Use of uninitialised value in CryptoPP::Rijndael_Enc_AdvancedProcessBlocks

[Nikratio]

Hello,

When running a different module under Valgrind, I noticed that CryptoPP seems to use uninitialized values at a few points:

==8726== Use of uninitialised value of size 4
==8726==    at 0x65D6325: CryptoPP::Rijndael_Enc_AdvancedProcessBlocks(void*, unsigned int const*) (in /usr/lib/libcrypto++.so.8.0.0)
==8726==    by 0x65D651D: CryptoPP::Rijndael::Enc::AdvancedProcessBlocks(unsigned char const*, unsigned char const*, unsigned char*, unsigned int, unsigned int) const (in /usr/lib/libcrypto++.so.8.0.0)
==8726==    by 0x65B1341: CryptoPP::CTR_ModePolicy::OperateKeystream(CryptoPP::KeystreamOperation, unsigned char*, unsigned char const*, unsigned int) (in /usr/lib/libcrypto++.so.8.0.0)
==8726==    by 0x62EE05E: CryptoPP::CTR_ModePolicy::WriteKeystream(unsigned char*, unsigned int) (modes.h:151)
==8726==    by 0x650B48E: CryptoPP::AdditiveCipherTemplate<CryptoPP::AbstractPolicyHolder<CryptoPP::AdditiveCipherAbstractPolicy, CryptoPP::CTR_ModePolicy> >::ProcessData(unsigned char*, unsigned char const*, unsigned int) (in /usr/lib/libcrypto++.so.8.0.0)
==8726==    by 0x62EDA5D: AES_process(AES*, _object*) (aesmodule.cpp:77)
==8726==    by 0x80F92A8: call_function (ceval.c:3738)
==8726==    by 0x80F4ACA: PyEval_EvalFrameEx (ceval.c:2412)
==8726==    by 0x80F7214: PyEval_EvalCodeEx (ceval.c:3000)
==8726==    by 0x80F99F3: fast_function (ceval.c:3846)
==8726==    by 0x80F964C: call_function (ceval.c:3771)
==8726==    by 0x80F4ACA: PyEval_EvalFrameEx (ceval.c:2412)

[zooko]

Is it possible that the data or the key really are uninitialised?

Another possibility would be if your version of Crypto++ doesn't have this patch: ​http://bazaar.launchpad.net/~zooko/cryptopp/trunk/revision/455 from 2009-09-17.

Can you please submit a minimal test that demonstrates this bug when run under valgrind, either a program that I can build and execute with:

make && valgrind $PROGNAME or else a unit test that I can execute with make && valgrind python setup.py test.

[Nikratio]

Here you go:

$ valgrind python-dbg contrib/test.py 
==19162== Memcheck, a memory error detector
==19162== Copyright (C) 2002-2010, and GNU GPL'd, by Julian Seward et al.
==19162== Using Valgrind-3.6.0.SVN-Debian and LibVEX; rerun with -h for copyright info
==19162== Command: python-dbg contrib/test.py
==19162== 
==19162== Use of uninitialised value of size 4
==19162==    at 0x5121325: CryptoPP::Rijndael_Enc_AdvancedProcessBlocks(void*, unsigned int const*) (in /usr/lib/libcrypto++.so.8.0.0)
==19162==    by 0x512151D: CryptoPP::Rijndael::Enc::AdvancedProcessBlocks(unsigned char const*, unsigned char const*, unsigned char*, unsigned int, unsigned int) const (in /usr/lib/libcrypto++.so.8.0.0)
==19162==    by 0x50FC341: CryptoPP::CTR_ModePolicy::OperateKeystream(CryptoPP::KeystreamOperation, unsigned char*, unsigned char const*, unsigned int) (in /usr/lib/libcrypto++.so.8.0.0)
==19162==    by 0x4E2405E: CryptoPP::CTR_ModePolicy::WriteKeystream(unsigned char*, unsigned int) (modes.h:151)
==19162==    by 0x505648E: CryptoPP::AdditiveCipherTemplate<CryptoPP::AbstractPolicyHolder<CryptoPP::AdditiveCipherAbstractPolicy, CryptoPP::CTR_ModePolicy> >::ProcessData(unsigned char*, unsigned char const*, unsigned int) (in /usr/lib/libcrypto++.so.8.0.0)
==19162==    by 0x4E23A5D: AES_process(AES*, _object*) (aesmodule.cpp:77)
==19162==    by 0x80F92A8: call_function (ceval.c:3738)
==19162==    by 0x80F4ACA: PyEval_EvalFrameEx (ceval.c:2412)
==19162==    by 0x80F98F3: fast_function (ceval.c:3836)
==19162==    by 0x80F964C: call_function (ceval.c:3771)
==19162==    by 0x80F4ACA: PyEval_EvalFrameEx (ceval.c:2412)
==19162==    by 0x80F7214: PyEval_EvalCodeEx (ceval.c:3000)
==19162== 
[19593 refs]
==19162== 
==19162== HEAP SUMMARY:
==19162==     in use at exit: 565,451 bytes in 5,895 blocks
==19162==   total heap usage: 51,971 allocs, 46,076 frees, 5,439,309 bytes allocated
==19162== 
==19162== LEAK SUMMARY:
==19162==    definitely lost: 0 bytes in 0 blocks
==19162==    indirectly lost: 0 bytes in 0 blocks
==19162==      possibly lost: 544,863 bytes in 5,576 blocks
==19162==    still reachable: 20,588 bytes in 319 blocks
==19162==         suppressed: 0 bytes in 0 blocks
==19162== Rerun with --leak-check=full to see details of leaked memory
==19162== 
==19162== For counts of detected and suppressed errors, rerun with: -v
==19162== Use --track-origins=yes to see where uninitialised values come from
==19162== ERROR SUMMARY: 2 errors from 1 contexts (suppressed: 50 from 11)

$ cat contrib/test.py 
import hmac
import pycryptopp
import hashlib
import struct

def encrypt(buf, passphrase, nonce):
    
    key = hashlib.sha256(passphrase + nonce).digest()
    cipher = pycryptopp.cipher.aes.AES(key)
    hmac_ = hmac.new(key, digestmod=hashlib.sha256)

    hmac_.update(buf)
    buf = cipher.process(buf)
    hash_ = cipher.process(hmac_.digest())

    return b''.join(
                    (struct.pack(b'<B', len(nonce)),
                    nonce, hash_, buf))
        
encrypt('foobar', 'passphrase', 'nonce')

[Nikratio]

The Crypto++ version is 5.6.0, python-pycryptopp is 0.5.17.

[zooko]

Hm, I'm pretty busy but this could be a serious bug. Is anyone else available to look at it?

[zooko]

Okay, I'll look at this.

[zooko]

Could not reproduce with:

$ PYTHONPATH= python -c 'import pycryptopp;print pycryptopp.__version__;print pycryptopp._pycryptopp.cryptopp_version'
0.5.25-r761
(560, 'pycryptopp-0.5.25-r761')

[zooko]

Also could not reproduce with pycryptopp-0.5.17. Will add your test to the buildbot...

[zooko]

Okay I added your test to the test suite and am running it on the buildbots. See the buildbots for results. I can't reproduce it, and the version of pycryptopp you were using is a bit old. Please try to reproduce it with the latest version and report back. I'm assigning this ticket to you, so please close it when you are done with it, or assign it back to me if you want more help from me.

[Nikratio]

I'll try with the newest version. Where can I find the results from the buildbots?

[Nikratio]

I'm able to reproduce the problem with:

pycryptopp-0.5.23
pycryptopp-0.5.26
pycryptopp-0.5.27
pycryptopp-0.5.28

(all retrieved with darcs get --lazy --tag [tagname] ​http://tahoe-lafs.org/source/pycryptopp/trunk).

Example:

$ python-dbg -c 'import pycryptopp;print pycryptopp.__version__;print pycryptopp._pycryptopp.cryptopp_version'
0.5.28
(560, 'pycryptopp-0.5.28')
[16808 refs]

$ valgrind python-dbg test.py 
==17075== Memcheck, a memory error detector
==17075== Copyright (C) 2002-2010, and GNU GPL'd, by Julian Seward et al.
==17075== Using Valgrind-3.6.0.SVN-Debian and LibVEX; rerun with -h for copyright info
==17075== Command: python-dbg test.py
==17075== 
==17075== Use of uninitialised value of size 4
==17075==    at 0x4FD67F9: CryptoPP::Rijndael_Enc_AdvancedProcessBlocks(void*, unsigned int const*) (rijndael.cpp:900)
==17075==    by 0x500EEE3: CryptoPP::CTR_ModePolicy::OperateKeystream(CryptoPP::KeystreamOperation, unsigned char*, unsigned char const*, unsigned int) (modes.cpp:118)
==17075==    by 0x4F7CFDF: CryptoPP::CTR_ModePolicy::WriteKeystream(unsigned char*, unsigned int) (modes.h:151)
==17075==    by 0x4F85F53: CryptoPP::AdditiveCipherTemplate<CryptoPP::AbstractPolicyHolder<CryptoPP::AdditiveCipherAbstractPolicy, CryptoPP::CTR_ModePolicy> >::ProcessData(unsigned char*, unsigned char const*, unsigned int) (strciphr.cpp:119)
==17075==    by 0x5059617: AES_process(AES*, _object*) (aesmodule.cpp:78)
==17075==    by 0x80F92A8: call_function (ceval.c:3738)
==17075==    by 0x80F4ACA: PyEval_EvalFrameEx (ceval.c:2412)
==17075==    by 0x80F98F3: fast_function (ceval.c:3836)
==17075==    by 0x80F964C: call_function (ceval.c:3771)
==17075==    by 0x80F4ACA: PyEval_EvalFrameEx (ceval.c:2412)
==17075==    by 0x80F7214: PyEval_EvalCodeEx (ceval.c:3000)
==17075==    by 0x80ED06A: PyEval_EvalCode (ceval.c:541)
==17075== 

[Nikratio]

Some buildbots do show the error. Example:

​http://tahoe-lafs.org/buildbot-pycryptopp/builders/Brian%20Ubuntu-i386%20linode/builds/27/steps/test/logs/valgrind

[zooko]

The same valgrind warning happens when you run cryptopp561.zip upstream (see below).

Wei Dai, primary author of upstream Crypto++, is looking into it.

==1403== Memcheck, a memory error detector
==1403== Copyright (C) 2002-2010, and GNU GPL'd, by Julian Seward et al.
==1403== Using Valgrind-3.6.0.SVN-Debian and LibVEX; rerun with -h for copyright info
==1403== Command: ./cryptest.exe tv aes
==1403== Parent PID: 1235
==1403== 
==1403== Use of uninitialised value of size 4
==1403==    at 0x81D65FE: CryptoPP::Rijndael::Enc::AdvancedProcessBlocks(unsigned char const*, unsigned char const*, unsigned char*, unsigned int, unsigned int) const (rijndael.cpp:1233)
==1403==    by 0x81D6FE4: CryptoPP::Rijndael::Enc::ProcessAndXorBlock(unsigned char const*, unsigned char const*, unsigned char*) const (rijndael.cpp:354)
==1403==    by 0x81B28E5: CryptoPP::OFB_ModePolicy::WriteKeystream(unsigned char*, unsigned int) (cryptlib.h:438)
==1403==    by 0x813CA51: CryptoPP::AdditiveCipherTemplate<CryptoPP::AbstractPolicyHolder<CryptoPP::AdditiveCipherAbstractPolicy, CryptoPP::OFB_ModePolicy> >::GenerateBlock(unsigned char*, unsigned int) (strciphr.cpp:60)
==1403==    by 0x811ADA6: CryptoPP::RandomNumberGenerator::GenerateWord32(unsigned int, unsigned int) (cryptlib.cpp:257)
==1403==    by 0x80D3B78: RandomizedTransfer(CryptoPP::BufferedTransformation&, CryptoPP::BufferedTransformation&, bool, std::string const&) (datatest.cpp:65)
==1403==    by 0x80D43A6: PutDecodedDatumInto(std::map<std::string, std::string, std::less<std::string>, std::allocator<std::pair<std::string const, std::string> > > const&, char const*, CryptoPP::BufferedTransformation&) (datatest.cpp:119)
==1403==    by 0x80D4AAE: GetDecodedDatum(std::map<std::string, std::string, std::less<std::string>, std::allocator<std::pair<std::string const, std::string> > > const&, char const*) (datatest.cpp:125)
==1403==    by 0x80D54F9: TestSymmetricCipher(std::map<std::string, std::string, std::less<std::string>, std::allocator<std::pair<std::string const, std::string> > >&, CryptoPP::NameValuePairs const&) (datatest.cpp:321)
==1403==    by 0x80DB1C5: TestDataFile(std::string const&, CryptoPP::NameValuePairs const&, unsigned int&, unsigned int&) (datatest.cpp:703)
==1403==    by 0x80DB7BB: RunTestDataFile(char const*, CryptoPP::NameValuePairs const&) (datatest.cpp:747)
==1403==    by 0x806EEEA: main (test.cpp:255)
==1403== 
==1403== Use of uninitialised value of size 4
==1403==    at 0x81D6618: CryptoPP::Rijndael::Enc::AdvancedProcessBlocks(unsigned char const*, unsigned char const*, unsigned char*, unsigned int, unsigned int) const (rijndael.cpp:1238)
==1403==    by 0x81D6FE4: CryptoPP::Rijndael::Enc::ProcessAndXorBlock(unsigned char const*, unsigned char const*, unsigned char*) const (rijndael.cpp:354)
==1403==    by 0x81B28E5: CryptoPP::OFB_ModePolicy::WriteKeystream(unsigned char*, unsigned int) (cryptlib.h:438)
==1403==    by 0x813CA51: CryptoPP::AdditiveCipherTemplate<CryptoPP::AbstractPolicyHolder<CryptoPP::AdditiveCipherAbstractPolicy, CryptoPP::OFB_ModePolicy> >::GenerateBlock(unsigned char*, unsigned int) (strciphr.cpp:60)
==1403==    by 0x811ADA6: CryptoPP::RandomNumberGenerator::GenerateWord32(unsigned int, unsigned int) (cryptlib.cpp:257)
==1403==    by 0x80D3B78: RandomizedTransfer(CryptoPP::BufferedTransformation&, CryptoPP::BufferedTransformation&, bool, std::string const&) (datatest.cpp:65)
==1403==    by 0x80D43A6: PutDecodedDatumInto(std::map<std::string, std::string, std::less<std::string>, std::allocator<std::pair<std::string const, std::string> > > const&, char const*, CryptoPP::BufferedTransformation&) (datatest.cpp:119)
==1403==    by 0x80D4AAE: GetDecodedDatum(std::map<std::string, std::string, std::less<std::string>, std::allocator<std::pair<std::string const, std::string> > > const&, char const*) (datatest.cpp:125)
==1403==    by 0x80D54F9: TestSymmetricCipher(std::map<std::string, std::string, std::less<std::string>, std::allocator<std::pair<std::string const, std::string> > >&, CryptoPP::NameValuePairs const&) (datatest.cpp:321)
==1403==    by 0x80DB1C5: TestDataFile(std::string const&, CryptoPP::NameValuePairs const&, unsigned int&, unsigned int&) (datatest.cpp:703)
==1403==    by 0x80DB7BB: RunTestDataFile(char const*, CryptoPP::NameValuePairs const&) (datatest.cpp:747)
==1403==    by 0x806EEEA: main (test.cpp:255)
==1403== 
==1403== Use of uninitialised value of size 4
==1403==    at 0x81D661B: CryptoPP::Rijndael::Enc::AdvancedProcessBlocks(unsigned char const*, unsigned char const*, unsigned char*, unsigned int, unsigned int) const (rijndael.cpp:1238)
==1403==    by 0x81D6FE4: CryptoPP::Rijndael::Enc::ProcessAndXorBlock(unsigned char const*, unsigned char const*, unsigned char*) const (rijndael.cpp:354)
==1403==    by 0x81B28E5: CryptoPP::OFB_ModePolicy::WriteKeystream(unsigned char*, unsigned int) (cryptlib.h:438)
==1403==    by 0x813CA51: CryptoPP::AdditiveCipherTemplate<CryptoPP::AbstractPolicyHolder<CryptoPP::AdditiveCipherAbstractPolicy, CryptoPP::OFB_ModePolicy> >::GenerateBlock(unsigned char*, unsigned int) (strciphr.cpp:60)
==1403==    by 0x811ADA6: CryptoPP::RandomNumberGenerator::GenerateWord32(unsigned int, unsigned int) (cryptlib.cpp:257)
==1403==    by 0x80D3B78: RandomizedTransfer(CryptoPP::BufferedTransformation&, CryptoPP::BufferedTransformation&, bool, std::string const&) (datatest.cpp:65)
==1403==    by 0x80D43A6: PutDecodedDatumInto(std::map<std::string, std::string, std::less<std::string>, std::allocator<std::pair<std::string const, std::string> > > const&, char const*, CryptoPP::BufferedTransformation&) (datatest.cpp:119)
==1403==    by 0x80D4AAE: GetDecodedDatum(std::map<std::string, std::string, std::less<std::string>, std::allocator<std::pair<std::string const, std::string> > > const&, char const*) (datatest.cpp:125)
==1403==    by 0x80D54F9: TestSymmetricCipher(std::map<std::string, std::string, std::less<std::string>, std::allocator<std::pair<std::string const, std::string> > >&, CryptoPP::NameValuePairs const&) (datatest.cpp:321)
==1403==    by 0x80DB1C5: TestDataFile(std::string const&, CryptoPP::NameValuePairs const&, unsigned int&, unsigned int&) (datatest.cpp:703)
==1403==    by 0x80DB7BB: RunTestDataFile(char const*, CryptoPP::NameValuePairs const&) (datatest.cpp:747)
==1403==    by 0x806EEEA: main (test.cpp:255)
==1403== 
==1403== Use of uninitialised value of size 4
==1403==    at 0x81D65FE: CryptoPP::Rijndael::Enc::AdvancedProcessBlocks(unsigned char const*, unsigned char const*, unsigned char*, unsigned int, unsigned int) const (rijndael.cpp:1233)
==1403==    by 0x81B2619: CryptoPP::CTR_ModePolicy::OperateKeystream(CryptoPP::KeystreamOperation, unsigned char*, unsigned char const*, unsigned int) (modes.cpp:120)
==1403==    by 0x80703BE: CryptoPP::CTR_ModePolicy::WriteKeystream(unsigned char*, unsigned int) (modes.h:151)
==1403==    by 0x813CF6F: CryptoPP::AdditiveCipherTemplate<CryptoPP::AbstractPolicyHolder<CryptoPP::AdditiveCipherAbstractPolicy, CryptoPP::CTR_ModePolicy> >::ProcessData(unsigned char*, unsigned char const*, unsigned int) (strciphr.cpp:119)
==1403==    by 0x8169F56: CryptoPP::StreamTransformationFilter::NextPutMultiple(unsigned char const*, unsigned int) (cryptlib.h:503)
==1403==    by 0x816B328: CryptoPP::FilterWithBufferedInput::PutMaybeModifiable(unsigned char*, unsigned int, int, bool, bool) (filters.cpp:365)
==1403==    by 0x8074E55: CryptoPP::FilterWithBufferedInput::Put2(unsigned char const*, unsigned int, int, bool) (filters.h:157)
==1403==    by 0x811D205: CryptoPP::BufferedTransformation::ChannelPut2(std::string const&, unsigned char const*, unsigned int, int, bool) (cryptlib.cpp:357)
==1403==    by 0x80D3C3D: RandomizedTransfer(CryptoPP::BufferedTransformation&, CryptoPP::BufferedTransformation&, bool, std::string const&) (cryptlib.h:976)
==1403==    by 0x80D6021: TestSymmetricCipher(std::map<std::string, std::string, std::less<std::string>, std::allocator<std::pair<std::string const, std::string> > >&, CryptoPP::NameValuePairs const&) (datatest.cpp:401)
==1403==    by 0x80DB1C5: TestDataFile(std::string const&, CryptoPP::NameValuePairs const&, unsigned int&, unsigned int&) (datatest.cpp:703)
==1403==    by 0x80DB7BB: RunTestDataFile(char const*, CryptoPP::NameValuePairs const&) (datatest.cpp:747)
==1403== 
==1403== Use of uninitialised value of size 4
==1403==    at 0x81D6618: CryptoPP::Rijndael::Enc::AdvancedProcessBlocks(unsigned char const*, unsigned char const*, unsigned char*, unsigned int, unsigned int) const (rijndael.cpp:1238)
==1403==    by 0x81B2619: CryptoPP::CTR_ModePolicy::OperateKeystream(CryptoPP::KeystreamOperation, unsigned char*, unsigned char const*, unsigned int) (modes.cpp:120)
==1403==    by 0x80703BE: CryptoPP::CTR_ModePolicy::WriteKeystream(unsigned char*, unsigned int) (modes.h:151)
==1403==    by 0x813CF6F: CryptoPP::AdditiveCipherTemplate<CryptoPP::AbstractPolicyHolder<CryptoPP::AdditiveCipherAbstractPolicy, CryptoPP::CTR_ModePolicy> >::ProcessData(unsigned char*, unsigned char const*, unsigned int) (strciphr.cpp:119)
==1403==    by 0x8169F56: CryptoPP::StreamTransformationFilter::NextPutMultiple(unsigned char const*, unsigned int) (cryptlib.h:503)
==1403==    by 0x816B328: CryptoPP::FilterWithBufferedInput::PutMaybeModifiable(unsigned char*, unsigned int, int, bool, bool) (filters.cpp:365)
==1403==    by 0x8074E55: CryptoPP::FilterWithBufferedInput::Put2(unsigned char const*, unsigned int, int, bool) (filters.h:157)
==1403==    by 0x811D205: CryptoPP::BufferedTransformation::ChannelPut2(std::string const&, unsigned char const*, unsigned int, int, bool) (cryptlib.cpp:357)
==1403==    by 0x80D3C3D: RandomizedTransfer(CryptoPP::BufferedTransformation&, CryptoPP::BufferedTransformation&, bool, std::string const&) (cryptlib.h:976)
==1403==    by 0x80D6021: TestSymmetricCipher(std::map<std::string, std::string, std::less<std::string>, std::allocator<std::pair<std::string const, std::string> > >&, CryptoPP::NameValuePairs const&) (datatest.cpp:401)
==1403==    by 0x80DB1C5: TestDataFile(std::string const&, CryptoPP::NameValuePairs const&, unsigned int&, unsigned int&) (datatest.cpp:703)
==1403==    by 0x80DB7BB: RunTestDataFile(char const*, CryptoPP::NameValuePairs const&) (datatest.cpp:747)
==1403== 
==1403== Use of uninitialised value of size 4
==1403==    at 0x81D661B: CryptoPP::Rijndael::Enc::AdvancedProcessBlocks(unsigned char const*, unsigned char const*, unsigned char*, unsigned int, unsigned int) const (rijndael.cpp:1238)
==1403==    by 0x81B2619: CryptoPP::CTR_ModePolicy::OperateKeystream(CryptoPP::KeystreamOperation, unsigned char*, unsigned char const*, unsigned int) (modes.cpp:120)
==1403==    by 0x80703BE: CryptoPP::CTR_ModePolicy::WriteKeystream(unsigned char*, unsigned int) (modes.h:151)
==1403==    by 0x813CF6F: CryptoPP::AdditiveCipherTemplate<CryptoPP::AbstractPolicyHolder<CryptoPP::AdditiveCipherAbstractPolicy, CryptoPP::CTR_ModePolicy> >::ProcessData(unsigned char*, unsigned char const*, unsigned int) (strciphr.cpp:119)
==1403==    by 0x8169F56: CryptoPP::StreamTransformationFilter::NextPutMultiple(unsigned char const*, unsigned int) (cryptlib.h:503)
==1403==    by 0x816B328: CryptoPP::FilterWithBufferedInput::PutMaybeModifiable(unsigned char*, unsigned int, int, bool, bool) (filters.cpp:365)
==1403==    by 0x8074E55: CryptoPP::FilterWithBufferedInput::Put2(unsigned char const*, unsigned int, int, bool) (filters.h:157)
==1403==    by 0x811D205: CryptoPP::BufferedTransformation::ChannelPut2(std::string const&, unsigned char const*, unsigned int, int, bool) (cryptlib.cpp:357)
==1403==    by 0x80D3C3D: RandomizedTransfer(CryptoPP::BufferedTransformation&, CryptoPP::BufferedTransformation&, bool, std::string const&) (cryptlib.h:976)
==1403==    by 0x80D6021: TestSymmetricCipher(std::map<std::string, std::string, std::less<std::string>, std::allocator<std::pair<std::string const, std::string> > >&, CryptoPP::NameValuePairs const&) (datatest.cpp:401)
==1403==    by 0x80DB1C5: TestDataFile(std::string const&, CryptoPP::NameValuePairs const&, unsigned int&, unsigned int&) (datatest.cpp:703)
==1403==    by 0x80DB7BB: RunTestDataFile(char const*, CryptoPP::NameValuePairs const&) (datatest.cpp:747)
==1403== 
==1403== 
==1403== HEAP SUMMARY:
==1403==     in use at exit: 0 bytes in 0 blocks
==1403==   total heap usage: 19,097 allocs, 19,097 frees, 968,981 bytes allocated
==1403== 
==1403== All heap blocks were freed -- no leaks are possible
==1403== 
==1403== For counts of detected and suppressed errors, rerun with: -v
==1403== Use --track-origins=yes to see where uninitialised values come from
==1403== ERROR SUMMARY: 852 errors from 6 contexts (suppressed: 21 from 8)

[weidai]

The way the AES inline assembly is written makes Valgrind think it's using uninitialised value when it's not. I've checked in a workaround to Crypto++ SVN as revision 525.

[zooko]

Dear Wei Dai:

Thanks again for the quick response to this bug report!

The sf.net SVN browser is off-line due to a security breach at sf.net: ​http://sourceforge.net/blog/sourceforge-net-attack/ (and by the way we should probably think about what could go wrong if the servers that host Crypto++ were compromised. Does everyone need to check the secure hashes of the downloadable .zip files? What about revision control history -- how can we verify that it hasn't been tampered with. Are there any other assets at sf.net that we might need to account for? The issue tracker? Any passwords or other secrets stored at sf.net?)

The bzr mirror that I have set up (launchpad.net does this for me automatically) has this as patch 520:

​http://bazaar.launchpad.net/~zooko/cryptopp/trunk/revision/502

Here is the text of it:

=== modified file 'rijndael.cpp'
--- rijndael.cpp        2011-01-07 01:38:48 +0000
+++ rijndael.cpp        2011-01-28 01:22:27 +0000
@@ -526,7 +526,7 @@
 #if CRYPTOPP_BOOL_X86
 
 #define L_REG                  esp
-#define L_INDEX(i)             (L_REG+512+i)
+#define L_INDEX(i)             (L_REG+768+i)
 #define L_INXORBLOCKS  L_INBLOCKS+4
 #define L_OUTXORBLOCKS L_INBLOCKS+8
 #define L_OUTBLOCKS            L_INBLOCKS+12
@@ -625,7 +625,7 @@
 
 #if CRYPTOPP_BOOL_X86
        AS2(    mov             [ecx+16*12+16*4], esp)  // save esp to L_SP
-       AS2(    lea             esp, [ecx-512])
+       AS2(    lea             esp, [ecx-768])
 #endif
 
        // copy subkeys to stack

Could you please explain further how this is not actually a bug in Crypto++ but only a false alarm from valgrind? Valgrind rarely emits false alarms -- the only other one I've seen is the ​interesting case of PyObject_Free.

I would like to understand what is going on here, but my grasp of assembly is weak.

Thanks!

[zooko]

I committed the patch to pycryptopp as 906683989eddadb9a5f4da17ce49867b3e27a24a/git. Thanks! (I still want to understand it if you can take time to explain.)