oss-sec mailing list archives

Re: Re: Asserts considered harmful (or GMP spills its sensitive information)


From: Jeffrey Walton <noloader () gmail com>
Date: Wed, 2 Jan 2019 16:53:16 -0500

On Tue, Jan 1, 2019 at 7:42 AM Simon McVittie <smcv () debian org> wrote:

> On Tue, 01 Jan 2019 at 12:07:17 +0100, Niels Möller wrote:
> > A security sensitive application can easily disable generation of core
> > files, using setrlimit (on the linux kernel, prctl may also be useful).
>
> If you want to avoid core dumps being recorded on Linux in the presence of
> system configuration that writes them into a pipe to a command instead
> of to a core file (systemd-coredump, corekeeper, abrt, apport etc.,
> using a string starting with | in /proc/sys/kernel/core_pattern), then
> you need to use prctl PR_SET_DUMPABLE. Setting RLIMIT_CORE to 0 prevents
> the kernel from creating core dump files itself, but does not prevent
> it from writing them to pipes.

This is kind of interesting. It looks like systems running systemd
with coredumpctl store the dumps in journald. Systemd does not appear
to offer a way to clear them, so a '/var/log/journal/*/*' is needed.

$ cat coredump.c
#include <stdio.h>
#include <assert.h>

int main(int argc, char* argv[])
{
    char password[128];
    printf("Please enter your password:\n");
    if(fgets(password, sizeof(password), stdin) != NULL) {
        /* do some real work, detect an error condition, then... */
        assert(0);
    }

    return 0;
}


$ gcc coredump.c -o coredump.exe
$ ./coredump.exe
Please enter your password:
supersecretpassword
coredump.exe: coredump.c:11: main: Assertion `0' failed.
Aborted (core dumped)


$ coredumpctl list
TIME                            PID   UID   GID SIG COREFILE  EXE
Wed 2019-01-02 16:23:15 EST   10827  1000  1000   6 present   /home/jwalton/...


$ coredumpctl -o coredump.exe.core dump 10827
           PID: 10827 (coredump.exe)
           UID: 1000 (jwalton)
           GID: 1000 (jwalton)
        Signal: 6 (ABRT)


$ strings coredump.exe.core | grep supersecret
supersecretpassword
supersecretpassword
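
An added example, not code from this thread: the same password prompt with both controls discussed above (RLIMIT_CORE and PR_SET_DUMPABLE) applied before the secret is read, so that the assert no longer leaves a core in a file or in a piped collector. Linux is assumed; the helper names disable_core_dumps and core_dumps_disabled are made up for illustration.

```c
#include <assert.h>
#include <stdio.h>
#include <sys/prctl.h>
#include <sys/resource.h>

/* Hypothetical helper: returns 0 on success, -1 if a control failed. */
int disable_core_dumps(void)
{
    struct rlimit none = { 0, 0 };

    /* RLIMIT_CORE = 0 stops the kernel from writing a core file itself. */
    if (setrlimit(RLIMIT_CORE, &none) != 0)
        return -1;
    /* A core_pattern starting with '|' (systemd-coredump, abrt, apport)
       is only avoided by clearing the dumpable flag. */
    if (prctl(PR_SET_DUMPABLE, 0, 0, 0, 0) != 0)
        return -1;
    return 0;
}

/* Hypothetical helper: 1 when both controls are in effect, else 0. */
int core_dumps_disabled(void)
{
    struct rlimit cur;

    if (getrlimit(RLIMIT_CORE, &cur) != 0)
        return 0;
    return cur.rlim_cur == 0 && cur.rlim_max == 0 &&
           prctl(PR_GET_DUMPABLE, 0, 0, 0, 0) == 0;
}

int main(void)
{
    char password[128];

    /* Fail closed: never read the secret if dumps are still possible. */
    if (disable_core_dumps() != 0 || !core_dumps_disabled()) {
        perror("disable_core_dumps");
        return 1;
    }
    printf("Please enter your password:\n");
    if (fgets(password, sizeof(password), stdin) != NULL) {
        /* same failure path as coredump.c: abort() via assert */
        assert(0);
    }
    return 0;
}
```

With the dumpable flag cleared, the shell reports "Aborted" without "(core dumped)", and `coredumpctl list` gains no new entry for the process.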

