Reporting Multiple Vulnerabilities in MP-SPDZ Detected via Active Adversary Simulation #1382

Closed
GuopengLin opened this issue Apr 23, 2024 · 5 comments


GuopengLin commented Apr 23, 2024

Hello, Keller.
During a security review conducted through the simulation of an active adversary, I identified seven critical vulnerabilities in spdz2k-party.x (commit version a4f08e6). Given MP-SPDZ's extensive use in both academic and industrial spheres, addressing these vulnerabilities should be crucial for maintaining the integrity of applications built on this framework.

Below are the details of the identified vulnerabilities:

1. stack-buffer-overflow in octetStream.cpp

Description

stack-buffer-overflow MP-SPDZ/Tools/octetStream.cpp:147:3 in octetStream::get_bytes

Replay

Please refer to Vulnerabilities-in-MPC-Framework and stack-buffer-overflow in octetStream.cpp.

ASAN

==2479299==ERROR: AddressSanitizer: stack-buffer-overflow on address 0x7f65dc207f60 at pc 0x561cdfaf866e bp 0x7f65dc1464e0 sp 0x7f65dc145ca0
WRITE of size 193965026 at 0x7f65dc207f60 thread T70
    #0 0x561cdfaf866d in __asan_memcpy (/home/lgp/MP-SPDZ/spdz2k-party.x+0x34766d) (BuildId: 696978139b793a6e175ed0121529d7fe607437a3)
    #1 0x7f6630e67397 in octetStream::get_bytes(unsigned char*, unsigned long&) /home/lgp/MP-SPDZ/Tools/octetStream.cpp:147:3
    #2 0x561cdfc0d8e3 in void BaseOT::exec_base<ot_sender, ot_receiver>(bool) /home/lgp/MP-SPDZ/OT/BaseOT.cpp:211:19
    #3 0x561cdfc0357f in OTTripleSetup::setup() /home/lgp/MP-SPDZ/OT/OTTripleSetup.cpp:18:21
    #4 0x561cdfb897d8 in OTTripleSetup::OTTripleSetup(Player&, bool) /home/lgp/MP-SPDZ/./OT/OTTripleSetup.h:72:9
    #5 0x561cdfb88920 in OnDemandOTTripleSetup::get_fresh(Player&) /home/lgp/MP-SPDZ/./OT/OTTripleSetup.h:101:30
    #6 0x561cdfb70876 in BaseMachine::fresh_ot_setup(Player&) /home/lgp/MP-SPDZ/./Processor/BaseMachine.h:102:21
    #7 0x561cdfb70876 in GC::TinierSharePrep<GC::TinierShare<gf2n_mac_key>>::set_protocol(Beaver<GC::TinierShare<gf2n_mac_key>>&) /home/lgp/MP-SPDZ/./GC/TinierSharePrep.hpp:52:13
    #8 0x561cdfb63ea3 in SubProcessor<GC::TinierShare<gf2n_mac_key>>::SubProcessor(MAC_Check_<GC::TinierShare<gf2n_mac_key>>&, Preprocessing<GC::TinierShare<gf2n_mac_key>>&, Player&, ArithmeticProcessor*) /home/lgp/MP-SPDZ/./Processor/Processor.hpp:34:9
    #9 0x561cdfb63943 in GC::CcdPrep<GC::TinierSecret<gf2n_mac_key>>::set_protocol(GC::VectorProtocol<GC::TinierSecret<gf2n_mac_key>>&) /home/lgp/MP-SPDZ/./GC/CcdPrep.hpp:36:21
    #10 0x561cdfd5ed8a in GC::ShareThread<GC::TinierSecret<gf2n_mac_key>>::pre_run(Player&, gf2n_mac_key) /home/lgp/MP-SPDZ/./GC/ShareThread.hpp:65:11
    #11 0x561ce0364313 in GC::ShareThread<GC::TinierSecret<gf2n_mac_key>>::ShareThread(Preprocessing<GC::TinierSecret<gf2n_mac_key>>&, Player&, gf2n_mac_key) /home/lgp/MP-SPDZ/./GC/ShareThread.hpp:44:5
    #12 0x561ce0364313 in Processor<Spdz2kShare<64, 64>, Share<gf2n_long>>::Processor(int, Player&, MAC_Check_<Share<gf2n_long>>&, MAC_Check_Z2k<Z2<128>, Z2<64>, Z2<128>, Spdz2kShare<64, 64>>&, Machine<Spdz2kShare<64, 64>, Share<gf2n_long>>&, Program const&) /home/lgp/MP-SPDZ/./Processor/Processor.hpp:88:3
    #13 0x561ce035eb23 in thread_info<Spdz2kShare<64, 64>, Share<gf2n_long>>::Sub_Main_Func() /home/lgp/MP-SPDZ/./Processor/Online-Thread.hpp:102:19
    #14 0x561ce0350638 in thread_info<Spdz2kShare<64, 64>, Share<gf2n_long>>::Main_Func(void*) /home/lgp/MP-SPDZ/./Processor/Online-Thread.hpp:374:8
    #15 0x561cdfaf8206 in asan_thread_start(void*) asan_interceptors.cpp.o
    #16 0x7f6630393608 in start_thread /build/glibc-e2p3jK/glibc-2.31/nptl/pthread_create.c:477:8
    #17 0x7f663026f352 in __clone /build/glibc-e2p3jK/glibc-2.31/misc/../sysdeps/unix/sysv/linux/x86_64/clone.S:95

Address 0x7f65dc207f60 is located in stack of thread T70 at offset 792992 in frame
    #0 0x561cdfc0c56f in void BaseOT::exec_base<ot_sender, ot_receiver>(bool) /home/lgp/MP-SPDZ/OT/BaseOT.cpp:122

  This frame has 13 object(s):
    [32, 1632) 'sender' (line 128)
    [1760, 791424) 'receiver' (line 129)
    [791680, 791712) 'ref.tmp.i'
    [791744, 791745) 'ref.tmp2.i'
    [791760, 791768) 'len' (line 124)
    [791792, 792464) 'G' (line 125)
    [792592, 792616) 'os' (line 127)
    [792656, 792657) 'ref.tmp' (line 127)
    [792672, 792704) 'S_pack' (line 131)
    [792736, 792992) 'Rs_pack' (line 132)
    [793056, 793312) 'sender_keys' (line 133) <== Memory access at offset 792992 partially underflows this variable
    [793376, 793504) 'receiver_keys' (line 134) <== Memory access at offset 792992 partially underflows this variable
    [793536, 793540) 'cs' (line 135) <== Memory access at offset 792992 partially underflows this variable
HINT: this may be a false positive if your program uses some custom stack unwind mechanism, swapcontext or vfork
      (longjmp and C++ exceptions *are* supported)
Thread T70 created by T0 here:
    #0 0x561cdfae01b1 in pthread_create (/home/lgp/MP-SPDZ/spdz2k-party.x+0x32f1b1) (BuildId: 696978139b793a6e175ed0121529d7fe607437a3)
    #1 0x561ce034f4cd in Machine<Spdz2kShare<64, 64>, Share<gf2n_long>>::prepare(std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char>> const&) /home/lgp/MP-SPDZ/./Processor/Machine.hpp:203:7
    #2 0x561ce03579b6 in Machine<Spdz2kShare<64, 64>, Share<gf2n_long>>::run(std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char>> const&) /home/lgp/MP-SPDZ/./Processor/Machine.hpp:452:3
    #3 0x561cdfb45c4c in int OnlineMachine::run<Spdz2kShare<64, 64>, Share<gf2n_long>>() /home/lgp/MP-SPDZ/./Processor/OnlineMachine.hpp:181:70
    #4 0x561cdfb3cf4f in main /home/lgp/MP-SPDZ/Machines/spdz2k-party.cpp:45:5
    #5 0x7f6630174082 in __libc_start_main /build/glibc-e2p3jK/glibc-2.31/csu/../csu/libc-start.c:308:16

SUMMARY: AddressSanitizer: stack-buffer-overflow (/home/lgp/MP-SPDZ/spdz2k-party.x+0x34766d) (BuildId: 696978139b793a6e175ed0121529d7fe607437a3) in __asan_memcpy
==2479299==ABORTING

2. stack-buffer-overflow in OTExtensionWithMatrix.cpp

Description

stack-buffer-overflow MP-SPDZ/OT/OTExtensionWithMatrix.cpp:134:5 in OTExtensionWithMatrix::extend

Replay

Please refer to Vulnerabilities-in-MPC-Framework and stack-buffer-overflow-OTExtensionWithMatrix.

ASAN

=================================================================
==2440880==ERROR: AddressSanitizer: stack-buffer-overflow on address 0x7f516eded066 at pc 0x5589fd1c9b9b bp 0x7f516feec920 sp 0x7f516feec0e8
READ of size 7 at 0x7f516eded066 thread T71
    #0 0x5589fd1c9b9a in strlen (/home/lgp/MP-SPDZ/spdz2k-party.x+0x2c3b9a) (BuildId: 696978139b793a6e175ed0121529d7fe607437a3)
    #1 0x7f51ce1fb0ff in std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char>>::compare(char const*) const (/lib/x86_64-linux-gnu/libstdc++.so.6+0x15c0ff) (BuildId: 20422e448604b560d74d2eb3befe56d6655830db)
    #2 0x5589fd367967 in bool std::operator==<char, std::char_traits<char>, std::allocator<char>>(char const*, std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char>> const&) /usr/lib/gcc/x86_64-linux-gnu/11/../../../../include/c++/11/bits/basic_string.h:6291:20
    #3 0x5589fd367967 in OTExtensionWithMatrix::extend(int, BitVector const&) /home/lgp/MP-SPDZ/OT/OTExtensionWithMatrix.cpp:134:5
    #4 0x5589fd32433d in OTMultiplier<GC::TinierSecret<gf2n_mac_key>>::multiply() /home/lgp/MP-SPDZ/./OT/OTMultiplier.hpp:94:13
    #5 0x5589fd31ecc1 in void* run_ot_thread<GC::TinierSecret<gf2n_mac_key>>(void*) /home/lgp/MP-SPDZ/./OT/NPartyTripleGenerator.hpp:28:31
    #6 0x5589fd24d206 in asan_thread_start(void*) asan_interceptors.cpp.o
    #7 0x7f51cdf35608 in start_thread /build/glibc-e2p3jK/glibc-2.31/nptl/pthread_create.c:477:8
    #8 0x7f51cde11352 in __clone /build/glibc-e2p3jK/glibc-2.31/misc/../sysdeps/unix/sysv/linux/x86_64/clone.S:95

Address 0x7f516eded066 is located in stack of thread T71 at offset 102 in frame
    #0 0x5589fd3675ef in OTExtensionWithMatrix::extend(int, BitVector const&) /home/lgp/MP-SPDZ/OT/OTExtensionWithMatrix.cpp:108

  This frame has 4 object(s):
    [32, 48) 'ref.tmp.i47'
    [64, 80) 'ref.tmp.i'
    [96, 102) 'buf' (line 132) <== Memory access at offset 102 overflows this variable
    [128, 160) 'ref.tmp' (line 134)
HINT: this may be a false positive if your program uses some custom stack unwind mechanism, swapcontext or vfork
      (longjmp and C++ exceptions *are* supported)
Thread T71 created by T70 here:
    #0 0x5589fd2351b1 in pthread_create (/home/lgp/MP-SPDZ/spdz2k-party.x+0x32f1b1) (BuildId: 696978139b793a6e175ed0121529d7fe607437a3)
    #1 0x5589fd31bde2 in OTTripleGenerator<GC::TinierSecret<gf2n_mac_key>>::OTTripleGenerator(OTTripleSetup const&, Names const&, int, int, int, MascotParams&, gf2n_mac_key, Player*) /home/lgp/MP-SPDZ/./OT/NPartyTripleGenerator.hpp:135:9
    #2 0x5589fd2c5961 in NPartyTripleGenerator<GC::TinierSecret<gf2n_mac_key>>::NPartyTripleGenerator(OTTripleSetup const&, Names const&, int, int, int, MascotParams&, gf2n_mac_key, Player*) /home/lgp/MP-SPDZ/./OT/NPartyTripleGenerator.hpp:40:9
    #3 0x5589fd2c5961 in GC::TinierSharePrep<GC::TinierShare<gf2n_mac_key>>::set_protocol(Beaver<GC::TinierShare<gf2n_mac_key>>&) /home/lgp/MP-SPDZ/./GC/TinierSharePrep.hpp:51:28
    #4 0x5589fd2b8ea3 in SubProcessor<GC::TinierShare<gf2n_mac_key>>::SubProcessor(MAC_Check_<GC::TinierShare<gf2n_mac_key>>&, Preprocessing<GC::TinierShare<gf2n_mac_key>>&, Player&, ArithmeticProcessor*) /home/lgp/MP-SPDZ/./Processor/Processor.hpp:34:9

Thread T70 created by T0 here:
    #0 0x5589fd2351b1 in pthread_create (/home/lgp/MP-SPDZ/spdz2k-party.x+0x32f1b1) (BuildId: 696978139b793a6e175ed0121529d7fe607437a3)
    #1 0x5589fdaa44cd in Machine<Spdz2kShare<64, 64>, Share<gf2n_long>>::prepare(std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char>> const&) /home/lgp/MP-SPDZ/./Processor/Machine.hpp:203:7
    #2 0x5589fdaac9b6 in Machine<Spdz2kShare<64, 64>, Share<gf2n_long>>::run(std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char>> const&) /home/lgp/MP-SPDZ/./Processor/Machine.hpp:452:3
    #3 0x5589fd29ac4c in int OnlineMachine::run<Spdz2kShare<64, 64>, Share<gf2n_long>>() /home/lgp/MP-SPDZ/./Processor/OnlineMachine.hpp:181:70
    #4 0x5589fd291f4f in main /home/lgp/MP-SPDZ/Machines/spdz2k-party.cpp:45:5
    #5 0x7f51cdd16082 in __libc_start_main /build/glibc-e2p3jK/glibc-2.31/csu/../csu/libc-start.c:308:16

SUMMARY: AddressSanitizer: stack-buffer-overflow (/home/lgp/MP-SPDZ/spdz2k-party.x+0x2c3b9a) (BuildId: 696978139b793a6e175ed0121529d7fe607437a3) in strlen
==2440880==ABORTING

3. Requested allocation size exceeds maximum supported size

Description

requested allocation size 0x12a0000000000040 (0x12a0000000001040 after adjustments for alignment, red zones etc.) exceeds the maximum supported size of 0x10000000000

While the AddressSanitizer does not specify a precise location for this vulnerability, it appears that an active adversary can manipulate the memory allocation size of the parties, leading to potential security risks.

Replay

Please refer to Vulnerabilities-in-MPC-Framework and requested-allocation-size.

ASAN

=================================================================
==2461797==ERROR: AddressSanitizer: requested allocation size 0x12a0000000000040 (0x12a0000000001040 after adjustments for alignment, red zones etc.) exceeds maximum supported size of 0x10000000000 (thread T0)
    #0 0x55da7826e3cd in operator new(unsigned long) (/home/lgp/MP-SPDZ/spdz2k-party.x+0x3893cd) (BuildId: 696978139b793a6e175ed0121529d7fe607437a3)
    #1 0x7f3c9a71e382 in __gnu_cxx::new_allocator<std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char>>>::allocate(unsigned long, void const*) /usr/lib/gcc/x86_64-linux-gnu/11/../../../../include/c++/11/ext/new_allocator.h:127:27
    #2 0x7f3c9a71e382 in std::allocator_traits<std::allocator<std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char>>>>::allocate(std::allocator<std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char>>>&, unsigned long) /usr/lib/gcc/x86_64-linux-gnu/11/../../../../include/c++/11/bits/alloc_traits.h:464:20
    #3 0x7f3c9a71e382 in std::_Vector_base<std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char>>, std::allocator<std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char>>>>::_M_allocate(unsigned long) /usr/lib/gcc/x86_64-linux-gnu/11/../../../../include/c++/11/bits/stl_vector.h:346:20
    #4 0x7f3c9a71e382 in std::vector<std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char>>, std::allocator<std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char>>>>::reserve(unsigned long) /usr/lib/gcc/x86_64-linux-gnu/11/../../../../include/c++/11/bits/vector.tcc:78:22

==2461797==HINT: if you don't care about these errors you may set allocator_may_return_null=1
SUMMARY: AddressSanitizer: allocation-size-too-big (/home/lgp/MP-SPDZ/spdz2k-party.x+0x3893cd) (BuildId: 696978139b793a6e175ed0121529d7fe607437a3) in operator new(unsigned long)
==2461797==ABORTING

4-7. SEGV in SilentPprf.cpp

Description

  • SEGV MP-SPDZ/deps/libOTe/libOTe/Tools/SilentPprf.cpp:949 in osuCrypto::SilentMultiPprfReceiver::expand
  • SEGV MP-SPDZ/deps/libOTe/libOTe/Tools/SilentPprf.cpp:1083:47 in osuCrypto::SilentMultiPprfReceiver::expand
  • SEGV MP-SPDZ/deps/libOTe/libOTe/Tools/SilentPprf.cpp:140:41 in osuCrypto::copyOut
  • SEGV MP-SPDZ/deps/libOTe/libOTe/Tools/SilentPprf.cpp:1068:59 in osuCrypto::SilentMultiPprfReceiver::expand

Vulnerabilities 4-7 are identified within the deps/libOTe/libOTe/Tools/SilentPprf.cpp file. I am not sure whether it is possible to address these vulnerabilities directly within MP-SPDZ, since it appears these issues are inherently related to the libOTe library. I will reproduce these vulnerabilities by only using libOTe and also report them to the libOTe developers.

Replay

Please refer to Vulnerabilities-in-MPC-Framework and

-SEGV-SlientPprf
-SEGV-SlientPprf-2
-SEGV-SlientPprf-3
-SEGV-SlientPprf-4

ASAN

AddressSanitizer:DEADLYSIGNAL
=================================================================
==2287856==ERROR: AddressSanitizer: SEGV on unknown address (pc 0x556a792804e5 bp 0x7f74a43a1e48 sp 0x7f74a43a1e30 T80)
==2287856==The signal is caused by a READ memory access.
==2287856==Hint: this fault was caused by a dereference of a high value address (see register values below).  Disassemble the provided pc to learn which register was used.
    #0 0x556a792804e5 in osuCrypto::SilentMultiPprfReceiver::expand(osuCrypto::Channel&, osuCrypto::PRNG&, osuCrypto::MatrixView<osuCrypto::block>, osuCrypto::PprfOutputFormat, bool, unsigned long)::$_0::operator()(unsigned long) const /home/lgp/MP-SPDZ/deps/libOTe/libOTe/Tools/SilentPprf.cpp:949:33
    #1 0x556a7927fdfb in osuCrypto::SilentMultiPprfReceiver::expand(osuCrypto::Channel&, osuCrypto::PRNG&, osuCrypto::MatrixView<osuCrypto::block>, osuCrypto::PprfOutputFormat, bool, unsigned long) /home/lgp/MP-SPDZ/deps/libOTe/libOTe/Tools/SilentPprf.cpp:1199:9
    #2 0x556a792707e9 in osuCrypto::SoftSpokenOT::SmallFieldVoleReceiver::SmallFieldVoleReceiver(unsigned long, unsigned long, osuCrypto::Channel&, osuCrypto::PRNG&, gsl::span<osuCrypto::block const, -1l>, osuCrypto::BitVector, unsigned long, bool) /home/lgp/MP-SPDZ/deps/libOTe/libOTe/Vole/SoftSpokenOT/SmallFieldVole.cpp:386:7
    #3 0x556a7926c815 in osuCrypto::SoftSpokenOT::DotSemiHonestSenderWithVole<osuCrypto::SoftSpokenOT::SubspaceVoleMaliciousReceiver<osuCrypto::RepetitionCode>>::setBaseOts(gsl::span<osuCrypto::block, -1l>, osuCrypto::BitVector const&, osuCrypto::PRNG&, osuCrypto::Channel&, bool) /home/lgp/MP-SPDZ/deps/libOTe/libOTe/TwoChooseOne/SoftSpokenOT/DotSemiHonest.cpp:30:3
    #4 0x556a7920f3de in osuCrypto::SoftSpokenOT::DotMaliciousLeakySender::setBaseOts(gsl::span<osuCrypto::block, -1l>, osuCrypto::BitVector const&, osuCrypto::PRNG&, osuCrypto::Channel&) /home/lgp/MP-SPDZ/./local/include/libOTe/TwoChooseOne/SoftSpokenOT/DotMaliciousLeaky.h:75:9
    #5 0x556a7920f3de in OTExtensionWithMatrix::soft_sender(unsigned long) /home/lgp/MP-SPDZ/OT/OTExtensionWithMatrix.cpp:152:12
    #6 0x556a7920ea75 in OTExtensionWithMatrix::extend(int, BitVector const&) /home/lgp/MP-SPDZ/OT/OTExtensionWithMatrix.cpp:128:9
    #7 0x556a79a208ed in OTMultiplier<Spdz2kShare<64, 64>>::multiply() /home/lgp/MP-SPDZ/./OT/OTMultiplier.hpp:94:13
    #8 0x556a79a1e511 in void* run_ot_thread<Spdz2kShare<64, 64>>(void*) /home/lgp/MP-SPDZ/./OT/NPartyTripleGenerator.hpp:28:31
    #9 0x556a790f4206 in asan_thread_start(void*) asan_interceptors.cpp.o
    #10 0x7f750d09f608 in start_thread /build/glibc-e2p3jK/glibc-2.31/nptl/pthread_create.c:477:8
    #11 0x7f750cf7b352 in __clone /build/glibc-e2p3jK/glibc-2.31/misc/../sysdeps/unix/sysv/linux/x86_64/clone.S:95

AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV /home/lgp/MP-SPDZ/deps/libOTe/libOTe/Tools/SilentPprf.cpp:949:33 in osuCrypto::SilentMultiPprfReceiver::expand(osuCrypto::Channel&, osuCrypto::PRNG&, osuCrypto::MatrixView<osuCrypto::block>, osuCrypto::PprfOutputFormat, bool, unsigned long)::$_0::operator()(unsigned long) const
Thread T80 created by T70 here:
    #0 0x556a790dc1b1 in pthread_create (/home/lgp/MP-SPDZ/spdz2k-party.x+0x32f1b1) (BuildId: 696978139b793a6e175ed0121529d7fe607437a3)
    #1 0x556a79a1db32 in OTTripleGenerator<Spdz2kShare<64, 64>>::OTTripleGenerator(OTTripleSetup const&, Names const&, int, int, int, MascotParams&, Z2<64>, Player*) /home/lgp/MP-SPDZ/./OT/NPartyTripleGenerator.hpp:135:9
    #2 0x556a799f86d5 in NPartyTripleGenerator<Spdz2kShare<64, 64>>::NPartyTripleGenerator(OTTripleSetup const&, Names const&, int, int, int, MascotParams&, Z2<64>, Player*) /home/lgp/MP-SPDZ/./OT/NPartyTripleGenerator.hpp:40:9
    #3 0x556a799f86d5 in Spdz2kTripleGenerator<Spdz2kShare<64, 64>>::Spdz2kTripleGenerator(OTTripleSetup const&, Names const&, int, int, int, MascotParams&, Z2<64>, Player*) /home/lgp/MP-SPDZ/./OT/NPartyTripleGenerator.hpp:67:9
    #4 0x556a799f86d5 in OTPrep<Spdz2kShare<64, 64>>::set_protocol(SPDZ2k<Spdz2kShare<64, 64>>&) /home/lgp/MP-SPDZ/./Protocols/MascotPrep.hpp:44:28
    #5 0x556a799fbc21 in Spdz2kPrep<Spdz2kShare<64, 64>>::set_protocol(SPDZ2k<Spdz2kShare<64, 64>>&) /home/lgp/MP-SPDZ/./Protocols/Spdz2kPrep.hpp:44:16
    #6 0x556a7998ae9c in SubProcessor<Spdz2kShare<64, 64>>::SubProcessor(MAC_Check_Z2k<Z2<128>, Z2<64>, Z2<128>, Spdz2kShare<64, 64>>&, Preprocessing<Spdz2kShare<64, 64>>&, Player&, ArithmeticProcessor*) /home/lgp/MP-SPDZ/./Processor/Processor.hpp:34:9

Thread T70 created by T0 here:
    #0 0x556a790dc1b1 in pthread_create (/home/lgp/MP-SPDZ/spdz2k-party.x+0x32f1b1) (BuildId: 696978139b793a6e175ed0121529d7fe607437a3)
    #1 0x556a7994b4cd in Machine<Spdz2kShare<64, 64>, Share<gf2n_long>>::prepare(std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char>> const&) /home/lgp/MP-SPDZ/./Processor/Machine.hpp:203:7
    #2 0x556a799539b6 in Machine<Spdz2kShare<64, 64>, Share<gf2n_long>>::run(std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char>> const&) /home/lgp/MP-SPDZ/./Processor/Machine.hpp:452:3
    #3 0x556a79141c4c in int OnlineMachine::run<Spdz2kShare<64, 64>, Share<gf2n_long>>() /home/lgp/MP-SPDZ/./Processor/OnlineMachine.hpp:181:70
    #4 0x556a79138f4f in main /home/lgp/MP-SPDZ/Machines/spdz2k-party.cpp:45:5
    #5 0x7f750ce80082 in __libc_start_main /build/glibc-e2p3jK/glibc-2.31/csu/../csu/libc-start.c:308:16

==2287856==ABORTING
AddressSanitizer:DEADLYSIGNAL
=================================================================
==2418663==ERROR: AddressSanitizer: SEGV on unknown address 0x7b100007c380 (pc 0x55934620c808 bp 0x1fffffffffffffff sp 0x7fa40e5cbcf0 T83)
==2418663==The signal is caused by a READ memory access.
    #0 0x55934620c808 in osuCrypto::block::mm_xor_si128(osuCrypto::block const&) const /home/lgp/MP-SPDZ/deps/libOTe/cryptoTools/cryptoTools/../cryptoTools/Common/block.h:133:20
    #1 0x55934620c808 in osuCrypto::block::operator^(osuCrypto::block const&) const /home/lgp/MP-SPDZ/deps/libOTe/cryptoTools/cryptoTools/../cryptoTools/Common/block.h:125:20
    #2 0x55934620c808 in osuCrypto::SilentMultiPprfReceiver::expand(osuCrypto::Channel&, osuCrypto::PRNG&, osuCrypto::MatrixView<osuCrypto::block>, osuCrypto::PprfOutputFormat, bool, unsigned long)::$_0::operator()(unsigned long) const /home/lgp/MP-SPDZ/deps/libOTe/libOTe/Tools/SilentPprf.cpp:1083:47
    #3 0x55934620bdfb in osuCrypto::SilentMultiPprfReceiver::expand(osuCrypto::Channel&, osuCrypto::PRNG&, osuCrypto::MatrixView<osuCrypto::block>, osuCrypto::PprfOutputFormat, bool, unsigned long) /home/lgp/MP-SPDZ/deps/libOTe/libOTe/Tools/SilentPprf.cpp:1199:9
    #4 0x5593461fc7e9 in osuCrypto::SoftSpokenOT::SmallFieldVoleReceiver::SmallFieldVoleReceiver(unsigned long, unsigned long, osuCrypto::Channel&, osuCrypto::PRNG&, gsl::span<osuCrypto::block const, -1l>, osuCrypto::BitVector, unsigned long, bool) /home/lgp/MP-SPDZ/deps/libOTe/libOTe/Vole/SoftSpokenOT/SmallFieldVole.cpp:386:7
    #5 0x5593461f8815 in osuCrypto::SoftSpokenOT::DotSemiHonestSenderWithVole<osuCrypto::SoftSpokenOT::SubspaceVoleMaliciousReceiver<osuCrypto::RepetitionCode>>::setBaseOts(gsl::span<osuCrypto::block, -1l>, osuCrypto::BitVector const&, osuCrypto::PRNG&, osuCrypto::Channel&, bool) /home/lgp/MP-SPDZ/deps/libOTe/libOTe/TwoChooseOne/SoftSpokenOT/DotSemiHonest.cpp:30:3
    #6 0x55934619b3de in osuCrypto::SoftSpokenOT::DotMaliciousLeakySender::setBaseOts(gsl::span<osuCrypto::block, -1l>, osuCrypto::BitVector const&, osuCrypto::PRNG&, osuCrypto::Channel&) /home/lgp/MP-SPDZ/./local/include/libOTe/TwoChooseOne/SoftSpokenOT/DotMaliciousLeaky.h:75:9
    #7 0x55934619b3de in OTExtensionWithMatrix::soft_sender(unsigned long) /home/lgp/MP-SPDZ/OT/OTExtensionWithMatrix.cpp:152:12
    #8 0x55934619aa75 in OTExtensionWithMatrix::extend(int, BitVector const&) /home/lgp/MP-SPDZ/OT/OTExtensionWithMatrix.cpp:128:9
    #9 0x559346a23557 in OTMultiplier<Spdz2kShare<66, 64>>::multiplyForTriples() /home/lgp/MP-SPDZ/./OT/OTMultiplier.hpp:271:21
    #10 0x559346a131a2 in OTMultiplier<Spdz2kShare<66, 64>>::multiply() /home/lgp/MP-SPDZ/./OT/OTMultiplier.hpp:129:17
    #11 0x559346a10421 in void* run_ot_thread<Spdz2kShare<66, 64>>(void*) /home/lgp/MP-SPDZ/./OT/NPartyTripleGenerator.hpp:28:31
    #12 0x559346080206 in asan_thread_start(void*) asan_interceptors.cpp.o
    #13 0x7fa4807dc608 in start_thread /build/glibc-e2p3jK/glibc-2.31/nptl/pthread_create.c:477:8
    #14 0x7fa4806b8352 in __clone /build/glibc-e2p3jK/glibc-2.31/misc/../sysdeps/unix/sysv/linux/x86_64/clone.S:95

AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV /home/lgp/MP-SPDZ/deps/libOTe/cryptoTools/cryptoTools/../cryptoTools/Common/block.h:133:20 in osuCrypto::block::mm_xor_si128(osuCrypto::block const&) const
Thread T83 created by T70 here:
    #0 0x5593460681b1 in pthread_create (/home/lgp/MP-SPDZ/spdz2k-party.x+0x32f1b1) (BuildId: 696978139b793a6e175ed0121529d7fe607437a3)
    #1 0x559346a0fa42 in OTTripleGenerator<Spdz2kShare<66, 64>>::OTTripleGenerator(OTTripleSetup const&, Names const&, int, int, int, MascotParams&, Z2<64>, Player*) /home/lgp/MP-SPDZ/./OT/NPartyTripleGenerator.hpp:135:9
    #2 0x5593469ff595 in NPartyTripleGenerator<Spdz2kShare<66, 64>>::NPartyTripleGenerator(OTTripleSetup const&, Names const&, int, int, int, MascotParams&, Z2<64>, Player*) /home/lgp/MP-SPDZ/./OT/NPartyTripleGenerator.hpp:40:9
    #3 0x5593469ff595 in Spdz2kTripleGenerator<Spdz2kShare<66, 64>>::Spdz2kTripleGenerator(OTTripleSetup const&, Names const&, int, int, int, MascotParams&, Z2<64>, Player*) /home/lgp/MP-SPDZ/./OT/NPartyTripleGenerator.hpp:67:9
    #4 0x5593469ff595 in OTPrep<Spdz2kShare<66, 64>>::set_protocol(SPDZ2k<Spdz2kShare<66, 64>>&) /home/lgp/MP-SPDZ/./Protocols/MascotPrep.hpp:44:28
    #5 0x5593469f375b in SubProcessor<Spdz2kShare<66, 64>>::SubProcessor(MAC_Check_Z2k<Z2<130>, Z2<64>, Z2<130>, Spdz2kShare<66, 64>>&, Preprocessing<Spdz2kShare<66, 64>>&, Player&, ArithmeticProcessor*) /home/lgp/MP-SPDZ/./Processor/Processor.hpp:34:9

Thread T70 created by T0 here:
    #0 0x5593460681b1 in pthread_create (/home/lgp/MP-SPDZ/spdz2k-party.x+0x32f1b1) (BuildId: 696978139b793a6e175ed0121529d7fe607437a3)
    #1 0x5593468d74cd in Machine<Spdz2kShare<64, 64>, Share<gf2n_long>>::prepare(std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char>> const&) /home/lgp/MP-SPDZ/./Processor/Machine.hpp:203:7
    #2 0x5593468df9b6 in Machine<Spdz2kShare<64, 64>, Share<gf2n_long>>::run(std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char>> const&) /home/lgp/MP-SPDZ/./Processor/Machine.hpp:452:3
    #3 0x5593460cdc4c in int OnlineMachine::run<Spdz2kShare<64, 64>, Share<gf2n_long>>() /home/lgp/MP-SPDZ/./Processor/OnlineMachine.hpp:181:70
    #4 0x5593460c4f4f in main /home/lgp/MP-SPDZ/Machines/spdz2k-party.cpp:45:5
    #5 0x7fa4805bd082 in __libc_start_main /build/glibc-e2p3jK/glibc-2.31/csu/../csu/libc-start.c:308:16

==2418663==ABORTING
AddressSanitizer:DEADLYSIGNAL
=================================================================
==2455232==ERROR: AddressSanitizer: SEGV on unknown address 0x5210000d7b00 (pc 0x56384a86d836 bp 0x7faf2dd49e48 sp 0x7faf2dd49df0 T80)
==2455232==The signal is caused by a WRITE memory access.
    #0 0x56384a86d836 in osuCrypto::copyOut(gsl::span<std::array<osuCrypto::block, 8ul>, -1l>, osuCrypto::MatrixView<osuCrypto::block>, unsigned long, unsigned long, osuCrypto::PprfOutputFormat) /home/lgp/MP-SPDZ/deps/libOTe/libOTe/Tools/SilentPprf.cpp:140:41
    #1 0x56384a8734b6 in osuCrypto::SilentMultiPprfReceiver::expand(osuCrypto::Channel&, osuCrypto::PRNG&, osuCrypto::MatrixView<osuCrypto::block>, osuCrypto::PprfOutputFormat, bool, unsigned long)::$_0::operator()(unsigned long) const /home/lgp/MP-SPDZ/deps/libOTe/libOTe/Tools/SilentPprf.cpp:1191:17
    #2 0x56384a871dfb in osuCrypto::SilentMultiPprfReceiver::expand(osuCrypto::Channel&, osuCrypto::PRNG&, osuCrypto::MatrixView<osuCrypto::block>, osuCrypto::PprfOutputFormat, bool, unsigned long) /home/lgp/MP-SPDZ/deps/libOTe/libOTe/Tools/SilentPprf.cpp:1199:9
    #3 0x56384a8627e9 in osuCrypto::SoftSpokenOT::SmallFieldVoleReceiver::SmallFieldVoleReceiver(unsigned long, unsigned long, osuCrypto::Channel&, osuCrypto::PRNG&, gsl::span<osuCrypto::block const, -1l>, osuCrypto::BitVector, unsigned long, bool) /home/lgp/MP-SPDZ/deps/libOTe/libOTe/Vole/SoftSpokenOT/SmallFieldVole.cpp:386:7
    #4 0x56384a85e815 in osuCrypto::SoftSpokenOT::DotSemiHonestSenderWithVole<osuCrypto::SoftSpokenOT::SubspaceVoleMaliciousReceiver<osuCrypto::RepetitionCode>>::setBaseOts(gsl::span<osuCrypto::block, -1l>, osuCrypto::BitVector const&, osuCrypto::PRNG&, osuCrypto::Channel&, bool) /home/lgp/MP-SPDZ/deps/libOTe/libOTe/TwoChooseOne/SoftSpokenOT/DotSemiHonest.cpp:30:3
    #5 0x56384a8013de in osuCrypto::SoftSpokenOT::DotMaliciousLeakySender::setBaseOts(gsl::span<osuCrypto::block, -1l>, osuCrypto::BitVector const&, osuCrypto::PRNG&, osuCrypto::Channel&) /home/lgp/MP-SPDZ/./local/include/libOTe/TwoChooseOne/SoftSpokenOT/DotMaliciousLeaky.h:75:9
    #6 0x56384a8013de in OTExtensionWithMatrix::soft_sender(unsigned long) /home/lgp/MP-SPDZ/OT/OTExtensionWithMatrix.cpp:152:12
    #7 0x56384a800a75 in OTExtensionWithMatrix::extend(int, BitVector const&) /home/lgp/MP-SPDZ/OT/OTExtensionWithMatrix.cpp:128:9
    #8 0x56384b0128ed in OTMultiplier<Spdz2kShare<64, 64>>::multiply() /home/lgp/MP-SPDZ/./OT/OTMultiplier.hpp:94:13
    #9 0x56384b010511 in void* run_ot_thread<Spdz2kShare<64, 64>>(void*) /home/lgp/MP-SPDZ/./OT/NPartyTripleGenerator.hpp:28:31
    #10 0x56384a6e6206 in asan_thread_start(void*) asan_interceptors.cpp.o
    #11 0x7faf96a3b608 in start_thread /build/glibc-e2p3jK/glibc-2.31/nptl/pthread_create.c:477:8
    #12 0x7faf96917352 in __clone /build/glibc-e2p3jK/glibc-2.31/misc/../sysdeps/unix/sysv/linux/x86_64/clone.S:95

AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV /home/lgp/MP-SPDZ/deps/libOTe/libOTe/Tools/SilentPprf.cpp:140:41 in osuCrypto::copyOut(gsl::span<std::array<osuCrypto::block, 8ul>, -1l>, osuCrypto::MatrixView<osuCrypto::block>, unsigned long, unsigned long, osuCrypto::PprfOutputFormat)
Thread T80 created by T70 here:
    #0 0x56384a6ce1b1 in pthread_create (/home/lgp/MP-SPDZ/spdz2k-party.x+0x32f1b1) (BuildId: 696978139b793a6e175ed0121529d7fe607437a3)
    #1 0x56384b00fb32 in OTTripleGenerator<Spdz2kShare<64, 64>>::OTTripleGenerator(OTTripleSetup const&, Names const&, int, int, int, MascotParams&, Z2<64>, Player*) /home/lgp/MP-SPDZ/./OT/NPartyTripleGenerator.hpp:135:9
    #2 0x56384afea6d5 in NPartyTripleGenerator<Spdz2kShare<64, 64>>::NPartyTripleGenerator(OTTripleSetup const&, Names const&, int, int, int, MascotParams&, Z2<64>, Player*) /home/lgp/MP-SPDZ/./OT/NPartyTripleGenerator.hpp:40:9
    #3 0x56384afea6d5 in Spdz2kTripleGenerator<Spdz2kShare<64, 64>>::Spdz2kTripleGenerator(OTTripleSetup const&, Names const&, int, int, int, MascotParams&, Z2<64>, Player*) /home/lgp/MP-SPDZ/./OT/NPartyTripleGenerator.hpp:67:9
    #4 0x56384afea6d5 in OTPrep<Spdz2kShare<64, 64>>::set_protocol(SPDZ2k<Spdz2kShare<64, 64>>&) /home/lgp/MP-SPDZ/./Protocols/MascotPrep.hpp:44:28
    #5 0x56384afedc21 in Spdz2kPrep<Spdz2kShare<64, 64>>::set_protocol(SPDZ2k<Spdz2kShare<64, 64>>&) /home/lgp/MP-SPDZ/./Protocols/Spdz2kPrep.hpp:44:16
    #6 0x56384af7ce9c in SubProcessor<Spdz2kShare<64, 64>>::SubProcessor(MAC_Check_Z2k<Z2<128>, Z2<64>, Z2<128>, Spdz2kShare<64, 64>>&, Preprocessing<Spdz2kShare<64, 64>>&, Player&, ArithmeticProcessor*) /home/lgp/MP-SPDZ/./Processor/Processor.hpp:34:9

Thread T70 created by T0 here:
    #0 0x56384a6ce1b1 in pthread_create (/home/lgp/MP-SPDZ/spdz2k-party.x+0x32f1b1) (BuildId: 696978139b793a6e175ed0121529d7fe607437a3)
    #1 0x56384af3d4cd in Machine<Spdz2kShare<64, 64>, Share<gf2n_long>>::prepare(std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char>> const&) /home/lgp/MP-SPDZ/./Processor/Machine.hpp:203:7
    #2 0x56384af459b6 in Machine<Spdz2kShare<64, 64>, Share<gf2n_long>>::run(std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char>> const&) /home/lgp/MP-SPDZ/./Processor/Machine.hpp:452:3
    #3 0x56384a733c4c in int OnlineMachine::run<Spdz2kShare<64, 64>, Share<gf2n_long>>() /home/lgp/MP-SPDZ/./Processor/OnlineMachine.hpp:181:70
    #4 0x56384a72af4f in main /home/lgp/MP-SPDZ/Machines/spdz2k-party.cpp:45:5
    #5 0x7faf9681c082 in __libc_start_main /build/glibc-e2p3jK/glibc-2.31/csu/../csu/libc-start.c:308:16

==2455232==ABORTING
AddressSanitizer:DEADLYSIGNAL
=================================================================
==2495730==ERROR: AddressSanitizer: SEGV on unknown address 0x518800023dc0 (pc 0x55a03827f7dd bp 0x0000e0000003 sp 0x7fd6cf211e30 T71)
==2495730==The signal is caused by a READ memory access.
    #0 0x55a03827f7dd in osuCrypto::SilentMultiPprfReceiver::expand(osuCrypto::Channel&, osuCrypto::PRNG&, osuCrypto::MatrixView<osuCrypto::block>, osuCrypto::PprfOutputFormat, bool, unsigned long)::$_0::operator()(unsigned long) const /home/lgp/MP-SPDZ/deps/libOTe/libOTe/Tools/SilentPprf.cpp:1068:59
    #1 0x55a03827edfb in osuCrypto::SilentMultiPprfReceiver::expand(osuCrypto::Channel&, osuCrypto::PRNG&, osuCrypto::MatrixView<osuCrypto::block>, osuCrypto::PprfOutputFormat, bool, unsigned long) /home/lgp/MP-SPDZ/deps/libOTe/libOTe/Tools/SilentPprf.cpp:1199:9
    #2 0x55a03826f7e9 in osuCrypto::SoftSpokenOT::SmallFieldVoleReceiver::SmallFieldVoleReceiver(unsigned long, unsigned long, osuCrypto::Channel&, osuCrypto::PRNG&, gsl::span<osuCrypto::block const, -1l>, osuCrypto::BitVector, unsigned long, bool) /home/lgp/MP-SPDZ/deps/libOTe/libOTe/Vole/SoftSpokenOT/SmallFieldVole.cpp:386:7
    #3 0x55a03826b815 in osuCrypto::SoftSpokenOT::DotSemiHonestSenderWithVole<osuCrypto::SoftSpokenOT::SubspaceVoleMaliciousReceiver<osuCrypto::RepetitionCode>>::setBaseOts(gsl::span<osuCrypto::block, -1l>, osuCrypto::BitVector const&, osuCrypto::PRNG&, osuCrypto::Channel&, bool) /home/lgp/MP-SPDZ/deps/libOTe/libOTe/TwoChooseOne/SoftSpokenOT/DotSemiHonest.cpp:30:3
    #4 0x55a03820e3de in osuCrypto::SoftSpokenOT::DotMaliciousLeakySender::setBaseOts(gsl::span<osuCrypto::block, -1l>, osuCrypto::BitVector const&, osuCrypto::PRNG&, osuCrypto::Channel&) /home/lgp/MP-SPDZ/./local/include/libOTe/TwoChooseOne/SoftSpokenOT/DotMaliciousLeaky.h:75:9
    #5 0x55a03820e3de in OTExtensionWithMatrix::soft_sender(unsigned long) /home/lgp/MP-SPDZ/OT/OTExtensionWithMatrix.cpp:152:12
    #6 0x55a03820da75 in OTExtensionWithMatrix::extend(int, BitVector const&) /home/lgp/MP-SPDZ/OT/OTExtensionWithMatrix.cpp:128:9
    #7 0x55a0381ca33d in OTMultiplier<GC::TinierSecret<gf2n_mac_key>>::multiply() /home/lgp/MP-SPDZ/./OT/OTMultiplier.hpp:94:13
    #8 0x55a0381c4cc1 in void* run_ot_thread<GC::TinierSecret<gf2n_mac_key>>(void*) /home/lgp/MP-SPDZ/./OT/NPartyTripleGenerator.hpp:28:31
    #9 0x55a0380f3206 in asan_thread_start(void*) asan_interceptors.cpp.o
    #10 0x7fd72d26b608 in start_thread /build/glibc-e2p3jK/glibc-2.31/nptl/pthread_create.c:477:8
    #11 0x7fd72d147352 in __clone /build/glibc-e2p3jK/glibc-2.31/misc/../sysdeps/unix/sysv/linux/x86_64/clone.S:95

AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV /home/lgp/MP-SPDZ/deps/libOTe/libOTe/Tools/SilentPprf.cpp:1068:59 in osuCrypto::SilentMultiPprfReceiver::expand(osuCrypto::Channel&, osuCrypto::PRNG&, osuCrypto::MatrixView<osuCrypto::block>, osuCrypto::PprfOutputFormat, bool, unsigned long)::$_0::operator()(unsigned long) const
Thread T71 created by T70 here:
    #0 0x55a0380db1b1 in pthread_create (/home/lgp/MP-SPDZ/spdz2k-party.x+0x32f1b1) (BuildId: 696978139b793a6e175ed0121529d7fe607437a3)
    #1 0x55a0381c1de2 in OTTripleGenerator<GC::TinierSecret<gf2n_mac_key>>::OTTripleGenerator(OTTripleSetup const&, Names const&, int, int, int, MascotParams&, gf2n_mac_key, Player*) /home/lgp/MP-SPDZ/./OT/NPartyTripleGenerator.hpp:135:9
    #2 0x55a03816b961 in NPartyTripleGenerator<GC::TinierSecret<gf2n_mac_key>>::NPartyTripleGenerator(OTTripleSetup const&, Names const&, int, int, int, MascotParams&, gf2n_mac_key, Player*) /home/lgp/MP-SPDZ/./OT/NPartyTripleGenerator.hpp:40:9
    #3 0x55a03816b961 in GC::TinierSharePrep<GC::TinierShare<gf2n_mac_key>>::set_protocol(Beaver<GC::TinierShare<gf2n_mac_key>>&) /home/lgp/MP-SPDZ/./GC/TinierSharePrep.hpp:51:28
    #4 0x55a03815eea3 in SubProcessor<GC::TinierShare<gf2n_mac_key>>::SubProcessor(MAC_Check_<GC::TinierShare<gf2n_mac_key>>&, Preprocessing<GC::TinierShare<gf2n_mac_key>>&, Player&, ArithmeticProcessor*) /home/lgp/MP-SPDZ/./Processor/Processor.hpp:34:9

Thread T70 created by T0 here:
    #0 0x55a0380db1b1 in pthread_create (/home/lgp/MP-SPDZ/spdz2k-party.x+0x32f1b1) (BuildId: 696978139b793a6e175ed0121529d7fe607437a3)
    #1 0x55a03894a4cd in Machine<Spdz2kShare<64, 64>, Share<gf2n_long>>::prepare(std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char>> const&) /home/lgp/MP-SPDZ/./Processor/Machine.hpp:203:7
    #2 0x55a0389529b6 in Machine<Spdz2kShare<64, 64>, Share<gf2n_long>>::run(std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char>> const&) /home/lgp/MP-SPDZ/./Processor/Machine.hpp:452:3
    #3 0x55a038140c4c in int OnlineMachine::run<Spdz2kShare<64, 64>, Share<gf2n_long>>() /home/lgp/MP-SPDZ/./Processor/OnlineMachine.hpp:181:70
    #4 0x55a038137f4f in main /home/lgp/MP-SPDZ/Machines/spdz2k-party.cpp:45:5
    #5 0x7fd72d04c082 in __libc_start_main /build/glibc-e2p3jK/glibc-2.31/csu/../csu/libc-start.c:308:16

==2495730==ABORTING

Credit

Guopeng Lin (Fudan University)

@mkskeller
Member

Thank you for your efforts. You should find that 6ce15d4 fixes 1, 2, and 4-7. However, I'm not sure what to make of 3 as it's unclear where it happens. It might be Names::setup_names() where party 0 sends the hostnames of all parties as part of the setup procedure. If this is true, I don't think it can be fixed. One could set a limit on the number of parties but the result would be an abort either way.

@GuopengLin
Author

Thank you for your response.

Upon a careful examination of the MP-SPDZ code, I suppose that vulnerability 3 might originate from the octetStream::resize_precise(size_t l) function in MP-SPDZ/Tools/octetStream.h. It appears that the parameter l could be manipulated by an active adversary.

Here's a potential call sequence:
octetStream::input -> octetStream::resize_min -> octetStream::resize_precise

@mkskeller
Member

mkskeller commented Apr 24, 2024

octetStream::input reads from a C++ istream, which in all cases I can think of is from a file. If I understand your analysis correctly, it only covers socket communication. Furthermore, the posted stack trace refers to a vector of strings, which does not appear in your sequence.

@GuopengLin
Author

Sorry, I made a mistake.
The potential call sequence should be:
octetStream::Receive -> octetStream::resize_min -> octetStream::resize_precise

@mkskeller
Member

I don't think that that's the case either. resize_precise calls new char[], which doesn't match the stack trace. It does expose a similar pattern, but the situation is also similar to the one above. If the memory is not available, it will throw bad_alloc(). This is equivalent to the program aborting due to a size check.
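
The pattern this thread turns on, a peer-supplied length that sizes either a copy into a fixed buffer or a heap allocation, shown as an added example that is not part of the thread and is not MP-SPDZ code or the fix in 6ce15d4. The wire format (8-byte little-endian length, then payload) and all function names are assumptions made for illustration.

```cpp
#include <cstddef>
#include <cstdint>
#include <cstring>
#include <vector>

// Hypothetical wire format (assumption, not MP-SPDZ's): 8-byte little-endian
// length followed by the payload.
constexpr size_t LEN_BYTES = 8;
enum class Status { Ok, Truncated, TooLargeForDest, OverLimit };

// Constructed sample input: header declares `declared` bytes, body is `body`.
std::vector<uint8_t> make_msg(uint64_t declared, const std::vector<uint8_t>& body) {
    std::vector<uint8_t> m(LEN_BYTES);
    for (size_t i = 0; i < LEN_BYTES; i++) m[i] = uint8_t(declared >> (8 * i));
    m.insert(m.end(), body.begin(), body.end());
    return m;
}

// Parse the peer-supplied length; false if the header itself is incomplete.
bool read_len(const std::vector<uint8_t>& msg, uint64_t& declared) {
    if (msg.size() < LEN_BYTES) return false;
    declared = 0;
    for (size_t i = 0; i < LEN_BYTES; i++) declared |= uint64_t(msg[i]) << (8 * i);
    return true;
}

// Fixed destination (e.g. a stack array): the declared length must fit both
// the bytes actually received and the destination before memcpy runs.
Status get_bytes_checked(const std::vector<uint8_t>& msg, uint8_t* dest,
                         size_t dest_cap, size_t& out_len) {
    uint64_t declared;
    if (!read_len(msg, declared)) return Status::Truncated;
    if (declared > msg.size() - LEN_BYTES) return Status::Truncated;
    if (declared > dest_cap) return Status::TooLargeForDest;
    std::memcpy(dest, msg.data() + LEN_BYTES, size_t(declared));
    out_len = size_t(declared);
    return Status::Ok;
}

// Heap destination: the buffer is sized from the header before the body
// arrives, so only a configured cap bounds what the peer makes us allocate.
Status alloc_for_receive(const std::vector<uint8_t>& header, uint64_t max_msg,
                         std::vector<uint8_t>& buf) {
    uint64_t declared;
    if (!read_len(header, declared)) return Status::Truncated;
    if (declared > max_msg) return Status::OverLimit;
    buf.assign(size_t(declared), 0);
    return Status::Ok;
}
```

Both functions return a status instead of throwing, so the caller can attribute the malformed message to the sending party before deciding to abort.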
