Package: libgcrypt20
Version: 1.7.6-2+deb9u1
Severity: normal
Tags: patch

The function `mpi_set_secure' is used by `gcry_mpi_set_flag' to convert an integer so as to use `secure' (i.e., locked, non-swappable) memory. It's broken.
The code in 1.7.8 (sid) is the same, so that's broken too. The code allocates enough secure memory for the active limbs, copies them from the existing buffer, and stores a pointer to the new buffer -- all without reducing the separate count of the number of allocated limbs. In particular, when the securified integer is freed, `_gcry_mpi_free' calls `_gcry_mpi_free_limb_space' to release the limb buffer, giving it the allocated size, and the latter attempts to zeroize the storage, leading to a heap corruption. The patch fixes the problem. I've not thought deeply about the performance effects: maybe it'd be better to allocate the same total limb buffer rather than just the active size, but this patch is simple and obviously right. diff --git a/mpi/mpiutil.c b/mpi/mpiutil.c index 6dee0b9..2a32d26 100644 --- a/mpi/mpiutil.c +++ b/mpi/mpiutil.c @@ -260,6 +260,7 @@ mpi_set_secure( gcry_mpi_t a ) MPN_COPY( bp, ap, a->nlimbs ); a->d = bp; _gcry_mpi_free_limb_space (ap, a->alloced); + a->alloced = a->nlimbs; } -- System Information: Debian Release: 9.0 APT prefers stable APT policy: (990, 'stable') Architecture: i386 (i686) Foreign Architectures: amd64 Kernel: Linux 4.9.0-3-amd64 (SMP w/4 CPU cores) Locale: LANG=en_GB.utf8, LC_CTYPE=en_GB.utf8 (charmap=UTF-8), LANGUAGE=en_GB.utf8 (charmap=UTF-8) Shell: /bin/sh linked to /bin/dash Init: sysvinit (via /sbin/init) Versions of packages libgcrypt20 depends on: ii libc6 2.24-11+deb9u1 ii libgpg-error0 1.26-2 libgcrypt20 recommends no packages. Versions of packages libgcrypt20 suggests: pn rng-tools <none> -- no debconf information
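
Review bot: the added `a->alloced = a->nlimbs;` is correct only because it comes after `_gcry_mpi_free_limb_space (ap, a->alloced);`, which still needs the old count to wipe and release the old buffer `ap`. A one-line comment at that spot stating the ordering dependency would keep a later reordering from handing the reduced count to the release of `ap`. The assignment also records that the integer has no spare limbs left after the conversion, so the next operation that grows it will have to reallocate; if that cost matters, the alternative the report mentions (size the new buffer from `a->alloced` and leave the count alone) avoids it. A regression test that sets the secure flag on an integer whose allocated count exceeds its active count and then releases it would cover this path.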
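
A simplified model of the count mismatch described in the report, added here as an example; it is not libgcrypt code. The struct, `model_set_secure`, `model_free` and the demo-only `real` field are hypothetical, plain `calloc` stands in for secure memory, and the wipe is clamped so the program reports the overrun instead of performing it.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
typedef unsigned long limb_t;

/* Simplified stand-in for an MPI (hypothetical, not libgcrypt's struct). */
struct mpi {
    int alloced;  /* limbs the library believes are behind d */
    int nlimbs;   /* limbs in use */
    int real;     /* demo-only ground truth: limbs actually behind d */
    limb_t *d;
};

static limb_t *xlimbs(int n)
{
    limb_t *p = calloc(n ? n : 1, sizeof *p);
    if (!p) abort();
    return p;
}

/* Move the active limbs to a buffer sized for nlimbs only. With fix == 0
   the old alloced count is kept, which is the defect the report describes. */
static void model_set_secure(struct mpi *a, int fix)
{
    limb_t *bp = xlimbs(a->nlimbs);
    memcpy(bp, a->d, a->nlimbs * sizeof *bp);
    free(a->d);
    a->d = bp;
    a->real = a->nlimbs;
    if (fix) a->alloced = a->nlimbs;
}

/* Free-time wipe driven by alloced. Returns how many bytes it would write
   past the real buffer; the actual memset is clamped so the demo is safe. */
static size_t model_free(struct mpi *a)
{
    size_t want = a->alloced * sizeof *a->d, have = a->real * sizeof *a->d;
    size_t over = want > have ? want - have : 0;
    memset(a->d, 0, want - over);
    free(a->d);
    return over;
}

static size_t demo(int fix)
{
    struct mpi a = { 8, 3, 8, xlimbs(8) };  /* constructed: 8 allocated, 3 used */
    model_set_secure(&a, fix);
    return model_free(&a);
}
int main(void) { printf("unfixed: %zu, fixed: %zu\n", demo(0), demo(1)); return 0; }
```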