glibc

/ hownot2code

1200px-Heckert_GNU_white.svg

BUG OF THE MONTH | Dangerous optimization (a vulnerability)

V597 The compiler could delete the ‘memset’ function call, which is used to flush ‘temp_result’ buffer. The RtlSecureZeroMemory() function should be used to erase the private data. sha256-crypt.c 385

char *
__sha256_crypt_r (key, salt, buffer, buflen)
     const char *key;
     const char *salt;
     char *buffer;
     int buflen;
{
  ....
  unsigned char temp_result[32]
  ....
  memset (temp_result, '\0', sizeof (temp_result));
  ....
  .... // temp_result not used further on
}

The compiler is allowed to remove the call of the memset() function when compiling the Release version. Well, it is actually obliged to do so for the sake of optimization. Since the ‘temp_result’ buffer is not used anywhere after calling the memset() function, the function call itself is not needed too.

This is a vulnerability because the private data will not be erased. The memset() function should be replaced with a more appropriate one. The analyzer suggests RtlSecureZeroMemory(), which is absent in Linux of course. But there are other alternatives.

Please click here to see more bugs from this project.

Leave a Reply

Fill in your details below or click an icon to log in:

Gravatar
WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Cancel

Connecting to %s

This site uses Akismet to reduce spam. Learn how your comment data is processed.