From dab4db0217898007496ef9639a6d3f33d6c3873a Mon Sep 17 00:00:00 2001
From: Pau Espin Pedrol <pespin@sysmocom.de>
Date: Wed, 16 May 2018 20:15:20 +0200
Subject: gsm: kasumi: Fix dynamic-stack-buffer-overflow on out buffers not
 multiple of 64 bits

Fixes following AddressSanitizer report during gea_test run with gcc
8.1.0:

==8899==ERROR: AddressSanitizer: dynamic-stack-buffer-overflow on address 0x7ffc5f1719bb at pc 0x7fe574adc5fe bp 0x7ffc5f171460 sp 0x7ffc5f171450
WRITE of size 1 at 0x7ffc5f1719bb thread T0
    #0 0x7fe574adc5fd in osmo_store64be_ext ../../include/osmocom/core/bit64gen.h:75
    #1 0x7fe574adc649 in osmo_store64be ../../include/osmocom/core/bit64gen.h:104
    #2 0x7fe574ade936 in _kasumi_kgcore libosmocore/src/gsm/kasumi.c:186
    #3 0x7fe574ae2532 in gea4 libosmocore/src/gsm/gea.c:44
    #4 0x7fe574ae266c in gea3 libosmocore/src/gsm/gea.c:60
    #5 0x7fe574a9b616 in gprs_cipher_run libosmocore/src/gsm/gprs_cipher_core.c:95
    #6 0x56422d3fb2ee in test_gea libosmocore/tests/gea/gea_test.c:29
    #7 0x56422d3fb506 in main libosmocore/tests/gea/gea_test.c:49
    #8 0x7fe5730f406a in __libc_start_main (/usr/lib/libc.so.6+0x2306a)
    #9 0x56422d3fadf9 in _start (libosmocore/tests/gea/.libs/lt-gea_test+0x1df9)

The kasumi_test is updated to calculate the entire array of bits
according to expected result. Before this commit it worked by writing
the entire last 64bit block, and addressSanitizer cannot catch it
because the allocated buffer is 64bit aligned too.

Change-Id: I7b2a0224a3b5527d5a3ad7e17efc73081b63eac1
---
 tests/kasumi/kasumi_test.c | 10 +++++-----
 1 file changed, 5 insertions(+), 5 deletions(-)

(limited to 'tests/kasumi')

diff --git a/tests/kasumi/kasumi_test.c b/tests/kasumi/kasumi_test.c
index f0f173ba..963ce77d 100644
--- a/tests/kasumi/kasumi_test.c
+++ b/tests/kasumi/kasumi_test.c
@@ -109,27 +109,27 @@ int main(int argc, char **argv)
 
 	uint8_t _Key1[] = {0x2B, 0xD6, 0x45, 0x9F, 0x82, 0xC5, 0xBC, 0x00, 0x2B, 0xD6, 0x45, 0x9F, 0x82, 0xC5, 0xBC, 0x00},
 	_gamma1[] = {0x88, 0x9E, 0xEA, 0xAF, 0x9E, 0xD1, 0xBA, 0x1A, 0xBB, 0xD8, 0x43, 0x62, 0x32, 0xE4, 0x57, 0x28, 0xD0, 0x1A, 0xA8, 0x91, 0x33, 0xDA, 0x73, 0xC1, 0x1E, 0xAB, 0x68, 0xB7, 0xD8, 0x9B, 0xC8, 0x41};
-	_kasumi_kgcore(0xF, 0, 0x0024F20F, 0, _Key1, gamma, 228);
+	_kasumi_kgcore(0xF, 0, 0x0024F20F, 0, _Key1, gamma, 32*8);
 	printf ("KGCORE Test Set 1: %d\n", _compare_mem(gamma, _gamma1, 32));
 
 	uint8_t _Key2[] = {0x95, 0x2C, 0x49, 0x10, 0x48, 0x81, 0xFF, 0x48, 0x95, 0x2C, 0x49, 0x10, 0x48, 0x81, 0xFF, 0x48},
 	_gamma2[] = {0xFB, 0x4D, 0x5F, 0xBC, 0xEE, 0x13, 0xA3, 0x33, 0x89, 0x28, 0x56, 0x86, 0xE9, 0xA5, 0xC9, 0x42, 0x40, 0xDE, 0x38, 0x15, 0x01, 0x15, 0xF1, 0x5F, 0x8D, 0x9D, 0x98, 0xB9, 0x1A, 0x94, 0xB2, 0x96};
-	_kasumi_kgcore(0xF, 0, 0x00061272, 0, _Key2, gamma, 228);
+	_kasumi_kgcore(0xF, 0, 0x00061272, 0, _Key2, gamma, 32*8);
 	printf ("KGCORE Test Set 2: %d\n", _compare_mem(gamma, _gamma2, 32));
 
 	uint8_t _Key3[] = {0xEF, 0xA8, 0xB2, 0x22, 0x9E, 0x72, 0x0C, 0x2A, 0xEF, 0xA8, 0xB2, 0x22, 0x9E, 0x72, 0x0C, 0x2A},
 	_gamma3[] = {0x0E, 0x40, 0x15, 0x75, 0x5A, 0x33, 0x64, 0x69, 0xC3, 0xDD, 0x86, 0x80, 0xE3, 0x03, 0x5B, 0xC4, 0x19, 0xA7, 0x8A, 0xD3, 0x86, 0x2C, 0x10, 0x90, 0xC6, 0x8A, 0x39, 0x1F, 0xE8, 0xA6, 0xAD, 0xEB};
-	_kasumi_kgcore(0xF, 0, 0x0033FD3F, 0, _Key3, gamma, 228);
+	_kasumi_kgcore(0xF, 0, 0x0033FD3F, 0, _Key3, gamma, 32*8);
 	printf ("KGCORE Test Set 3: %d\n", _compare_mem(gamma, _gamma3, 32));
 
 	uint8_t _Key4[] = {0x5A, 0xCB, 0x1D, 0x64, 0x4C, 0x0D, 0x51, 0x20, 0x4E, 0xA5, 0x5A, 0xCB, 0x1D, 0x64, 0x4C, 0x0D},
 	_gamma4[] = {0xE0, 0x95, 0x30, 0x6A, 0xD5, 0x08, 0x6E, 0x2E, 0xAC, 0x7F, 0x31, 0x07, 0xDE, 0x4F, 0xA2, 0x2D, 0xC1, 0xDF, 0xC9, 0x7D, 0x5B, 0xC5, 0x66, 0x1D, 0xD6, 0x09, 0x6F, 0x47, 0x6A, 0xED, 0xC6, 0x4B};
-	_kasumi_kgcore(0xF, 0, 0x00156B26, 0, _Key4, gamma, 228);
+	_kasumi_kgcore(0xF, 0, 0x00156B26, 0, _Key4, gamma, 32*8);
 	printf ("KGCORE Test Set 4: %d\n", _compare_mem(gamma, _gamma4, 32));
 
 	uint8_t _Key5[] = {0xD3, 0xC5, 0xD5, 0x92, 0x32, 0x7F, 0xB1, 0x1C, 0x40, 0x35, 0xC6, 0x68, 0x0A, 0xF8, 0xC6, 0xD1},
 	_gamma5[] = {0xDC, 0xE6, 0x43, 0x62, 0xAB, 0x5F, 0x89, 0xC1, 0x1E, 0xF0, 0xB3, 0x05, 0x16, 0x65, 0x70, 0xF4, 0x88, 0x9D, 0x55, 0x11, 0xE9, 0xE3, 0x57, 0x5D, 0x06, 0x2B, 0x5C, 0xED, 0x60, 0x39, 0x50, 0x6A};
-	_kasumi_kgcore(0xF, 0, 0x000A59B4, 0, _Key5, gamma, 228);
+	_kasumi_kgcore(0xF, 0, 0x000A59B4, 0, _Key5, gamma, 32*8);
 	printf ("KGCORE Test Set 5: %d\n", _compare_mem(gamma, _gamma5, 32));
 
 	return 0;
-- 
cgit v1.2.3