Dear Maintainer,
I noticed on Trixie that my code using String::Compare::ConstantTime would randomly crash.
In debugging it, I isolated the problem to the patch included in Debian for CVE-2024-13939
seen here: https://sources.debian.org/patches/libstring-compare-constanttime-perl/0.321-3/
The patch constructs a memory address from two different pointers, which, if the high bits
of one pointer do not match the high bits of the other pointer, points to a random
memory location. Reading from that location causes a segfault:
+ unsigned char *s;
+ unsigned char r;
+ uintptr_t mask;
+
+ /* Orchestrate a dummy compare which never matches and whose run-time does
+ * not stand out if a_len != b_len */
+ r = (a_len != b_len);
+ /* Branching-less: s = (r) ? b : a */
+ mask = 0u - r;
+ s = (unsigned char *)(((uintptr_t)b & mask) | ((uintptr_t)a & ~mask));
+
+ for (i = 0; i < b_len; i++) {
+ r |= *s++ ^ *b++;
}
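Review bot: in `mask = 0u - r;` the subtraction is evaluated at the width of `unsigned int` (the type of `0u`) and only widened to `uintptr_t` on assignment, so where `uintptr_t` is wider than `unsigned int` the upper bits of `mask` stay zero when `r` is 1. The select on the next line then takes its low bits from `b` and its high bits from `a`, and the loop dereferences that mixed address through `*s++`. Compute the mask at pointer width instead, for example `mask = (uintptr_t)0 - r;`, so that it is either zero or all ones across the whole pointer.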
For more details and a reproducer, see:
https://github.com/hoytech/String-Compare-ConstantTime/pull/21/#pullrequestreview-4345646603
Thanks,
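
The select described in the report, modelled on plain integers next to a full-width variant, as an added example that is not part of the original report or of the Debian patch. It assumes a target with 32-bit `unsigned int` and 64-bit pointers; the function names and the sample addresses are constructed for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Model of the patch's select, assuming 32-bit unsigned int and 64-bit
 * pointers. Addresses are plain integers here and are never dereferenced. */
uint64_t select_as_patched(uint64_t a, uint64_t b, unsigned char r)
{
    uint64_t mask = (uint32_t)((uint32_t)0 - r); /* like 0u - r: low 32 bits only */
    return (b & mask) | (a & ~mask);
}

/* Same select with the mask computed at full pointer width. */
uint64_t select_full_width(uint64_t a, uint64_t b, unsigned char r)
{
    uint64_t mask = (uint64_t)0 - r;             /* 0 or all 64 bits set */
    return (b & mask) | (a & ~mask);
}

/* Length-hiding comparison using the full-width mask (hypothetical helper).
 * Returns 1 when the buffers are equal, 0 otherwise. */
int ct_equal(const unsigned char *a, size_t a_len,
             const unsigned char *b, size_t b_len)
{
    unsigned char r = (a_len != b_len);
    uintptr_t mask = (uintptr_t)0 - r;
    /* Branch-free: s = r ? b : a, so a length mismatch compares b with b. */
    const unsigned char *s =
        (const unsigned char *)(((uintptr_t)b & mask) | ((uintptr_t)a & ~mask));
    size_t i;

    for (i = 0; i < b_len; i++)
        r |= s[i] ^ b[i];
    return r == 0;
}

int main(void)
{
    /* Constructed addresses whose upper 32 bits differ. */
    uint64_t a = 0x00007f1200001000ULL, b = 0x0000556600002000ULL;

    printf("patched:    %#llx\n", (unsigned long long)select_as_patched(a, b, 1));
    printf("full width: %#llx\n", (unsigned long long)select_full_width(a, b, 1));
    return 0;
}
```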