Crypt::Argon2 Heap Out-of-Bounds Read Vulnerability in argon2_verify Function
Vulnerability
A heap out-of-bounds read vulnerability has been identified in Crypt::Argon2 versions 0.017 prior to 0.031 for Perl. The issue arises in the argon2_verify function when it processes empty encoded input. The auto-detect feature of argon2_verify passes a length of encoded_len - 1 to memchr without first verifying that encoded_len is greater than zero. Because the length is an unsigned size, the subtraction underflows to a very large value, so memchr scans past the end of the buffer into adjacent heap memory looking for a '$' separator byte. Consequently, if argon2_verify is called with a stored hash that is legitimately empty, it reads out-of-bounds heap memory, which can crash the process or leak information about adjacent memory into subsequent operations.
Impact
Exploitation of this vulnerability can cause a process crash or unintended memory disclosure, revealing the location of a '$' byte separator, which could disrupt normal parsing operations.
Reproduction
The vulnerability can be reproduced by invoking the argon2_verify function with an empty string as the encoded input. This will trigger the out-of-bounds read by causing the length parameter to underflow, allowing the function to read adjacent heap memory.
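As an added illustration (not the module's source), the length arithmetic described above is shown beside a hardened auto-detect that validates encoded_len before using it; the function names and the assumption that auto-detect skips a leading '$' to find the variant name are mine, and the sample hash string is constructed:

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Reconstruction of the pattern the advisory describes (an assumption, not
 * the module's actual code): the scan length handed to memchr is computed
 * as encoded_len - 1 with no check that encoded_len > 0. For a size_t of 0
 * the subtraction wraps to SIZE_MAX, so memchr would walk off the buffer. */
size_t unchecked_scan_len(size_t encoded_len) {
    return encoded_len - 1;   /* SIZE_MAX when encoded_len == 0 */
}

/* Hardened variant detection: checks the length before any arithmetic on it
 * and never lets memchr look beyond encoded + encoded_len. On success stores
 * the start of the variant name in *name and returns its length (8 for
 * "argon2id"); returns 0 and sets *name to NULL for empty or malformed input. */
size_t checked_variant(const char *encoded, size_t encoded_len, const char **name) {
    *name = NULL;
    if (encoded == NULL || encoded_len < 2 || encoded[0] != '$')
        return 0;                                   /* empty, or no leading '$' */
    const char *start = encoded + 1;                /* first byte after the '$' */
    const char *end = memchr(start, '$', encoded_len - 1); /* len >= 2, no wrap */
    if (end == NULL || end == start)
        return 0;                                   /* no second '$' or empty name */
    *name = start;
    return (size_t)(end - start);
}

/* Convenience wrapper for NUL-terminated input. */
size_t variant_len_of(const char *encoded) {
    const char *name;
    return checked_variant(encoded, strlen(encoded), &name);
}

int main(void) {
    /* constructed sample; salt and hash fields are placeholders, not real values */
    const char *sample = "$argon2id$v=19$m=65536,t=2,p=1$c2FsdHNhbHQ$aGFzaGhhc2g";
    const char *name;
    size_t n = checked_variant(sample, strlen(sample), &name);
    printf("variant: %.*s (%zu bytes)\n", (int)n, name, n);
    printf("empty input -> variant length %zu\n", variant_len_of(""));
    printf("unchecked scan length for empty input: %zu\n", unchecked_scan_len(0));
    return 0;
}
```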
Remediation
Users can upgrade to Crypt::Argon2 version 0.031 or later, where this vulnerability has been fixed.
