From: Oliver Pinter
To: Jaakko Heinonen
Cc: freebsd-security@freebsd.org
Date: Fri, 23 Jan 2009 21:46:33 +0100
Subject: Re: [patch] libc Berkeley DB information leak
Message-ID: <6101e8c40901231246j264c3e43y7989d14fb9b77037@mail.gmail.com>
In-Reply-To: <20090115144459.GA3154@a91-153-125-115.elisa-laajakaista.fi>
List: freebsd-security@freebsd.org ("Security issues [members-only posting]")

On 1/15/09, Jaakko Heinonen wrote:
>
> Hi,
>
> FreeBSD libc Berkeley DB can leak sensitive information to database
> files. The problem is that it writes uninitialized memory obtained from
> malloc(3) to database files.
>
> You can use this simple test program to reproduce the behavior:
>
> http://www.saunalahti.fi/~jh3/dbtest.c
>
> Run the program and see the resulting test.db file, which will contain a
> sequence of 0xa5 bytes directly from malloc(3). (See the malloc(3) manual
> page for the explanation of the "J" flag if you need more information.)
>
> This has been reported as PR 123529
> (http://www.freebsd.org/cgi/query-pr.cgi?pr=123529), which contains a
> real information leak case. The PR is assigned to secteam and I have
> also personally reported it to secteam, but I haven't heard a word from
> secteam members.
>
> Code to initialize malloc'd memory exists, but the feature must be
> enabled with the PURIFY macro. With the following patch applied,
> the test program doesn't output 0xa5 bytes to the database file:
>
> %%%
> Index: lib/libc/db/hash/hash_buf.c
> ===================================================================
> --- lib/libc/db/hash/hash_buf.c (revision 187214)
> +++ lib/libc/db/hash/hash_buf.c (working copy)
> @@ -57,6 +57,7 @@ __FBSDID("$FreeBSD$"); > #include > #include > #include > +#include > > #ifdef DEBUG > #include > Index: lib/libc/db/Makefile.inc > =================================================================== > --- lib/libc/db/Makefile.inc (revision 187214) > +++ lib/libc/db/Makefile.inc (working copy) 
> @@ -3,6 +3,8 @@ > # > CFLAGS+=-D__DBINTERFACE_PRIVATE > > +CFLAGS+=-DPURIFY > + > .include "${.CURDIR}/db/btree/Makefile.inc" > .include "${.CURDIR}/db/db/Makefile.inc" > .include "${.CURDIR}/db/hash/Makefile.inc"
> %%%
>
> Could someone consider committing this or some other fix for the
> problem?
>
> --
> Jaakko
> _______________________________________________
> freebsd-security@freebsd.org mailing list
> http://lists.freebsd.org/mailman/listinfo/freebsd-security
> To unsubscribe, send any mail to "freebsd-security-unsubscribe@freebsd.org"

[Attachment: 0001-fix-mem-info-leak.patch (text/x-diff), decoded from the base64 body of the archived message]

From 7bb3bb3955b75478135d8e370bf06818ba708ebf Mon Sep 17 00:00:00 2001
From: Oliver Pinter <p_bp@oliverp.***.bme.hu>
Date: Fri, 23 Jan 2009 04:22:41 +0100
Subject: [PATCH] fix mem info leak

---
 lib/libc/db/hash/hash_buf.c |    4 ++--
 1 files changed, 2 insertions(+), 2 deletions(-)

diff --git a/lib/libc/db/hash/hash_buf.c b/lib/libc/db/hash/hash_buf.c
index db8ad1a..6cff15b 100644
--- a/lib/libc/db/hash/hash_buf.c
+++ b/lib/libc/db/hash/hash_buf.c
@@ -174,12 +174,12 @@ newbuf(hashp, addr, prev_bp)
 	 */
 	if (hashp->nbufs || (bp->flags & BUF_PIN)) {
 		/* Allocate a new one */
-		if ((bp = (BUFHEAD *)malloc(sizeof(BUFHEAD))) == NULL)
+		if ((bp = (BUFHEAD *)calloc(1, sizeof(BUFHEAD))) == NULL)
 			return (NULL);
 #ifdef PURIFY
 		memset(bp, 0xff, sizeof(BUFHEAD));
 #endif
-		if ((bp->page = (char *)malloc(hashp->BSIZE)) == NULL) {
+		if ((bp->page = (char *)calloc(1, hashp->BSIZE)) == NULL) {
 			free(bp);
 			return (NULL);
 		}
-- 
1.6.0.6
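Review bot: the quoted Makefile.inc hunk (`+CFLAGS+=-DPURIFY`) repurposes a debugging macro as the security fix and switches it on for every file under lib/libc/db without saying why; anyone tidying the Makefile later will see an unexplained PURIFY define and may drop it. Put a comment on that line naming the problem it addresses (PR 123529, uninitialized malloc(3) memory reaching the database file), or move the initialisation behind a purpose-named macro so the intent survives. The accompanying hash_buf.c hunk only adds a header, so it is not reviewable on its own: the Makefile line is the whole fix and needs the documentation.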
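Review bot: in the attached hunk, `calloc(1, sizeof(BUFHEAD))` makes the `#ifdef PURIFY` `memset(bp, 0xff, sizeof(BUFHEAD));` that immediately follows a second full initialisation of the same object, and the two use different fill values (zero, then 0xff) on PURIFY builds; keep one strategy and either remove the PURIFY block or leave the PURIFY fill as the only one. The patch also fixes only the two allocations inside newbuf() (the summary says `1 files changed`), whereas the reporter's version enables PURIFY across the whole db tree; before preferring this narrower change, confirm no other malloc(3)'d buffer in the db code is written to the file unfilled, otherwise the reporter's 0xa5 test will still find leaked bytes.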
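The leak described in the thread, as an added C example that is neither the dbtest.c from the report nor FreeBSD's db(3) code: a disk block buffer is obtained with malloc(3), only the record is written into it, and the whole block goes to the file, so every byte malloc(3) returned but the code never touched lands on disk. The block size (4096), the record "key=hunter2" and the helper junk_malloc() are assumptions made for the example; junk_malloc() stands in for running the real program with MALLOC_OPTIONS=J, which is what makes the leaked bytes show up as a deterministic 0xa5 pattern. Switching the allocation to calloc(3), as the attached patch does, is the hardened form.

```c
/*
 * Added example (not from the FreeBSD tree or the thread's authors).
 * Models how libc db(3) leaked uninitialized heap memory into the
 * database file, and why calloc(3) stops it.
 */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define BSIZE 4096   /* assumed block size; db(3) chooses its own */
#define JUNK  0xa5   /* fill byte malloc(3) uses with the J option */

/*
 * Stand-in for malloc(3) under MALLOC_OPTIONS=J: fresh memory is
 * poisoned with 0xa5.  Real malloc(3) memory holds whatever the process
 * freed earlier (keys, passwords), which is the actual leak.
 */
static void *junk_malloc(size_t n)
{
	void *p = malloc(n);

	if (p != NULL)
		memset(p, JUNK, n);
	return (p);
}

/*
 * Build one block holding a single record and write it to fp.
 * use_calloc != 0 selects the hardened allocation (zero-filled block).
 * Returns 0 on success, -1 on failure.
 */
static int write_block(FILE *fp, const char *rec, int use_calloc)
{
	unsigned char *page;
	size_t reclen = strlen(rec);

	if (reclen > BSIZE)
		return (-1);
	page = use_calloc ? calloc(1, BSIZE) : junk_malloc(BSIZE);
	if (page == NULL)
		return (-1);
	memcpy(page, rec, reclen);	/* only the record is initialized */
	if (fwrite(page, 1, BSIZE, fp) != BSIZE) {
		free(page);
		return (-1);
	}
	free(page);
	return (0);
}

/* Scan the file for bytes still carrying the junk pattern. */
static long count_junk(FILE *fp)
{
	unsigned char buf[512];
	size_t n, i;
	long junk = 0;

	rewind(fp);
	while ((n = fread(buf, 1, sizeof(buf), fp)) > 0)
		for (i = 0; i < n; i++)
			if (buf[i] == JUNK)
				junk++;
	return (junk);
}

/*
 * Write one record into a temporary "database" and return how many
 * junk bytes reached the file (-1 on I/O failure).
 */
long leaked_bytes(int use_calloc)
{
	FILE *fp = tmpfile();
	long junk;

	if (fp == NULL)
		return (-1);
	if (write_block(fp, "key=hunter2", use_calloc) != 0) {
		fclose(fp);
		return (-1);
	}
	junk = count_junk(fp);
	fclose(fp);
	return (junk);
}

int main(void)
{
	printf("malloc: %ld junk bytes on disk\n", leaked_bytes(0));
	printf("calloc: %ld junk bytes on disk\n", leaked_bytes(1));
	return (0);
}
```

The poisoning step is the important caveat when reproducing this against the real library: a large fresh allocation often comes from mmap(2) and is already zero, so a test.db that scans clean without the J flag proves nothing. Run the reporter's test with MALLOC_OPTIONS=J set and look for 0xa5 runs in the output file; with calloc(3) in place the count drops to zero regardless of the malloc option.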