chkpass with RANDOMIZE_ALLOCATED_MEMORY

From: Asif Naeem <anaeem(dot)it(at)gmail(dot)com>
To: pgsql-hackers <pgsql-hackers(at)postgresql(dot)org>
Subject: chkpass with RANDOMIZE_ALLOCATED_MEMORY
Date: 2015-02-13 12:27:37
Message-ID: CAEB4t-MPthnEWtfPaRrCQHAKTNU3qs1S3vyvz_CUmOiLo1QMoQ@mail.gmail.com
Views: Raw Message | Whole Thread | Download mbox | Resend email
Thread:
Lists: pgsql-hackers

Hi,

It is been observed on RANDOMIZE_ALLOCATED_MEMORY enabled PG95 build that
chkpass is failing because of uninitialized memory and seems showing false
alarm. I have tried to add code snippets to explain as following i.e.

postgres=# CREATE EXTENSION chkpass;
> WARNING: type input function chkpass_in should not be volatile
> CREATE EXTENSION
> postgres=# CREATE TABLE test_tbl ( name text, pass chkpass );
> CREATE TABLE
> postgres=# INSERT INTO test_tbl VALUES('foo','foo1');
> WARNING: type chkpass has unstable input conversion for "foo1"
> LINE 1: INSERT INTO test_tbl VALUES('foo','foo1');
> ^
> INSERT 0 1

It is giving warning "type chkpass has unstable input conversion" because
chkpass structure hold uninitialized memory area’s that are left unused.
When chkpass_in() is called with input “foo1”, it allocate 16 bytes of
randomized memory for chkpass i.e.

contrib/chkpass/chkpass.c

> /*
> * This is the internal storage format for CHKPASSs.
> * 15 is all I need but add a little buffer
> */
> typedef struct chkpass
> {
> char password[16];
> } chkpass;

chkpass_in()

> result = (chkpass *) palloc(sizeof(chkpass));

*result memory*

> 0x7ffc93047a68: 0xdd 0xde 0xdf 0xe0 0xe1 0xe2 0xe3 0xe4
> 0x7ffc93047a70: 0xe5 0xe6 0xe7 0xe8 0xe9 0xea 0xeb 0xec
>

It copies string (16 bytes max) returned from crypt() function, it copies
until null character reached i.e.

strlcpy(result->password, crypt_output, sizeof(result->password));

*crypt_output memory*

> 0x7fff7d1577f0: 0x6a 0x6e 0x6d 0x54 0x44 0x53 0x55 0x33
> 0x7fff7d1577f8: 0x4b 0x48 0x52 0x55 0x6f 0x00 0x00 0x00

*result memory*

> 0x7ffc93047a68: 0x6a 0x6e 0x6d 0x54 0x44 0x53 0x55 0x33
> 0x7ffc93047a70: 0x4b 0x48 0x52 0x55 0x6f 0x00 0xeb 0xec

It left remaining last 2 byte left untouched. It is the cause for "unstable
input conversion” warning.

I think these uninitialized memory areas are false alarms. Along with this
there seems another issue that makes chkpass troubling
RANDOMIZE_ALLOCATED_MEMORY comparison logic is that crypt() function is
being passed with random salt value for DES based result. PFA patch, to
generate consistent results, it uses constant salt value.

It seems a minor inconvenience but it will make results better. Please do
let me know if I missed something or more information is required. Thanks.

Regards,
Muhammad Asif Naeem

Attachment Content-Type Size
chkpass_RANDOMIZE_ALLOCATED_MEMORY_v1.patch application/octet-stream 948 bytes

Responses

Browse pgsql-hackers by date

  From Date Subject
Next Message Stephen Frost 2015-02-13 12:27:51 Re: Odd behavior of updatable security barrier views on foreign tables
Previous Message Kouhei Kaigai 2015-02-13 11:28:50 Re: Custom/Foreign-Join-APIs (Re: [v9.5] Custom Plan API)