Use explicit_bzero

Use the explicit_bzero() function in places where it is important that
security information such as passwords is cleared from memory.  There
might be other places where it could be useful; this is just an
initial collection.

For platforms that don't have explicit_bzero(), provide various
fallback implementations.  (explicit_bzero() itself isn't standard,
but as Linux/glibc, FreeBSD, and OpenBSD have it, it's the most common
spelling, so it makes sense to make that the invocation point.)

Discussion: https://www.postgresql.org/message-id/flat/42d26bde-5d5b-c90d-87ae-6cab875f73be%402ndquadrant.com

7 files changed, 83 insertions, 1 deletions

diff --git a/src/backend/libpq/be-secure-common.c b/src/backend/libpq/be-secure-common.c
index e8f27bc7825..d801929ea28 100644
--- a/src/backend/libpq/be-secure-common.c
+++ b/src/backend/libpq/be-secure-common.c
@@ -87,6 +87,7 @@ run_ssl_passphrase_command(const char *prompt, bool is_server_start, char *buf,
 	{
 		if (ferror(fh))
 		{
+			explicit_bzero(buf, size);
 			ereport(loglevel,
 					(errcode_for_file_access(),
 					 errmsg("could not read from command \"%s\": %m",
@@ -98,6 +99,7 @@ run_ssl_passphrase_command(const char *prompt, bool is_server_start, char *buf,
 	pclose_rc = ClosePipeStream(fh);
 	if (pclose_rc == -1)
 	{
+		explicit_bzero(buf, size);
 		ereport(loglevel,
 				(errcode_for_file_access(),
 				 errmsg("could not close pipe to external command: %m")));
@@ -105,6 +107,7 @@ run_ssl_passphrase_command(const char *prompt, bool is_server_start, char *buf,
 	}
 	else if (pclose_rc != 0)
 	{
+		explicit_bzero(buf, size);
 		ereport(loglevel,
 				(errcode_for_file_access(),
 				 errmsg("command \"%s\" failed",
diff --git a/src/include/pg_config.h.in b/src/include/pg_config.h.in
index d876926c21a..c6014e83fa8 100644
--- a/src/include/pg_config.h.in
+++ b/src/include/pg_config.h.in
@@ -195,6 +195,9 @@
 /* Define to 1 if you have the <editline/readline.h> header file. */
 #undef HAVE_EDITLINE_READLINE_H
 
+/* Define to 1 if you have the `explicit_bzero' function. */
+#undef HAVE_EXPLICIT_BZERO
+
 /* Define to 1 if you have the `fdatasync' function. */
 #undef HAVE_FDATASYNC
 
@@ -395,6 +398,9 @@
 /* Define to 1 if you have the <memory.h> header file. */
 #undef HAVE_MEMORY_H
 
+/* Define to 1 if you have the `memset_s' function. */
+#undef HAVE_MEMSET_S
+
 /* Define to 1 if the system has the type `MINIDUMP_TYPE'. */
 #undef HAVE_MINIDUMP_TYPE
 
diff --git a/src/include/pg_config.h.win32 b/src/include/pg_config.h.win32
index fc50528590a..5bbf476990f 100644
--- a/src/include/pg_config.h.win32
+++ b/src/include/pg_config.h.win32
@@ -153,6 +153,9 @@
 /* Define to 1 if you have the <editline/readline.h> header file. */
 /* #undef HAVE_EDITLINE_READLINE_H */
 
+/* Define to 1 if you have the `explicit_bzero' function. */
+/* #undef HAVE_EXPLICIT_BZERO */
+
 /* Define to 1 if you have the `fdatasync' function. */
 /* #undef HAVE_FDATASYNC */
 
@@ -283,6 +286,9 @@
 /* Define to 1 if you have the <memory.h> header file. */
 #define HAVE_MEMORY_H 1
 
+/* Define to 1 if you have the `memset_s' function. */
+/* #undef HAVE_MEMSET_S */
+
 /* Define to 1 if the system has the type `MINIDUMP_TYPE'. */
 #define HAVE_MINIDUMP_TYPE 1
 
diff --git a/src/include/port.h b/src/include/port.h
index 55619d893ce..30b6378ae56 100644
--- a/src/include/port.h
+++ b/src/include/port.h
@@ -378,6 +378,10 @@ extern int	isinf(double x);
 #endif							/* __clang__ && !__cplusplus */
 #endif							/* !HAVE_ISINF */
 
+#ifndef HAVE_EXPLICIT_BZERO
+extern void explicit_bzero(void *buf, size_t len);
+#endif
+
 #ifndef HAVE_STRTOF
 extern float strtof(const char *nptr, char **endptr);
 #endif
diff --git a/src/interfaces/libpq/fe-connect.c b/src/interfaces/libpq/fe-connect.c
index 7f1fd2f45eb..9a5aa1a3c5f 100644
--- a/src/interfaces/libpq/fe-connect.c
+++ b/src/interfaces/libpq/fe-connect.c
@@ -3885,7 +3885,10 @@ freePGconn(PGconn *conn)
 			if (conn->connhost[i].port != NULL)
 				free(conn->connhost[i].port);
 			if (conn->connhost[i].password != NULL)
+			{
+				explicit_bzero(conn->connhost[i].password, strlen(conn->connhost[i].password));
 				free(conn->connhost[i].password);
+			}
 		}
 		free(conn->connhost);
 	}
@@ -3919,7 +3922,10 @@ freePGconn(PGconn *conn)
 	if (conn->pguser)
 		free(conn->pguser);
 	if (conn->pgpass)
+	{
+		explicit_bzero(conn->pgpass, strlen(conn->pgpass));
 		free(conn->pgpass);
+	}
 	if (conn->pgpassfile)
 		free(conn->pgpassfile);
 	if (conn->keepalives)
@@ -6931,6 +6937,7 @@ passwordFromFile(const char *hostname, const char *port, const char *dbname,
 		if (!ret)
 		{
 			/* Out of memory. XXX: an error message would be nice. */
+			explicit_bzero(buf, sizeof(buf));
 			return NULL;
 		}
 
@@ -6947,6 +6954,7 @@ passwordFromFile(const char *hostname, const char *port, const char *dbname,
 	}
 
 	fclose(fp);
+	explicit_bzero(buf, sizeof(buf));
 	return NULL;
 
 #undef LINELEN
diff --git a/src/port/explicit_bzero.c b/src/port/explicit_bzero.c
new file mode 100644
index 00000000000..7e7f24ef97e
--- /dev/null
+++ b/src/port/explicit_bzero.c
@@ -0,0 +1,55 @@
+/*-------------------------------------------------------------------------
+ *
+ * explicit_bzero.c
+ *
+ * Portions Copyright (c) 1996-2019, PostgreSQL Global Development Group
+ * Portions Copyright (c) 1994, Regents of the University of California
+ *
+ *
+ * IDENTIFICATION
+ *	  src/port/explicit_bzero.c
+ *
+ *-------------------------------------------------------------------------
+ */
+
+#include "c.h"
+
+#if defined(HAVE_MEMSET_S)
+
+void
+explicit_bzero(void *buf, size_t len)
+{
+	(void) memset_s(buf, len, 0, len);
+}
+
+#elif defined(WIN32)
+
+void
+explicit_bzero(void *buf, size_t len)
+{
+	(void) SecureZeroMemory(buf, len);
+}
+
+#else
+
+/*
+ * Indirect call through a volatile pointer to hopefully avoid dead-store
+ * optimisation eliminating the call.  (Idea taken from OpenSSH.)  We can't
+ * assume bzero() is present either, so for simplicity we define our own.
+ */
+
+static void
+bzero2(void *buf, size_t len)
+{
+	memset(buf, 0, len);
+}
+
+static void (* volatile bzero_p)(void *, size_t) = bzero2;
+
+void
+explicit_bzero(void *buf, size_t len)
+{
+	bzero_p(buf, len);
+}
+
+#endif
diff --git a/src/tools/msvc/Mkvcbuild.pm b/src/tools/msvc/Mkvcbuild.pm
index 2eab635898f..239f13cc122 100644
--- a/src/tools/msvc/Mkvcbuild.pm
+++ b/src/tools/msvc/Mkvcbuild.pm
@@ -93,7 +93,7 @@ sub mkvcbuild
 	$solution = CreateSolution($vsVersion, $config);
 
 	our @pgportfiles = qw(
-	  chklocale.c fls.c fseeko.c getrusage.c inet_aton.c random.c
+	  chklocale.c explicit_bzero.c fls.c fseeko.c getrusage.c inet_aton.c random.c
 	  srandom.c getaddrinfo.c gettimeofday.c inet_net_ntop.c kill.c open.c
 	  erand48.c snprintf.c strlcat.c strlcpy.c dirmod.c noblock.c path.c
 	  dirent.c dlopen.c getopt.c getopt_long.c