Remove control+r handling from geliboot's pwgets()
ClosedPublic
Actions

Authored by allanjude on Feb 24 2017, 5:52 AM.

Details

Reviewers

kp
imp
ehaupt
tsoome

Commits

rS314213: Remove control+r handling from geliboot's pwgets()

Summary

https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=217298

While not really a security issue, it would be best if it did not do this:

The GELIBoot password prompt can be made to echo password in clear text.

How to repeat:

Boot a system with GELI full disk encryption
Wait for password prompt "GELI Passphrase for disk0p3:"
Enter password without pressing enter
Press ctrl-r

Entered password is displayed in clear text.

Diff Detail

Repository

rS FreeBSD src repository - subversion

Lint

Lint Not Applicable

Unit

Tests Not Applicable

Event Timeline

allanjude updated this revision to Diff 25646.Feb 24 2017, 5:52 AM

allanjude retitled this revision from to Remove control+r handling from geliboot's pwgets().

allanjude updated this object.

allanjude edited the test plan for this revision. (Show Details)

allanjude added reviewers: kp, tsoome, imp, ehaupt.

I discovered this by accident and was glad nobody had a view on my monitor at the time. I think it makes sense to have this removed as I see no other purpose than debugging.

This revision is now accepted and ready to land.Feb 24 2017, 7:37 AM

LGTM

kp accepted this revision.Feb 24 2017, 10:59 AM

kp edited edge metadata.

Closed by commit rS314213: Remove control+r handling from geliboot's pwgets() (authored by allanjude). · Explain WhyFeb 24 2017, 4:53 PM

This revision was automatically updated to reflect the committed changes.

Revision Contents
Changeset List

Path

Size

head/

sys/

boot/

geli/

pwgets.c

8 lines

Diff 25654

View Options

head/sys/boot/geli/pwgets.c

Remove control+r handling from geliboot's pwgets()ClosedPublicActions