Stop copying password into insecure memory when getting entry (#795617)

The underlying C coded Gtk Entry widget is careful to zero memory after use, allowing the widget to be safely used for password entry [1]. However the C++ method Gtk::Entry::get_text() just takes the underlying C string from the Gtk Entry widget and copies it when constructing a Glib::ustring for the return value [2]. So directly use the Gtk/C API to get the C string instead. [1] https://git.gnome.org/browse/gtk+/tree/gtk/gtkentrybuffer.c?h=3.22.28#n92 See function trash_area() which zeros memory and its use in gtk_entry_buffer_normal_insert_text(), gtk_entry_buffer_normal_delete_text() and gtk_entry_buffer_finalize(). [2] https://git.gnome.org/browse/gtkmm/tree/gtk/src/entry.hg?h=3.22.2#n104 _WRAP_METHOD(Glib::ustring get_text() const, gtk_entry_get_text) https://git.gnome.org/browse/glibmm/tree/docs/internal/using_gmmproc.txt?h=2.46.1#n53 _WRAP_METHOD(Glib::ustring METHOD const, FUNC) is processed to: Glib::ustring METHOD() const { return Glib::convert_const_gchar_ptr_to_ustring( FUNC(const_cast<GtkEntry*>(gobj()))); } https://git.gnome.org/browse/glibmm/tree/glib/glibmm/utility.h?h=2.46.1#n82 Glib::ustring convert_const_gchar_ptr_to_ustring(const char* str) { return (str) ? Glib::ustring(str) : Glib::ustring(); } So Gtk::Entry::get_text() calls Glib::ustring() constructor which copies the C string to create the Glib::ustring object returned. Bug 795617 - Implement opening and closing of LUKS mappings
2018-03-22 17:12:45 +00:00 · 2018-03-22 17:12:45 +00:00 · 3d49fdc2e4
parent 307472489d
commit 3d49fdc2e4
3 changed files with 8 additions and 5 deletions
--- a/include/DialogPasswordEntry.h
+++ b/include/DialogPasswordEntry.h
@ -20,7 +20,6 @@
 #include "Partition.h"

 #include <gtkmm/dialog.h>
-#include <glibmm/ustring.h>
 #include <gtkmm/entry.h>

 namespace GParted
@ -31,7 +30,7 @@ class DialogPasswordEntry : public Gtk::Dialog
 public:
 	DialogPasswordEntry( const Partition & partition );
 	~DialogPasswordEntry();
-	Glib::ustring get_password();
+	const char * get_password();

 private:
 	Gtk::Entry *entry;
--- a/src/DialogPasswordEntry.cc
+++ b/src/DialogPasswordEntry.cc
@ -20,6 +20,7 @@
 #include <glibmm/ustring.h>
 #include <gtkmm/box.h>
 #include <gtkmm/stock.h>
+#include <gtk/gtkentry.h>

 namespace GParted
 {
@ -68,9 +69,12 @@ DialogPasswordEntry::~DialogPasswordEntry()
 {
 }

-Glib::ustring DialogPasswordEntry::get_password()
+const char * DialogPasswordEntry::get_password()
 {
-	return Glib::ustring( entry->get_text() );
+	// Avoid using the gtkmm C++ entry->get_text() because that constructs a
+	// Glib::ustring, copying the password from the underlying C GtkEntry object into
+	// an unsecured malloced chunk of memory.
+	return (const char *)gtk_entry_get_text( GTK_ENTRY( entry->gobj() ) );
 }

 } //GParted
--- a/src/Win_GParted.cc
+++ b/src/Win_GParted.cc
@ -2563,7 +2563,7 @@ void Win_GParted::toggle_crypt_busy_state()
 					return;

 				success = open_encrypted_partition( *selected_partition_ptr,
-				                                    dialog.get_password().c_str(),
+				                                    dialog.get_password(),
 				                                    error_msg );
 			} while ( ! success );
 		}