x/crypto/openpgp: ReadMessage(): Panic on invalid input in packet.PublicKeyV3.setFingerPrintAndKeyId() (slice bounds out of range)

Question

x/crypto/openpgp: ReadMessage(): Panic on invalid input in packet.PublicKeyV3.setFingerPrintAndKeyId() (slice bounds out of range)

marete opened this issue 9 years ago · comments

Brian Gitonga Marete commented 9 years ago

The following program panics:

package main

import (
    "bytes"
    "encoding/hex"
    "io"
    "log"
    "os"

    "golang.org/x/crypto/openpgp"
)

// An empty Keyring
type emptyKR struct {
}

func (kr emptyKR) KeysById(id uint64) []openpgp.Key {
    return nil
}

func (kr emptyKR) DecryptionKeys() []openpgp.Key {
    return nil
}

func (kr emptyKR) KeysByIdUsage(uint64, byte) []openpgp.Key {
    return nil
}

var data = "9303000130303030303030303030983002303030303030030000000130"

func main() {
    buf, err := hex.DecodeString(data)
    if err != nil {
        log.Fatalln(err)
    }

    md, err := openpgp.ReadMessage(bytes.NewBuffer(buf), emptyKR{},
        func([]openpgp.Key, bool) ([]byte, error) {
            return []byte("insecure"), nil
        }, nil)

    if err != nil {
        log.Fatalln(err)
    }

    _, err = io.Copy(os.Stdout, md.UnverifiedBody)
    if err != nil {
        log.Fatalln(err)
    }

    if md.SignatureError != nil {
        log.Fatalln("integrity check failed")
    }
}

with the trace:

panic: runtime error: slice bounds out of range

goroutine 1 [running]:
golang.org/x/crypto/openpgp/packet.(*PublicKeyV3).setFingerPrintAndKeyId(0xc208064000)
    /home/marebri/devel/go/src/golang.org/x/crypto/openpgp/packet/public_key_v3.go:85 +0x168
golang.org/x/crypto/openpgp/packet.(*PublicKeyV3).parse(0xc208064000, 0x7fa916c14c58, 0xc208062060, 0x0, 0x0)
    /home/marebri/devel/go/src/golang.org/x/crypto/openpgp/packet/public_key_v3.go:75 +0x273
golang.org/x/crypto/openpgp/packet.Read(0x7fa916c14b60, 0xc2080120e0, 0x7fa916c14c80, 0xc208064000, 0x0, 0x0)
    /home/marebri/devel/go/src/golang.org/x/crypto/openpgp/packet/packet.go:375 +0x152
golang.org/x/crypto/openpgp/packet.(*Reader).Next(0xc20803c480, 0x0, 0x0, 0x0, 0x0)
    /home/marebri/devel/go/src/golang.org/x/crypto/openpgp/packet/reader.go:37 +0x10c
golang.org/x/crypto/openpgp.readSignedMessage(0xc20803c480, 0xc2080600a0, 0x7fa916c14b88, 0x68c0a8, 0xc2080600a0, 0x0, 0x0)
    /home/marebri/devel/go/src/golang.org/x/crypto/openpgp/read.go:234 +0xc4
golang.org/x/crypto/openpgp.ReadMessage(0x7fa916c14b60, 0xc2080120e0, 0x7fa916c14b88, 0x68c0a8, 0x5f08c0, 0x0, 0xc208060000, 0x0, 0x0)
    /home/marebri/devel/go/src/golang.org/x/crypto/openpgp/read.go:137 +0x497
main.main()
    /home/marebri/devel/lab/go/crypto/openpgp/issues/3f41f6e4/main.go:40 +0x285

goroutine 2 [runnable]:
runtime.forcegchelper()
    /opt/go/src/runtime/proc.go:90
runtime.goexit()
    /opt/go/src/runtime/asm_amd64.s:2232 +0x1

goroutine 3 [runnable]:
runtime.bgsweep()
    /opt/go/src/runtime/mgc0.go:82
runtime.goexit()
    /opt/go/src/runtime/asm_amd64.s:2232 +0x1

goroutine 4 [runnable]:
runtime.runfinq()
    /opt/go/src/runtime/malloc.go:712
runtime.goexit()
    /opt/go/src/runtime/asm_amd64.s:2232 +0x1

Found using gofuzz. You may assign this issue to me.

Ian Lance Taylor commented 9 years ago

CC @agl

GopherBot · Answer 1 · Mon Jul 27 2015 09:01:28 GMT+0800 (China Standard Time)

CL https://golang.org/cl/12635 mentions this issue.