ryantimwilson / rpms / systemd

Forked from rpms/systemd 2 months ago
Clone
b9a53a
From c6c8e0d097d6ba12471c6112c3fd339ea40329d5 Mon Sep 17 00:00:00 2001
76b84c
From: Thadeu Lima de Souza Cascardo <cascardo@canonical.com>
76b84c
Date: Mon, 13 May 2019 16:58:01 -0300
76b84c
Subject: [PATCH] ask-password: prevent buffer overrow when reading from
76b84c
 keyring
76b84c
76b84c
When we read from keyring, a temporary buffer is allocated in order to
76b84c
determine the size needed for the entire data. However, when zeroing that area,
76b84c
we use the data size returned by the read instead of the lesser size allocate
76b84c
for the buffer.
76b84c
76b84c
That will cause memory corruption that causes systemd-cryptsetup to crash
76b84c
either when a single large password is used or when multiple passwords have
76b84c
already been pushed to the keyring.
76b84c
76b84c
Signed-off-by: Thadeu Lima de Souza Cascardo <cascardo@canonical.com>
76b84c
(cherry picked from commit 59c55e73eaee345e1ee67c23eace8895ed499693)
76b84c
b9a53a
Resolves: #1752050
76b84c
---
76b84c
 src/shared/ask-password-api.c | 2 +-
76b84c
 1 file changed, 1 insertion(+), 1 deletion(-)
76b84c
76b84c
diff --git a/src/shared/ask-password-api.c b/src/shared/ask-password-api.c
76b84c
index 682dc754fc..764ebd08e1 100644
76b84c
--- a/src/shared/ask-password-api.c
76b84c
+++ b/src/shared/ask-password-api.c
76b84c
@@ -79,7 +79,7 @@ static int retrieve_key(key_serial_t serial, char ***ret) {
76b84c
                 if (n < m)
76b84c
                         break;
76b84c
 
76b84c
-                explicit_bzero(p, n);
76b84c
+                explicit_bzero(p, m);
76b84c
                 free(p);
76b84c
                 m *= 2;
76b84c
         }