Use the explicit_bzero() function in places where it is important that
security information such as passwords is cleared from memory. There
might be other places where it could be useful; this is just an
initial collection.
For platforms that don't have explicit_bzero(), provide various
fallback implementations. (explicit_bzero() itself isn't standard,
but as Linux/glibc, FreeBSD, and OpenBSD have it, it's the most common
spelling, so it makes sense to make that the invocation point.)
Discussion: https://www.postgresql.org/message-id/flat/
42d26bde-5d5b-c90d-87ae-
6cab875f73be%402ndquadrant.com
LIBS_including_readline="$LIBS"
LIBS=`echo "$LIBS" | sed -e 's/-ledit//g' -e 's/-lreadline//g'`
-for ac_func in cbrt clock_gettime copyfile fdatasync getifaddrs getpeerucred getrlimit mbstowcs_l memmove poll posix_fallocate ppoll pstat pthread_is_threaded_np readlink setproctitle setproctitle_fast setsid shm_open strchrnul strsignal symlink sync_file_range uselocale utime utimes wcstombs_l
+for ac_func in cbrt clock_gettime copyfile fdatasync getifaddrs getpeerucred getrlimit mbstowcs_l memset_s memmove poll posix_fallocate ppoll pstat pthread_is_threaded_np readlink setproctitle setproctitle_fast setsid shm_open strchrnul strsignal symlink sync_file_range uselocale utime utimes wcstombs_l
do :
as_ac_var=`$as_echo "ac_cv_func_$ac_func" | $as_tr_sh`
ac_fn_c_check_func "$LINENO" "$ac_func" "$as_ac_var"
fi
+ac_fn_c_check_func "$LINENO" "explicit_bzero" "ac_cv_func_explicit_bzero"
+if test "x$ac_cv_func_explicit_bzero" = xyes; then :
+ $as_echo "#define HAVE_EXPLICIT_BZERO 1" >>confdefs.h
+
+else
+ case " $LIBOBJS " in
+ *" explicit_bzero.$ac_objext "* ) ;;
+ *) LIBOBJS="$LIBOBJS explicit_bzero.$ac_objext"
+ ;;
+esac
+
+fi
+
ac_fn_c_check_func "$LINENO" "fls" "ac_cv_func_fls"
if test "x$ac_cv_func_fls" = xyes; then :
$as_echo "#define HAVE_FLS 1" >>confdefs.h
getpeerucred
getrlimit
mbstowcs_l
+ memset_s
memmove
poll
posix_fallocate
AC_REPLACE_FUNCS(m4_normalize([
dlopen
+ explicit_bzero
fls
getopt
getrusage
{
if (ferror(fh))
{
+ explicit_bzero(buf, size);
ereport(loglevel,
(errcode_for_file_access(),
errmsg("could not read from command \"%s\": %m",
pclose_rc = ClosePipeStream(fh);
if (pclose_rc == -1)
{
+ explicit_bzero(buf, size);
ereport(loglevel,
(errcode_for_file_access(),
errmsg("could not close pipe to external command: %m")));
}
else if (pclose_rc != 0)
{
+ explicit_bzero(buf, size);
ereport(loglevel,
(errcode_for_file_access(),
errmsg("command \"%s\" failed",
/* Define to 1 if you have the <editline/readline.h> header file. */
#undef HAVE_EDITLINE_READLINE_H
+/* Define to 1 if you have the `explicit_bzero' function. */
+#undef HAVE_EXPLICIT_BZERO
+
/* Define to 1 if you have the `fdatasync' function. */
#undef HAVE_FDATASYNC
/* Define to 1 if you have the <memory.h> header file. */
#undef HAVE_MEMORY_H
+/* Define to 1 if you have the `memset_s' function. */
+#undef HAVE_MEMSET_S
+
/* Define to 1 if the system has the type `MINIDUMP_TYPE'. */
#undef HAVE_MINIDUMP_TYPE
/* Define to 1 if you have the <editline/readline.h> header file. */
/* #undef HAVE_EDITLINE_READLINE_H */
+/* Define to 1 if you have the `explicit_bzero' function. */
+/* #undef HAVE_EXPLICIT_BZERO */
+
/* Define to 1 if you have the `fdatasync' function. */
/* #undef HAVE_FDATASYNC */
/* Define to 1 if you have the <memory.h> header file. */
#define HAVE_MEMORY_H 1
+/* Define to 1 if you have the `memset_s' function. */
+/* #undef HAVE_MEMSET_S */
+
/* Define to 1 if the system has the type `MINIDUMP_TYPE'. */
#define HAVE_MINIDUMP_TYPE 1
#endif /* __clang__ && !__cplusplus */
#endif /* !HAVE_ISINF */
+#ifndef HAVE_EXPLICIT_BZERO
+extern void explicit_bzero(void *buf, size_t len);
+#endif
+
#ifndef HAVE_STRTOF
extern float strtof(const char *nptr, char **endptr);
#endif
if (conn->connhost[i].port != NULL)
free(conn->connhost[i].port);
if (conn->connhost[i].password != NULL)
+ {
+ explicit_bzero(conn->connhost[i].password, strlen(conn->connhost[i].password));
free(conn->connhost[i].password);
+ }
}
free(conn->connhost);
}
if (conn->pguser)
free(conn->pguser);
if (conn->pgpass)
+ {
+ explicit_bzero(conn->pgpass, strlen(conn->pgpass));
free(conn->pgpass);
+ }
if (conn->pgpassfile)
free(conn->pgpassfile);
if (conn->keepalives)
if (!ret)
{
/* Out of memory. XXX: an error message would be nice. */
+ explicit_bzero(buf, sizeof(buf));
return NULL;
}
}
fclose(fp);
+ explicit_bzero(buf, sizeof(buf));
return NULL;
#undef LINELEN
--- /dev/null
+/*-------------------------------------------------------------------------
+ *
+ * explicit_bzero.c
+ *
+ * Portions Copyright (c) 1996-2019, PostgreSQL Global Development Group
+ * Portions Copyright (c) 1994, Regents of the University of California
+ *
+ *
+ * IDENTIFICATION
+ * src/port/explicit_bzero.c
+ *
+ *-------------------------------------------------------------------------
+ */
+
+#include "c.h"
+
+#if defined(HAVE_MEMSET_S)
+
+void
+explicit_bzero(void *buf, size_t len)
+{
+ (void) memset_s(buf, len, 0, len);
+}
+
+#elif defined(WIN32)
+
+void
+explicit_bzero(void *buf, size_t len)
+{
+ (void) SecureZeroMemory(buf, len);
+}
+
+#else
+
+/*
+ * Indirect call through a volatile pointer to hopefully avoid dead-store
+ * optimisation eliminating the call. (Idea taken from OpenSSH.) We can't
+ * assume bzero() is present either, so for simplicity we define our own.
+ */
+
+static void
+bzero2(void *buf, size_t len)
+{
+ memset(buf, 0, len);
+}
+
+static void (* volatile bzero_p)(void *, size_t) = bzero2;
+
+void
+explicit_bzero(void *buf, size_t len)
+{
+ bzero_p(buf, len);
+}
+
+#endif
$solution = CreateSolution($vsVersion, $config);
our @pgportfiles = qw(
- chklocale.c fls.c fseeko.c getrusage.c inet_aton.c random.c
+ chklocale.c explicit_bzero.c fls.c fseeko.c getrusage.c inet_aton.c random.c
srandom.c getaddrinfo.c gettimeofday.c inet_net_ntop.c kill.c open.c
erand48.c snprintf.c strlcat.c strlcpy.c dirmod.c noblock.c path.c
dirent.c dlopen.c getopt.c getopt_long.c
projects / postgresql.git / commitdiff