Unsafe structure `blake2b_param` initialization
Opened this issue · 1 comments
YihaoPeng commented
Line 56 in b9900ff
blake2b_param P[1];
P->digest_length = HASHOUT;
P->key_length = 0;
P->fanout = 1;
P->depth = 1;
P->leaf_length = 0;
P->node_offset = 0;
P->node_depth = 0;
P->inner_length = 0;
memset(P->reserved, 0, sizeof(P->reserved));
memset(P->salt, 0, sizeof(P->salt));
memcpy(P->personal, (const uint8_t *)personal, 16);
The problem is that blake2b_param doesn't have to be 11 members, sometimes it can be 12:
https://github.com/BLAKE2/BLAKE2/blob/320c325437539ae91091ce62efec1913cd8093c2/ref/blake2.h#L108
This non-SSE version of the blake2 implementation has 12 members in blake2b_param:
BLAKE2_PACKED(struct blake2b_param__
{
uint8_t digest_length; /* 1 */
uint8_t key_length; /* 2 */
uint8_t fanout; /* 3 */
uint8_t depth; /* 4 */
uint32_t leaf_length; /* 8 */
uint32_t node_offset; /* 12 */
uint32_t xof_length; /* 16 */
uint8_t node_depth; /* 17 */
uint8_t inner_length; /* 18 */
uint8_t reserved[14]; /* 32 */
uint8_t salt[BLAKE2B_SALTBYTES]; /* 48 */
uint8_t personal[BLAKE2B_PERSONALBYTES]; /* 64 */
});
So, when I ported the code to a device that didn't support SSE, I experienced an "unexplained result error" in release build (because of uninitialized xof_length has the random value). The debug build is completely correct.
I spent two days debugging and finally found the problem here. I think the following code will be safer:
blake2b_param P[1];
memset(P, 0, sizeof(blake2b_param));
P->digest_length = HASHOUT;
P->fanout = 1;
P->depth = 1;
memcpy(P->personal, (const uint8_t *)personals, 16);
YihaoPeng commented
I have created the same issue in tromp/equihash#20