Fwd: mpi_set_secure leads to heap corruption
Mark Wooding
mdw at distorted.org.uk
Tue Jul 4 22:03:04 CEST 2017
NIIBE Yutaka <gniibe at fsij.org> writes:
> Thank you for forwarding the bug report.
>
> Fixed both for master and LIBGCRYPT-1-7-BRANCH.
Thanks.
> Yes. While the patch is right, I followed the suggestion for less
> surprise.
Fair enough.
> While there is the API, I don't know the real use case. So, I did
> search:
>
> https://codesearch.debian.net/search?q=mpi_set_flag.*GCRYMPI_FLAG_SECURE
>
> and seccure-0.5_1 has use cases. Since all use cases are
> gcry_mpi_scan then gcry_mpi_set_flag, I think that those cases are
> safe for heap corruption.
Alas not. I found this bug because seccure-0.5_1 broke on amd64 (and I
couldn't mount my backup disks again until I fixed it). What happened
is that `gcry_mpi_scan' returned a bignum with alloced = 5 and nlimbs =
4; zeroizing the limb vector clobbered the secure-memory pool structure
in a way I didn't investigate too carefully, but the result was that
`mb_get_new' thought that the pool was full and `gcry_malloc_secure'
failed. As far as I can make out, `seccure-decrypt' can't decrypt
anything at all on amd64.
-- [mdw]
More information about the Gcrypt-devel
mailing list