Page MenuHome GnuPG

First 8 bytes of cache item left in clear in memory after decryption.
Closed, ResolvedPublic


_gcry_cipher_aeswrap_decrypt function in file cipher/cipher-aeswrap.c does not clean memory properly after decryption. The variable b is used to concatenate intermediate results during AES wrap decryption. At the end of the decryption it contains the constant 0xa6a6a6a6a6a6a6a6 and the first eight bytes of the cache item in clear. At the end of the decryption, the variable is not wiped thus it stay in clear in memory. This can be easy findable in memory since it is next to the constant. This is problematic when a passphrase is used for symmetric encryption since the function is called by the function agent_get_cache in the file agent/cache.c. The first eight bytes may be recovered from a memory dump after a decryption have been done previously with a passphrase in cache.

To reproduce de the behavior it is possible to compile libgcrypt examples in debug mode and run gdb on aeswrap sample binary. By issuing the following commands:

b gcry_cipher_decrypt
b *_gcry_cipher_aeswrap_decrypt+791
x/4x b



Related Objects

Event Timeline

werner triaged this task as High priority.
werner added a subscriber: werner.

Good catch. Thanks. This patch should fix the leak:

--- a/cipher/cipher-aeswrap.c
+++ b/cipher/cipher-aeswrap.c
@@ -187,6 +187,7 @@ _gcry_cipher_aeswrap_decrypt (gcry_cipher_hd_t c,
           memcpy (r+(i-1)*8, b+8, 8);
+  wipememory (b, 16);
   /* If an IV has been set we compare against this Alternative Initial
      Value; if it has not been set we compare against the standard IV.  */

You mentioned gpg-agent: This not really in danger because the key for the encryption is anyway stored in memory and easy to find. The whole idea here is to limit the space needed for mlock-ed memory and to be prepared for a time when we have a usable way to store in-process secrets.

And well, the context area of the handle is also wiped at gcry_cipher_close time. Thus any standard use of aeswrap (open,encrypt/decrypt,close) is not affected.

werner changed the task status from Open to Testing.Sep 13 2021, 4:51 PM