From fb813abe5c130d03fa516cb82d43973f73cb5fa7 Mon Sep 17 00:00:00 2001 From: Matthew Garrett Date: Fri, 19 Apr 2019 13:08:32 -0700 Subject: [PATCH] egg: Request that secure memory not be dumped to disk Linux 3.4 added support for the MADV_DONTDUMP option to madvise(), which requests that the covered memory not be included in coredumps. It makes sense to use this to prevent cases where application crashes could result in secrets being persisted to disk or included in dumps that are uploaded to remote servers for analysis. I've avoided making this fatal since there's a chance this code could be built on systems that have MADV_DONTDUMP but run on systems that don't. --- egg/egg-secure-memory.c | 13 +++++++++++++ 1 file changed, 13 insertions(+) diff --git a/egg/egg-secure-memory.c b/egg/egg-secure-memory.c index bc82184..ed6fbcc 100644 --- a/egg/egg-secure-memory.c +++ b/egg/egg-secure-memory.c @@ -885,6 +885,19 @@ sec_acquire_pages (size_t *sz, DEBUG_ALLOC ("gkr-secure-memory: new block ", *sz); +#if defined(MADV_DONTDUMP) + if (madvise (pages, *sz, MADV_DONTDUMP) < 0) { + if (show_warning && egg_secure_warnings) { + /* + * Not fatal - this was added in Linux 3.4 and older + * kernels will legitimately fail this at runtime + */ + fprintf (stderr, "couldn't MADV_DONTDUMP %lu bytes of memory (%s): %s\n", + (unsigned long)*sz, during_tag, strerror (errno)); + } + } +#endif + show_warning = 1; return pages;