Hi! I hope this is the right place to post this -- I got no reaction from my previous post. If it's the wrong place, maybe someone could point me to the right place.

Today, I found a buffer overflow in wipeSpecial(), which has a parameter 'turn'. 'turn' is used to index an array [27] and 3 is subtracted from it before that:

    unsigned char write_modes[27][3] = { ...
    memcpy(buffer, write_modes[turn - 3], 3);

So for the code to not cause a buffer overflow, 'turn' should be in 3..29. But it is later invoked in a loop like this:

    else if(i >= 5 && i < 33) wipeSpecial(buffer, bufLen, i);

('i' runs from 0..38.) So 'turn' is indeed 5..32 instead of 3..29. So for i=30,31,32, there is a buffer overflow. It is always hit when data is overwritten on disk.

Moreover, it is unfortunate that patterns 0 and 1 are never written.

A proposed patch would be as follows:

Index: luks/keymanage.c =================================================================== --- luks/keymanage.c (revision 46) +++ luks/keymanage.c (working copy) @@ -371,9 +371,9 @@ {"\x92\x49\x24"}, {"\x49\x24\x92"}, {"\x24\x92\x49"}, {"\x6d\xb6\xdb"}, {"\xb6\xdb\x6d"}, {"\xdb\x6d\xb6"} }; for(i = 0; i < buffer_size / 3; ++i) { - memcpy(buffer, write_modes[turn - 3], 3); + memcpy(buffer, write_modes[turn], 3); buffer += 3; } }
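Review bot: changing `memcpy(buffer, write_modes[turn - 3], 3);` to `memcpy(buffer, write_modes[turn], 3);` silently moves wipeSpecial()'s valid range from 'turn' in 3..29 to 0..26 without adding any check inside the function, so the fix depends entirely on every caller being updated in step with the second hunk; a caller still passing 27..29 would overflow exactly as before. Suggest rejecting out-of-range values at the top of the function, e.g. `if (turn >= sizeof(write_modes) / sizeof(write_modes[0])) return;` (or an assert), and documenting the expected range in a comment above the function, so the table size and the index can no longer drift apart.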
@@ -397,8 +397,8 @@ for(i = 0; i < 39; ++i) { if (i >= 0 && i < 5) getRandom(buffer, bufLen); - else if(i >= 5 && i < 33) wipeSpecial(buffer, bufLen, i); - else if(i >= 33 && i < 38) getRandom(buffer, bufLen); + else if(i >= 5 && i < 32) wipeSpecial(buffer, bufLen, i - 5); + else if(i >= 32 && i < 38) getRandom(buffer, bufLen); else if(i >= 38 && i < 39) memset(buffer, 0xFF, bufLen); if(write_lseek_blockwise(devfd, buffer, bufLen, from * SECTOR_SIZE) < 0) {

Bye,
Henrik

---------------------------------------------------------------------
dm-crypt mailing list - http://www.saout.de/misc/dm-crypt/
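Review bot: the new boundary `i < 32` / `i >= 32` hard-codes 5 + 27 as a bare literal, so the link between the loop and the 27-entry write_modes table stays implicit and the same off-by-one can be reintroduced by a later edit to either side; suggest a named constant for the table size and deriving the window from it (e.g. `i < 5 + N_WRITE_MODES`). Two behaviour changes should also be spelled out in the commit message: the schedule moves from 5 random / 28 special / 5 random / 1 x 0xFF passes to 5 random / 27 special / 6 random / 1 x 0xFF, so every pattern (including 0 and 1) is now written exactly once and the total stays at 39. The `i >= 0` and `i >= 38 && i < 39` tests are redundant given the loop bounds, but that predates this patch.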
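As an added example (not Henrik's patch and not cryptsetup's code), here is a C pass scheduler for the 39-pass wipe discussed above that derives the special-pattern window from the size of the pattern table and checks the row before the memcpy, so the loop bounds and the table can no longer disagree. It generalises the patch's arithmetic to any table size: the table below is a constructed six-row stand-in for the 27-row one in keymanage.c, and rand() stands in for getRandom().

```c
#include <stddef.h>
#include <stdlib.h>
#include <string.h>
#define TOTAL_PASSES 39
#define LEAD_RANDOM 5   /* passes 0..4 are random, as in keymanage.c */

/* Constructed pattern table: only the six rows visible in the patch. The real
 * table has 27 rows; every bound below is derived from the table size. */
static const unsigned char write_modes[][3] = {
    {0x92, 0x49, 0x24}, {0x49, 0x24, 0x92}, {0x24, 0x92, 0x49},
    {0x6d, 0xb6, 0xdb}, {0xb6, 0xdb, 0x6d}, {0xdb, 0x6d, 0xb6},
};
#define N_PATTERNS (sizeof(write_modes) / sizeof(write_modes[0]))

enum pass_kind { PASS_RANDOM, PASS_PATTERN, PASS_ONES, PASS_INVALID };

/* Hypothetical helper: map pass number i to what gets written. For
 * PASS_PATTERN, *pattern receives the table row (0..N_PATTERNS-1). */
enum pass_kind pass_kind_for(int i, size_t *pattern)
{
    if (i < 0 || i >= TOTAL_PASSES)
        return PASS_INVALID;
    if (i < LEAD_RANDOM)
        return PASS_RANDOM;
    if ((size_t)(i - LEAD_RANDOM) < N_PATTERNS) {
        *pattern = (size_t)(i - LEAD_RANDOM);   /* the patch's "i - 5" */
        return PASS_PATTERN;
    }
    if (i < TOTAL_PASSES - 1)
        return PASS_RANDOM;   /* random passes fill the gap before the last pass */
    return PASS_ONES;         /* pass 38 writes 0xFF */
}

/* Hypothetical per-pass body: fill buf for pass i; 0 on success, -1 for an
 * invalid pass. The row is checked against the table size before memcpy. */
int fill_pass(int i, unsigned char *buf, size_t len)
{
    size_t row = 0, off;
    switch (pass_kind_for(i, &row)) {
    case PASS_RANDOM:   /* rand() stands in for getRandom() in this example */
        for (off = 0; off < len; off++) buf[off] = (unsigned char)rand();
        return 0;
    case PASS_PATTERN:
        if (row >= N_PATTERNS) return -1;          /* unreachable, kept as a guard */
        for (off = 0; off + 3 <= len; off += 3)     /* 3-byte stride like wipeSpecial() */
            memcpy(buf + off, write_modes[row], 3);
        return 0;
    case PASS_ONES: memset(buf, 0xFF, len); return 0;
    default: return -1;
    }
}
```

With the 27-row table the pattern window becomes passes 5..31 and the random gap 32..37, which is exactly the schedule in the second hunk.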