mratsim · mratsim · Oct 10, 2023 · Oct 9, 2023
diff --git a/constantine/math_arbitrary_precision/arithmetic/bigints_views.nim b/constantine/math_arbitrary_precision/arithmetic/bigints_views.nim
@@ -170,28 +170,28 @@ func powMod_vartime*(
   #   https://cetinkayakoc.net/docs/j34.pdf
 
   let qBits = mBits-ctz
-  let pBits = 1+ctz
+  let kBits = 1+ctz
   let qWords = qBits.wordsRequired()
-  let pWords = pBits.wordsRequired()
+  let kWords = kBits.wordsRequired()
 
   var qBuf  = allocStackArray(SecretWord, qWords)
   var a1Buf = allocStackArray(SecretWord, qWords)
-  var a2Buf = allocStackArray(SecretWord, pWords)
-  var yBuf =  allocStackArray(SecretWord, pWords)
-  var qInv2kBuf = allocStackArray(SecretWord, pWords)
+  var a2Buf = allocStackArray(SecretWord, kWords)
+  var yBuf =  allocStackArray(SecretWord, kWords)
+  var qInv2kBuf = allocStackArray(SecretWord, kWords)
 
   template q: untyped = qBuf.toOpenArray(0, qWords-1)
   template a1: untyped = a1Buf.toOpenArray(0, qWords-1)
-  template a2: untyped = a2Buf.toOpenArray(0, pWords-1)
-  template y: untyped = yBuf.toOpenArray(0, pWords-1)
-  template qInv2k: untyped = qInv2kBuf.toOpenArray(0, pWords-1)
+  template a2: untyped = a2Buf.toOpenArray(0, kWords-1)
+  template y: untyped = yBuf.toOpenArray(0, kWords-1)
+  template qInv2k: untyped = qInv2kBuf.toOpenArray(0, kWords-1)
 
   q.shiftRight_vartime(M, ctz)
 
   a1.powOddMod_vartime(a, exponent, q, window)
   a2.powMod2k_vartime(a, exponent, k = uint ctz)
 
-  qInv2k.invMod2k_vartime(qBuf.toOpenArray(0, qWords-1), uint ctz)
+  qInv2k.invMod2k_vartime(q, uint ctz)
   y.submod2k_vartime(a2, a1, uint ctz)
   y.mulmod2k_vartime(y, qInv2k, uint ctz)
 

diff --git a/constantine/math_arbitrary_precision/arithmetic/limbs_mod2k.nim b/constantine/math_arbitrary_precision/arithmetic/limbs_mod2k.nim
@@ -145,9 +145,12 @@ func powMod2k_vartime*(
   var sBuf = allocStackArray(SecretWord, r.len)
   template s: untyped = sBuf.toOpenArray(0, r.len-1)
 
-  for i in 0 ..< min(r.len, a.len):
+  let truncLen = min(r.len, a.len)
+  for i in 0 ..< truncLen:
     # range [r.len, a.len) will be truncated (mod 2ᵏ)
     sBuf[i] = a[i]
+  for i in truncLen ..< r.len:
+    sBuf[i] = Zero
 
   # TODO: sliding/fixed window exponentiation
   for i in countdown(exponent.len-1, 0):

diff --git a/tests/t_ethereum_evm_modexp.nim b/tests/t_ethereum_evm_modexp.nim
@@ -73,7 +73,7 @@ suite "EVM ModExp precompile (EIP-198)":
     doAssert status == cttEVM_Success
     doAssert r[0] == 0, ". Result was " & $r[0]
 
-  test "Audit #5-3 - temp buffer extra unintialized word":
+  test "Audit #5-3 - temp buffer extra uninitialized word":
     let input = [
 
         # Length of base (1)
@@ -104,6 +104,39 @@ suite "EVM ModExp precompile (EIP-198)":
     doAssert status == cttEVM_Success
     doAssert r == @[byte 0, 0, 1, 45, 106, 227, 225, 162, 136], ". Result was " & $r
 
+  test "Audit #5-4 - temp buffer extra uninitialized word (2)":
+    var input = [
+        # Length of base
+        uint8 0x00,
+              0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
+        0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x0c,
+
+        # Length of exponent
+        0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
+        0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x08,
+
+        # Length of modulus
+        0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
+        0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x2b,
+
+        # Base
+        0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
+
+
+        # Exponent
+        0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xe0,
+
+        # Modulus
+        0x17, 0xc6, 0xab, 0xaa, 0x3f, 0x00, 0xe5, 0xc0, 0x5b, 0x75, 0x74, 0xcb,
+        0xcf, 0x2a, 0x44, 0xd4, 0x3a, 0xca, 0x4a, 0xc0, 0x00, 0x00, 0x00, 0x00,
+        0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
+        0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
+    ]
+    var r = newSeq[byte](0x2b)
+    let status = eth_evm_modexp(r, input)
+    doAssert status == cttEVM_Success
+    doAssert r == @[byte 10, 141, 74, 46, 2, 18, 2, 37, 247, 220, 246, 65, 109, 246, 7, 144, 85, 202, 194, 191, 255, 255, 255, 0, 0, 0, 0, 0, 0, 0, 32, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 1], ". Result was " & $r
+
   test "Audit #8 - off-by-1 buffer overflow - ptr + length exclusive vs openArray(lo, hi) inclusive":
     let input = [
         # Length of base (24)