| Summary: | Erasure of intermediate values in sha_crypt() removed due to compiler optimization | ||
|---|---|---|---|
| Product: | Busybox | Reporter: | yufeidu |
| Component: | Other | Assignee: | unassigned |
| Status: | NEW --- | ||
| Severity: | normal | CC: | busybox-cvs |
| Priority: | P5 | ||
| Version: | 1.35.x | ||
| Target Milestone: | --- | ||
| Hardware: | All | ||
| OS: | Linux | ||
| Host: | Target: | ||
| Build: | |||
| Attachments: | .config file when building busybox | ||
Created attachment 9306 [details] .config file when building busybox The SHA encrypt function sha_crypt() (located in pw_encrypt_sha.c) uses memset to erase the intermediate results in both the stack object L and heap objects key_data and salt_data before it returns. The comment above memset calls indicates that these erasures are necessary to prevent information leaks. However, when compiled with Clang 14 at O3 optimization, all 3 calls to memset are removed due to the Dead Store Elimination optimization. As a result, the intermediate results in L and part of the results in key_data may stay in memory outside their scopes. Here is a snippet of the disassembly at O3 (with the corresponding C code generated using "objdump -S"): memset(&L, 0, sizeof(L)); /* [alt]_ctx and XXX_result buffers */ memset(key_data, 0, key_len); /* also p_bytes */ memset(salt_data, 0, salt_len); /* also s_bytes */ free(key_data); 50d97e: e8 d5 ad ef ff call 408758 <free@plt> free(salt_data); 50d983: 4c 89 ef mov %r13,%rdi 50d986: e8 cd ad ef ff call 408758 <free@plt> At the assembly level, there is no function call to memset.