Date: Fri, 23 Jan 2009 21:46:33 +0100 From: Oliver Pinter <oliver.pntr@gmail.com> To: Jaakko Heinonen <jh@saunalahti.fi> Cc: freebsd-security@freebsd.org Subject: Re: [patch] libc Berkeley DB information leak Message-ID: <6101e8c40901231246j264c3e43y7989d14fb9b77037@mail.gmail.com> In-Reply-To: <20090115144459.GA3154@a91-153-125-115.elisa-laajakaista.fi> References: <20090115144459.GA3154@a91-153-125-115.elisa-laajakaista.fi>
next in thread | previous in thread | raw e-mail | index | archive | help
[-- Attachment #1 --] On 1/15/09, Jaakko Heinonen <jh@saunalahti.fi> wrote: > > Hi, > > FreeBSD libc Berkeley DB can leak sensitive information to database > files. The problem is that it writes uninitialized memory obtained from > malloc(3) to database files. > > You can use this simple test program to reproduce the behavior: > > http://www.saunalahti.fi/~jh3/dbtest.c > > Run the program and see the resulting test.db file which will contain a > sequence of 0xa5 bytes directly from malloc(3). (See malloc(3) manual > page for the explanation for the "J" flag if you need more information.) > > This has been reported as PR 123529 > (http://www.freebsd.org/cgi/query-pr.cgi?pr=123529) which contains a > real information leak case. The PR is assigned to secteam and I have > also personally reported it to secteam but I haven't heard a word from > secteam members. > > A code to initialize malloc'd memory exists but the feature must be > enabled with PURIFY macro. With following patch applied > the test program doesn't output 0xa5 bytes to the database file: > > %%% > Index: lib/libc/db/hash/hash_buf.c > =================================================================== > --- lib/libc/db/hash/hash_buf.c (revision 187214) > +++ lib/libc/db/hash/hash_buf.c (working copy) > @@ -57,6 +57,7 @@ __FBSDID("$FreeBSD$"); > #include <stddef.h> > #include <stdio.h> > #include <stdlib.h> > +#include <string.h> > > #ifdef DEBUG > #include <assert.h> > Index: lib/libc/db/Makefile.inc > =================================================================== > --- lib/libc/db/Makefile.inc (revision 187214) > +++ lib/libc/db/Makefile.inc (working copy) > @@ -3,6 +3,8 @@ > # > CFLAGS+=-D__DBINTERFACE_PRIVATE > > +CFLAGS+=-DPURIFY > + > .include "${.CURDIR}/db/btree/Makefile.inc" > .include "${.CURDIR}/db/db/Makefile.inc" > .include "${.CURDIR}/db/hash/Makefile.inc" > %%% > > Could someone consider committing this or some other fix for the > problem? > > -- > Jaakko > _______________________________________________ > freebsd-security@freebsd.org mailing list > http://lists.freebsd.org/mailman/listinfo/freebsd-security > To unsubscribe, send any mail to "freebsd-security-unsubscribe@freebsd.org" > [-- Attachment #2 --] From 7bb3bb3955b75478135d8e370bf06818ba708ebf Mon Sep 17 00:00:00 2001 From: Oliver Pinter <p_bp@oliverp.***.bme.hu> Date: Fri, 23 Jan 2009 04:22:41 +0100 Subject: [PATCH] fix mem info leak --- lib/libc/db/hash/hash_buf.c | 4 ++-- 1 files changed, 2 insertions(+), 2 deletions(-) diff --git a/lib/libc/db/hash/hash_buf.c b/lib/libc/db/hash/hash_buf.c index db8ad1a..6cff15b 100644 --- a/lib/libc/db/hash/hash_buf.c +++ b/lib/libc/db/hash/hash_buf.c @@ -174,12 +174,12 @@ newbuf(hashp, addr, prev_bp) */ if (hashp->nbufs || (bp->flags & BUF_PIN)) { /* Allocate a new one */ - if ((bp = (BUFHEAD *)malloc(sizeof(BUFHEAD))) == NULL) + if ((bp = (BUFHEAD *)calloc(1, sizeof(BUFHEAD))) == NULL) return (NULL); #ifdef PURIFY memset(bp, 0xff, sizeof(BUFHEAD)); #endif - if ((bp->page = (char *)malloc(hashp->BSIZE)) == NULL) { + if ((bp->page = (char *)calloc(1, hashp->BSIZE)) == NULL) { free(bp); return (NULL); } -- 1.6.0.6
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?6101e8c40901231246j264c3e43y7989d14fb9b77037>