[fprint] Minor security hole in libfprint (with fix included)

Alan Davidson alan at key.me
Tue Aug 23 18:14:02 UTC 2016


I apologize for the pause. I'm somewhat inexperienced at git, and am unsure
how to make a pull request to a non-github repository.

The commit I showed you is still at [1], but I've now cherry-picked it into
its own branch at [2]. I've also run a `git request-pull` on my local
machine, whose results I have copied below, but I don't think that actually
sent anything to you. How do I make a pull request? Sorry for such a newbie
question.

Output of `git request-pull`:

"""
alan-14:03>git request-pull -p master https://github.com/keyme/libfprint g_malloc0
The following changes since commit 9570c36fd42bff6246de50ace398a457b9495b46:

  build: Fix running autogen.sh out-of-tree (2016-07-19 11:18:58 +0200)

are available in the git repository at:

  https://github.com/keyme/libfprint g_malloc0

for you to fetch changes up to 0d0fa5a523662e69c3929b2fe530d9d36e2f06d3:

  Fix security hole: zero out memory when allocated (2016-08-23 14:03:03 -0400)

----------------------------------------------------------------
Alan Davidson (1):
      Fix security hole: zero out memory when allocated

 libfprint/data.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
"""

 - Alan

[1] https://github.com/keyme/libfprint/commit/1b71aff9ea389c427f9f8bfaabf8aa0acde37269
[2] https://github.com/keyme/libfprint/compare/g_malloc0?expand=1

On Fri, Aug 19, 2016 at 12:49 PM, Alan Davidson <alan at key.me> wrote:

> Thanks for taking a look! and thanks for maintaining this library; it's
> very useful.
>
>  - Alan
>
> On Fri, Aug 19, 2016 at 1:56 AM, Vasily Khoruzhick <anarsoul at gmail.com>
> wrote:
>
>> Hi Alan,
>>
>> Thanks for your e-mail and patch.
>>
>> I expect it to be in worst case some re-used memory of libfprint, so
>> it's not really a security leak, since the only sensitive information
>> is saved to the disk. But I'll take your patch.
>>
>> Regards,
>> Vasily
>>
>> On Thu, Aug 18, 2016 at 3:01 PM, Alan Davidson <alan at key.me> wrote:
>> > Hi libfprint folks -
>> >
>> > I was enrolling fingerprints and saving the data to files (using
>> > fp_print_data_get_data), when I noticed that the data section for the
>> > minutiae had interesting stuff in the unused parts. This is to say, the
>> > xyt_struct (from bozorth.h) allocates space for 200 minutiae, and if I only
>> > use 50 of them, the other 150 are still allocated and have stuff in them.
>> > These values come from things that were previously allocated and deallocated
>> > on the heap, and the data is still there because it wasn't zeroed out when
>> > we re-allocated it.
>> >
>> > I think it should be zeroed out, to prevent leaking whatever used to be in
>> > this memory. What do you think? It's a very easy change; see the commit at
>> > [1], though I'm unclear how to transfer it to your repo. Without this
>> > change, enrolled fingerprints saved to file on my computer have non-null
>> > data in the unused minutiae, and with it, all the unused minutiae are full
>> > of null bytes.
>> >
>> > A little more detail: this happens in fpi_img_to_print_data (in img.c), when
>> > we create a new item to store the minutiae in xyt format. The data is later
>> > copied wholesale into the output buffer in fp_print_data_get_data.
>> >
>> > Thanks for taking a look!
>> >
>> >  - Alan
>> >
>> > [1] https://github.com/keyme/libfprint/commit/1b71aff9ea389c427f9f8bfaabf8aa0acde37269
>> >
>> > _______________________________________________
>> > fprint mailing list
>> > fprint at lists.freedesktop.org
>> > https://lists.freedesktop.org/mailman/listinfo/fprint
>> >
>>
>
>
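The bug class discussed in this thread, shown as an added example that is not libfprint's code and does not reproduce the real xyt_struct layout: a fixed-capacity record is allocated without zeroing, only the first N entries are written, and the whole record is then memcpy'd into the serialised output, so whatever the allocator previously held in the unused entries travels with the enrolled print. Heap reuse is not deterministic with a real malloc, so the example uses a constructed single-slot "heap" (toy_malloc / toy_malloc0, standing in for g_malloc / g_malloc0) that hands back dirty memory on purpose; the 0xA5 fill, the struct, MAX_MINUTIAE and every function name here are assumptions made for the demonstration.

```c
#include <stdio.h>
#include <string.h>

/* Constructed stand-in for a fixed-capacity minutiae record: room for
 * MAX_MINUTIAE entries, of which only `count` are filled per enrolment.
 * It does not reproduce the real xyt_struct layout from bozorth.h. */
#define MAX_MINUTIAE 200

struct xyt_like {
    int count;
    int x[MAX_MINUTIAE];
    int y[MAX_MINUTIAE];
    int t[MAX_MINUTIAE];
};

/* Toy single-slot "heap" (constructed): like a real allocator it hands back
 * previously used memory without clearing it, but deterministically, so the
 * leak can be observed reliably instead of depending on heap layout. */
static struct xyt_like heap_slot;

static void *toy_malloc(size_t n)   /* g_malloc-like: contents undefined */
{
    return n <= sizeof heap_slot ? (void *)&heap_slot : NULL;
}

static void *toy_malloc0(size_t n)  /* g_malloc0-like: zero-filled */
{
    void *p = toy_malloc(n);
    if (p)
        memset(p, 0, n);
    return p;
}

/* Pretend an earlier allocation (e.g. a previous fingerprint image) lived in
 * this slot and was freed without being wiped. */
static void leave_stale_data(void)
{
    memset(&heap_slot, 0xA5, sizeof heap_slot);
}

/* Fill `n` entries and then copy the whole record into `out`, the way the
 * thread describes fp_print_data_get_data copying the data wholesale. */
static void build_and_serialize(int n, int zeroed, unsigned char *out)
{
    struct xyt_like *rec = zeroed ? toy_malloc0(sizeof *rec)
                                  : toy_malloc(sizeof *rec);
    if (!rec)
        return;
    rec->count = n;
    for (int i = 0; i < n; i++) {
        rec->x[i] = i;
        rec->y[i] = 2 * i;
        rec->t[i] = 3 * i;
    }
    memcpy(out, rec, sizeof *rec);
}

/* Count unused (index >= count) coordinate slots in a serialised record that
 * hold non-zero values: none of them were written by this enrolment, so any
 * non-zero value is leftover heap contents. */
static int stale_slots(const unsigned char *buf)
{
    struct xyt_like rec;
    int stale = 0;
    memcpy(&rec, buf, sizeof rec);  /* avoid an unaligned/aliasing cast */
    for (int i = rec.count; i < MAX_MINUTIAE; i++) {
        if (rec.x[i] != 0) stale++;
        if (rec.y[i] != 0) stale++;
        if (rec.t[i] != 0) stale++;
    }
    return stale;
}

/* End-to-end: dirty the slot, enrol 50 minutiae, serialise, and measure the
 * leak. Returns 450 (150 unused slots x 3 arrays) without zeroing, 0 with it. */
int leaked_slots_for(int zeroed)
{
    unsigned char buf[sizeof(struct xyt_like)];
    leave_stale_data();
    build_and_serialize(50, zeroed, buf);
    return stale_slots(buf);
}

int main(void)
{
    printf("g_malloc-style : %d stale slots in output\n", leaked_slots_for(0));
    printf("g_malloc0-style: %d stale slots in output\n", leaked_slots_for(1));
    return 0;
}
```

Zeroing at allocation (the one-line g_malloc0 change the patch makes) is the cheap, robust fix because it does not depend on every later writer covering the whole record. A second, independent hardening a reviewer would usually also ask for in code like this is to serialise only the `count` used entries rather than the full fixed-capacity struct: the output then cannot carry unwritten bytes at all, whatever the allocator returned. That is a general design note, not a description of what libfprint does.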