Bug 14806 - Erasure of intermediate values in sha_crypt() removed due to compiler optimization
Summary: Erasure of intermediate values in sha_crypt() removed due to compiler optimiz...
Status: NEW
Alias: None
Product: Busybox
Classification: Unclassified
Component: Other (show other bugs)
Version: 1.35.x
Hardware: All Linux
: P5 normal
Target Milestone: ---
Assignee: unassigned
URL:
Keywords:
Depends on:
Blocks:
 
Reported: 2022-05-18 04:58 UTC by yufeidu
Modified: 2022-05-18 04:58 UTC (History)
1 user (show)

See Also:
Host:
Target:
Build:

Attachments
.config file when building busybox (28.51 KB, application/octet-stream)
2022-05-18 04:58 UTC, yufeidu 		Details
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.
Description yufeidu 2022-05-18 04:58:49 UTC 
Created attachment 9306 [details]
.config file when building busybox

The SHA encrypt function sha_crypt() (located in pw_encrypt_sha.c) uses memset to erase the intermediate results in both the stack object L and heap objects key_data and salt_data before it returns. The comment above memset calls indicates that these erasures are necessary to prevent information leaks. However, when compiled with Clang 14 at O3 optimization, all 3 calls to memset are removed due to the Dead Store Elimination optimization. As a result, the intermediate results in L and part of the results in key_data may stay in memory outside their scopes. 

Here is a snippet of the disassembly at O3 (with the corresponding C code generated using "objdump -S"):
	memset(&L, 0, sizeof(L)); /* [alt]_ctx and XXX_result buffers */
	memset(key_data, 0, key_len); /* also p_bytes */
	memset(salt_data, 0, salt_len); /* also s_bytes */
	free(key_data);
  50d97e:	e8 d5 ad ef ff       	call   408758 <free@plt>
	free(salt_data);
  50d983:	4c 89 ef             	mov    %r13,%rdi
  50d986:	e8 cd ad ef ff       	call   408758 <free@plt>

At the assembly level, there is no function call to memset.