Fwd: mpi_set_secure leads to heap corruption

Mark Wooding mdw at distorted.org.uk
Tue Jul 4 22:03:04 CEST 2017

NIIBE Yutaka <gniibe at fsij.org> writes:

> Thank you for forwarding the bug report.
> Fixed both for master and LIBGCRYPT-1-7-BRANCH.


> Yes.  While the patch is right, I followed the suggestion for less
> surprise.

Fair enough.

> While there is the API, I don't know the real use case.  So, I did
> search:
>     https://codesearch.debian.net/search?q=mpi_set_flag.*GCRYMPI_FLAG_SECURE
> and seccure-0.5_1 has use cases.  Since all use cases are
> gcry_mpi_scan then gcry_mpi_set_flag, I think that those cases are
> safe for heap corruption.

Alas not.  I found this bug because seccure-0.5_1 broke on amd64 (and I
couldn't mount my backup disks again until I fixed it).  What happened
is that `gcry_mpi_scan' returned a bignum with alloced = 5 and nlimbs =
4; zeroizing the limb vector clobbered the secure-memory pool structure
in a way I didn't investigate too carefully, but the result was that
`mb_get_new' thought that the pool was full and `gcry_malloc_secure'
failed.  As far as I can make out, `seccure-decrypt' can't decrypt
anything at all on amd64.

-- [mdw]
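A toy model of the failure described in the message above, added here as an illustration and not code from libgcrypt or seccure: a 4-limb buffer is zeroized by a recorded capacity of 5 limbs, the extra limb lands on the next block's header, and the following allocation fails. The pool layout, `pool_alloc` and `alloc_after_wipe` are hypothetical, and it is an assumption of this example that the buffer held only nlimbs limbs while alloced stayed at 5; the message does not say so.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical toy pool, not libgcrypt's secmem: each block is one header
 * limb (payload length in limbs, top bit = in use) followed by its payload. */
typedef uint64_t limb_t;
#define POOL_LIMBS 16u
#define IN_USE ((limb_t)1 << 63)
static limb_t pool[POOL_LIMBS];

/* First fit. Returns the payload index, or -1 when no block can be found. */
static int pool_alloc(size_t n) {
    for (size_t i = 0; i < POOL_LIMBS; ) {
        size_t len = (size_t)(pool[i] & ~IN_USE);
        if (len == 0 || i + 1 + len > POOL_LIMBS)
            return -1;                      /* damaged header: walk gives up */
        if (!(pool[i] & IN_USE) && len >= n) {
            if (len > n + 1) {              /* split off the free remainder */
                pool[i + 1 + n] = len - n - 1;
                len = n;
            }
            pool[i] = len | IN_USE;
            return (int)(i + 1);
        }
        i += 1 + len;
    }
    return -1;
}

/* Allocate buf_limbs, zeroize wipe_limbs from the start of that buffer, then
 * return 1 if the pool can still serve a 2-limb request, else 0. */
static int alloc_after_wipe(size_t buf_limbs, size_t wipe_limbs) {
    memset(pool, 0, sizeof pool);
    pool[0] = POOL_LIMBS - 1;               /* one free block spans the pool */
    int p = pool_alloc(buf_limbs);
    if (p < 0) return 0;
    for (size_t k = 0; k < wipe_limbs && (size_t)p + k < POOL_LIMBS; k++)
        pool[(size_t)p + k] = 0;            /* wipe stays inside the array */
    return pool_alloc(2) >= 0;
}

int main(void) {
    printf("buffer 4, wipe 5 (alloced): %d\n", alloc_after_wipe(4, 5));
    printf("buffer 4, wipe 4 (nlimbs):  %d\n", alloc_after_wipe(4, 4));
    printf("buffer 5, wipe 5:           %d\n", alloc_after_wipe(5, 5));
    return 0;
}
```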
