[SERVER-46630] RemoveSaver writes GCM tag to incorrect file position Created: 04/Mar/20 Updated: 29/Oct/23 Resolved: 09/Mar/20 |
|
| Status: | Closed |
| Project: | Core Server |
| Component/s: | None |
| Affects Version/s: | None |
| Fix Version/s: | 4.2.5, 4.0.17, 4.4.0-rc0, 4.7.0 |
| Type: | Bug | Priority: | Major - P3 |
| Reporter: | Sara Golemon | Assignee: | Sara Golemon |
| Resolution: | Fixed | Votes: | 0 |
| Labels: | None | ||
| Remaining Estimate: | Not Specified | ||
| Time Spent: | Not Specified | ||
| Original Estimate: | Not Specified | ||
| Issue Links: |
|
||||
| Backwards Compatibility: | Fully Compatible | ||||
| Operating System: | ALL | ||||
| Backport Requested: | v4.4, v4.2, v4.0, v3.6 | ||||
| Sprint: | Security 2020-03-09, Security 2020-03-23 | ||||
| Participants: | |||||
| Description |
|
In https://github.com/mongodb/mongo/blob/82424b742342d4b35cf10eb9d471984d1e805210/src/mongo/db/storage/remove_saver.cpp#L123 the output file pointer is reset to 0 to write the calculated GCM tag after the file has been encrypted. Unfortunately, the tag should appear at offset 1. Writing the tag here will prevent easy decryption as the contents will appear to contain an invalid version, and the tag will be invalid. Note that incorrectly written saver files may still be recovered by moving the tag bytes forward by one, and writing a zero to the version byte. A fix should include creating a protector API for requesting tag offset (rather than hardcoding to 1) and moving the write as a whole behind a check for tag size (if it's zero, then there's no tag to write, e.g. CBC mode). |
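The manual recovery described above, as an added Python example (not code from the MongoDB project): it moves the tag from offset 0 to offset 1 and writes a zero version byte. The ticket does not state the tag length, so `tag_len` is a caller-supplied assumption, and the sample bytes are constructed for illustration.

```python
import sys

VERSION_BYTE = 0  # the ticket says the version byte should be zero
TAG_OFFSET = 1    # the ticket says the tag belongs at offset 1

# Constructed sample, not real data: an assumed 12-byte tag written at
# offset 0, one leftover header byte, then four stand-in ciphertext bytes.
SAMPLE_TAG = bytes(range(0xA0, 0xAC))
SAMPLE_CT = b"\xde\xad\xbe\xef"
SAMPLE_BAD = SAMPLE_TAG + b"\x00" + SAMPLE_CT


def looks_miswritten(data: bytes) -> bool:
    """Heuristic only: a correct file starts with the zero version byte.

    A mis-written file starts with the first tag byte, which is nonzero
    for about 255 of every 256 tags, so False does not prove the file
    is correctly laid out.
    """
    return len(data) > 0 and data[0] != VERSION_BYTE


def repair(data: bytes, tag_len: int, force: bool = False) -> bytes:
    """Return a copy with the tag moved from offset 0 to offset 1.

    tag_len is an assumption supplied by the caller. Everything after
    the header (version byte plus tag) is copied through unchanged.
    """
    if tag_len <= 0:
        raise ValueError("no tag to move (e.g. CBC mode)")
    if len(data) < TAG_OFFSET + tag_len:
        raise ValueError("file is shorter than version byte plus tag")
    if not force and not looks_miswritten(data):
        raise ValueError("byte 0 already reads as the version; use force=True")
    tag = data[:tag_len]
    return bytes([VERSION_BYTE]) + tag + data[TAG_OFFSET + tag_len:]


if __name__ == "__main__":
    # Usage: repair_saver.py <input> <output> <tag_len>
    # Writes a new file; the input is never modified in place.
    src, dst, tag_len = sys.argv[1], sys.argv[2], int(sys.argv[3])
    with open(src, "rb") as f:
        fixed = repair(f.read(), tag_len)
    with open(dst, "wb") as f:
        f.write(fixed)
```

Only a successful authenticated decryption with the original key confirms the repaired file; the first-byte check cannot.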
| Comments |
| Comment by Githook User [ 12/Mar/20 ] |
|
Author: {'name': 'Sara Golemon', 'username': 'sgolemon', 'email': 'sara.golemon@mongodb.com'} Message: (cherry picked from commit 00817f5cb6d202af084fce94ab57b5f127c66b90) |
| Comment by Githook User [ 12/Mar/20 ] |
|
Author: {'name': 'Sara Golemon', 'username': 'sgolemon', 'email': 'sara.golemon@mongodb.com'} Message: (cherry picked from commit 00817f5cb6d202af084fce94ab57b5f127c66b90) |
| Comment by Githook User [ 10/Mar/20 ] |
|
Author: {'username': 'sgolemon', 'name': 'Sara Golemon', 'email': 'sara.golemon@mongodb.com'} Message: (cherry picked from commit 00817f5cb6d202af084fce94ab57b5f127c66b90) |
| Comment by Githook User [ 09/Mar/20 ] |
|
Author: {'username': 'sgolemon', 'name': 'Sara Golemon', 'email': 'sara.golemon@mongodb.com'} Message: |