comment you must log in.
This report contains Public information  Edit
Everyone can see this information.

Other bug subscribers