1 |
From 3f61c7a09b220805ee6778f4bf2f429e3df8e37a Mon Sep 17 00:00:00 2001 |
2 |
From: Matthieu Herrb <matthieu@herrb.eu> |
3 |
Date: Tue, 28 Feb 2017 19:18:25 +0100 |
4 |
Subject: [PATCH 2/4] Use timingsafe_memcmp() to compare MIT-MAGIC-COOKIES |
5 |
CVE-2017-2624 |
6 |
|
7 |
Provide the function definition for systems that don't have it. |
8 |
|
9 |
Signed-off-by: Matthieu Herrb <matthieu@herrb.eu> |
10 |
Reviewed-by: Alan Coopersmith <alan.coopersmith@oracle.com> |
11 |
(cherry picked from commit d7ac755f0b618eb1259d93c8a16ec6e39a18627c) |
12 |
--- |
13 |
configure.ac | 3 ++- |
14 |
include/dix-config.h.in | 3 +++ |
15 |
include/os.h | 5 +++++ |
16 |
os/mitauth.c | 2 +- |
17 |
os/timingsafe_memcmp.c | 45 +++++++++++++++++++++++++++++++++++++++++++++ |
18 |
5 files changed, 56 insertions(+), 2 deletions(-) |
19 |
create mode 100644 os/timingsafe_memcmp.c |
20 |
|
21 |
diff --git a/configure.ac b/configure.ac |
22 |
index 770c3e6..62cd547 100644 |
23 |
--- a/configure.ac |
24 |
+++ b/configure.ac |
25 |
@@ -221,7 +221,8 @@ AC_CHECK_FUNCS([backtrace ffs geteuid getuid issetugid getresuid \ |
26 |
mmap posix_fallocate seteuid shmctl64 strncasecmp vasprintf vsnprintf \ |
27 |
walkcontext setitimer poll epoll_create1]) |
28 |
AC_CONFIG_LIBOBJ_DIR([os]) |
29 |
-AC_REPLACE_FUNCS([reallocarray strcasecmp strcasestr strlcat strlcpy strndup]) |
30 |
+AC_REPLACE_FUNCS([reallocarray strcasecmp strcasestr strlcat strlcpy strndup\ |
31 |
+ timingsafe_memcmp]) |
32 |
AM_CONDITIONAL(POLL, [test "x$ac_cv_func_poll" = "xyes"]) |
33 |
|
34 |
AC_CHECK_DECLS([program_invocation_short_name], [], [], [[#include <errno.h>]]) |
35 |
diff --git a/include/dix-config.h.in b/include/dix-config.h.in |
36 |
index 4f020e5..4b86c1a 100644 |
37 |
--- a/include/dix-config.h.in |
38 |
+++ b/include/dix-config.h.in |
39 |
@@ -238,6 +238,9 @@ |
40 |
/* Define to 1 if you have the <sys/utsname.h> header file. */ |
41 |
#undef HAVE_SYS_UTSNAME_H |
42 |
|
43 |
+/* Define to 1 if you have the `timingsafe_memcmp' function. */ |
44 |
+#undef HAVE_TIMINGSAFE_MEMCMP |
45 |
+ |
46 |
/* Define to 1 if you have the <tslib.h> header file. */ |
47 |
#undef HAVE_TSLIB_H |
48 |
|
49 |
diff --git a/include/os.h b/include/os.h |
50 |
index d2c41b4..aa231f5 100644 |
51 |
--- a/include/os.h |
52 |
+++ b/include/os.h |
53 |
@@ -590,6 +590,11 @@ extern _X_EXPORT char * |
54 |
strndup(const char *str, size_t n); |
55 |
#endif |
56 |
|
57 |
+#ifndef HAVE_TIMINGSAFE_MEMCMP |
58 |
+extern _X_EXPORT int |
59 |
+timingsafe_memcmp(const void *b1, const void *b2, size_t len); |
60 |
+#endif |
61 |
+ |
62 |
/* Logging. */ |
63 |
typedef enum _LogParameter { |
64 |
XLOG_FLUSH, |
65 |
diff --git a/os/mitauth.c b/os/mitauth.c |
66 |
index 768a52a..efae440 100644 |
67 |
--- a/os/mitauth.c |
68 |
+++ b/os/mitauth.c |
69 |
@@ -76,7 +76,7 @@ MitCheckCookie(unsigned short data_length, |
70 |
|
71 |
for (auth = mit_auth; auth; auth = auth->next) { |
72 |
if (data_length == auth->len && |
73 |
- memcmp(data, auth->data, (int) data_length) == 0) |
74 |
+ timingsafe_memcmp(data, auth->data, (int) data_length) == 0) |
75 |
return auth->id; |
76 |
} |
77 |
*reason = "Invalid MIT-MAGIC-COOKIE-1 key"; |
78 |
diff --git a/os/timingsafe_memcmp.c b/os/timingsafe_memcmp.c |
79 |
new file mode 100644 |
80 |
index 0000000..36ab362 |
81 |
--- /dev/null |
82 |
+++ b/os/timingsafe_memcmp.c |
83 |
@@ -0,0 +1,45 @@ |
84 |
+/* |
85 |
+ * Copyright (c) 2014 Google Inc. |
86 |
+ * |
87 |
+ * Permission to use, copy, modify, and distribute this software for any |
88 |
+ * purpose with or without fee is hereby granted, provided that the above |
89 |
+ * copyright notice and this permission notice appear in all copies. |
90 |
+ * |
91 |
+ * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES |
92 |
+ * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF |
93 |
+ * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR |
94 |
+ * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES |
95 |
+ * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN |
96 |
+ * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF |
97 |
+ * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. |
98 |
+ */ |
99 |
+ |
100 |
+#include <limits.h> |
101 |
+#include <string.h> |
102 |
+ |
103 |
+int |
104 |
+timingsafe_memcmp(const void *b1, const void *b2, size_t len) |
105 |
+{ |
106 |
+ const unsigned char *p1 = b1, *p2 = b2; |
107 |
+ size_t i; |
108 |
+ int res = 0, done = 0; |
109 |
+ |
110 |
+ for (i = 0; i < len; i++) { |
111 |
+ /* lt is -1 if p1[i] < p2[i]; else 0. */ |
112 |
+ int lt = (p1[i] - p2[i]) >> CHAR_BIT; |
113 |
+ |
114 |
+ /* gt is -1 if p1[i] > p2[i]; else 0. */ |
115 |
+ int gt = (p2[i] - p1[i]) >> CHAR_BIT; |
116 |
+ |
117 |
+ /* cmp is 1 if p1[i] > p2[i]; -1 if p1[i] < p2[i]; else 0. */ |
118 |
+ int cmp = lt - gt; |
119 |
+ |
120 |
+ /* set res = cmp if !done. */ |
121 |
+ res |= cmp & ~done; |
122 |
+ |
123 |
+ /* set done if p1[i] != p2[i]. */ |
124 |
+ done |= lt | gt; |
125 |
+ } |
126 |
+ |
127 |
+ return (res); |
128 |
+} |
129 |
-- |
130 |
2.10.2 |
131 |
|