diff --git a/MANIFEST b/MANIFEST index 302182f33..fcd66bfac 100644 --- a/MANIFEST +++ b/MANIFEST @@ -138,6 +138,7 @@ lib/util/dup3.c lib/util/event.c lib/util/event_poll.c lib/util/event_select.c +lib/util/explicit_bzero.c lib/util/fatal.c lib/util/fchmodat.c lib/util/fnmatch.c @@ -163,7 +164,6 @@ lib/util/locking.c lib/util/logfac.c lib/util/logpri.c lib/util/memrchr.c -lib/util/memset_s.c lib/util/mkdir_parents.c lib/util/mksiglist.c lib/util/mksiglist.h diff --git a/config.h.in b/config.h.in index 1168b38db..c36333910 100644 --- a/config.h.in +++ b/config.h.in @@ -88,6 +88,9 @@ /* Define to 1 to enable BSM audit support. */ #undef HAVE_BSM_AUDIT +/* Define to 1 if you have the `bzero' function. */ +#undef HAVE_BZERO + /* Define to 1 if you have the `cfmakeraw' function. */ #undef HAVE_CFMAKERAW @@ -255,6 +258,12 @@ /* Define to 1 if you have the `execvpe' function. */ #undef HAVE_EXECVPE +/* Define to 1 if you have the `explicit_bzero' function. */ +#undef HAVE_EXPLICIT_BZERO + +/* Define to 1 if you have the `explicit_memset' function. */ +#undef HAVE_EXPLICIT_MEMSET + /* Define to 1 if you have the `faccessat' function. */ #undef HAVE_FACCESSAT @@ -535,6 +544,9 @@ /* Define to 1 if you have the `memrchr' function. */ #undef HAVE_MEMRCHR +/* Define to 1 if you have the `memset_explicit' function. */ +#undef HAVE_MEMSET_EXPLICIT + /* Define to 1 if you have the `memset_s' function. */ #undef HAVE_MEMSET_S @@ -1263,9 +1275,6 @@ /* Define to empty if `const' does not conform to ANSI C. */ #undef const -/* Define to `int' if does not define. */ -#undef errno_t - /* Define to `int' if doesn't define. */ #undef gid_t @@ -1284,9 +1293,6 @@ /* Define to an OS-specific initialization function or `os_init_common'. */ #undef os_init -/* Define to `size_t' if does not define. */ -#undef rsize_t - /* Define to `int' if does not define. */ #undef sig_atomic_t diff --git a/configure b/configure index 1d1c19cee..8e3af5fd0 100755 --- a/configure +++ b/configure 
@@ -18057,8 +18057,6 @@ fi fi -$as_echo "#define __STDC_WANT_LIB_EXT1__ 1" >>confdefs.h - ac_fn_c_check_type "$LINENO" "mode_t" "ac_cv_type_mode_t" "$ac_includes_default" if test "x$ac_cv_type_mode_t" = xyes; then : @@ -18318,28 +18316,6 @@ else fi -ac_fn_c_check_type "$LINENO" "rsize_t" "ac_cv_type_rsize_t" "$ac_includes_default" -if test "x$ac_cv_type_rsize_t" = xyes; then : - -else - -cat >>confdefs.h <<_ACEOF -#define rsize_t size_t -_ACEOF - -fi - -ac_fn_c_check_type "$LINENO" "errno_t" "ac_cv_type_errno_t" "$ac_includes_default" -if test "x$ac_cv_type_errno_t" = xyes; then : - -else - -cat >>confdefs.h <<_ACEOF -#define errno_t int -_ACEOF - -fi - { $as_echo "$as_me:${as_lineno-$LINENO}: checking max length of uid_t" >&5 $as_echo_n "checking max length of uid_t... " >&6; } @@ -20513,6 +20489,44 @@ fi done +fi +done + +for ac_func in explicit_bzero +do : + ac_fn_c_check_func "$LINENO" "explicit_bzero" "ac_cv_func_explicit_bzero" +if test "x$ac_cv_func_explicit_bzero" = xyes; then : + cat >>confdefs.h <<_ACEOF +#define HAVE_EXPLICIT_BZERO 1 +_ACEOF + +else + + case " $LIBOBJS " in + *" explicit_bzero.$ac_objext "* ) ;; + *) LIBOBJS="$LIBOBJS explicit_bzero.$ac_objext" + ;; +esac + + + for _sym in sudo_explicit_bzero; do + COMPAT_EXP="${COMPAT_EXP}${_sym} +" + done + + for ac_func in explicit_memset memset_explicit memset_s bzero +do : + as_ac_var=`$as_echo "ac_cv_func_$ac_func" | $as_tr_sh` +ac_fn_c_check_func "$LINENO" "$ac_func" "$as_ac_var" +if eval test \"x\$"$as_ac_var"\" = x"yes"; then : + cat >>confdefs.h <<_ACEOF +#define `$as_echo "HAVE_$ac_func" | $as_tr_cpp` 1 +_ACEOF + break +fi +done + + fi done 
@@ -20659,32 +20673,6 @@ esac done -fi -done - -for ac_func in memset_s -do : - ac_fn_c_check_func "$LINENO" "memset_s" "ac_cv_func_memset_s" -if test "x$ac_cv_func_memset_s" = xyes; then : - cat >>confdefs.h <<_ACEOF -#define HAVE_MEMSET_S 1 -_ACEOF - -else - - case " $LIBOBJS " in - *" memset_s.$ac_objext "* ) ;; - *) LIBOBJS="$LIBOBJS memset_s.$ac_objext" - ;; -esac - - - for _sym in sudo_memset_s; do - COMPAT_EXP="${COMPAT_EXP}${_sym} -" - done - - fi done diff --git a/configure.ac b/configure.ac index faaa51f6a..3b3d047f3 100644 --- a/configure.ac +++ b/configure.ac @@ -2504,9 +2504,7 @@ if test ${with_project-'no'} != "no"; then fi dnl dnl typedef checks -dnl We need to define __STDC_WANT_LIB_EXT1__ for errno_t and rsize_t dnl -AC_DEFINE([__STDC_WANT_LIB_EXT1__]) AC_TYPE_MODE_T AC_TYPE_UID_T AC_CHECK_TYPE([clockid_t], [], [AC_DEFINE(clockid_t, int)], [#include @@ -2527,8 +2525,6 @@ AC_CHECK_TYPE(uint64_t, unsigned long long) AC_CHECK_TYPE(socklen_t, [], [AC_DEFINE(socklen_t, unsigned int)], [ AC_INCLUDES_DEFAULT #include ]) -AC_CHECK_TYPE(rsize_t, size_t) -AC_CHECK_TYPE(errno_t, int) SUDO_UID_T_LEN SUDO_SOCK_SA_LEN SUDO_SOCK_SIN_LEN @@ -2810,6 +2806,11 @@ AC_CHECK_FUNCS([futimens], [], [ SUDO_APPEND_COMPAT_EXP(sudo_futimens) AC_CHECK_FUNCS([futimes futimesat futime], [break]) ]) +AC_CHECK_FUNCS([explicit_bzero], [], [ + AC_LIBOBJ(explicit_bzero) + SUDO_APPEND_COMPAT_EXP(sudo_explicit_bzero) + AC_CHECK_FUNCS([explicit_memset memset_explicit memset_s bzero], [break]) +]) SUDO_FUNC_FNMATCH([AC_DEFINE(HAVE_FNMATCH)], [ AC_LIBOBJ(fnmatch) SUDO_APPEND_COMPAT_EXP(sudo_fnmatch) @@ -2824,10 +2825,6 @@ AC_CHECK_FUNCS([memrchr], [], [ AC_LIBOBJ(memrchr) SUDO_APPEND_COMPAT_EXP(sudo_memrchr) ]) -AC_CHECK_FUNCS([memset_s], [], [ - AC_LIBOBJ(memset_s) - SUDO_APPEND_COMPAT_EXP(sudo_memset_s) -]) AC_CHECK_FUNCS(nanosleep, [], [ # On Solaris, nanosleep is in librt AC_CHECK_LIB(rt, nanosleep, [ 
diff --git a/doc/sudo_plugin.man.in b/doc/sudo_plugin.man.in index 0b69f4fb7..4ba139f49 100644 --- a/doc/sudo_plugin.man.in +++ b/doc/sudo_plugin.man.in @@ -4481,9 +4481,6 @@ the trailing NUL character). In practical terms, this is the longest password \fBsudo\fR will support. -It is also useful as a maximum value for the -\fBmemset_s\fR() -function when clearing passwords filled in by the conversation function. .PP The \fBprintf\fR()-style diff --git a/doc/sudo_plugin.mdoc.in b/doc/sudo_plugin.mdoc.in index f5442088d..c942db8a8 100644 --- a/doc/sudo_plugin.mdoc.in +++ b/doc/sudo_plugin.mdoc.in @@ -3960,9 +3960,6 @@ the trailing NUL character). In practical terms, this is the longest password .Nm sudo will support. -It is also useful as a maximum value for the -.Fn memset_s -function when clearing passwords filled in by the conversation function. .Pp The .Fn printf Ns -style diff --git a/include/sudo_compat.h b/include/sudo_compat.h index 879a0f3ff..03e256828 100644 --- a/include/sudo_compat.h +++ b/include/sudo_compat.h @@ -30,12 +30,6 @@ !defined(HAVE_VSYSLOG) || defined(PREFER_PORTABLE_SNPRINTF) # include #endif -#if !defined(HAVE_MEMSET_S) && !defined(rsize_t) -# include /* for rsize_t */ -# ifdef HAVE_STRING_H -# include /* for rsize_t on AIX */ -# endif /* HAVE_STRING_H */ -#endif /* HAVE_MEMSET_S && rsize_t */ /* * Macros and functions that may be missing on some operating systems. @@ -442,6 +436,11 @@ __dso_public void sudo_closefrom(int); # undef closefrom # define closefrom(_a) sudo_closefrom((_a)) #endif /* HAVE_CLOSEFROM */ +#ifndef HAVE_EXPLICIT_BZERO +__dso_public void sudo_explicit_bzero(void *s, size_t n); +# undef explicit_bzero +# define explicit_bzero(_a, _b) sudo_explicit_bzero((_a), (_b)) +#endif /* HAVE_EXPLICIT_BZERO */ #ifdef PREFER_PORTABLE_GETCWD __dso_public char *sudo_getcwd(char *, size_t size); # undef getcwd 
@@ -536,11 +535,6 @@ __dso_public void *sudo_memrchr(const void *s, int c, size_t n); # undef memrchr # define memrchr(_a, _b, _c) sudo_memrchr((_a), (_b), (_c)) #endif /* HAVE_MEMRCHR */ -#ifndef HAVE_MEMSET_S -__dso_public errno_t sudo_memset_s(void *v, rsize_t smax, int c, rsize_t n); -# undef memset_s -# define memset_s(_a, _b, _c, _d) sudo_memset_s((_a), (_b), (_c), (_d)) -#endif /* HAVE_MEMSET_S */ #if !defined(HAVE_MKDTEMP) || !defined(HAVE_MKSTEMPS) __dso_public char *sudo_mkdtemp(char *path); # undef mkdtemp diff --git a/include/sudo_plugin.h b/include/sudo_plugin.h index 439ef09e8..61f0f3dd9 100644 --- a/include/sudo_plugin.h +++ b/include/sudo_plugin.h @@ -57,9 +57,7 @@ struct sudo_conv_message { * conversing with the user. In practical terms, this is the longest * password sudo will support. This means that a buffer of size * SUDO_CONV_REPL_MAX+1 is guaranteed to be able to hold any reply - * from the conversation function. It is also useful as a max value - * for memset_s() when clearing passwords returned by the conversation - * function. + * from the conversation function. */ #define SUDO_CONV_REPL_MAX 1023 diff --git a/lib/util/Makefile.in b/lib/util/Makefile.in index f1e9a6223..342489f0f 100644 --- a/lib/util/Makefile.in +++ b/lib/util/Makefile.in 
@@ -559,6 +559,14 @@ event_select.i: $(srcdir)/event_select.c $(incdir)/compat/stdbool.h \ $(CC) -E -o $@ $(CPPFLAGS) $< event_select.plog: event_select.i rm -f $@; pvs-studio --cfg $(PVS_CFG) --sourcetree-root $(top_srcdir) --skip-cl-exe yes --source-file $(srcdir)/event_select.c --i-file $< --output-file $@ +explicit_bzero.lo: $(srcdir)/explicit_bzero.c $(incdir)/sudo_compat.h \ + $(top_builddir)/config.h + $(LIBTOOL) $(LTFLAGS) --mode=compile $(CC) -c -o $@ $(CPPFLAGS) $(CFLAGS) $(ASAN_CFLAGS) $(PIE_CFLAGS) $(SSP_CFLAGS) $(srcdir)/explicit_bzero.c +explicit_bzero.i: $(srcdir)/explicit_bzero.c $(incdir)/sudo_compat.h \ + $(top_builddir)/config.h + $(CC) -E -o $@ $(CPPFLAGS) $< +explicit_bzero.plog: explicit_bzero.i + rm -f $@; pvs-studio --cfg $(PVS_CFG) --sourcetree-root $(top_srcdir) --skip-cl-exe yes --source-file $(srcdir)/explicit_bzero.c --i-file $< --output-file $@ fatal.lo: $(srcdir)/fatal.c $(incdir)/compat/getaddrinfo.h \ $(incdir)/compat/stdbool.h $(incdir)/sudo_compat.h \ $(incdir)/sudo_fatal.h $(incdir)/sudo_gettext.h \ 
@@ -847,14 +855,6 @@ memrchr.i: $(srcdir)/memrchr.c $(incdir)/sudo_compat.h $(top_builddir)/config.h $(CC) -E -o $@ $(CPPFLAGS) $< memrchr.plog: memrchr.i rm -f $@; pvs-studio --cfg $(PVS_CFG) --sourcetree-root $(top_srcdir) --skip-cl-exe yes --source-file $(srcdir)/memrchr.c --i-file $< --output-file $@ -memset_s.lo: $(srcdir)/memset_s.c $(incdir)/sudo_compat.h \ - $(top_builddir)/config.h - $(LIBTOOL) $(LTFLAGS) --mode=compile $(CC) -c -o $@ $(CPPFLAGS) $(CFLAGS) $(ASAN_CFLAGS) $(PIE_CFLAGS) $(SSP_CFLAGS) $(srcdir)/memset_s.c -memset_s.i: $(srcdir)/memset_s.c $(incdir)/sudo_compat.h \ - $(top_builddir)/config.h - $(CC) -E -o $@ $(CPPFLAGS) $< -memset_s.plog: memset_s.i - rm -f $@; pvs-studio --cfg $(PVS_CFG) --sourcetree-root $(top_srcdir) --skip-cl-exe yes --source-file $(srcdir)/memset_s.c --i-file $< --output-file $@ mkdir_parents.lo: $(srcdir)/mkdir_parents.c $(incdir)/compat/stdbool.h \ $(incdir)/sudo_compat.h $(incdir)/sudo_debug.h \ $(incdir)/sudo_fatal.h $(incdir)/sudo_gettext.h \ diff --git a/lib/util/arc4random.c b/lib/util/arc4random.c index 4e5994951..77e3ec205 100644 --- a/lib/util/arc4random.c +++ b/lib/util/arc4random.c @@ -103,7 +103,7 @@ _rs_stir(void) _rs_init(rnd, sizeof(rnd)); } else _rs_rekey(rnd, sizeof(rnd)); - memset_s(rnd, sizeof(rnd), 0, sizeof(rnd)); /* discard source seed */ + explicit_bzero(rnd, sizeof(rnd)); /* discard source seed */ /* invalidate rs_buf */ rs_have = 0; diff --git a/lib/util/explicit_bzero.c b/lib/util/explicit_bzero.c new file mode 100644 index 000000000..a7defbd0f --- /dev/null +++ b/lib/util/explicit_bzero.c 
@@ -0,0 +1,77 @@
+/*
+ * SPDX-License-Identifier: ISC
+ *
+ * Copyright (c) 2020 Todd C. Miller
+ *
+ * Permission to use, copy, modify, and distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
+ * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
+ * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
+ * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
+ * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
+ * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
+ * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
+ */
+
+/*
+ * This is an open source non-commercial project. Dear PVS-Studio, please check it.
+ * PVS-Studio Static Code Analyzer for C, C++ and C#: http://www.viva64.com
+ */
+
+#include 
+
+#define __STDC_WANT_LIB_EXT1__ 1 /* for memset_s() */
+
+#include 
+#ifdef HAVE_STRINGS_H
+# include 
+#endif /* HAVE_STRINGS_H */
+
+#include "sudo_compat.h"
+
+#ifndef HAVE_EXPLICIT_BZERO
+
+# if defined(HAVE_EXPLICIT_MEMSET)
+void
+sudo_explicit_bzero(void *s, size_t n)
+{
+ explicit_memset(s, 0, n);
+}
+# elif defined(HAVE_MEMSET_EXPLICIT)
+void
+sudo_explicit_bzero(void *s, size_t n)
+{
+ memset_explicit(s, 0, n);
+}
+# elif defined(HAVE_MEMSET_S)
+void
+sudo_explicit_bzero(void *s, size_t n)
+{
+ (void)memset_s(s, n, 0, n);
+}
+# elif defined(HAVE_BZERO)
+/* Jumping through a volatile function pointer should not be optimized away. */
+void (* volatile sudo_explicit_bzero_impl)(void *, size_t) =
+ (void (*)(void *, size_t))bzero;
+
+void
+sudo_explicit_bzero(void *s, size_t n)
+{
+ sudo_explicit_bzero_impl(s, n);
+}
+# else
+void
+sudo_explicit_bzero(void *v, size_t n)
+{
+ volatile unsigned char *s = v;
+
+ /* Updating through a volatile pointer should not be optimized away. */
+ while (n--)
+ *s++ = '\0';
+}
+# endif /* HAVE_BZERO */
+
+#endif /* HAVE_EXPLICIT_BZERO */
diff --git a/lib/util/getentropy.c b/lib/util/getentropy.c
index 73d7b634a..694eb52b5 100644
--- a/lib/util/getentropy.c
+++ b/lib/util/getentropy.c
@@ -614,7 +614,7 @@ getentropy_fallback(void *buf, size_t len)
 done:
 sudo_digest_free(ctx);
 if (results != NULL) {
- memset_s(results, sizeof(results), 0, sizeof(results));
+ explicit_bzero(results, sizeof(results));
 free(results);
 }
 return (ret);
diff --git a/lib/util/memset_s.c b/lib/util/memset_s.c
deleted file mode 100644
index f6a04fa69..000000000
--- a/lib/util/memset_s.c
+++ /dev/null
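Review bot: In the HAVE_BZERO branch of lib/util/explicit_bzero.c, `sudo_explicit_bzero_impl` is declared at file scope without `static`, so it has external linkage and becomes a symbol visible to every object linked with lib/util even though only the function directly below it uses it; `static void (* volatile sudo_explicit_bzero_impl)(void *, size_t) = (void (*)(void *, size_t))bzero;` keeps the volatile indirection, and hence the optimization-barrier intent, unchanged while limiting the name to this file. Separately, the HAVE_MEMSET_S branch discards the return of memset_s() with `(void)`; under C11 Annex K a runtime-constraint violation (a NULL s, or n above RSIZE_MAX) returns non-zero and leaves the buffer untouched, so the wrapper would silently not scrub in that case. That case is unlikely for the password and digest buffers this is used on, but a one-line comment such as `/* memset_s() only fails on a runtime-constraint violation (NULL or n > RSIZE_MAX); nothing to do here. */` would record that the ignored result is deliberate.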
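Review bot: `explicit_bzero(results, sizeof(results));` in lib/util/getentropy.c scrubs only sizeof(results) bytes, and since `results` is handed to free() on the following line it is a pointer, so this clears the pointer's width rather than the heap buffer it points to. The removed memset_s() line had the same argument, so the mechanical conversion carries an existing bug forward instead of fixing it. The length to pass is the size used when `results` was allocated, which is not visible in this hunk: `explicit_bzero(results, <allocated length of results>);`. getentropy_fallback begins before this hunk.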
@@ -1,78 +0,0 @@ -/* - * SPDX-License-Identifier: ISC - * - * Copyright (c) 2013-2014 Todd C. Miller - * - * Permission to use, copy, modify, and distribute this software for any - * purpose with or without fee is hereby granted, provided that the above - * copyright notice and this permission notice appear in all copies. - * - * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES - * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF - * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR - * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES - * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN - * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF - * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. - */ - -/* - * This is an open source non-commercial project. Dear PVS-Studio, please check it. - * PVS-Studio Static Code Analyzer for C, C++ and C#: http://www.viva64.com - */ - -#include - -#include -#include -#include -#if defined(HAVE_STDINT_H) -# include -#elif defined(HAVE_INTTYPES_H) -# include -#endif - -#include "sudo_compat.h" - -#ifndef RSIZE_MAX -# if defined(SIZE_MAX) -# define RSIZE_MAX (SIZE_MAX >> 1) -# elif defined(__LP64__) -# define RSIZE_MAX 0x7fffffffffffffffUL -# else -# define RSIZE_MAX 0x7fffffffU -# endif -#endif - -/* - * Simple implementation of C11 memset_s() function. - * We use a volatile pointer when updating the byte string. - * Most compilers will avoid optimizing away access to a - * volatile pointer, even if the pointer appears to be unused - * after the call. - * - * Note that C11 does not specify the return value on error, only - * that it be non-zero. We use EINVAL for all errors. - */ -errno_t -sudo_memset_s(void *v, rsize_t smax, int c, rsize_t n) -{ - errno_t ret = 0; - volatile unsigned char *s = v; - - /* Fatal runtime-constraint violations. 
*/ - if (s == NULL || smax > RSIZE_MAX) { - ret = errno = EINVAL; - goto done; - } - /* Non-fatal runtime-constraint violation, n must not exceed smax. */ - if (n > smax) { - n = smax; - ret = errno = EINVAL; - } - /* Updating through a volatile pointer should not be optimized away. */ - while (n--) - *s++ = (unsigned char)c; -done: - return ret; -} diff --git a/lib/util/sha2.c b/lib/util/sha2.c index b8b51e6ca..b7a28cca8 100644 --- a/lib/util/sha2.c +++ b/lib/util/sha2.c @@ -237,8 +237,8 @@ SHA256Transform(uint32_t state[8], const uint8_t data[SHA256_BLOCK_LENGTH]) state[6] += g(0); state[7] += h(0); /* Cleanup */ - memset_s(T, sizeof(T), 0, sizeof(T)); - memset_s(W, sizeof(W), 0, sizeof(W)); + explicit_bzero(T, sizeof(T)); + explicit_bzero(W, sizeof(W)); } #undef S0 @@ -454,8 +454,8 @@ SHA512Transform(uint64_t state[8], const uint8_t data[SHA512_BLOCK_LENGTH]) state[6] += g(0); state[7] += h(0); /* Cleanup. */ - memset_s(T, sizeof(T), 0, sizeof(T)); - memset_s(W, sizeof(W), 0, sizeof(W)); + explicit_bzero(T, sizeof(T)); + explicit_bzero(W, sizeof(W)); } void diff --git a/plugins/sudoers/auth/aix_auth.c b/plugins/sudoers/auth/aix_auth.c index f9e353940..598350363 100644 --- a/plugins/sudoers/auth/aix_auth.c +++ b/plugins/sudoers/auth/aix_auth.c @@ -243,7 +243,7 @@ sudo_aix_verify(struct passwd *pw, char *prompt, sudo_auth *auth, struct sudo_co free(message); message = NULL; result = authenticate(pw->pw_name, pass, &reenter, &message); - memset_s(pass, SUDO_CONV_REPL_MAX, 0, strlen(pass)); + explicit_bzero(pass, strlen(pass)); free(pass); prompt = message; } while (reenter); diff --git a/plugins/sudoers/auth/bsdauth.c b/plugins/sudoers/auth/bsdauth.c index f90e94e38..3ed6c458a 100644 --- a/plugins/sudoers/auth/bsdauth.c +++ b/plugins/sudoers/auth/bsdauth.c 
@@ -151,7 +151,7 @@ bsdauth_verify(struct passwd *pw, char *prompt, sudo_auth *auth, struct sudo_con if (pass) { authok = auth_userresponse(as, pass, 1); - memset_s(pass, SUDO_CONV_REPL_MAX, 0, strlen(pass)); + explicit_bzero(pass, strlen(pass)); free(pass); } diff --git a/plugins/sudoers/auth/fwtk.c b/plugins/sudoers/auth/fwtk.c index c315a352e..4c99a84a6 100644 --- a/plugins/sudoers/auth/fwtk.c +++ b/plugins/sudoers/auth/fwtk.c @@ -133,8 +133,8 @@ restart: sudo_warnx("%s", resp); error = AUTH_FAILURE; done: - memset_s(buf, sizeof(buf), 0, sizeof(buf)); - memset_s(pass, SUDO_PASS_MAX, 0, strlen(pass)); + explicit_bzero(buf, sizeof(buf)); + explicit_bzero(pass, strlen(pass)); free(pass); debug_return_int(error); } diff --git a/plugins/sudoers/auth/pam.c b/plugins/sudoers/auth/pam.c index 6b4e24970..a725f1f62 100644 --- a/plugins/sudoers/auth/pam.c +++ b/plugins/sudoers/auth/pam.c @@ -702,7 +702,7 @@ converse(int num_msg, PAM_CONST struct pam_message **msg, sudo_debug_printf(SUDO_DEBUG_ERROR|SUDO_DEBUG_LINENO, "password longer than %d", PAM_MAX_RESP_SIZE); ret = PAM_CONV_ERR; - memset_s(pass, SUDO_CONV_REPL_MAX, 0, strlen(pass)); + explicit_bzero(pass, strlen(pass)); goto done; } reply[n].resp = pass; /* auth_getpass() malloc's a copy */ @@ -732,7 +732,7 @@ done: struct pam_response *pr = &reply[n]; if (pr->resp != NULL) { - memset_s(pr->resp, SUDO_CONV_REPL_MAX, 0, strlen(pr->resp)); + explicit_bzero(pr->resp, strlen(pr->resp)); free(pr->resp); pr->resp = NULL; } diff --git a/plugins/sudoers/auth/passwd.c b/plugins/sudoers/auth/passwd.c index d83716011..305354196 100644 --- a/plugins/sudoers/auth/passwd.c +++ b/plugins/sudoers/auth/passwd.c 
@@ -101,7 +101,7 @@ sudo_passwd_cleanup(struct passwd *pw, sudo_auth *auth, bool force) debug_decl(sudo_passwd_cleanup, SUDOERS_DEBUG_AUTH); if (pw_epasswd != NULL) { - memset_s(pw_epasswd, SUDO_CONV_REPL_MAX, 0, strlen(pw_epasswd)); + explicit_bzero(pw_epasswd, strlen(pw_epasswd)); free(pw_epasswd); } debug_return_int(AUTH_SUCCESS); diff --git a/plugins/sudoers/auth/secureware.c b/plugins/sudoers/auth/secureware.c index 1b7c98745..dd02f515e 100644 --- a/plugins/sudoers/auth/secureware.c +++ b/plugins/sudoers/auth/secureware.c @@ -102,7 +102,7 @@ sudo_secureware_cleanup(struct passwd *pw, sudo_auth *auth, bool force) debug_decl(sudo_secureware_cleanup, SUDOERS_DEBUG_AUTH); if (pw_epasswd != NULL) { - memset_s(pw_epasswd, SUDO_CONV_REPL_MAX, 0, strlen(pw_epasswd)); + explicit_bzero(pw_epasswd, strlen(pw_epasswd)); free(pw_epasswd); } debug_return_int(AUTH_SUCCESS); diff --git a/plugins/sudoers/auth/securid5.c b/plugins/sudoers/auth/securid5.c index 93c712e69..e8eebdf2e 100644 --- a/plugins/sudoers/auth/securid5.c +++ b/plugins/sudoers/auth/securid5.c @@ -177,7 +177,7 @@ sudo_securid_verify(struct passwd *pw, char *pass, sudo_auth *auth, struct sudo_ ACE challenges for the next token displayed (entered without the PIN) */ if (pass != NULL) { - memset_s(pass, SUDO_PASS_MAX, 0, strlen(pass)); + explicit_bzero(pass, strlen(pass)); free(pass); } pass = auth_getpass("\ @@ -218,7 +218,7 @@ then enter the new token code.\n", \ SD_Close(*sd); if (pass != NULL) { - memset_s(pass, SUDO_PASS_MAX, 0, strlen(pass)); + explicit_bzero(pass, strlen(pass)); free(pass); } diff --git a/plugins/sudoers/auth/sia.c b/plugins/sudoers/auth/sia.c index 5c7791f41..414a64b46 100644 --- a/plugins/sudoers/auth/sia.c +++ b/plugins/sudoers/auth/sia.c 
@@ -90,7 +90,7 @@ sudo_sia_verify(struct passwd *pw, char *prompt, sudo_auth *auth, /* Check password and zero out plaintext copy. */ rc = sia_ses_authent(NULL, pass, siah); - memset_s(pass, SUDO_CONV_REPL_MAX, 0, strlen(pass)); + explicit_bzero(pass, strlen(pass)); free(pass); if (rc == SIASUCCESS) diff --git a/plugins/sudoers/auth/sudo_auth.c b/plugins/sudoers/auth/sudo_auth.c index 1bdacdb7c..5570c78b3 100644 --- a/plugins/sudoers/auth/sudo_auth.c +++ b/plugins/sudoers/auth/sudo_auth.c @@ -326,7 +326,7 @@ verify_user(struct passwd *pw, char *prompt, int validated, break; } if (pass != NULL) { - memset_s(pass, SUDO_CONV_REPL_MAX, 0, strlen(pass)); + explicit_bzero(pass, strlen(pass)); free(pass); } diff --git a/scripts/mkdep.pl b/scripts/mkdep.pl index 28e7ff05c..b42de26ee 100755 --- a/scripts/mkdep.pl +++ b/scripts/mkdep.pl 
@@ -116,7 +116,7 @@ sub mkdep { # XXX - fill in AUTH_OBJS from contents of the auth dir instead $makefile =~ s:\@AUTH_OBJS\@:afs.lo aix_auth.lo bsdauth.lo dce.lo fwtk.lo getspwuid.lo kerb5.lo pam.lo passwd.lo rfc1938.lo secureware.lo securid5.lo sia.lo:; $makefile =~ s:\@DIGEST\@:digest.lo digest_openssl.lo digest_gcrypt.lo:; - $makefile =~ s:\@LTLIBOBJS\@:arc4random.lo arc4random_uniform.lo closefrom.lo dup3.lo fchmodat.lo fstatat.lo fnmatch.lo getaddrinfo.lo getcwd.lo getentropy.lo getgrouplist.lo getdelim.lo getopt_long.lo getusershell.lo glob.lo inet_ntop_lo inet_pton.lo isblank.lo memrchr.lo memset_s.lo mksiglist.lo mksigname.lo mktemp.lo nanosleep.lo openat.lo pipe2.lo pw_dup.lo reallocarray.lo sha2.lo sig2str.lo siglist.lo signame.lo snprintf.lo str2sig.lo strlcat.lo strlcpy.lo strndup.lo strnlen.lo strsignal.lo unlinkat.lo utimens.lo vsyslog.lo:; + $makefile =~ s:\@LTLIBOBJS\@:arc4random.lo arc4random_uniform.lo closefrom.lo dup3.lo explicit_bzero.lo fchmodat.lo fstatat.lo fnmatch.lo getaddrinfo.lo getcwd.lo getentropy.lo getgrouplist.lo getdelim.lo getopt_long.lo getusershell.lo glob.lo inet_ntop_lo inet_pton.lo isblank.lo memrchr.lo mksiglist.lo mksigname.lo mktemp.lo nanosleep.lo openat.lo pipe2.lo pw_dup.lo reallocarray.lo sha2.lo sig2str.lo siglist.lo signame.lo snprintf.lo str2sig.lo strlcat.lo strlcpy.lo strndup.lo strnlen.lo strsignal.lo unlinkat.lo utimens.lo vsyslog.lo:; # Parse OBJS lines my %objs; diff --git a/src/conversation.c b/src/conversation.c index 55c2319c6..7a9f01ff2 100644 --- a/src/conversation.c +++ b/src/conversation.c @@ -80,7 +80,7 @@ sudo_conversation(int num_msgs, const struct sudo_conv_message msgs[], sudo_fatalx_nodebug(U_("%s: %s"), "sudo_conversation", U_("unable to allocate memory")); } - memset_s(pass, SUDO_CONV_REPL_MAX, 0, strlen(pass)); + explicit_bzero(pass, strlen(pass)); break; case SUDO_CONV_ERROR_MSG: fp = stderr; 
@@ -135,7 +135,7 @@ err:
 struct sudo_conv_reply *repl = &replies[n];
 if (repl->reply == NULL)
 continue;
- memset_s(repl->reply, SUDO_CONV_REPL_MAX, 0, strlen(repl->reply));
+ explicit_bzero(repl->reply, strlen(repl->reply));
 free(repl->reply);
 repl->reply = NULL;
 } while (n--);