Bug 1850379

Summary:	perl-CryptX-0.053-14.fc33 FTBFS on 32-bit platforms: t/wycheproof.t crashes with libtommath 1.2.0
Product:	[Fedora] Fedora	Reporter:	Petr Pisar <ppisar>
Component:	perl-CryptX	Assignee:	Petr Pisar <ppisar>
Status:	CLOSED RAWHIDE	QA Contact:	Fedora Extras Quality Assurance <extras-qa>
Severity:	unspecified	Docs Contact:
Priority:	unspecified
Version:	rawhide	CC:	ppisar
Target Milestone:	---
Target Release:	---
Hardware:	i686
OS:	Unspecified
URL:	https://koji.fedoraproject.org/koji/buildinfo?buildID=1528093
Whiteboard:
Fixed In Version:	perl-CryptX-0.053-15.fc33	Doc Type:	If docs needed, set a value
Doc Text:		Story Points:	---
Clone Of:
Clones:	1850650 (view as bug list)		Environment:
Last Closed:	2020-06-25 05:10:27 UTC	Type:	Bug
Regression:	---	Mount Type:	---
Documentation:	---	CRM:
Verified Versions:		Category:	---
oVirt Team:	---	RHEL 7.3 requirements from Atomic Host:
Cloudforms Team:	---	Target Upstream Version:
Embargoed:
Bug Depends On:	1850650
Bug Blocks:

Description Petr Pisar 2020-06-24 07:49:00 UTC

perl-CryptX-0.053-14.fc33 fails to build with Perl 5.32 because t/wycheproof.t test crashes:

t/wycheproof.t ...................... 
Failed 227/762 subtests 
Test Summary Report
-------------------
t/wycheproof.t                    (Wstat: 139 Tests: 535 Failed: 0)
  Non-zero wait status: 139
  Parse errors: Bad plan.  You planned 762 tests but ran 535.

Comment 1 Petr Pisar 2020-06-24 08:03:26 UTC

Upstream removed the test in:

commit cf2422dc467f1e10a8c20cd362f7b3b296c24529
Author: Karel Miko <karel.miko>
Date:   Wed Oct 24 22:27:15 2018 +0200

    exclude wycheproof tests (too big) from dist tarball (via MANIFEST.SKIP)

Comment 2 Petr Pisar 2020-06-24 09:23:39 UTC

Rebuilding fails with the same error even with Perl 5.30 in a standard Rawhide.

Comment 3 Petr Pisar 2020-06-24 14:10:35 UTC

F31 is clear. I suspect an upgrade of libtommath to 1.2.0 in fc33.

Comment 4 Petr Pisar 2020-06-24 14:27:48 UTC

I confirm this is triggered with upgrading libtommath from 1.1.0-1.fc32 to 1.2.0-1.fc33.

Comment 5 Petr Pisar 2020-06-24 15:06:41 UTC

libtommath bisected to this breaking commint:

commit abdb03340255ff6759f2da2d400c50e4601156d6 (HEAD, refs/bisect/bad)
Author: czurnieden <czurnieden>
Date:   Wed Sep 25 00:29:19 2019 +0200

    Refactored functions to read and write binaries and added "maxlen"

It causes t/wycheproof.t test #536 to hang and then segfault. Before the commit:

$ LD_PRELOAD=/tmp/libtommath/.libs/libtommath.so   perl -Iblib/{lib,arch} t/wycheproof.t
[...]
ok 530 - type=DSAVer/SHA224 tcId=32 comment='uint64 overflow in length' expected-result=invalid
ok 531 - type=DSAVer/SHA224 tcId=33 comment='uint64 overflow in length' expected-result=invalid
ok 532 - type=DSAVer/SHA224 tcId=34 comment='length = 2**31 - 1' expected-result=invalid
ok 533 - type=DSAVer/SHA224 tcId=35 comment='length = 2**31 - 1' expected-result=invalid
ok 534 - type=DSAVer/SHA224 tcId=36 comment='length = 2**31 - 1' expected-result=invalid
ok 535 - type=DSAVer/SHA224 tcId=37 comment='length = 2**32 - 1' expected-result=invalid
ok 536 - type=DSAVer/SHA224 tcId=38 comment='length = 2**32 - 1' expected-result=invalid ←
ok 537 - type=DSAVer/SHA224 tcId=39 comment='length = 2**32 - 1' expected-result=invalid
[...]

After the commit:

ok 530 - type=DSAVer/SHA224 tcId=32 comment='uint64 overflow in length' expected-result=invalid
ok 531 - type=DSAVer/SHA224 tcId=33 comment='uint64 overflow in length' expected-result=invalid
ok 532 - type=DSAVer/SHA224 tcId=34 comment='length = 2**31 - 1' expected-result=invalid
ok 533 - type=DSAVer/SHA224 tcId=35 comment='length = 2**31 - 1' expected-result=invalid
ok 534 - type=DSAVer/SHA224 tcId=36 comment='length = 2**31 - 1' expected-result=invalid
ok 535 - type=DSAVer/SHA224 tcId=37 comment='length = 2**32 - 1' expected-result=invalid
Segmentation fault (core dumped)

GDB slows it down up to an unusable pace. /lib/libSegFault.so shows:

*** Segmentation fault
Register dump:

 EAX: 02809000   EBX: b7f1d000   ECX: 00000008   EDX: 02809001
 ESI: ffffffff   EDI: b74dba40   EBP: 027672f8   ESP: bfd3f3a0

 EIP: b7f06d71   EFLAGS: 00010246   

 CS: 0073   DS: 007b   ES: 007b   FS: 0000   GS: 0033   SS: 007b

 Trap: 0000000e   Error: 00000004   OldMask: 00000000
 ESP/signal: bfd3f3a0   CR2: 02809000

 FPUCW: ffff037f   FPUSW: ffff0020   TAG: ffffffff
 IPOFF: b7c57b44   CSSEL: 0000   DATAOFF: 00000000   DATASEL: 0000

 ST(0) 0000 0000000000000000   ST(1) 0000 0000000000000000
 ST(2) 0000 0000000000000000   ST(3) 0000 0000000000000000
 ST(4) 0000 0000000000000000   ST(5) 0000 0000000000000000
 ST(6) 0000 9bc2f43d2b140000   ST(7) 0000 0000000000000000

Backtrace:
/tmp/libtommath/.libs/libtommath.so(mp_from_ubin+0x82)[0xb7f06d71]
/tmp/libtommath/.libs/libtommath.so(mp_read_unsigned_bin+0x25)[0xb7f03f7c]
/lib/libtomcrypt.so.1(+0x61901)[0xb744e901]
/lib/libtomcrypt.so.1(der_decode_integer+0x74)[0xb745da44]
/lib/libtomcrypt.so.1(der_decode_sequence_ex+0x884)[0xb7460274]
/lib/libtomcrypt.so.1(dsa_verify_hash+0xed)[0xb7467ead]
blib/arch/auto/CryptX/CryptX.so(+0x1c585)[0xb7500585]
/lib/libperl.so.5.30(Perl_pp_entersub+0x210)[0xb7c5ee00]
/lib/libperl.so.5.30(Perl_runops_standard+0x3d)[0xb7c5500d]
/lib/libperl.so.5.30(perl_run+0x34b)[0xb7bc2d7b]
perl(+0x1398)[0x494398]
/lib/libc.so.6(__libc_start_main+0xf9)[0xb79d4fa9]
perl(+0x13e5)[0x4943e5]

"ok 536 - type=DSAVer/SHA224 tcId=38 comment='length = 2**32 - 1' expected-result=invalid" corresponds to this JSON input of the Perl test:

        {
          "comment" : "length = 2**32 - 1",
          "message" : "54657374",
          "name" : "RsaSignatureTestVector",
          "padding" : "30353084ffffffff060960864801650304020105000420532eaabd9574880dbf76b9b8cc00832c20a6ec113d682299550d7a6e0f345e25",
          "result" : "invalid",
          "sig" : "31afd9a0d827755352b16de04de42e98a8c72f08919ed475530a00c762b8a03bde22634dd856a7eede4b4947d780cb3efe55775e16d7f46f209dbcb5569b2d9469cc271aa850f74960f7c741928055925349821e32e1e0fe5a040010a39a4b6a343f7f35c204106b3617e528a99dcaea8a93766adcfe7be31cdb98f7f7f14669",
          "tcId" : 38
        },

I will try to minimize it. It could be a bad usage of libtommath API from the Perl side.

Comment 6 Petr Pisar 2020-06-24 15:41:35 UTC

A sample backtrace when the test runs for a very long time, some time before it crashes:

(gdb) bt
#0  0xb7fb993b in mp_mul_2d (a=0xa6b080, b=8, c=0xa6b080) at bn_mp_mul_2d.c:58
#1  0xb7fb6d52 in mp_from_ubin (a=0xa6b080, b=0xab907e "", size=4294845784) at bn_mp_from_ubin.c:23
#2  0xb7fb3f7c in mp_read_unsigned_bin (a=0xa6b080, 
    b=0xa9b5d8 "\036A\264y\255Wi\005\271`\376\024\352ۑ\260\314\363HCڹ\026\027;\270\311\315\002\035", c=-1) at bn_deprecated.c:243
#3  0xb74fd8a1 in unsigned_read (a=0xa6b080, 
    b=0xa9b5d8 "\036A\264y\255Wi\005\271`\376\024\352ۑ\260\314\363HCڹ\026\027;\270\311\315\002\035", len=4294967295)
    at src/math/ltm_desc.c:201
#4  0xb750d0f5 in der_decode_integer (
    in=0xa9b5d2 "\002\204\377\377\377\377\036A\264y\255Wi\005\271`\376\024\352ۑ\260\314\363HCڹ\026\027;\270\311\315\002\035", inlen=65, 
    num=0xa6b080) at src/pk/asn1/der/integer/der_decode_integer.c:57
#5  0xb750f9a3 in der_decode_sequence_ex (
    in=0xa9b5d0 "0A\002\204\377\377\377\377\036A\264y\255Wi\005\271`\376\024\352ۑ\260\314\363HCڹ\026\027;\270\311\315\002\035", 
    inlen=<optimized out>, list=0xbffff22c, outlen=2, ordered=1) at src/pk/asn1/der/sequence/der_decode_sequence_ex.c:111
#6  0xb75176ad in dsa_verify_hash (
    sig=0xa9b5d0 "0A\002\204\377\377\377\377\036A\264y\255Wi\005\271`\376\024\352ۑ\260\314\363HCڹ\026\027;\270\311\315\002\035", 
    siglen=67, hash=0xacb870 "AI\332\030\252\213\374+\036\070,l&Um\001\251,&\033d6\332\325\343\276", <incomplete sequence \314>, 
    hashlen=28, stat=0xbffff2d0, key=0xa99f6c) at src/pk/dsa/dsa_verify_hash.c:114
#7  0xb75b05b5 in XS_Crypt__PK__DSA__verify (my_perl=0x4051a0, cv=0x8d86b4) at ./inc/CryptX_PK_DSA.xs.inc:334
#8  0xb7d0ee00 in Perl_pp_entersub () from /lib/libperl.so.5.30
#9  0xb7d0500d in Perl_runops_standard () from /lib/libperl.so.5.30
#10 0xb7c72d7b in perl_run () from /lib/libperl.so.5.30
#11 0x00401398 in main ()

The test exhibits 2**32 - 1 (4294967295) length. Here we can see the big number in mp_from_ubin(..,size=4294845784)
and a wrap in bn_deprecated(...,c=-1). Then is a libtomcrypt library with again a big number unsigned_read(...,len=4294967295).

When I read the commit, I can see:

+#ifdef BN_MP_READ_UNSIGNED_BIN_C
+mp_err mp_read_unsigned_bin(mp_int *a, const unsigned char *b, int c)
+{
+   return mp_from_ubin(a, b, (size_t) c);
+}
+#endif

That's suspicious, then then:

@@ -76,7 +76,8 @@ mp_err s_mp_prime_random_ex(mp_int *a, int t, int size, int flags, private_mp_pr
       tmp[bsize-1]             |= maskOR_lsb;
 
       /* read it in */
-      if ((err = mp_read_unsigned_bin(a, tmp, bsize)) != MP_OKAY) {
+      /* TODO: casting only for now until all lengths have been changed to the type "size_t"*/
+      if ((err = mp_from_ubin(a, tmp, (size_t)bsize)) != MP_OKAY) {
          goto error;
       }

Where a comment admits that it's indeed wrong.

I conclude it's a bug libtommath library. I will probably disable the test as it tests as it exhibits libtomcrypt/libtommath internals and that's not interested from perl-CryptX point of view. But I will report it against libtommath to know about that.

Comment 7 Petr Pisar 2020-06-24 16:00:46 UTC

I removed the test.