Bug 217298
| Summary: | [geli][boot] geli boot password prompt can be tricked to echo password in clear text | ||
|---|---|---|---|
| Product: | Base System | Reporter: | Emanuel Haupt <ehaupt> |
| Component: | misc | Assignee: | Allan Jude <allanjude> |
| Status: | Closed FIXED | ||
| Severity: | Affects Many People | CC: | egypcio, kp |
| Priority: | --- | ||
| Version: | CURRENT | ||
| Hardware: | Any | ||
| OS: | Any | ||
|
Description
Emanuel Haupt
2017-02-22 14:22:52 UTC
This appears to be a deliberate feature:
In pwgets() (in sys/boot/geli/pwgets.c):
case 'r'&037: {
char *p;
putchar('\n');
for (p = buf; p < lp; ++p)
putchar(*p);
break;
}
I've not found a justification for it in the commit message or the review discussion.
Assigning to the original author for more input.
This looks to be an unintentional 'additional feature' from the code I borrowed from libstand. I will see it removed. A commit references this bug: Author: allanjude Date: Fri Feb 24 16:52:58 UTC 2017 New revision: 314213 URL: https://svnweb.freebsd.org/changeset/base/314213 Log: Remove control+r handling from geliboot's pwgets() pwgets() is based on ngets() from libstand, which includes a feature that is not wanted in a very of the function designed for password handling. Pressing control+r echos out the entered string This commit removes that feature from pwgets() PR: 217298 Reported by: ehaupt Reviewed by: kristof, tsoome, ehaupt Sponsored by: ScaleEngine Inc. Differential Revision: https://reviews.freebsd.org/D9782 Changes: head/sys/boot/geli/pwgets.c Gentlemen, Sadly I still get the same behavior as reported before by ehaupt@. Here are the steps I followed to update/upgrade the FreeBSD on my laptop (that runs it with full disk encryption using GELI): # cd /usr/src # svn update # svn info sys/boot/geli/pwgets.c Path: sys/boot/geli/pwgets.c Name: pwgets.c Working Copy Root Path: /usr/src URL: svn://svnmir.geo.freebsd.org/base/head/sys/boot/geli/pwgets.c Relative URL: ^/head/sys/boot/geli/pwgets.c Repository Root: svn://svnmir.geo.freebsd.org/base Repository UUID: ccf9f872-aa2e-dd11-9fc8-001c23d0bc1f Revision: 314278 Node Kind: file Schedule: normal Last Changed Author: allanjude Last Changed Rev: 314213 Last Changed Date: 2017-02-24 17:52:57 +0100 (Fri, 24 Feb 2017) Text Last Updated: 2017-02-25 12:54:21 +0100 (Sat, 25 Feb 2017) Checksum: bc680882d2ae792308a7bb8e64b73e6d79fdc117 # make cleanworld ; make clean ; make cleandir ; make cleandir # make buildworld && make buildkernel # make installkernel && /bin/sh usr.sbin/mergemaster/mergemaster.sh -p # make installworld && /bin/sh usr.sbin/mergemaster/mergemaster.sh -i -U -F # reboot FreeBSD moose 12.0-CURRENT FreeBSD 12.0-CURRENT #0 r314278: Sat Feb 25 21:06:02 CET 2017 root@moose:/usr/obj/usr/src/sys/MOOSE amd64 GENERIC-NODEBUG The impacted bit of code lives in the bootstrap code, that loads the bootloader You need to update that as well: gpart bootcode -p /boot/gptzfsboot -i 1 ada0 Assuming the freebsd-boot partition is #1 on ada0 gpart show will help you find it (In reply to Allan Jude from comment #5) I totally forgot that! Right after updating the bootcode and rebooting, everything seems to be fine. Thanks (In reply to Vinícius Zavam from comment #4) AFAIK, one could just recompile and install the stuff under sys/boot. Right? This full upgrade is not needed just to patch the bootcode. I ran it like this because I really wanted to shape up an old HEAD running here. It might be useful to leave this explanation here so others can upgrade their systems quicker :) So, assuming the freebsd-boot partition is the first partition living on ada0: # cd /usr/src # svn update # cd sys/boot # make install # gpart bootcode -p /boot/gptzfsboot -i 1 ada0 Based on previous comments and feedback, I think this bug could be closed. I also report it as working in a "post ino64" system; 12.0-CURRENT r320024 (Sat Jun 17 06:00:55 CEST 2017) with updated bootcode. A commit references this bug: Author: kevans Date: Sat Feb 10 04:37:45 UTC 2018 New revision: 329099 URL: https://svnweb.freebsd.org/changeset/base/329099 Log: MFC Loader Fixes 2017q1: r311458,r312237,r312314,r312374,r312947,r313042, r313047,r313166,r313328,r313332,r313333,r313337,r313348,r313349,r313389, r313442,r313451,r313575,r313645,r313710,r314114,r314213,r314275,r314945, r314948,r315008,r315408,r315427,r315645,r315646,r315648,r315653,r315850, r316064,r316078,r316079,r316100,r316104,r316111,r316112,r316171,r316279, r316280,r316287,r316311,r316343,r316424,r316436 r311458: Use compiler driver to link BERI boot loaders r312237: loader.efi: find_currdev() can leak memory r312314: loader: move device path definitions to include/efidevp.h r312374: loader: efi devpath api usage should be more aware of NULL pointers r312947: Remove "-Xassembler -G0" from CFLAGS. r313042: loader.efi environment related cleanups r313047: loader: disk/part api needs to use uint64_t offsets r313166: loader: libefi/env.c warnings in arm build r313328: loader: Implement disk_ioctl() to support DIOCGSECTORSIZE and DIOCGMEDIASIZE. r313332: loader: bcache read ahead block count should take account the large sectors r313333: loader: Replace EFI part devices. r313337: loader: 313329 missed ZFS guard in loader/main.c r313348: loader: biosdisk fix for 2+TB disks r313349: loader: disk io should not use alloca() r313389: efipart is also using the '%S' printf format, add -Wno-format for it. r313442: loader: possible NULL pointer dereference in efipart.c r313451: loader: possible NULL pointer dereference in bcache.c r313575: makefs: make the buffer functions look exactly like the kernel ones r313645: loader: implement MEDIA_FILEPATH_DP support in efipart r313710: loader: cstyle fixes and DIOCGMEDIASIZE should use uint64_t r314114: Use LDFLAGS with CC instead of _LDFLAGS. r314213: Remove control+r handling from geliboot's pwgets() r314275: Remove unused macro from common/drv.c. r314945: Some style(9) fixes. No functional changes. r314948: Try to extract the RFC1048 data from PXE. r315008: r314948 seems to be missing a variable or two that will break r315408: loader: remove open_disk cache r315427: loader: biosdisk should report IO error from INT13 r315645: loader: disk_cleanup was left in userboot_disk.c r315646: loader: pxe.h constants have wrong values r315648: libstand: verify value provided by nfs.read_size r315653: loader: verify the value from dhcp.interface-mtu and use snprintf o set mtu r315850: The original author abused Nd (one-line description, used by makewhatis) r316064: Fix build with path names with 'align' or 'nop' in them. r316078: gpt*boot: Save a bit more memory when LOADER_NO_GELI_SUPPORT is specified r316079: Simply retire the sedification of the boot2.s file. r316100: Remove -fno-guess-branch-probability and -fno-unit-at-a-time. r316104: Use `NO_WCAST_ALIGN` instead of spelling it out as -Wno-cast-align in CFLAGS r316111: loader: move bios getsecs into time.c r316112: loader: ls command should display file types properly r316171: xfsread inlined uses more space, so remove the inline tag. r316279: loader: efipart should check disk size from partition table r316280: loader: simplify efi_zfs_probe and avoid double probing for zfs. r316287: Remove OLD_NFSV2 from loader and libstand r316311: Add explicit_bzero() to libstand, and switch GELIBoot to using it r316343: Implement boot-time encryption key passing (keybuf) r316424: Fix sparc64 build broken by r316343 and r316076 r316436: Restore EFI boot environment functionality broken in r313333 PR: 216940 217298 217935 Changes: _U stable/11/ stable/11/lib/libstand/Makefile stable/11/lib/libstand/bootp.c stable/11/lib/libstand/bootp.h stable/11/lib/libstand/nfs.c stable/11/lib/libstand/nfsv2.h stable/11/lib/libstand/stand.h stable/11/sys/boot/common/bcache.c stable/11/sys/boot/common/bootstrap.h stable/11/sys/boot/common/dev_net.c stable/11/sys/boot/common/disk.c stable/11/sys/boot/common/disk.h stable/11/sys/boot/common/ls.c stable/11/sys/boot/common/part.c stable/11/sys/boot/common/part.h stable/11/sys/boot/efi/include/efidevp.h stable/11/sys/boot/efi/include/efilib.h stable/11/sys/boot/efi/libefi/Makefile stable/11/sys/boot/efi/libefi/devpath.c stable/11/sys/boot/efi/libefi/efinet.c stable/11/sys/boot/efi/libefi/efipart.c stable/11/sys/boot/efi/libefi/env.c stable/11/sys/boot/efi/libefi/wchar.c stable/11/sys/boot/efi/loader/conf.c stable/11/sys/boot/efi/loader/devicename.c stable/11/sys/boot/efi/loader/main.c stable/11/sys/boot/forth/beastie.4th.8 stable/11/sys/boot/forth/loader.4th stable/11/sys/boot/geli/Makefile stable/11/sys/boot/geli/geliboot.c stable/11/sys/boot/geli/geliboot.h stable/11/sys/boot/geli/geliboot_crypto.c stable/11/sys/boot/geli/geliboot_internal.h stable/11/sys/boot/geli/pwgets.c stable/11/sys/boot/i386/boot2/Makefile stable/11/sys/boot/i386/boot2/boot2.c stable/11/sys/boot/i386/btx/lib/btxv86.h stable/11/sys/boot/i386/common/bootargs.h stable/11/sys/boot/i386/common/drv.c stable/11/sys/boot/i386/gptboot/Makefile stable/11/sys/boot/i386/gptboot/gptboot.c stable/11/sys/boot/i386/gptzfsboot/Makefile stable/11/sys/boot/i386/libi386/bioscd.c stable/11/sys/boot/i386/libi386/biosdisk.c stable/11/sys/boot/i386/libi386/bootinfo32.c stable/11/sys/boot/i386/libi386/bootinfo64.c stable/11/sys/boot/i386/libi386/pxe.c stable/11/sys/boot/i386/libi386/pxe.h stable/11/sys/boot/i386/libi386/time.c stable/11/sys/boot/i386/loader/Makefile stable/11/sys/boot/i386/loader/main.c stable/11/sys/boot/i386/zfsboot/zfsboot.c stable/11/sys/boot/mips/beri/boot2/Makefile stable/11/sys/boot/mips/beri/common/common.ldscript stable/11/sys/boot/mips/beri/loader/beri_disk_cfi.c stable/11/sys/boot/mips/beri/loader/beri_disk_sdcard.c stable/11/sys/boot/mips/beri/loader/loader.ldscript stable/11/sys/boot/sparc64/loader/Makefile stable/11/sys/boot/uboot/lib/disk.c stable/11/sys/boot/usb/storage/umass_loader.c stable/11/sys/boot/userboot/userboot/userboot_disk.c stable/11/sys/boot/zfs/libzfs.h stable/11/sys/boot/zfs/zfs.c stable/11/sys/crypto/intake.h stable/11/sys/geom/eli/g_eli.c stable/11/sys/geom/eli/g_eli.h stable/11/sys/opencrypto/crypto.c stable/11/sys/sys/linker.h stable/11/usr.sbin/makefs/ffs/buf.c stable/11/usr.sbin/makefs/ffs/buf.h stable/11/usr.sbin/makefs/ffs/ffs_alloc.c stable/11/usr.sbin/makefs/ffs/ffs_balloc.c stable/11/usr.sbin/makefs/ffs.c |