Skip to content

x/crypto/openpgp: ReadMessage(): Panic on invalid input in packet.PublicKeyV3.setFingerPrintAndKeyId() (slice bounds out of range) #11504

New issue
New issue
Closed
Closed
x/crypto/openpgp: ReadMessage(): Panic on invalid input in packet.PublicKeyV3.setFingerPrintAndKeyId() (slice bounds out of range)#11504
Labels
FrozenDueToAge
Milestone
 
Unreleased
@marete

Description

@marete
marete
opened on Jul 1, 2015

The following program panics:

package main

import (
    "bytes"
    "encoding/hex"
    "io"
    "log"
    "os"

    "golang.org/x/crypto/openpgp"
)

// An empty Keyring
type emptyKR struct {
}

func (kr emptyKR) KeysById(id uint64) []openpgp.Key {
    return nil
}

func (kr emptyKR) DecryptionKeys() []openpgp.Key {
    return nil
}

func (kr emptyKR) KeysByIdUsage(uint64, byte) []openpgp.Key {
    return nil
}

var data = "9303000130303030303030303030983002303030303030030000000130"

func main() {
    buf, err := hex.DecodeString(data)
    if err != nil {
        log.Fatalln(err)
    }

    md, err := openpgp.ReadMessage(bytes.NewBuffer(buf), emptyKR{},
        func([]openpgp.Key, bool) ([]byte, error) {
            return []byte("insecure"), nil
        }, nil)

    if err != nil {
        log.Fatalln(err)
    }

    _, err = io.Copy(os.Stdout, md.UnverifiedBody)
    if err != nil {
        log.Fatalln(err)
    }

    if md.SignatureError != nil {
        log.Fatalln("integrity check failed")
    }
}

with the trace:

panic: runtime error: slice bounds out of range

goroutine 1 [running]:
golang.org/x/crypto/openpgp/packet.(*PublicKeyV3).setFingerPrintAndKeyId(0xc208064000)
    /home/marebri/devel/go/src/golang.org/x/crypto/openpgp/packet/public_key_v3.go:85 +0x168
golang.org/x/crypto/openpgp/packet.(*PublicKeyV3).parse(0xc208064000, 0x7fa916c14c58, 0xc208062060, 0x0, 0x0)
    /home/marebri/devel/go/src/golang.org/x/crypto/openpgp/packet/public_key_v3.go:75 +0x273
golang.org/x/crypto/openpgp/packet.Read(0x7fa916c14b60, 0xc2080120e0, 0x7fa916c14c80, 0xc208064000, 0x0, 0x0)
    /home/marebri/devel/go/src/golang.org/x/crypto/openpgp/packet/packet.go:375 +0x152
golang.org/x/crypto/openpgp/packet.(*Reader).Next(0xc20803c480, 0x0, 0x0, 0x0, 0x0)
    /home/marebri/devel/go/src/golang.org/x/crypto/openpgp/packet/reader.go:37 +0x10c
golang.org/x/crypto/openpgp.readSignedMessage(0xc20803c480, 0xc2080600a0, 0x7fa916c14b88, 0x68c0a8, 0xc2080600a0, 0x0, 0x0)
    /home/marebri/devel/go/src/golang.org/x/crypto/openpgp/read.go:234 +0xc4
golang.org/x/crypto/openpgp.ReadMessage(0x7fa916c14b60, 0xc2080120e0, 0x7fa916c14b88, 0x68c0a8, 0x5f08c0, 0x0, 0xc208060000, 0x0, 0x0)
    /home/marebri/devel/go/src/golang.org/x/crypto/openpgp/read.go:137 +0x497
main.main()
    /home/marebri/devel/lab/go/crypto/openpgp/issues/3f41f6e4/main.go:40 +0x285

goroutine 2 [runnable]:
runtime.forcegchelper()
    /opt/go/src/runtime/proc.go:90
runtime.goexit()
    /opt/go/src/runtime/asm_amd64.s:2232 +0x1

goroutine 3 [runnable]:
runtime.bgsweep()
    /opt/go/src/runtime/mgc0.go:82
runtime.goexit()
    /opt/go/src/runtime/asm_amd64.s:2232 +0x1

goroutine 4 [runnable]:
runtime.runfinq()
    /opt/go/src/runtime/malloc.go:712
runtime.goexit()
    /opt/go/src/runtime/asm_amd64.s:2232 +0x1

Found using gofuzz. You may assign this issue to me.

Metadata

Metadata

Assignees

No one assigned

    Labels

    FrozenDueToAge

    Type

    No type

    Projects

    No projects

    Milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions