-
Notifications
You must be signed in to change notification settings - Fork 444
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Fix out of bounds read in slarrv #625
Fix out of bounds read in slarrv #625
Conversation
fc96b97
to
02d4a9d
Compare
It looks right to but it might make sense to move this check to Lines 353 to 355 in 44ecb6a
This issue was found in JuliaLang/LinearAlgebra.jl#873, i.e. the original call was from This PR only fixes the |
Codecov Report
@@ Coverage Diff @@
## master JuliaLang/julia#625 +/- ##
=======================================
Coverage 0.00% 0.00%
=======================================
Files 1894 1894
Lines 184021 184021
=======================================
Misses 184021 184021
Continue to review full report at Codecov.
|
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Looks good to me (with the change suggested by andreasnoack, to move the exit to the start of the function where we already check for N.LE.0 )
I agree with @martin-frbg and @andreasnoack. Could you do this slightly modification, @Keno? Thanks a lot. |
This was originally reported as https://github.com/JuliaLang/julia/issues/42415. I've tracked this down to an our of bounds read on the following line: https://github.com/Reference-LAPACK/lapack/blob/44ecb6a5ff821b1cbb39f8cc2166cb098e060b4d/SRC/slarrv.f#L423 In the crashing example, `M` is `0`, causing `slarrv` to read uninitialized memory from the work array. I believe the `0` for `M` is correct and indeed, the documentation above supports that `M` may be zero: https://github.com/Reference-LAPACK/lapack/blob/44ecb6a5ff821b1cbb39f8cc2166cb098e060b4d/SRC/slarrv.f#L113-L116 I believe it may be sufficient to early-out this function as suggested in this PR. However, I have limited context for the full routine here, so I would appreciate a sanity check.
02d4a9d
to
0631b6b
Compare
I updated the PR. |
Thanks!! I've just merged it. |
Thanks @Keno. Excellent! |
…ang/julia#42415, ref Reference-LAPACK/lapack#625)
…ang/julia#42415, ref Reference-LAPACK/lapack#625)
…ang/julia#42415, ref Reference-LAPACK/lapack#625)
…ang/julia#42415, ref Reference-LAPACK/lapack#625)
…ang/julia#42415, ref Reference-LAPACK/lapack#625)
We got an info that VulnDB is flagging this fix as a security issue. The relevant VulnDB link should be: https://vulndb.cyberriskanalytics.com/vulnerabilities/270365 and should include the following description:
Note that it's flagging OpenBLAS as affected, not lapack directly, but the relevant file is the lapack code bundled in OpenBLAS. However, this information is part of the VulnDB subscriber-only content and I do not have access to it, we only got this information indirectly. AFAICT, there was no CVE assigned for the issue. I'd like to ask if you have any concerns with getting a CVE assigned here as the issue is already getting flagged as a vulnerability. Any thoughts on how likely this issue may be triggered in a real-world use cases via untrusted inputs to a non-malicious applications? |
It is an out of bounds read, so it does qualify as the kind of vulnerability CVEs are issued for if someone wanted to write that up and submit it. Not sure how likely it is that someone is taking untrusted matrices and running a symmetric tridiag eigensolve on them, which is a bit of a niche thing to do, but if you are, crafting a malicious input is pretty easy. |
Thank you! CVE-2021-4048 was assigned. https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-4048 |
This was originally reported as JuliaLang/LinearAlgebra.jl#873.
I've tracked this down to an out of bounds read on the following line:
lapack/SRC/slarrv.f
Line 423 in 44ecb6a
In the crashing example,
M
is0
, causingslarrv
to read uninitializedmemory from the work array. I believe the
0
forM
is correct and indeed,the documentation above supports that
M
may be zero:lapack/SRC/slarrv.f
Lines 113 to 116 in 44ecb6a
I believe it may be sufficient to early-out this function as suggested
in this PR. However, I have limited context for the full routine here,
so I would appreciate a sanity check.