{"payload":{"feedbackUrl":"https://github.com/orgs/community/discussions/53140","repo":{"id":89053003,"defaultBranch":"master","name":"memguard","ownerLogin":"awnumar","currentUserCanPush":false,"isFork":false,"isEmpty":false,"createdAt":"2017-04-22T07:40:40.000Z","ownerAvatar":"https://avatars.githubusercontent.com/u/8942495?v=4","public":true,"private":false,"isOrgOwned":false},"refInfo":{"name":"","listCacheKey":"v0:1711653817.0","currentOid":""},"activityList":{"items":[{"before":"d212cd14e98248ee6db8843c47cfeb622d48af39","after":"0756fbecf50e2d736906eb6baf5117e28c4433b3","ref":"refs/heads/master","pushedAt":"2024-04-26T17:04:26.000Z","pushType":"push","commitsCount":1,"pusher":{"login":"awnumar","name":"Awn","path":"/awnumar","primaryAvatarUrl":"https://avatars.githubusercontent.com/u/8942495?s=80&v=4"},"commit":{"message":"Remove mention of finalizer from readme as it has been removed for the time being due to a dangerous edge-case.\n\nRelated to https://github.com/awnumar/memguard/pull/157","shortMessageHtmlLink":"Remove mention of finalizer from readme as it has been removed for th…"}},{"before":"4ed2841e9041c2c37e455b05446477445c0eaf07","after":"d212cd14e98248ee6db8843c47cfeb622d48af39","ref":"refs/heads/master","pushedAt":"2024-04-11T16:54:20.000Z","pushType":"pr_merge","commitsCount":1,"pusher":{"login":"awnumar","name":"Awn","path":"/awnumar","primaryAvatarUrl":"https://avatars.githubusercontent.com/u/8942495?s=80&v=4"},"commit":{"message":"Removes unneeded echo in .cirrus.yml CI script (#161)\n\nVery minor change","shortMessageHtmlLink":"Removes unneeded echo in .cirrus.yml CI script (<a class=\"issue-link js-issue-link\" data-error-text=\"Failed to load title\" data-id=\"2238007796\" data-permission-text=\"Title is private\" data-url=\"https://github.com/awnumar/memguard/issues/161\" data-hovercard-type=\"pull_request\" data-hovercard-url=\"/awnumar/memguard/pull/161/hovercard\" href=\"https://github.com/awnumar/memguard/pull/161\">#161</a>)"}},{"before":"763f8c737bfb60361ee2fae788121ecb35605419","after":"4ed2841e9041c2c37e455b05446477445c0eaf07","ref":"refs/heads/master","pushedAt":"2024-03-28T19:16:02.000Z","pushType":"pr_merge","commitsCount":1,"pusher":{"login":"awnumar","name":"Awn","path":"/awnumar","primaryAvatarUrl":"https://avatars.githubusercontent.com/u/8942495?s=80&v=4"},"commit":{"message":"Removes drop based finalizer (#157)\n\nThis PR addresses an issue in memguard where the go garbage collector\r\n(GC) will trigger the finalizer on a LockedBuffer, zeroing out and\r\nfreeing this buffer while the running code may still have a pointer to\r\nthis buffer. This can result in the code being run against partially or\r\nfully zero'd out memory.\r\n\r\nThis issue was originally privately disclosed to memguard and it was\r\nagreed that due to the minor security impact, a public PR should be\r\nopened to track one possible solution to this problem.\r\n \r\n\r\nThe Fix\r\n====\r\n\r\nWe fix this issue by removing the finalizer from the LockedBuffer. To\r\nwipe the LockedBuffer and free the associated memory the developer must\r\ncall `Destroy()`. This is a reasonable fix because memguard provides\r\nadditional security at the cost of requiring the developer managing this\r\nmemory. The finalizer on the LockedBuffer mixes the approach of placing\r\nthe responsibility on the developer with sometimes having the go GC also\r\nhandle this responsibility.\r\n\r\nThis fix simplifies this so that the developer is always responsible for\r\ncalling Destroy() on their LockedBuffer.\r\n\r\nThe Issue\r\n====\r\n\r\nConsider the following code:\r\n```go\r\n  dataToLock := []byte(`abcdefghijklmnopqrstuvwxyz`)\r\n  lb := memguard.NewBufferFromBytes(dataToLock)\r\n  lbBytes := lb.Bytes()\r\n  for i := 1; i < 30000; i++ {\r\n      fmt.Printf(\"i=%d, len(lbBytes)=%d, lbBytes=%d\\n\", i, len(lbBytes), lbBytes)\r\n      if lbBytes[0] != byte(97) {\r\n          fmt.Printf(\"error: i=%d, len(lbBytes)=%d, lbBytes=%d\\n\", i, len(lbBytes), lbBytes)\r\n      }\r\n   }\r\n```\r\n\r\nAt some point in the for loop lbBytes will eventually no longer equal\r\n'a' (97) but will have its value changed to 0x0. Soon afterwards\r\nattempts to write to lbBytes will result in a fault.\r\n\r\ni=9837, len(lbBytes)=26, lbBytes=[97 98 99 100 101 102 103 104 105 106\r\n107 108 109 110 111 112 113 114 115 116 117 118 119 120 121 122]\r\nunexpected fault address 0x29af8971fe6\r\nfatal error: fault\r\n[signal 0xc0000005 code=0x0 addr=0x29af8971fe6 pc=0x28fb0e]\r\n\r\nCause\r\n====\r\n\r\nWhen memguard creates a LockedBuffer, it associates a 16 byte value\r\nnamed drop with the LockedBuffer. This drop value acts as a standin for\r\nthe data in the LockedBuffer so that when the go garbage collector (GC)\r\ndetects there are zero references to the drop it calls the custom\r\nfinalizer on the drop value and then the finalizer called Destroy on the\r\nLockedBuffer which in turn deletes the data in the LockedBuffer and then\r\nfrees the page.\r\n\r\nhttps://github.com/awnumar/memguard/blob/master/buffer.go#L23C1-L35C2\r\n\r\nIn the above code, once you enter the for loop, the LockedBuffer is out\r\nof a scope and this means the drop is out of scope as well. When the\r\nGarbage Collector does a sweep, it will call the custom finalizer on the\r\ndrop, which will in turn delete the buffer, this will zero out lbBytes\r\nand then deallocate the memory for lbBytes.\r\n\r\nSince the timing of this depends on the GC (garbage collector) this can\r\nresult in:\r\n(a). no error (most of the time) :\r\n(b). a memory fault error (sometimes) ,\r\n(c). the buffer being fully or partially overwritten with zeros\r\n(rarely).\r\n\r\n(a) and (b) are likely not at all security critical, but the randomness\r\nand rareness of this occurring makes it a tricky problem to debug. It is\r\ncase (c) that could represent a security issue.\r\n\r\n(c) could be understood as working as intended since by zeroing out the\r\nbuffer when the LockedBuffer goes out of scope memguard achieves the\r\nfeature: \"Accidental memory leaks are mitigated against by harnessing\r\nthe garbage-collector to automatically destroy containers that have\r\nbecome unreachable\". However it can have a limited security impact (see\r\nbelow).\r\n\r\nSecurity impact\r\n====\r\n\r\nIf memguard LockedBuffers are used for keying material then encrypting a\r\nmessage with a secret key which is partially or fully changed to zero\r\nmay result in a loss of security. It may not be clear to an implementer\r\nthe security difference between:\r\n\r\n```go\r\n// This is insecure, very rarely you might get an all zero key\r\nkey := lb.Bytes()\r\nct := Encrypt(key, msg)\r\n```\r\n```go\r\n// This is secure\r\nct := Encrypt(lb.Bytes(), msg)\r\n```\r\n\r\nI consider the security impact here to be minimal because:\r\n1. Most projects create a LockedBuffer that lives in a struct that\r\nexists for the lifetime of the process so GC is never called until the\r\nprocess ends. Looking at all the projects that use memguard on github I\r\nwas unable to find a single one that this behavior would impact.\r\n2. If they are working with ephemeral secrets then they should be seting\r\n`defer lb.Destroy()` this prevents the GC from eating the buffer. The\r\ndefer keeps a reference to lb and GC isn't called until it leaves the\r\nfunction. I experimentally tested this.\r\n3. If they are not working with ephemeral secrets, but instead using the\r\nLockedBuffer to manage secrets needed through out the lifetime of the\r\nprocess, then the LockedBuffer shouldn't be garbage collected at all.","shortMessageHtmlLink":"Removes drop based finalizer (<a class=\"issue-link js-issue-link\" data-error-text=\"Failed to load title\" data-id=\"2189391453\" data-permission-text=\"Title is private\" data-url=\"https://github.com/awnumar/memguard/issues/157\" data-hovercard-type=\"pull_request\" data-hovercard-url=\"/awnumar/memguard/pull/157/hovercard\" href=\"https://github.com/awnumar/memguard/pull/157\">#157</a>)"}},{"before":"fce56aae03b85d0cb7a54b0704c9ed9414148677","after":"763f8c737bfb60361ee2fae788121ecb35605419","ref":"refs/heads/master","pushedAt":"2024-03-28T18:41:40.000Z","pushType":"pr_merge","commitsCount":1,"pusher":{"login":"awnumar","name":"Awn","path":"/awnumar","primaryAvatarUrl":"https://avatars.githubusercontent.com/u/8942495?s=80&v=4"},"commit":{"message":"Fixes windows and FreeBSD ci failures (#159)\n\n* Fixes windows ci failure\r\n\r\n* Attempting to figure out why gcc isn't getting found\r\n\r\n* Get more data\r\n\r\n* Tries to fix windows and freebsd\r\n\r\n* Moves echo\r\n\r\n* Update .cirrus.yml\r\n\r\n* Update .cirrus.yml","shortMessageHtmlLink":"Fixes windows and FreeBSD ci failures (<a class=\"issue-link js-issue-link\" data-error-text=\"Failed to load title\" data-id=\"2213808017\" data-permission-text=\"Title is private\" data-url=\"https://github.com/awnumar/memguard/issues/159\" data-hovercard-type=\"pull_request\" data-hovercard-url=\"/awnumar/memguard/pull/159/hovercard\" href=\"https://github.com/awnumar/memguard/pull/159\">#159</a>)"}},{"before":"8fbcea9daf8178f01f74944b7b056cec8aa2a42d","after":null,"ref":"refs/heads/patch-deadlock","pushedAt":"2023-12-04T10:29:02.000Z","pushType":"branch_deletion","commitsCount":0,"pusher":{"login":"awnumar","name":"Awn","path":"/awnumar","primaryAvatarUrl":"https://avatars.githubusercontent.com/u/8942495?s=80&v=4"}},{"before":"78a7ad6afa56e665c0e183d68f05601cc551e798","after":"fce56aae03b85d0cb7a54b0704c9ed9414148677","ref":"refs/heads/master","pushedAt":"2023-12-04T10:28:59.000Z","pushType":"pr_merge","commitsCount":1,"pusher":{"login":"awnumar","name":"Awn","path":"/awnumar","primaryAvatarUrl":"https://avatars.githubusercontent.com/u/8942495?s=80&v=4"},"commit":{"message":"Fix deadlock when Panic is called during Purge (#156)","shortMessageHtmlLink":"Fix deadlock when Panic is called during Purge (<a class=\"issue-link js-issue-link\" data-error-text=\"Failed to load title\" data-id=\"1999089671\" data-permission-text=\"Title is private\" data-url=\"https://github.com/awnumar/memguard/issues/156\" data-hovercard-type=\"pull_request\" data-hovercard-url=\"/awnumar/memguard/pull/156/hovercard\" href=\"https://github.com/awnumar/memguard/pull/156\">#156</a>)"}},{"before":"716e98c469c3e996e9636ed489d1b9de76a57cd3","after":"8fbcea9daf8178f01f74944b7b056cec8aa2a42d","ref":"refs/heads/patch-deadlock","pushedAt":"2023-11-27T23:43:19.000Z","pushType":"force_push","commitsCount":0,"pusher":{"login":"awnumar","name":"Awn","path":"/awnumar","primaryAvatarUrl":"https://avatars.githubusercontent.com/u/8942495?s=80&v=4"},"commit":{"message":"Don't create new enclave during Purge","shortMessageHtmlLink":"Don't create new enclave during Purge"}},{"before":"f8a2722593ad01ad4df088ab30e4787f8aa37ad1","after":"78a7ad6afa56e665c0e183d68f05601cc551e798","ref":"refs/heads/master","pushedAt":"2023-11-27T23:39:16.000Z","pushType":"push","commitsCount":1,"pusher":{"login":"awnumar","name":"Awn","path":"/awnumar","primaryAvatarUrl":"https://avatars.githubusercontent.com/u/8942495?s=80&v=4"},"commit":{"message":"Update to latest memcall","shortMessageHtmlLink":"Update to latest memcall"}},{"before":"a449735905d04c34e2d05ba175d1b8b7ff5d2482","after":"716e98c469c3e996e9636ed489d1b9de76a57cd3","ref":"refs/heads/patch-deadlock","pushedAt":"2023-11-27T23:27:59.000Z","pushType":"push","commitsCount":1,"pusher":{"login":"awnumar","name":"Awn","path":"/awnumar","primaryAvatarUrl":"https://avatars.githubusercontent.com/u/8942495?s=80&v=4"},"commit":{"message":"Don't create new enclave during Purge","shortMessageHtmlLink":"Don't create new enclave during Purge"}},{"before":"d04de60eda1966d9fbafab144017f137ab18c675","after":"a449735905d04c34e2d05ba175d1b8b7ff5d2482","ref":"refs/heads/patch-deadlock","pushedAt":"2023-11-27T23:21:54.000Z","pushType":"push","commitsCount":3,"pusher":{"login":"awnumar","name":"Awn","path":"/awnumar","primaryAvatarUrl":"https://avatars.githubusercontent.com/u/8942495?s=80&v=4"},"commit":{"message":"Remove Enclave init test since there's not init anymore","shortMessageHtmlLink":"Remove Enclave init test since there's not init anymore"}},{"before":"cdf9c319c8ef76be568781b5d65e29a4c1b2584d","after":"d04de60eda1966d9fbafab144017f137ab18c675","ref":"refs/heads/patch-deadlock","pushedAt":"2023-11-17T13:10:32.000Z","pushType":"push","commitsCount":1,"pusher":{"login":"awnumar","name":"Awn","path":"/awnumar","primaryAvatarUrl":"https://avatars.githubusercontent.com/u/8942495?s=80&v=4"},"commit":{"message":"Only build x02 POC on linux","shortMessageHtmlLink":"Only build x02 POC on linux"}},{"before":null,"after":"cdf9c319c8ef76be568781b5d65e29a4c1b2584d","ref":"refs/heads/patch-deadlock","pushedAt":"2023-11-17T13:03:22.000Z","pushType":"branch_creation","commitsCount":0,"pusher":{"login":"awnumar","name":"Awn","path":"/awnumar","primaryAvatarUrl":"https://avatars.githubusercontent.com/u/8942495?s=80&v=4"},"commit":{"message":"Don't auto-create new key during Purge","shortMessageHtmlLink":"Don't auto-create new key during Purge"}},{"before":"fa1ba104bbea6fc4f84760407a2b2102dc9b6a2d","after":null,"ref":"refs/heads/fix-ci","pushedAt":"2023-09-10T19:53:03.000Z","pushType":"branch_deletion","commitsCount":0,"pusher":{"login":"awnumar","name":"Awn","path":"/awnumar","primaryAvatarUrl":"https://avatars.githubusercontent.com/u/8942495?s=80&v=4"}},{"before":"aebdcd0142865569835b1020f831694323c023ec","after":"f8a2722593ad01ad4df088ab30e4787f8aa37ad1","ref":"refs/heads/master","pushedAt":"2023-09-10T19:53:00.000Z","pushType":"pr_merge","commitsCount":1,"pusher":{"login":"awnumar","name":"Awn","path":"/awnumar","primaryAvatarUrl":"https://avatars.githubusercontent.com/u/8942495?s=80&v=4"},"commit":{"message":"fix ci (#152)","shortMessageHtmlLink":"fix ci (<a class=\"issue-link js-issue-link\" data-error-text=\"Failed to load title\" data-id=\"1889289611\" data-permission-text=\"Title is private\" data-url=\"https://github.com/awnumar/memguard/issues/152\" data-hovercard-type=\"pull_request\" data-hovercard-url=\"/awnumar/memguard/pull/152/hovercard\" href=\"https://github.com/awnumar/memguard/pull/152\">#152</a>)"}},{"before":"ad054c7c81779ef88bc293509bc9172e380f0a84","after":"fa1ba104bbea6fc4f84760407a2b2102dc9b6a2d","ref":"refs/heads/fix-ci","pushedAt":"2023-09-10T19:10:50.000Z","pushType":"force_push","commitsCount":0,"pusher":{"login":"awnumar","name":"Awn","path":"/awnumar","primaryAvatarUrl":"https://avatars.githubusercontent.com/u/8942495?s=80&v=4"},"commit":{"message":"fix ci","shortMessageHtmlLink":"fix ci"}},{"before":"3b77f3192601bbb3ec2fc8ba859875345114a0f2","after":"ad054c7c81779ef88bc293509bc9172e380f0a84","ref":"refs/heads/fix-ci","pushedAt":"2023-09-10T19:09:10.000Z","pushType":"force_push","commitsCount":0,"pusher":{"login":"awnumar","name":"Awn","path":"/awnumar","primaryAvatarUrl":"https://avatars.githubusercontent.com/u/8942495?s=80&v=4"},"commit":{"message":"fix ci","shortMessageHtmlLink":"fix ci"}},{"before":null,"after":"3b77f3192601bbb3ec2fc8ba859875345114a0f2","ref":"refs/heads/fix-ci","pushedAt":"2023-09-10T19:05:15.000Z","pushType":"branch_creation","commitsCount":0,"pusher":{"login":"awnumar","name":"Awn","path":"/awnumar","primaryAvatarUrl":"https://avatars.githubusercontent.com/u/8942495?s=80&v=4"},"commit":{"message":"fix ci","shortMessageHtmlLink":"fix ci"}},{"before":"7bd0761962d5a4222846d539427ce9e792290ec5","after":"aebdcd0142865569835b1020f831694323c023ec","ref":"refs/heads/master","pushedAt":"2023-09-10T18:51:22.000Z","pushType":"push","commitsCount":1,"pusher":{"login":"awnumar","name":"Awn","path":"/awnumar","primaryAvatarUrl":"https://avatars.githubusercontent.com/u/8942495?s=80&v=4"},"commit":{"message":"Update dependencies","shortMessageHtmlLink":"Update dependencies"}},{"before":"9572d00f575940afe48d6de81934ebbcd058a297","after":"7bd0761962d5a4222846d539427ce9e792290ec5","ref":"refs/heads/master","pushedAt":"2023-05-31T13:10:37.987Z","pushType":"pr_merge","commitsCount":1,"pusher":{"login":"awnumar","name":"Awn","path":"/awnumar","primaryAvatarUrl":"https://avatars.githubusercontent.com/u/8942495?s=80&v=4"},"commit":{"message":"Update dependencies, removal of deprecated funcs (#145)\n\n* Dependabot support, update dependencies, removal of deprecated funcs\r\n\r\nSigned-off-by: Juan Calderon-Perez <jgcalderonperez@protonmail.com>\r\n\r\n* Delete dependabot.yml\r\n\r\n---------\r\n\r\nSigned-off-by: Juan Calderon-Perez <jgcalderonperez@protonmail.com>","shortMessageHtmlLink":"Update dependencies, removal of deprecated funcs (<a class=\"issue-link js-issue-link\" data-error-text=\"Failed to load title\" data-id=\"1561664519\" data-permission-text=\"Title is private\" data-url=\"https://github.com/awnumar/memguard/issues/145\" data-hovercard-type=\"pull_request\" data-hovercard-url=\"/awnumar/memguard/pull/145/hovercard\" href=\"https://github.com/awnumar/memguard/pull/145\">#145</a>)"}}],"hasNextPage":false,"hasPreviousPage":false,"activityType":"all","actor":null,"timePeriod":"all","sort":"DESC","perPage":30,"cursor":"djE6ks8AAAAEO17Q_wA","startCursor":null,"endCursor":null}},"title":"Activity · awnumar/memguard"}