Location via proxy:   [ UP ]  
[Report a bug]   [Manage cookies]                
Skip to content

Commit 74a308c

Browse files
committed
Use explicit_bzero
Use the explicit_bzero() function in places where it is important that security information such as passwords is cleared from memory. There might be other places where it could be useful; this is just an initial collection. For platforms that don't have explicit_bzero(), provide various fallback implementations. (explicit_bzero() itself isn't standard, but as Linux/glibc, FreeBSD, and OpenBSD have it, it's the most common spelling, so it makes sense to make that the invocation point.) Discussion: https://www.postgresql.org/message-id/flat/42d26bde-5d5b-c90d-87ae-6cab875f73be%402ndquadrant.com
1 parent ae060a5 commit 74a308c

File tree

9 files changed

+99
-2
lines changed

9 files changed

+99
-2
lines changed

configure

+14-1
Original file line numberDiff line numberDiff line change
@@ -15087,7 +15087,7 @@ fi
1508715087
LIBS_including_readline="$LIBS"
1508815088
LIBS=`echo "$LIBS" | sed -e 's/-ledit//g' -e 's/-lreadline//g'`
1508915089

15090-
for ac_func in cbrt clock_gettime copyfile fdatasync getifaddrs getpeerucred getrlimit mbstowcs_l memmove poll posix_fallocate ppoll pstat pthread_is_threaded_np readlink setproctitle setproctitle_fast setsid shm_open strchrnul strsignal symlink sync_file_range uselocale utime utimes wcstombs_l
15090+
for ac_func in cbrt clock_gettime copyfile fdatasync getifaddrs getpeerucred getrlimit mbstowcs_l memset_s memmove poll posix_fallocate ppoll pstat pthread_is_threaded_np readlink setproctitle setproctitle_fast setsid shm_open strchrnul strsignal symlink sync_file_range uselocale utime utimes wcstombs_l
1509115091
do :
1509215092
as_ac_var=`$as_echo "ac_cv_func_$ac_func" | $as_tr_sh`
1509315093
ac_fn_c_check_func "$LINENO" "$ac_func" "$as_ac_var"
@@ -15739,6 +15739,19 @@ esac
1573915739

1574015740
fi
1574115741

15742+
ac_fn_c_check_func "$LINENO" "explicit_bzero" "ac_cv_func_explicit_bzero"
15743+
if test "x$ac_cv_func_explicit_bzero" = xyes; then :
15744+
$as_echo "#define HAVE_EXPLICIT_BZERO 1" >>confdefs.h
15745+
15746+
else
15747+
case " $LIBOBJS " in
15748+
*" explicit_bzero.$ac_objext "* ) ;;
15749+
*) LIBOBJS="$LIBOBJS explicit_bzero.$ac_objext"
15750+
;;
15751+
esac
15752+
15753+
fi
15754+
1574215755
ac_fn_c_check_func "$LINENO" "fls" "ac_cv_func_fls"
1574315756
if test "x$ac_cv_func_fls" = xyes; then :
1574415757
$as_echo "#define HAVE_FLS 1" >>confdefs.h

configure.in

+2
Original file line numberDiff line numberDiff line change
@@ -1594,6 +1594,7 @@ AC_CHECK_FUNCS(m4_normalize([
15941594
getpeerucred
15951595
getrlimit
15961596
mbstowcs_l
1597+
memset_s
15971598
memmove
15981599
poll
15991600
posix_fallocate
@@ -1691,6 +1692,7 @@ fi
16911692

16921693
AC_REPLACE_FUNCS(m4_normalize([
16931694
dlopen
1695+
explicit_bzero
16941696
fls
16951697
getopt
16961698
getrusage

src/backend/libpq/be-secure-common.c

+3
Original file line numberDiff line numberDiff line change
@@ -87,6 +87,7 @@ run_ssl_passphrase_command(const char *prompt, bool is_server_start, char *buf,
8787
{
8888
if (ferror(fh))
8989
{
90+
explicit_bzero(buf, size);
9091
ereport(loglevel,
9192
(errcode_for_file_access(),
9293
errmsg("could not read from command \"%s\": %m",
@@ -98,13 +99,15 @@ run_ssl_passphrase_command(const char *prompt, bool is_server_start, char *buf,
9899
pclose_rc = ClosePipeStream(fh);
99100
if (pclose_rc == -1)
100101
{
102+
explicit_bzero(buf, size);
101103
ereport(loglevel,
102104
(errcode_for_file_access(),
103105
errmsg("could not close pipe to external command: %m")));
104106
goto error;
105107
}
106108
else if (pclose_rc != 0)
107109
{
110+
explicit_bzero(buf, size);
108111
ereport(loglevel,
109112
(errcode_for_file_access(),
110113
errmsg("command \"%s\" failed",

src/include/pg_config.h.in

+6
Original file line numberDiff line numberDiff line change
@@ -195,6 +195,9 @@
195195
/* Define to 1 if you have the <editline/readline.h> header file. */
196196
#undef HAVE_EDITLINE_READLINE_H
197197

198+
/* Define to 1 if you have the `explicit_bzero' function. */
199+
#undef HAVE_EXPLICIT_BZERO
200+
198201
/* Define to 1 if you have the `fdatasync' function. */
199202
#undef HAVE_FDATASYNC
200203

@@ -395,6 +398,9 @@
395398
/* Define to 1 if you have the <memory.h> header file. */
396399
#undef HAVE_MEMORY_H
397400

401+
/* Define to 1 if you have the `memset_s' function. */
402+
#undef HAVE_MEMSET_S
403+
398404
/* Define to 1 if the system has the type `MINIDUMP_TYPE'. */
399405
#undef HAVE_MINIDUMP_TYPE
400406

src/include/pg_config.h.win32

+6
Original file line numberDiff line numberDiff line change
@@ -153,6 +153,9 @@
153153
/* Define to 1 if you have the <editline/readline.h> header file. */
154154
/* #undef HAVE_EDITLINE_READLINE_H */
155155

156+
/* Define to 1 if you have the `explicit_bzero' function. */
157+
/* #undef HAVE_EXPLICIT_BZERO */
158+
156159
/* Define to 1 if you have the `fdatasync' function. */
157160
/* #undef HAVE_FDATASYNC */
158161

@@ -283,6 +286,9 @@
283286
/* Define to 1 if you have the <memory.h> header file. */
284287
#define HAVE_MEMORY_H 1
285288

289+
/* Define to 1 if you have the `memset_s' function. */
290+
/* #undef HAVE_MEMSET_S */
291+
286292
/* Define to 1 if the system has the type `MINIDUMP_TYPE'. */
287293
#define HAVE_MINIDUMP_TYPE 1
288294

src/include/port.h

+4
Original file line numberDiff line numberDiff line change
@@ -378,6 +378,10 @@ extern int isinf(double x);
378378
#endif /* __clang__ && !__cplusplus */
379379
#endif /* !HAVE_ISINF */
380380

381+
#ifndef HAVE_EXPLICIT_BZERO
382+
extern void explicit_bzero(void *buf, size_t len);
383+
#endif
384+
381385
#ifndef HAVE_STRTOF
382386
extern float strtof(const char *nptr, char **endptr);
383387
#endif

src/interfaces/libpq/fe-connect.c

+8
Original file line numberDiff line numberDiff line change
@@ -3885,7 +3885,10 @@ freePGconn(PGconn *conn)
38853885
if (conn->connhost[i].port != NULL)
38863886
free(conn->connhost[i].port);
38873887
if (conn->connhost[i].password != NULL)
3888+
{
3889+
explicit_bzero(conn->connhost[i].password, strlen(conn->connhost[i].password));
38883890
free(conn->connhost[i].password);
3891+
}
38893892
}
38903893
free(conn->connhost);
38913894
}
@@ -3919,7 +3922,10 @@ freePGconn(PGconn *conn)
39193922
if (conn->pguser)
39203923
free(conn->pguser);
39213924
if (conn->pgpass)
3925+
{
3926+
explicit_bzero(conn->pgpass, strlen(conn->pgpass));
39223927
free(conn->pgpass);
3928+
}
39233929
if (conn->pgpassfile)
39243930
free(conn->pgpassfile);
39253931
if (conn->keepalives)
@@ -6931,6 +6937,7 @@ passwordFromFile(const char *hostname, const char *port, const char *dbname,
69316937
if (!ret)
69326938
{
69336939
/* Out of memory. XXX: an error message would be nice. */
6940+
explicit_bzero(buf, sizeof(buf));
69346941
return NULL;
69356942
}
69366943

@@ -6947,6 +6954,7 @@ passwordFromFile(const char *hostname, const char *port, const char *dbname,
69476954
}
69486955

69496956
fclose(fp);
6957+
explicit_bzero(buf, sizeof(buf));
69506958
return NULL;
69516959

69526960
#undef LINELEN

src/port/explicit_bzero.c

+55
Original file line numberDiff line numberDiff line change
@@ -0,0 +1,55 @@
1+
/*-------------------------------------------------------------------------
2+
*
3+
* explicit_bzero.c
4+
*
5+
* Portions Copyright (c) 1996-2019, PostgreSQL Global Development Group
6+
* Portions Copyright (c) 1994, Regents of the University of California
7+
*
8+
*
9+
* IDENTIFICATION
10+
* src/port/explicit_bzero.c
11+
*
12+
*-------------------------------------------------------------------------
13+
*/
14+
15+
#include "c.h"
16+
17+
#if defined(HAVE_MEMSET_S)
18+
19+
void
20+
explicit_bzero(void *buf, size_t len)
21+
{
22+
(void) memset_s(buf, len, 0, len);
23+
}
24+
25+
#elif defined(WIN32)
26+
27+
void
28+
explicit_bzero(void *buf, size_t len)
29+
{
30+
(void) SecureZeroMemory(buf, len);
31+
}
32+
33+
#else
34+
35+
/*
36+
* Indirect call through a volatile pointer to hopefully avoid dead-store
37+
* optimisation eliminating the call. (Idea taken from OpenSSH.) We can't
38+
* assume bzero() is present either, so for simplicity we define our own.
39+
*/
40+
41+
static void
42+
bzero2(void *buf, size_t len)
43+
{
44+
memset(buf, 0, len);
45+
}
46+
47+
static void (* volatile bzero_p)(void *, size_t) = bzero2;
48+
49+
void
50+
explicit_bzero(void *buf, size_t len)
51+
{
52+
bzero_p(buf, len);
53+
}
54+
55+
#endif

src/tools/msvc/Mkvcbuild.pm

+1-1
Original file line numberDiff line numberDiff line change
@@ -93,7 +93,7 @@ sub mkvcbuild
9393
$solution = CreateSolution($vsVersion, $config);
9494

9595
our @pgportfiles = qw(
96-
chklocale.c fls.c fseeko.c getrusage.c inet_aton.c random.c
96+
chklocale.c explicit_bzero.c fls.c fseeko.c getrusage.c inet_aton.c random.c
9797
srandom.c getaddrinfo.c gettimeofday.c inet_net_ntop.c kill.c open.c
9898
erand48.c snprintf.c strlcat.c strlcpy.c dirmod.c noblock.c path.c
9999
dirent.c dlopen.c getopt.c getopt_long.c

0 commit comments

Comments
 (0)