pam_tcb: do not use deprecated _pam_overwrite macro

ldv-alt · solardiz · commit 19eb3e912622 · 2024-10-20T19:11:00.000+02:00
As Linux-PAM v1.5.3 deprecated this macro, follow the Linux-PAM example
by introducing an internal pam_tcb_overwrite_string macro and using it
instead of _pam_overwrite.

This fixes -Werror build with Linux-PAM &gt;= 1.5.3.
diff --git a/ChangeLog b/ChangeLog
@@ -1,5 +1,10 @@
 2024-10-17  Dmitry V. Levin  <ldv at owl.openwall.com>
 
+	pam_tcb: Do not use deprecated _pam_overwrite macro.
+	* pam_tcb/support.h (pam_tcb_overwrite_string): New macro.
+	(_pam_delete): Replace _pam_overwrite with pam_tcb_overwrite_string.
+	* pam_tcb/pam_unix_passwd.c (pam_sm_chauthtok): Likewise.
+
 	pam_tcb: Use _pam_delete in the compat implementation of pam_prompt.
 	* pam_tcb/compat.c (pam_prompt): Use _pam_delete instead of
 	_pam_overwrite followed by _pam_drop.
diff --git a/pam_tcb/pam_unix_passwd.c b/pam_tcb/pam_unix_passwd.c
@@ -547,11 +547,11 @@ PAM_EXTERN int pam_sm_chauthtok(pam_handle_t *pamh, int flags,
 		retval = unix_approve_pass(pamh, oldpass, newpass);
 	}
 
-	_pam_overwrite((char *)oldpass);
+	pam_tcb_overwrite_string((char *)oldpass);
 
 	if (retval != PAM_SUCCESS) {
 		pam_syslog(pamh, LOG_NOTICE, "New password not acceptable");
-		_pam_overwrite((char *)newpass);
+		pam_tcb_overwrite_string((char *)newpass);
 		return retval;
 	}
 
@@ -562,7 +562,7 @@ PAM_EXTERN int pam_sm_chauthtok(pam_handle_t *pamh, int flags,
 
 	/* First we hash the new password and forget the plaintext. */
 	newhash = do_crypt(pamh, newpass);
-	_pam_overwrite((char *)newpass);
+	pam_tcb_overwrite_string((char *)newpass);
 
 	D(("password processed"));
 
diff --git a/pam_tcb/support.h b/pam_tcb/support.h
@@ -147,10 +147,19 @@ struct unix_verify_password_param {
 	const char *pass;
 };
 
+#define pam_tcb_overwrite_string(xx)					\
+{									\
+	void *xx__ = xx;						\
+	if (xx__) {							\
+		xx__ = memset(xx__, '\0', strlen(xx__));		\
+		__asm__ __volatile__ ("" : : "r"(xx__) : "memory");	\
+	}								\
+}
+
 /* use this to free strings, ESPECIALLY password strings */
 #define _pam_delete(xx) \
 { \
-	_pam_overwrite(xx); \
+	pam_tcb_overwrite_string(xx); \
 	_pam_drop(xx); \
 }
 
