commit 5260ce27edaaa43e4df193b146e0881d238ff7ae
author Paul Elliott <paul.elliott@arm.com> Mon May 09 18:15:54 2022 +0100
committer Paul Elliott <paul.elliott@arm.com> Thu May 19 18:23:24 2022 +0100
tree cc18ee93a5e79b2cbe26f772702dd90cdde05325
parent a745c7d4398b22ceae1ce21bfbcb2fa2f7fab4d3

Fix uninitialised memory access in constant time functions

Fix an issue reported by Coverity whereby some constant time functions
called from the ssl decrypt code could potentially access uninitialised
memory.

Signed-off-by: Paul Elliott <paul.elliott@arm.com>

library/constant_time.c

diff --git a/library/constant_time.c b/library/constant_time.c
index a6451bb..0b409b3 100644
--- a/library/constant_time.c
+++ b/library/constant_time.c
@@ -514,6 +514,12 @@
     PSA_CHK( psa_hash_update( &operation, add_data, add_data_len ) );
     PSA_CHK( psa_hash_update( &operation, data, min_data_len ) );
 
+    /* Fill the hash buffer in advance with something that is
+     * not a valid hash (barring an attack on the hash and
+     * deliberately-crafted input), in case the caller doesn't
+     * check the return status properly. */
+    memset( output, '!', hash_size );
+
     /* For each possible length, compute the hash up to that point */
     for( offset = min_data_len; offset <= max_data_len; offset++ )
     {
@@ -609,6 +615,12 @@
     MD_CHK( mbedtls_md_update( ctx, add_data, add_data_len ) );
     MD_CHK( mbedtls_md_update( ctx, data, min_data_len ) );
 
+    /* Fill the hash buffer in advance with something that is
+     * not a valid hash (barring an attack on the hash and
+     * deliberately-crafted input), in case the caller doesn't
+     * check the return status properly. */
+    memset( output, '!', hash_size );
+
     /* For each possible length, compute the hash up to that point */
     for( offset = min_data_len; offset <= max_data_len; offset++ )
     {