From 679a9972b46b0ebd03444f3c08ce7d3424c494f9 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Ivan=20=C4=8Cuki=C4=87?= Date: Fri, 7 Dec 2018 23:24:58 +0100 Subject: TextInput: Stop leaking password values to process memory The contents of a deleted QString can still remain in memory and can be accessible by tools that read the raw process memory. The same problem appears when the QString reallocates -- the old buffer gets deleted, but its contents will remain in memory. This means that a TextInput that serves as a password input field can leak parts of the password while the user is entering it (due to reallocation) and the whole password when the TextInput instance is destroyed. With this patch, the contents of the m_text string member variable will be zeroed-out before the TextInput is destructed. This is done only in the cases when the TextInput serves as a password field. Also, this patch reserves the space for 30 characters for m_text when the TextInput is used for password input. This is enough to make sure no reallocation happens in majority of cases as barely anyone uses passwords longer than 30 characters. [ChangeLog][QtQuick][TextInput/security] When the TextInput is used for password input, preallocate a buffer for the string that stores the entered value and zero-out the string on TextInput destruction to avoid leaking sensitive data to process memory Change-Id: I8f1f307b1cfc25ad51f48bae8509a258042a2e7f Reviewed-by: Frederik Gladhorn
---
 src/quick/items/qquicktextinput.cpp | 6 ++++++
 src/quick/items/qquicktextinput_p_p.h | 5 +++++
 2 files changed, 11 insertions(+)
diff --git a/src/quick/items/qquicktextinput.cpp b/src/quick/items/qquicktextinput.cpp
index a0ac884fef..aac7137ff3 100644
--- a/src/quick/items/qquicktextinput.cpp
+++ b/src/quick/items/qquicktextinput.cpp
@@ -1242,6 +1242,12 @@ void QQuickTextInput::setEchoMode(QQuickTextInput::EchoMode echo) d->updateDisplayText(); updateCursorRectangle(); + // If this control is used for password input, we want to minimize + // the possibility of string reallocation not to leak (parts of) + // the password. + if (d->m_echoMode != QQuickTextInput::Normal) + d->m_text.reserve(30); + emit echoModeChanged(echoMode()); } diff --git a/src/quick/items/qquicktextinput_p_p.h b/src/quick/items/qquicktextinput_p_p.h index a2e2f0f66d..7965f3d3f4 100644 --- a/src/quick/items/qquicktextinput_p_p.h +++ b/src/quick/items/qquicktextinput_p_p.h @@ -162,6 +162,11 @@ public: ~QQuickTextInputPrivate() { + // If this control is used for password input, we don't want the + // password data to stay in the process memory, therefore we need + // to zero it out + if (m_echoMode != QQuickTextInput::Normal) + m_text.fill(0); } void init(); -- cgit v1.2.3
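Review bot: `d->m_text.reserve(30)` in setEchoMode can itself reallocate if m_text already holds text when the echo mode is switched, and the old buffer is then released without being cleared, which is the exposure the added comment sets out to avoid. The same holds for any password longer than 30 characters, so the comment should state that the reservation only reduces the risk up to that length. The literal would also read better as a named constant carrying the rationale from the commit message, e.g. `static const int PasswordReserveSize = 30; // typical passwords fit without reallocation`. setEchoMode begins outside the hunk, so whether m_text can be non-empty at this point is inferred rather than visible.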
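Review bot: `m_text.fill(0)` in ~QQuickTextInputPrivate overwrites only the current size() characters, so characters that were typed and then deleted can remain in the unused tail of the reserved buffer; `m_text.fill(QChar(0), m_text.capacity());` would cover the whole allocation. QString is implicitly shared, so if the data is still referenced by another QString at destruction, fill() detaches first and the zeroes land in a fresh copy rather than in the buffer that held the password. The comment should say that only this member's own buffer is wiped and that copies handed out elsewhere (presumably through the text accessor or the display string, neither visible here) are not covered. Because the store happens immediately before the object dies, it is also worth confirming that the build (for example with link-time optimisation) does not drop it as a dead store.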