From: Paul Eggert
Date: Thu, 20 Jul 2017 21:01:14 +0000 (-0700)
Subject: shred: use explicit_bzero
X-Git-Tag: v8.28~58
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=73d55732df36ac4f32e7065392780a8258f5e21b;p=thirdparty%2Fcoreutils.git
shred: use explicit_bzero
* NEWS: Document this.
* bootstrap.conf (gnulib_modules): Add explicit_bzero.
* gl/lib/randint.c (randint_free):
* gl/lib/randread.c (randread_free):
* src/blake2/blake2-impl.h (secure_zero_memory):
* src/shred.c (dopass, do_wipefd): Prefer explicit_bzero to memset when erasing secrets.
---
diff --git a/NEWS b/NEWS
index 110229bd8e..dfd2837a07 100644
--- a/NEWS
+++ b/NEWS
@@ -25,6 +25,10 @@ GNU coreutils NEWS -*- outline -*-
 Now, it prints a diagnostic or a line to stdout for each argument.
 [bug introduced in the bourne-shell-to-C rewrite for coreutils-6.11]
+ shred now erases buffers containing secrets via the explicit_bzero
+ function, which should be more reliable.
+ [potential bug has always been present in 'shred']
+
 split no longer exits when invocations of a --filter return EPIPE.
 [bug introduced in coreutils-8.26]
diff --git a/bootstrap.conf b/bootstrap.conf
index 4db77a3d78..9064a94bbf 100644
--- a/bootstrap.conf
+++ b/bootstrap.conf
@@ -69,6 +69,7 @@ gnulib_modules="
 euidaccess
 exclude
 exitfail
+ explicit_bzero
 faccessat
 fadvise
 fchdir
diff --git a/gl/lib/randint.c b/gl/lib/randint.c
index 4561067e84..b15982f463 100644
--- a/gl/lib/randint.c
+++ b/gl/lib/randint.c
@@ -198,7 +198,7 @@ randint_genmax (struct randint_source *s, randint genmax)
 void
 randint_free (struct randint_source *s)
 {
- memset (s, 0, sizeof *s);
+ explicit_bzero (s, sizeof *s);
 free (s);
 }
diff --git a/gl/lib/randread.c b/gl/lib/randread.c
index 9c70a18752..834f8446ab 100644
--- a/gl/lib/randread.c
+++ b/gl/lib/randread.c
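Review bot: The erase-before-free in randint_free carries no comment saying why it is there, so a later reader may drop it or revert it to memset as an apparent cleanup; a comment such as `/* Erase *S before freeing it so its state cannot be recovered from the freed block; explicit_bzero is used because a memset of memory about to be freed may be optimized away.  */` records the intent. The same applies to randread_free in the gl/lib/randread.c hunk that follows, where the erase also precedes the fclose on the stream saved in `source`.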
@@ -341,7 +341,7 @@ int
 randread_free (struct randread_source *s)
 {
 FILE *source = s->source;
- memset (s, 0, sizeof *s);
+ explicit_bzero (s, sizeof *s);
 free (s);
 return (source ? fclose (source) : 0);
 }
diff --git a/src/blake2/blake2-impl.h b/src/blake2/blake2-impl.h
index 5dff7fc7a3..241e5abf5c 100644
--- a/src/blake2/blake2-impl.h
+++ b/src/blake2/blake2-impl.h
@@ -153,8 +153,7 @@ static BLAKE2_INLINE uint64_t rotr64( const uint64_t w, const unsigned c )
 /* prevents compiler optimizing out memset() */
 static BLAKE2_INLINE void secure_zero_memory(void *v, size_t n)
 {
- static void *(*const volatile memset_v)(void *, int, size_t) = &memset;
- memset_v(v, 0, n);
+ explicit_bzero (v, n);
 }
 #endif
diff --git a/src/shred.c b/src/shred.c
index 7926e7aa42..c95546cb7a 100644
--- a/src/shred.c
+++ b/src/shred.c
@@ -653,7 +653,7 @@ dopass (int fd, struct stat const *st, char const *qname, off_t *sizep,
 }
 free_pattern_mem:
- memset (pbuf, 0, FILLPATTERN_SIZE);
+ explicit_bzero (pbuf, FILLPATTERN_SIZE);
 free (fill_pattern_mem);
 return other_error ? -1 : write_error;
@@ -987,7 +987,7 @@ do_wipefd (int fd, char const *qname, struct randint_source *s,
 }
 wipefd_out:
- memset (passarray, 0, flags->n_iterations * sizeof (int));
+ explicit_bzero (passarray, flags->n_iterations * sizeof (int));
 free (passarray);
 return ok;
 }
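Review bot: The comment `/* prevents compiler optimizing out memset() */` directly above secure_zero_memory now describes the removed volatile-function-pointer trick rather than the explicit_bzero call that replaced it, and will mislead the next reader; I would reword it to `/* Erase N bytes at V.  explicit_bzero is guaranteed not to be elided, unlike a memset the compiler may treat as a dead store.  */`. explicit_bzero is a BSD/glibc extension rather than ISO C, so this vendored header now depends on the gnulib replacement being declared through <string.h>; the include is outside the hunk, so I cannot confirm it from here.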
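Review bot: At wipefd_out the erase length `flags->n_iterations * sizeof (int)` is spelled independently of passarray's element type, so if passarray is ever changed to a wider type the erase silently covers only part of the array; `explicit_bzero (passarray, flags->n_iterations * sizeof *passarray);` keeps the length tied to the pointer it erases. do_wipefd starts outside the hunk, so the allocation this length must match is not visible here. The dopass hunk above, which erases `pbuf` with the fixed FILLPATTERN_SIZE, does not have this issue.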