RIN-02 Panic Due to Integer Overflow in Signature Size Calculation

[liam-lai]

Proposed changes

Describe the big picture of your changes here to communicate to the maintainers why we should accept this pull request.

Malicious users can create signatures with invalid sizes but with forged numRing and ringSize to bypass the signature size check.

As a result, a panic from a buffer overflow may happen when the implementation tries to deserialize sig.S from the input with a big offset value.

Types of changes

What types of changes does your code introduce to XDC network?
Put an ✅ in the boxes that apply

• Bugfix (non-breaking change which fixes an issue)
• New feature (non-breaking change which adds functionality)
• Breaking change (fix or feature that would cause existing functionality to not work as expected)
• Documentation Update (if none of the other choices apply)
• Regular KTLO or any of the maintaince work. e.g code style
• CICD Improvement

Impacted Components

Which part of the codebase this PR will touch base on,

Put an ✅ in the boxes that apply

• Consensus
• Account
• Network
• Geth
• Smart Contract
• External components
• Not sure (Please specify below)

Checklist

Put an ✅ in the boxes once you have confirmed below actions (or provide reasons on not doing so) that

• This PR has sufficient test coverage (unit/integration test) OR I have provided reason in the PR description for not having test coverage
• Provide an end-to-end test plan in the PR description on how to manually test it on the devnet/testnet.
• Tested the backwards compatibility.
• Tested with XDC nodes running this version co-exist with those running the previous version.
• Relevant documentation has been updated as part of this PR
• N/A

[wgr523]

could numRing * ringSize overflow? could numRing * ringSize * 32 overflow?

[liam-lai]

yes it could, their types are both int

[liam-lai]

The value is actually reading from signature

func Deserialize(r []byte) (*RingSignature, error) {
	if len(r) < 16 {
		return nil, errors.New("Failed to deserialize ring signature")
	}
	offset := 0
	sig := new(RingSignature)
	numRing := r[offset : offset+8]
	offset += 8
	size := r[offset : offset+8]
	offset += 8

	size_uint := binary.BigEndian.Uint64(size)
	size_int := int(size_uint)
	sig.Size = size_int

[liam-lai]

I guess if someone manipulate signature that intend to make it overflow, it's doable.

[wgr523]

maybe we should check multiplication overflow too

[gzliudan]

In fact, the function computeSignatureSize should return uint, not int. The below function signature maybe better:

func computeSignatureSize(numRing uint64, ringSize uint64) uint64

When the compute result is overflow, we can return 0.

[liam-lai]

I think -1 is better since the final check is compared length, this quarantine is definitely return error

	if len(r) != computeSignatureSize(sig.NumRing, sig.Size) {
		return nil, fmt.Errorf("incorrect ring size, len r: %d, sig.NumRing: %d sig.Size: %d", len(r), sig.NumRing, sig.Size)
	}

[liam-lai]

maybe we should check multiplication overflow too

@wgr523 I didn't get you

[gzliudan]

Please note in the function func (r *RingSignature) Serialize() ([]byte, error):

8+8+32+32+(32+33)*r.NumRing*r.Size+33*r.NumRing 

can be replaced with computeSignatureSize(r.NumRing, r.Size)

[gzliudan]

Both of numRing and ringSize must greater than zero:

	if numRing <= 0 || ringSize <= 0 {
		return -1
	}

[liam-lai]

It can be zero right? based on the logic

	numRing := r[offset : offset+8]
	offset += 8
	size := r[offset : offset+8]
	offset += 8

	size_uint := binary.BigEndian.Uint64(size)
	size_int := int(size_uint)
	sig.Size = size_int

	size_uint = binary.BigEndian.Uint64(numRing)
	size_int = int(size_uint)
	sig.NumRing = size_int

[gzliudan]

In fact, the function computeSignatureSize should return uint, not int. The below function signature maybe better:

func computeSignatureSize(numRing uint64, ringSize uint64) uint64

When the compute result is overflow, we can return 0.