Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Fix stack buffer overflow in zxcvbn. #363

Closed
wants to merge 2 commits into from
Closed

Fix stack buffer overflow in zxcvbn. #363

wants to merge 2 commits into from

Conversation

hannob
Copy link
Contributor

@hannob hannob commented Mar 2, 2017

The array PossChars is filled with a 48 byte string plus a trailing zero
byte. Therefore it needs to be 49 bytes long.

This fixes a buffer overflow in the zxcvbn code. The code comes from the zxvcbn-c project, where I have also submitted a pull request:
tsyrogit/zxcvbn-c#11

Apart from the bug itself I find it worrying that a security tool contains such a bug. Such bug classes can be trivially found with address sanitizer, a compiler feature in gcc/clang (just do something like "CFLAGS="-fsanitize=address -g" CXXFLAGS="-fsanitize=address -g" cmake .; make" and try to run keepassxc). Given that this bug is present means apparently that nobody ever tested the keepassxc code with address sanitizer. I'd consider that very basic quality assurance that especially security-related projects should do by default.

@hannob
Fix stack buffer overflow in zxcvbn.
195afaa 
The array PossChars is filled with a 48 byte string plus a trailing zero
byte. Therefore it needs to be 49 bytes long.
@phoerious phoerious changed the base branch from develop to release/2.1.3 March 2, 2017 11:10
@phoerious phoerious changed the base branch from release/2.1.3 to develop March 2, 2017 11:10
@phoerious
Copy link
Member

phoerious commented Mar 2, 2017
edited
Loading

@Could you rebase that patch against release/2.1.3, please?

And you are right, we should enable address sanitation by default. We don't use any raw char arrays in our own code, but considering that some third-party code does, it is probably a good idea.

The bug is only critical when the DB is already unlocked and the user is editing a password, though.

@phoerious phoerious self-assigned this Mar 2, 2017
@phoerious phoerious added this to the v2.1.3 milestone Mar 2, 2017
@hannob hannob mentioned this pull request Mar 2, 2017
Merged
@hannob
Copy link
Contributor Author

hannob commented Mar 2, 2017

Hope I did this the right way (my git skills are... limited).

Also to clarify, I also don't think this is a severe issue. But it's a symptom. ASAN-testing is a really easy way to spot some nasty C bugs.

(And also: It's generally not a good idea to enable address sanitizer by default - it's a debugging / testing-tool and shouldn't be used in production)

@phoerious
Copy link
Member

phoerious commented Mar 2, 2017
edited
Loading

(And also: It's generally not a good idea to enable address sanitizer by default - it's a debugging / testing-tool and shouldn't be used in production)

Of course not. This would only be enabled for debug builds. However, the problem we are having with ASAN is that without ASAN_OPTIONS=detect_odr_violation=0 set, KeePassXC won't run at all. The Q_DECL_EXPORT macro in our AutoType library generates false positives.

@phoerious
Copy link
Member

Closing in favor of #365.

@phoerious phoerious closed this Mar 2, 2017
@phoerious phoerious removed this from the v2.1.3 milestone Mar 2, 2017
@droidmonkey
Copy link
Member

@hannob thanks for the tips. Are there any other flags or processes you think would be smart to run or have the option to run at compile time?

We have plans to work with Flaw Finder as a static code analysis tool.

@hannob
Copy link
Contributor Author

hannob commented Mar 2, 2017

From the asan doc it looks to me that detect_odr_violation is off by default:
https://github.com/google/sanitizers/wiki/AddressSanitizerOneDefinitionRuleViolation

I also was able to run keepassxc once I fixed the overflow.

There are other sanitizers in gcc/clang, but none of them is as effective and straightforward to use as asan:

  • msan finds uninitialized memory leaks, but requires all dependency libraries to be compiled with msan as well (only clang, not ported to gcc)
  • ubsan finds undefined behavior, also interesting, but finds a lot of noise (==they are bugs and should be fixed, but likely with no real impact, as most compilers will do what you expect)
  • tsan finds concurrency issues, I don't have much experience with it.

Start with asan, add ubsan next, then think about the rest.

@phoerious
Copy link
Member

I'm compiling with Clang 3.9.1 and I can't run KeePassXC without explicitly disabling odr violation detection.

phoerious added a commit that referenced this pull request Mar 2, 2017
@phoerious
Release 2.1.3
76dcfb5 
- Fix possible overflow in zxcvbn library [#363]
- Revert HiDPI setting to avoid problems on laptop screens [#332]
- Set file meta properties in Windows executable [#330]
- Suppress error message when auto-reloading a locked database [#345]
- Improve usability of question dialog when database is already locked by a different instance [#346]
- Fix compiler warnings in QHttp library [#351]
- Use unified toolbar on Mac OS X [#361]
- Fix an issue on X11 where the main window would be raised instead of closed on Alt+F4 [#362]
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers
No reviews
Assignees

@phoerious phoerious

Labels
security
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
3 participants
@hannob @phoerious @droidmonkey