From: Radoslaw Zarzynski <rzarzyns@redhat.com>
Date: Fri, 15 Nov 2019 22:24:54 +0000 (+0100)
Subject: common: audit memset & bzero users for FIPS.
X-Git-Tag: v14.2.8~20^2~56^2~12
X-Git-Url: http://git-server-git.apps.pok.os.sepia.ceph.com/?a=commitdiff_plain;h=a0cbd8fc6a7170392eec9c074ac7fe7ad5f1fb0c;p=ceph.git

common: audit memset & bzero users for FIPS.

Signed-off-by: Radoslaw Zarzynski <rzarzyns@redhat.com>
(cherry picked from commit fc05ac322580e409bd13645282d7e9a64f3d895f)
---

diff --git a/src/common/OutputDataSocket.cc b/src/common/OutputDataSocket.cc
index 4a5eca72d2f5..8d1c00f4cf92 100644
--- a/src/common/OutputDataSocket.cc
+++ b/src/common/OutputDataSocket.cc
@@ -152,6 +152,7 @@ std::string OutputDataSocket::bind_and_listen(const std::string &sock_path, int
 	<< "failed to create socket: " << cpp_strerror(err);
     return oss.str();
   }
+  // FIPS zeroization audit 20191115: this memset is not security related.
   memset(&address, 0, sizeof(struct sockaddr_un));
   address.sun_family = AF_UNIX;
   snprintf(address.sun_path, sizeof(address.sun_path),
@@ -198,6 +199,7 @@ void* OutputDataSocket::entry()
   ldout(m_cct, 5) << "entry start" << dendl;
   while (true) {
     struct pollfd fds[2];
+    // FIPS zeroization audit 20191115: this memset is not security related.
     memset(fds, 0, sizeof(fds));
     fds[0].fd = m_sock_fd;
     fds[0].events = POLLIN | POLLRDBAND;
diff --git a/src/common/addr_parsing.c b/src/common/addr_parsing.c
index 2a5f56623da5..4159dff67ceb 100644
--- a/src/common/addr_parsing.c
+++ b/src/common/addr_parsing.c
@@ -99,6 +99,7 @@ char *resolve_addrs(const char *orig_str)
 
     //printf("name '%s' port '%s'\n", tok, port_str);
 
+    // FIPS zeroization audit 20191115: this memset is fine.
     memset(&hint, 0, sizeof(hint));
     hint.ai_family = AF_UNSPEC;
     hint.ai_socktype = SOCK_STREAM;
diff --git a/src/common/address_helper.cc b/src/common/address_helper.cc
index 8774892211da..cdb8591f17a7 100644
--- a/src/common/address_helper.cc
+++ b/src/common/address_helper.cc
@@ -22,6 +22,7 @@ int entity_addr_from_url(entity_addr_t *addr /* out */, const char *url)
 		string host(m[2].first, m[2].second);
 		string port(m[3].first, m[3].second);
 		addrinfo hints;
+		// FIPS zeroization audit 20191115: this memset is fine.
 		memset(&hints, 0, sizeof(hints));
 		hints.ai_family = PF_UNSPEC;
 		addrinfo *res;
diff --git a/src/common/admin_socket.cc b/src/common/admin_socket.cc
index 25e8d8fafdcd..022f35609eab 100644
--- a/src/common/admin_socket.cc
+++ b/src/common/admin_socket.cc
@@ -167,6 +167,7 @@ std::string AdminSocket::bind_and_listen(const std::string &sock_path, int *fd)
 	<< "failed to create socket: " << cpp_strerror(err);
     return oss.str();
   }
+  // FIPS zeroization audit 20191115: this memset is fine.
   memset(&address, 0, sizeof(struct sockaddr_un));
   address.sun_family = AF_UNIX;
   snprintf(address.sun_path, sizeof(address.sun_path),
@@ -219,6 +220,7 @@ void AdminSocket::entry() noexcept
   ldout(m_cct, 5) << "entry start" << dendl;
   while (true) {
     struct pollfd fds[2];
+    // FIPS zeroization audit 20191115: this memset is fine.
     memset(fds, 0, sizeof(fds));
     fds[0].fd = m_sock_fd;
     fds[0].events = POLLIN | POLLRDBAND;
diff --git a/src/common/admin_socket_client.cc b/src/common/admin_socket_client.cc
index 9886bba6c06d..00d30675ebeb 100644
--- a/src/common/admin_socket_client.cc
+++ b/src/common/admin_socket_client.cc
@@ -56,6 +56,7 @@ static std::string asok_connect(const std::string &path, int *fd)
   }
 
   struct sockaddr_un address;
+  // FIPS zeroization audit 20191115: this memset is fine.
   memset(&address, 0, sizeof(struct sockaddr_un));
   address.sun_family = AF_UNIX;
   snprintf(address.sun_path, sizeof(address.sun_path), "%s", path.c_str());
diff --git a/src/common/buffer.cc b/src/common/buffer.cc
index a3c6201d208a..02a6f6624085 100644
--- a/src/common/buffer.cc
+++ b/src/common/buffer.cc
@@ -673,6 +673,7 @@ static ceph::spinlock debug_lock;
     ceph_assert(_raw);
     ceph_assert(l <= unused_tail_length());
     char* c = _raw->data + _off + _len;
+    // FIPS zeroization audit 20191115: this memset is not security related.
     memset(c, 0, l);
     _len += l;
     return _len + _off;
@@ -693,6 +694,7 @@ static ceph::spinlock debug_lock;
   {
     if (crc_reset)
         _raw->invalidate_crc();
+    // FIPS zeroization audit 20191115: this memset is not security related.
     memset(c_str(), 0, _len);
   }
 
@@ -701,6 +703,7 @@ static ceph::spinlock debug_lock;
     ceph_assert(o+l <= _len);
     if (crc_reset)
         _raw->invalidate_crc();
+    // FIPS zeroization audit 20191115: this memset is not security related.
     memset(c_str()+o, 0, l);
   }
 
@@ -1781,7 +1784,6 @@ void buffer::list::decode_base64(buffer::list& e)
   push_back(std::move(bp));
 }
 
-  
 
 int buffer::list::read_file(const char *fn, std::string *error)
 {
@@ -1795,6 +1797,7 @@ int buffer::list::read_file(const char *fn, std::string *error)
   }
 
   struct stat st;
+  // FIPS zeroization audit 20191115: this memset is not security related.
   memset(&st, 0, sizeof(st));
   if (::fstat(fd, &st) < 0) {
     int err = errno;
diff --git a/src/common/ceph_context.cc b/src/common/ceph_context.cc
index d454593686fa..c2d3d28e1ece 100644
--- a/src/common/ceph_context.cc
+++ b/src/common/ceph_context.cc
@@ -553,6 +553,7 @@ void CephContext::do_command(std::string_view command, const cmdmap_t& cmdmap,
 	f->dump_string("error", "syntax error: 'config get <var>'");
       } else {
 	char buf[4096];
+	// FIPS zeroization audit 20191115: this memset is not security related.
 	memset(buf, 0, sizeof(buf));
 	char *tmp = buf;
 	int r = _conf.get_val(var.c_str(), &tmp, sizeof(buf));
diff --git a/src/common/code_environment.cc b/src/common/code_environment.cc
index 0aab05c76460..414e2b62ada2 100644
--- a/src/common/code_environment.cc
+++ b/src/common/code_environment.cc
@@ -56,6 +56,7 @@ int get_process_name(char *buf, int len)
      * null-terminated. */
     return -ENAMETOOLONG;
   }
+  // FIPS zeroization audit 20191115: this memset is not security related.
   memset(buf, 0, len);
   return prctl(PR_GET_NAME, buf);
 }
diff --git a/src/common/cohort_lru.h b/src/common/cohort_lru.h
index 3e002344046d..3c789582f581 100644
--- a/src/common/cohort_lru.h
+++ b/src/common/cohort_lru.h
@@ -343,6 +343,7 @@ namespace cohort {
 	  if (csz) {
 	    p.csz = csz;
 	    p.cache = (T**) ::operator new(csz * sizeof(T*));
+	    // FIPS zeroization audit 20191115: this memset is not security related.
 	    memset(p.cache, 0, csz * sizeof(T*));
 	  }
 	  locks.push_back(&p.lock);
diff --git a/src/common/compat.cc b/src/common/compat.cc
index 3380d1cd031c..ceb8a0115b47 100644
--- a/src/common/compat.cc
+++ b/src/common/compat.cc
@@ -46,6 +46,7 @@ int manual_fallocate(int fd, off_t offset, off_t len) {
     return errno;
   char data[1024*128];
   // TODO: compressing filesystems would require random data
+  // FIPS zeroization audit 20191115: this memset is not security related.
   memset(data, 0x42, sizeof(data));
   for (off_t off = 0; off < len; off += sizeof(data)) {
     if (off + static_cast<off_t>(sizeof(data)) > len)
diff --git a/src/common/dns_resolve.cc b/src/common/dns_resolve.cc
index eb223a6836c2..7d5c4841f122 100644
--- a/src/common/dns_resolve.cc
+++ b/src/common/dns_resolve.cc
@@ -249,6 +249,7 @@ int DNSResolver::resolve_ip_addr(CephContext *cct, res_state *res, const string&
   }
 
   char addr_buf[64];
+  // FIPS zeroization audit 20191115: this memset is not security related.
   memset(addr_buf, 0, sizeof(addr_buf));
   inet_ntop(family, ns_rr_rdata(rr), addr_buf, sizeof(addr_buf));
   if (!addr->parse(addr_buf)) {
@@ -339,6 +340,7 @@ int DNSResolver::resolve_srv_hosts(CephContext *cct, const string& service_name,
     uint16_t priority = ns_get16(rdata); rdata += NS_INT16SZ;
     rdata += NS_INT16SZ;	// weight
     uint16_t port = ns_get16(rdata); rdata += NS_INT16SZ;
+    // FIPS zeroization audit 20191115: this memset is not security related.
     memset(full_target, 0, sizeof(full_target));
     ns_name_uncompress(ns_msg_base(handle), ns_msg_end(handle),
                        rdata, full_target, sizeof(full_target));
diff --git a/src/common/lockdep.cc b/src/common/lockdep.cc
index c37e38f53db2..cd87adce325b 100644
--- a/src/common/lockdep.cc
+++ b/src/common/lockdep.cc
@@ -65,6 +65,7 @@ void lockdep_register_ceph_context(CephContext *cct)
     lockdep_dout(1) << "lockdep start" << dendl;
     if (!free_ids_inited) {
       free_ids_inited = true;
+      // FIPS zeroization audit 20191115: this memset is not security related.
       memset((void*) &free_ids[0], 255, sizeof(free_ids));
     }
   }
@@ -90,6 +91,7 @@ void lockdep_unregister_ceph_context(CephContext *cct)
     held.clear();
     lock_names.clear();
     lock_ids.clear();
+    // FIPS zeroization audit 20191115: these memsets are not security related.
     memset((void*)&follows[0][0], 0, current_maxid * MAX_LOCKS/8);
     memset((void*)&follows_bt[0][0], 0, sizeof(BackTrace*) * current_maxid * MAX_LOCKS);
   }
@@ -213,6 +215,7 @@ void lockdep_unregister(int id)
   if (--refs == 0) {
     if (p != lock_names.end()) {
       // reset dependency ordering
+      // FIPS zeroization audit 20191115: this memset is not security related.
       memset((void*)&follows[id][0], 0, MAX_LOCKS/8);
       for (unsigned i=0; i<current_maxid; ++i) {
         delete follows_bt[id][i];
diff --git a/src/common/obj_bencher.cc b/src/common/obj_bencher.cc
index e247aece2c14..de73e70b15bd 100644
--- a/src/common/obj_bencher.cc
+++ b/src/common/obj_bencher.cc
@@ -69,6 +69,7 @@ static std::string generate_object_name_fast(int objnum, int pid = 0)
 }
 
 static void sanitize_object_contents (bench_data *data, size_t length) {
+  // FIPS zeroization audit 20191115: this memset is not security related.
   memset(data->object_contents, 'z', length);
 }
 
diff --git a/src/common/snap_types.h b/src/common/snap_types.h
index bf7941fb1cf9..0f5269932f56 100644
--- a/src/common/snap_types.h
+++ b/src/common/snap_types.h
@@ -14,9 +14,11 @@ struct SnapRealmInfo {
   vector<snapid_t> prior_parent_snaps;  // before parent_since
 
   SnapRealmInfo() {
+    // FIPS zeroization audit 20191115: this memset is not security related.
     memset(&h, 0, sizeof(h));
   }
   SnapRealmInfo(inodeno_t ino_, snapid_t created_, snapid_t seq_, snapid_t current_parent_since_) {
+    // FIPS zeroization audit 20191115: this memset is not security related.
     memset(&h, 0, sizeof(h));
     h.ino = ino_;
     h.created = created_;