Asserts considered harmful (or GMP spills its sensitive information)
Marco Bodrato
bodrato at mail.dm.unipi.it
Thu Jan 3 22:15:51 UTC 2019
Ciao,
I'm not sending to oss-security... They does not seem to be interested.
Il Gio, 3 Gennaio 2019 9:42 pm, Jeffrey Walton ha scritto:
> On Thu, Jan 3, 2019 at 2:55 PM Marco Bodrato <bodrato at mail.dm.unipi.it>
> wrote:
>> This absolutely is NOT a "small example", it requires to build two
>> entire libraries!
> Well, if you can let us know how to reduce it further then we would be
> delighted to hear it.
I did, and I sent my analysis elsewhere.
Unfortunately, the topic here is not "delighting users" :-D
It is GMP bugs! And since your not "small" example does not show a GMP bug
(a behaviour of the library in contrast with the one expected reading
documentation), it would be off topic here.
> I thought it did a good job because it did not muck with your system,
You fired a bug for the wrong library...
The job could be done better, don't you agree? :-D
>> Can we suggest you to read the GMP manual on how to build the library?
>> GMP works fine on many ARM configurations we test and there are lots of
> Here's what I witness on a BananaPi and a couple of other boards. Can
[...]
> bananapi:~$ ./test-gmp.sh
What's "./test-gmp.sh"? It is not a script we provide. If that script does
not work, please report the failure to the author of that script. :-)
I'd suggest:
$ ./configure && make && make check
Then please read https://gmplib.org/manual/Installing-GMP.html if you need
more options.
>> On GMP side, we can only specify even more explicitly in the
>> documentation of that function the need for non-zero sized arguments.
> Returning a failure from mpn_sec_powm would be a most welcomed
> improvement.
Functions in the mpn_ layer are low-level functions. If a developer decide
to use those functions, she/he have the responsibility to correctly use
them.
Otherwise, the developers can decide to use the mpz_ layer or even more
complex wrappers.
Wish-lists of "welcomed improvements" is off topic on this list.
On GMP side, the bug report is closed.
Ĝis,
m
--
http://bodrato.it/papers/
More information about the gmp-bugs
mailing list