Signed integer overflow when SipHasher processes inputs >= 2 GB.
Live demo:
$ src/test/fuzz/simplest_possible_siphash_fuzzer -rss_limit_mb=8000 crash-061a172add013c03beedf57eb2a121a8289696af
crypto/siphash.cpp:56:10: runtime error: signed integer overflow: 2147483647 + 1 cannot be represented in type 'int'
$ cat src/test/fuzz/simplest_possible_siphash_fuzzer.cpp
#include <cstdint>
#include <vector>
#include <crypto/siphash.h>

// Fuzz target: hash the whole input buffer in one Write call, so an
// input of >= 2 GB drives CSipHasher's internal byte counter past INT_MAX.
void test_one_input(const std::vector<uint8_t>& buffer)
{
    CSipHasher(0, 0).Write(buffer.data(), buffer.size()).Finalize();
}
Credits to @elichai who submitted a differential SipHasher fuzzer in #19920 and @guidovranken who first spotted the issue. Thanks!
Remember: don't trust -- fuzz! :)
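As an added illustration (not Bitcoin Core's CSipHasher and not the change in #19931), here is a streaming SipHash-2-4 whose byte counter is an unsigned 64-bit value: only the low 8 bits of the length reach the finalization block, so a wrapping unsigned counter is correct, whereas a signed int counter overflows at 2^31 - 1 bytes. The class name, `sequence` and `siphash24` helpers are this example's own; the key and test vectors are the published SipHash ones.

```cpp
#include <cstddef>
#include <cstdint>
#include <vector>

// Streaming SipHash-2-4 with an unsigned byte counter: only the low 8 bits of
// `count` reach the output (as the top byte of the final block), so wrapping a
// uint64_t is harmless, whereas a signed int counter is undefined at 2^31 - 1.
class SipHasher24 {
    uint64_t v[4];
    uint64_t tmp = 0;   // bytes of the current, not yet complete 8-byte block
    uint64_t count = 0; // total bytes written; unsigned, so wrapping is defined
    static uint64_t rotl(uint64_t x, int b) { return (x << b) | (x >> (64 - b)); }
    void round() {
        v[0] += v[1]; v[1] = rotl(v[1], 13); v[1] ^= v[0]; v[0] = rotl(v[0], 32);
        v[2] += v[3]; v[3] = rotl(v[3], 16); v[3] ^= v[2];
        v[0] += v[3]; v[3] = rotl(v[3], 21); v[3] ^= v[0];
        v[2] += v[1]; v[1] = rotl(v[1], 17); v[1] ^= v[2]; v[2] = rotl(v[2], 32);
    }
public:
    SipHasher24(uint64_t k0, uint64_t k1)
        : v{0x736f6d6570736575ULL ^ k0, 0x646f72616e646f6dULL ^ k1,
            0x6c7967656e657261ULL ^ k0, 0x7465646279746573ULL ^ k1} {}
    SipHasher24& Write(const unsigned char* data, size_t len) {
        for (size_t i = 0; i < len; ++i) {
            tmp |= uint64_t(data[i]) << (8 * (count % 8)); // little-endian fill
            if (++count % 8 == 0) { v[3] ^= tmp; round(); round(); v[0] ^= tmp; tmp = 0; }
        }
        return *this;
    }
    uint64_t Finalize() const {
        SipHasher24 h = *this; // finalize a copy so the hasher stays reusable
        uint64_t last = h.tmp | (uint64_t(h.count & 0xFF) << 56); // length mod 256
        h.v[3] ^= last; h.round(); h.round(); h.v[0] ^= last; h.v[2] ^= 0xFF;
        for (int i = 0; i < 4; ++i) h.round();
        return h.v[0] ^ h.v[1] ^ h.v[2] ^ h.v[3];
    }
};
// Bytes 0..n-1, the input shape used by the published SipHash test vectors.
std::vector<unsigned char> sequence(size_t n) {
    std::vector<unsigned char> out(n);
    for (size_t i = 0; i < n; ++i) out[i] = static_cast<unsigned char>(i);
    return out;
}
// Hash `in` as two Write calls split at `split`, exercising the block buffering.
uint64_t siphash24(uint64_t k0, uint64_t k1, const std::vector<unsigned char>& in, size_t split = 0) {
    if (split > in.size()) split = in.size();
    SipHasher24 h(k0, k1);
    h.Write(in.data(), split).Write(in.data() + split, in.size() - split);
    return h.Finalize();
}
```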
Not strictly an issue in our codebase, as all uses of CSipHasher are limited in size, but it's trivial to fix: #19931.
Thanks!