diff options
author | Daiki Ueno <dueno@redhat.com> | 2020-03-31 06:58:48 +0200 |
---|---|---|
committer | Daiki Ueno <dueno@redhat.com> | 2020-04-04 06:10:45 +0200 |
commit | 50ad8778a81f9421effa4c5a3b457f98e559b178 (patch) | |
tree | 9218655da18732912b7f3808966fbac4053f5fcd | |
parent | 5c08aeda8f7c6453e43998fff5b528045d2b32a9 (diff) | |
download | gnutls-tmp-valgrind-memcheck.tar.gz |
build: use valgrind client request to detect undefined memory usetmp-valgrind-memcheck
This tightens the check introduced in
ac2f71b892d13a7ab4cc39086eef179042c7e23c, by using the valgrind client
request to explicitly mark the "uninitialized but initialization is
needed before use" regions. With this patch and the
fix (c01011c2d8533dbbbe754e49e256c109cb848d0d) reverted, you will see
the following error when running dtls_hello_random_value under
valgrind:
$ valgrind ./dtls_hello_random_value
testing: default
==520145== Conditional jump or move depends on uninitialised value(s)
==520145== at 0x4025F5: hello_callback (dtls_hello_random_value.c:90)
==520145== by 0x488BF97: _gnutls_call_hook_func (handshake.c:1215)
==520145== by 0x488C1AA: _gnutls_send_handshake2 (handshake.c:1332)
==520145== by 0x488FC7E: send_client_hello (handshake.c:2290)
==520145== by 0x48902A1: handshake_client (handshake.c:2908)
==520145== by 0x48902A1: gnutls_handshake (handshake.c:2740)
==520145== by 0x402CB3: client (dtls_hello_random_value.c:153)
==520145== by 0x402CB3: start (dtls_hello_random_value.c:317)
==520145== by 0x402EFE: doit (dtls_hello_random_value.c:331)
==520145== by 0x4023D4: main (utils.c:254)
==520145==
Signed-off-by: Daiki Ueno <dueno@redhat.com>
-rw-r--r-- | configure.ac | 2 | ||||
-rw-r--r-- | lib/handshake.c | 15 | ||||
-rw-r--r-- | lib/state.c | 21 |
3 files changed, 35 insertions, 3 deletions
diff --git a/configure.ac b/configure.ac index 172cf429e4..12da283430 100644 --- a/configure.ac +++ b/configure.ac @@ -233,6 +233,8 @@ AS_IF([test "$ac_cv_search___atomic_load_4" = "none required" || test "$ac_cv_se dnl We use its presence to detect C11 threads AC_CHECK_HEADERS([threads.h]) +AC_CHECK_HEADERS([valgrind/memcheck.h]) + AC_ARG_ENABLE(padlock, AS_HELP_STRING([--disable-padlock], [unconditionally disable padlock acceleration]), use_padlock=$enableval) diff --git a/lib/handshake.c b/lib/handshake.c index 84a0e52101..8d58fa48e7 100644 --- a/lib/handshake.c +++ b/lib/handshake.c @@ -57,6 +57,9 @@ #include "secrets.h" #include "tls13/session_ticket.h" #include "locks.h" +#ifdef HAVE_VALGRIND_MEMCHECK_H +#include <valgrind/memcheck.h> +#endif #define TRUE 1 #define FALSE 0 @@ -242,6 +245,12 @@ int _gnutls_gen_client_random(gnutls_session_t session) return gnutls_assert_val(ret); } +#ifdef HAVE_VALGRIND_MEMCHECK_H + if (RUNNING_ON_VALGRIND) + VALGRIND_MAKE_MEM_DEFINED(session->security_parameters.client_random, + GNUTLS_RANDOM_SIZE); +#endif + return 0; } @@ -320,6 +329,12 @@ int _gnutls_gen_server_random(gnutls_session_t session, int version) return ret; } +#ifdef HAVE_VALGRIND_MEMCHECK_H + if (RUNNING_ON_VALGRIND) + VALGRIND_MAKE_MEM_DEFINED(session->security_parameters.server_random, + GNUTLS_RANDOM_SIZE); +#endif + return 0; } diff --git a/lib/state.c b/lib/state.c index 0e1d155442..98900c171f 100644 --- a/lib/state.c +++ b/lib/state.c @@ -55,6 +55,9 @@ #include "ext/cert_types.h" #include "locks.h" #include "kx.h" +#ifdef HAVE_VALGRIND_MEMCHECK_H +#include <valgrind/memcheck.h> +#endif /* to be used by supplemental data support to disable TLS1.3 * when supplemental data have been globally registered */ @@ -564,10 +567,22 @@ int gnutls_init(gnutls_session_t * session, unsigned int flags) UINT32_MAX; } - /* everything else not initialized here is initialized - * as NULL or 0. This is why calloc is used. + /* Everything else not initialized here is initialized as NULL + * or 0. This is why calloc is used. However, we want to + * ensure that certain portions of data are initialized at + * runtime before being used. Mark such regions with a + * valgrind client request as undefined. */ - +#ifdef HAVE_VALGRIND_MEMCHECK_H + if (RUNNING_ON_VALGRIND) { + if (flags & GNUTLS_CLIENT) + VALGRIND_MAKE_MEM_UNDEFINED((*session)->security_parameters.client_random, + GNUTLS_RANDOM_SIZE); + if (flags & GNUTLS_SERVER) + VALGRIND_MAKE_MEM_UNDEFINED((*session)->security_parameters.server_random, + GNUTLS_RANDOM_SIZE); + } +#endif handshake_internal_state_clear1(*session); #ifdef HAVE_WRITEV |