Merge pull request #21 from blooo-io/fix/address-ledger-audit-vuln

Fix: address Ledger's audit vulnerabilities

Author: keiff3r

.gitignore

@@ -38,3 +38,5 @@ doc/latex
 
 tests/snapshots-tmp
 tests/bitcoin
+
+.DS_Store

.vscode/settings.json

@@ -5,6 +5,9 @@
     "C_Cpp.clang_format_path": "/usr/bin/clang-format",
     "editor.formatOnSave": true,
     "ledgerDevTools.appSettings": {
-        "selectedUseCase": "release"
-    }
+        "selectedUseCase": "release",
+        "selectedDevice": "Nano S Plus",
+        "selectedVariant": "acre_testnet"
+    },
+    "makefile.configureOnOpen": false
 }

Makefile

@@ -45,7 +45,7 @@ PATH_APP_LOAD_PARAMS = "44'/0'" "44'/1'" "48'/0'" "48'/1'" "49'/0'" "49'/1'" "84
 # Application version
 APPVERSION_M = 1
 APPVERSION_N = 1
-APPVERSION_P = 1
+APPVERSION_P = 2
 APPVERSION_SUFFIX = # if not empty, appended at the end. Do not add a dash.
 
 ifeq ($(APPVERSION_SUFFIX),)
@@ -158,8 +158,6 @@ DEFINES   += HAVE_BOLOS_APP_STACK_CANARY
 
 DEFINES   += IO_SEPROXYHAL_BUFFER_SIZE_B=300
 
-# debugging helper functions and macros
-CFLAGS    += -g -include debug-helpers/debug.h
 
 # DEFINES   += HAVE_PRINT_STACK_POINTER
 
@@ -169,6 +167,10 @@ ifeq ($(DEBUG),10)
     DEFINES   += HAVE_PRINTF HAVE_SEMIHOSTED_PRINTF PRINTF=semihosted_printf
 endif
 
+ifeq ($(DEBUG),1)
+    # debugging helper functions and macros
+    CFLAGS    += -include debug-helpers/debug.h -g
+endif
 # Needed to be able to include the definition of G_cx
 INCLUDES_PATH += $(BOLOS_SDK)/lib_cxng/src
 

src/debug-helpers/debug.c

@@ -1,6 +1,7 @@
 #include <stdio.h>
 #include <stdarg.h>
 #include "printf.h"
+#include "debug.h"
 
 #pragma GCC diagnostic ignored "-Wunused-function"
 

src/handler/lib/get_merkle_preimage.c

@@ -63,7 +63,11 @@ int call_get_merkle_preimage(dispatcher_context_t *dispatcher_context,
     cx_sha256_init(&hash_context);
 
     // update hash
-    crypto_hash_update(&hash_context.header, data_ptr, partial_data_len);
+    int ret = cx_hash_no_throw(&hash_context.header, 0, data_ptr, partial_data_len, NULL, 0);
+    if (ret != 0) {
+        PRINTF("Error updating hash\n");
+        return -11;
+    }
 
     buffer_t out_buffer = buffer_create(out_ptr, out_ptr_len);
 
@@ -98,10 +102,17 @@ int call_get_merkle_preimage(dispatcher_context_t *dispatcher_context,
         }
 
         // update hash
-        crypto_hash_update(
+        ret = cx_hash_no_throw(
             &hash_context.header,
+            0,
             dispatcher_context->read_buffer.ptr + dispatcher_context->read_buffer.offset,
-            n_bytes);
+            n_bytes,
+            NULL,
+            0);
+        if (ret != 0) {
+            PRINTF("Error updating hash\n");
+            return -12;
+        }
 
         // write bytes to output
         buffer_write_bytes(&out_buffer, data_ptr, n_bytes);

src/handler/sign_erc4361_message.c

@@ -311,9 +311,14 @@ void handler_sign_erc4361_message(dispatcher_context_t *dc, uint8_t protocol_ver
         }
         // # Format signature into standard bitcoin format
         int r_length = sig[3];
-        int s_length = sig[4 + r_length + 1];
+        if (r_length < 0 || r_length > 33) {
+            SAFE_SEND_SW(dc, SW_BAD_STATE);  // can never happen
+            ui_post_processing_confirm_message(dc, false);
+            return;
+        }
 
-        if (r_length > 33 || s_length > 33) {
+        int s_length = sig[4 + r_length + 1];
+        if (s_length < 0 || s_length > 33) {
             SAFE_SEND_SW(dc, SW_BAD_STATE);  // can never happen
             ui_post_processing_confirm_message(dc, false);
             return;

src/handler/withdraw.c

@@ -183,12 +183,18 @@ static bool display_data_content_and_confirm(dispatcher_context_t* dc,
     snprintf(value_with_ticker, sizeof(value_with_ticker), "stBTC %s", value);
 
     // Trim the value of trailing zeros in a char of size of value
-    int i = sizeof(value_with_ticker) - 1;
+    int value_with_ticker_len = sizeof(value_with_ticker) - 1;
+    int i = value_with_ticker_len;
     while (value_with_ticker[i] == '0' || value_with_ticker[i] == '\0' ||
            value_with_ticker[i] == '.') {
+        if (i == 0) {
+            break;
+        }
         i--;
     }
-    value_with_ticker[i + 1] = '\0';
+    if (i < value_with_ticker_len) {
+        value_with_ticker[i + 1] = '\0';
+    }
     // Get the second chunk that contains the data to display
     call_get_merkle_leaf_element(dc,
                                  data_merkle_root,
@@ -264,6 +270,10 @@ void add_leading_zeroes(uint8_t* dest_buffer,
         PRINTF("Error: Null buffer\n");
         return;
     }
+    if (dest_size < src_size) {
+        PRINTF("Error: Destination buffer is too small\n");
+        return;
+    }
     // Clear the destination buffer
     memset(dest_buffer, 0, dest_size);
 

src/swap/handle_get_printable_amount.c

@@ -1,5 +1,6 @@
 #include <string.h>
 #include <stdint.h>
+#include "debug-helpers/debug.h"
 
 #include "handle_get_printable_amount.h"
 

src/ui/menu_nbgl.c

@@ -23,7 +23,7 @@
 
 #define SETTING_INFO_NB 3
 static const char* const INFO_TYPES[SETTING_INFO_NB] = {"Version", "Developer", "Copyright"};
-static const char* const INFO_CONTENTS[SETTING_INFO_NB] = {APPVERSION, "Blooo", "(c) 2024 Blooo"};
+static const char* const INFO_CONTENTS[SETTING_INFO_NB] = {APPVERSION, "Acre", "(c) 2024 Acre"};
 
 static const nbgl_contentInfoList_t infoList = {
     .nbInfos = SETTING_INFO_NB,