Signed integer overflow when SipHasher processes inputs >= 2 GB #19930

issue practicalswift opened this issue on September 10, 2020
  1. practicalswift (contributor) commented at 5:54 AM on September 10, 2020:

    Signed integer overflow when SipHasher processes inputs >= 2 GB.

    Live demo:

    $ src/test/fuzz/simplest_possible_siphash_fuzzer -rss_limit_mb=8000 crash-061a172add013c03beedf57eb2a121a8289696af
    crypto/siphash.cpp:56:10: runtime error: signed integer overflow: 2147483647 + 1 cannot be represented in type 'int'
    $ cat src/test/fuzz/simplest_possible_siphash_fuzzer.cpp
    #include <cstdint>
    #include <vector>
    
    #include <crypto/siphash.h>
    
    void test_one_input(const std::vector<uint8_t>& buffer)
    {
        CSipHasher(0, 0).Write(buffer.data(), buffer.size()).Finalize();
    }
    

    Credits to @elichai who submitted a differential SipHasher fuzzer in #19920 and @guidovranken who first spotted the issue. Thanks!

    Remember: don't trust -- fuzz! :)

  2. practicalswift added the label Bug on Sep 10, 2020
  3. sipa (member) commented at 7:31 AM on September 10, 2020:

    Not strictly an issue in our codebase, as all uses of CSipHasher are limited in size, but it's trivial to fix: #19931.

    Thanks!

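The two comments above describe the defect (a signed `int` byte counter incremented once per input byte, which is undefined behaviour once it passes `INT_MAX`) and the fix direction (the counter only needs to be wide enough for what the hash actually consumes). The following is an added illustration written for this page, not Bitcoin Core's `CSipHasher` and not the patch in #19931. It relies on a property of SipHash itself: finalization uses the message length only as its low byte (`(len & 0xFF) << 56` in the last word) and as the position inside the current 8-byte block (`len & 7`), so an 8-bit counter with well-defined unsigned wraparound carries all the information a wider signed counter did. The `SignedLengthTracker` and `ByteLengthTracker` names and the chunked `consume` API are constructed for the example; the signed variant returns `false` where the original code would have overflowed, so the hazard is observable without triggering undefined behaviour or allocating a 2 GB buffer.

```cpp
#include <climits>
#include <cstddef>
#include <cstdint>

// Constructed illustration, not Bitcoin Core code. A streaming SipHash only
// needs two things from the running byte count: the offset inside the current
// 8-byte block (count & 7) and the low byte of the total length that the
// algorithm folds into its final word ((count & 0xFF) << 56).

// Pattern 1: a signed int counter, as in the overflowing code. count++ past
// INT_MAX is undefined behaviour; here consume() refuses instead so the
// condition is visible to a test rather than silently wrapping.
struct SignedLengthTracker {
    int count = 0;
    bool consume(size_t n) {
        // count is never negative, so INT_MAX - count is a valid size_t.
        if (n > static_cast<size_t>(INT_MAX - count)) return false;
        count += static_cast<int>(n);
        return true;
    }
    uint64_t tail_word() const { return static_cast<uint64_t>(count & 0xFF) << 56; }
};

// Pattern 2: keep only the low 8 bits of the length. Unsigned arithmetic wraps
// with defined behaviour, and both derived values are identical to Pattern 1
// for every length at which Pattern 1 is still defined.
struct ByteLengthTracker {
    uint8_t count = 0;
    void consume(size_t n) { count = static_cast<uint8_t>(count + n); }
    unsigned block_offset() const { return count & 7; }
    uint64_t tail_word() const { return static_cast<uint64_t>(count) << 56; }
};

// Feed `total` bytes in writes of `chunk` bytes, the way a fuzzer with a huge
// buffer would, without allocating anything. Returns true only if the signed
// tracker never overflowed and both trackers agree on the final-word byte.
bool signed_counter_survives(uint64_t total, size_t chunk) {
    SignedLengthTracker s;
    ByteLengthTracker b;
    while (total > 0) {
        size_t n = total < chunk ? static_cast<size_t>(total) : chunk;
        if (!s.consume(n)) return false;  // this is where UBSan fired in the report
        b.consume(n);
        total -= n;
    }
    return s.tail_word() == b.tail_word();
}

// The 8-bit tracker for the same input: defined for any length, including
// the >= 2 GB inputs from the issue.
uint64_t byte_tracker_tail_word(uint64_t total, size_t chunk) {
    ByteLengthTracker b;
    while (total > 0) {
        size_t n = total < chunk ? static_cast<size_t>(total) : chunk;
        b.consume(n);
        total -= n;
    }
    return b.tail_word();
}
```

`signed_counter_survives(1000, 64)` is true, while `signed_counter_survives(2147483648ULL, 1 << 20)` is false: 2047 one-MiB chunks bring the signed counter to 2146435072, and the 2048th write would carry it past `INT_MAX`. `byte_tracker_tail_word` handles the same 2 GB input and yields the low byte of the length, which is all SipHash needs.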
  4. fanquake closed this on Sep 14, 2020

  5. sidhujag referenced this in commit 2db3208004 on Sep 15, 2020
  6. PastaPastaPasta referenced this in commit 0b9240c37a on Sep 17, 2021
  7. PastaPastaPasta referenced this in commit 25f21c103f on Sep 24, 2021
  8. kittywhiskers referenced this in commit c30d67d14b on Oct 12, 2021
  9. DrahtBot locked this on Aug 18, 2022

github-metadata-mirror

This is a metadata mirror of the GitHub repository bitcoin/bitcoin. This site is not affiliated with GitHub. Content is generated from a GitHub metadata backup.
generated: 2026-04-16 15:14 UTC
