Seems you have found a classical time of check - time of use
inconsistency. And, yes, I believe the place to post it is
here.
Arno
On Tue, Feb 26, 2008 at 09:32:18PM +0100, Henrik Theiling wrote:
> Hi!
>
> I hope this is the right place to post this -- I got no reaction from
> my previous post. If it's the wrong place, maybe someone could point
> me to the right place.
>
> Today, I found a buffer overflow in wipeSpecial(), which has a
> parameter 'turn'. 'turn' is used to index an array [27] and 3 is
> subtracted from it before that:
>
> unsigned char write_modes[27][3] = {
> ...
> memcpy(buffer, write_modes[turn - 3], 3);
>
> So for the code to not cause a buffer overflow, 'turn' should be
> in 3..29.
>
> But it is later invoked in a loop like this:
>
> else if(i >= 5 && i < 33) wipeSpecial(buffer, bufLen, i);
>
> ('i' runs from 0..38) So 'turn' is indeed 5..32 instead of 3..29.
>
> So for i=30,31,32, there is a buffer overflow. It is always hit when
> data is overwritten on disk.
>
> Moreover, it is unfortunate that patterns 0 and 1 are never written.
>
> A proposed patch would be as follows:
>
> Index: luks/keymanage.c
> ===================================================================
> --- luks/keymanage.c (revision 46)
> +++ luks/keymanage.c (working copy)
> @@ -371,9 +371,9 @@
> {"\x92\x49\x24"}, {"\x49\x24\x92"}, {"\x24\x92\x49"},
> {"\x6d\xb6\xdb"}, {"\xb6\xdb\x6d"}, {"\xdb\x6d\xb6"}
> };
>
> for(i = 0; i < buffer_size / 3; ++i) {
> - memcpy(buffer, write_modes[turn - 3], 3);
> + memcpy(buffer, write_modes[turn], 3);
> buffer += 3;
> }
> }
> @@ -397,8 +397,8 @@
>
> for(i = 0; i < 39; ++i) {
> if (i >= 0 && i < 5) getRandom(buffer, bufLen);
> - else if(i >= 5 && i < 33) wipeSpecial(buffer, bufLen, i);
> - else if(i >= 33 && i < 38) getRandom(buffer, bufLen);
> + else if(i >= 5 && i < 32) wipeSpecial(buffer, bufLen, i - 5);
> + else if(i >= 32 && i < 38) getRandom(buffer, bufLen);
> else if(i >= 38 && i < 39) memset(buffer, 0xFF, bufLen);
>
> if(write_lseek_blockwise(devfd, buffer, bufLen, from * SECTOR_SIZE) < 0) {
>
> Bye,
> Henrik
>
> ---------------------------------------------------------------------
> dm-crypt mailing list - http://www.saout.de/misc/dm-crypt/
> To unsubscribe, e-mail: dm-crypt-unsubscribe@xxxxxxxx
> For additional commands, e-mail: dm-crypt-help@xxxxxxxx
>
--
Arno Wagner, Dipl. Inform., CISSP --- Email: arno@xxxxxxxxxxx
GnuPG: ID: 1E25338F FP: 0C30 5782 9D93 F785 E79C 0296 797F 6B50 1E25 338F
----
Cuddly UI's are the manifestation of wishful thinking. -- Dylan Evans
If it's in the news, don't worry about it. The very definition of
"news" is "something that hardly ever happens." -- Bruce Schneier
---------------------------------------------------------------------
dm-crypt mailing list - http://www.saout.de/misc/dm-crypt/
To unsubscribe, e-mail: dm-crypt-unsubscribe@xxxxxxxx
For additional commands, e-mail: dm-crypt-help@xxxxxxxx
