crypto/hd: DerivePrivateKeyForPath can panic with index out of bounds if the path ends with a slash "/", due to improper check of length #8557

odeke-em · 2021-02-10T09:14:00Z

Summary of Bug

Found by auditing the code for Stargate and preparing to fuzz it, if any path is provided with a trailing slash for example just by simply passing in "m/16/19/" instead of "m/16/19" or even "/", or "m/16//10"

func TestDerivePrivateKeyForPath(t *testing.T) {
        hd.DerivePrivateKeyForPath([32]byte{}, [32]byte{}, "m/5/")
}

results in this panic

--- FAIL: TestDerivePrivateKeyForPath (0.00s)
panic: runtime error: slice bounds out of range [-1:] [recovered]
	panic: runtime error: slice bounds out of range [-1:]

goroutine 36 [running]:
testing.tRunner.func1.2(0x18b9080, 0xc00024bea8)
	/Users/emmanuelodeke/go/src/go.googlesource.com/go/src/testing/testing.go:1144 +0x332
testing.tRunner.func1(0xc000103080)
	/Users/emmanuelodeke/go/src/go.googlesource.com/go/src/testing/testing.go:1147 +0x4b6
panic(0x18b9080, 0xc00024bea8)
	/Users/emmanuelodeke/go/src/go.googlesource.com/go/src/runtime/panic.go:965 +0x1b9
github.com/cosmos/cosmos-sdk/crypto/hd.DerivePrivateKeyForPath(0x0, 0x0, 0x0, 0x0, 0xed2c7f8abb74f3c9, 0x8f0215d93407b907, 0x7a28ae7c374e8027, 0xb869ce287cabd893, 0x191cada, 0x4, ...)
	/Users/emmanuelodeke/go/src/github.com/cosmos/cosmos-sdk/crypto/hd/hdpath.go:192 +0x587
github.com/cosmos/cosmos-sdk/crypto/hd_test.TestDerivePrivateKeyForPath(0xc000103080)
	/Users/emmanuelodeke/go/src/github.com/cosmos/cosmos-sdk/crypto/hd/hdpath_test.go:286 +0x4d
testing.tRunner(0xc000103080, 0x1a80808)
	/Users/emmanuelodeke/go/src/go.googlesource.com/go/src/testing/testing.go:1194 +0xef
created by testing.(*T).Run
	/Users/emmanuelodeke/go/src/go.googlesource.com/go/src/testing/testing.go:1239 +0x2b3
exit status 2
FAIL	github.com/cosmos/cosmos-sdk/crypto/hd	0.296s

Version

All versions with this code

Cause

This code

cosmos-sdk/crypto/hd/hdpath.go

Lines 190 to 192 in c54025d

    
           for _, part := range parts { 
        
           	// do we have an apostrophe? 
        
           	harden := part[len(part)-1:] == "'"

assumes that ALL the parts will have a non-empty string, but that's clearly not true, if a path with a trailing slash were passed it, it'd crash.

Remedy

Before that part[len(part)-1] == "'", we need to check that the segment is non-empty. There is 2 fold remedy:

replace "//" with "/"
strip trailing and starting slashes

Let's please backport this change to all releases like Stargate et al.

For Admin Use

Not duplicate issue
Appropriate labels applied
Appropriate contributors tagged
Contributor assigned/self-assigned

The text was updated successfully, but these errors were encountered:

…ng slashes Detected during my audit, right before fuzzing, the code that checked for presence of hyphens per path segment assumed that the part would always be non-empty. However, with paths such as: * m/4/ * /44/ * m/4/// it'd panic with a runtime slice out of bounds. With this new change, we now: * firstly strip the right trailing slash * on finding any empty segments of a path return an error Fixes #8557

…ng slashes (#8607) Detected during my audit, right before fuzzing, the code that checked for presence of hyphens per path segment assumed that the part would always be non-empty. However, with paths such as: * m/4/ * /44/ * m/4/// it'd panic with a runtime slice out of bounds. With this new change, we now: * firstly strip the right trailing slash * on finding any empty segments of a path return an error Fixes #8557

…ng slashes (#8607) Detected during my audit, right before fuzzing, the code that checked for presence of hyphens per path segment assumed that the part would always be non-empty. However, with paths such as: * m/4/ * /44/ * m/4/// it'd panic with a runtime slice out of bounds. With this new change, we now: * firstly strip the right trailing slash * on finding any empty segments of a path return an error Fixes #8557 (cherry picked from commit f970056)

…ng slashes (#8607) (#8608) Detected during my audit, right before fuzzing, the code that checked for presence of hyphens per path segment assumed that the part would always be non-empty. However, with paths such as: * m/4/ * /44/ * m/4/// it'd panic with a runtime slice out of bounds. With this new change, we now: * firstly strip the right trailing slash * on finding any empty segments of a path return an error Fixes #8557 (cherry picked from commit f970056) Co-authored-by: Emmanuel T Odeke <[email protected]>

odeke-em added T:Bug T: Security labels Feb 10, 2021

odeke-em assigned alessio and cwgoes Feb 10, 2021

odeke-em mentioned this issue Feb 17, 2021

crypto/hd: make DerivePrivateKeyForPath error and not panic on trailing slashes #8607

Merged

9 tasks

mergify bot closed this as completed in #8607 Feb 17, 2021

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

crypto/hd: DerivePrivateKeyForPath can panic with index out of bounds if the path ends with a slash "/", due to improper check of length #8557

crypto/hd: DerivePrivateKeyForPath can panic with index out of bounds if the path ends with a slash "/", due to improper check of length #8557

odeke-em commented Feb 10, 2021

crypto/hd: DerivePrivateKeyForPath can panic with index out of bounds if the path ends with a slash "/", due to improper check of length #8557

crypto/hd: DerivePrivateKeyForPath can panic with index out of bounds if the path ends with a slash "/", due to improper check of length #8557

Comments

odeke-em commented Feb 10, 2021

Summary of Bug

Version

Cause

Remedy

For Admin Use