Potential issues with respect to garbage collection

[simonspies]

I think I noticed an issue in two functions that, I believe, can lead to use-after-free errors due to garbage collection in some executions:

• In the function caml_blake2b_init in the blake2 stubs, the variable key appears to be a string that is not registered with the garbage collector through CAMLparam. If I'm not mistaken, the allocation in the function could potentially cause the GC to move the block that stores the string, making the access in the next line potentially result in a use-after-free bug.

• In the function caml_chacha20_cook_key in the chacha20 stubs a similar issue arises, I believe, with the variable counter that is an int64, not registered as a root, and then accessed after an allocation.

(I found these cases using a prototype tool that I've been working on for statically analyzing C stubs.)

[xavierleroy]

Thanks for your feedback. I think you're right, and I'll fix these issues shortly. +1 for your tool !

[UnixJunkie]

@simonspies you might be interested in analyzing this one after: https://erratique.ch/software/ttweetnacl
Such analysis tools are very important.

[xavierleroy]

Should be fixed by fe29617 . Thanks again for the report!