From owner-freebsd-security@FreeBSD.ORG Tue Nov 6 18:47:06 2012
From: Paul Schenkeveld
To: freebsd-security@freebsd.org
Subject: md(4) (swap-base) disks not cleaned on creation
Date: Tue, 6 Nov 2012 19:46:58 +0100
Message-ID: <20121106184658.GA24262@psconsult.nl>

Hi,

When creating a swap based md(4) it may contain data which to me feels
like a security leak:

# mdconfig -a -t swap -s 1m
md0
# hd /dev/md0
00000000 c0 9b a8 00 08 00 00 00 00 5c 53 00 08 00 00 00 |À.¨......\S.....|
00000010 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |................|
*
00000250 38 9f a8 00 08 00 00 00 00 5c 53 00 08 00 00 00 |8.¨......\S.....|
00000260 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |................|
*
00000330 88 a0 a8 00 08 00 00 00 00 5c 53 00 08 00 00 00 |. ¨......\S.....|
00000340 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |................|
*
00000370 e8 a0 a8 00 08 00 00 00 00 5c 53 00 08 00 00 00 |è ¨......\S.....|
00000380 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |................|
*
000005b0 48 a4 a8 00 08 00 00 00 00 5c 53 00 08 00 00 00 |H¤¨......\S.....|
000005c0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |................|
*
^C
# ls -l /dev/md0
crw-r----- 1 root operator 0xc8 Nov 6 19:42 /dev/md0
#

Although not world-readable, it just doesn't feel right to me.

Any thoughts?
With kind regards,
Paul Schenkeveld
From owner-freebsd-security@FreeBSD.ORG Tue Nov 6 19:27:12 2012
From: Konstantin Belousov
To: Paul Schenkeveld
Cc: freebsd-security@freebsd.org
Subject: Re: md(4) (swap-base) disks not cleaned on creation
Date: Tue, 6 Nov 2012 21:27:04 +0200
Message-ID: <20121106192704.GM73505@kib.kiev.ua>
In-Reply-To: <20121106184658.GA24262@psconsult.nl>

On Tue, Nov 06, 2012 at 07:46:58PM +0100, Paul Schenkeveld wrote:
> Hi,
> 
> When creating a swap based md(4) it may contain data which to me feels
> like a security leak:
> 
> # mdconfig -a -t swap -s 1m
> md0
> # hd /dev/md0
> 00000000 c0 9b a8 00 08 00 00 00 00 5c 53 00 08 00 00 00 |?.?......\S.....|
> 00000010 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |................|
> *
> 00000250 38 9f a8 00 08 00 00 00 00 5c 53 00 08 00 00 00 |8.?......\S.....|
> 00000260 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |................|
> *
> 00000330 88 a0 a8 00 08 00 00 00 00 5c 53 00 08 00 00 00 |. ?......\S.....|
> 00000340 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |................|
> *
> 00000370 e8 a0 a8 00 08 00 00 00 00 5c 53 00 08 00 00 00 |? ?......\S.....|
> 00000380 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |................|
> *
> 000005b0 48 a4 a8 00 08 00 00 00 00 5c 53 00 08 00 00 00 |H??......\S.....|
> 000005c0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |................|
> *
> ^C
> # ls -l /dev/md0
> crw-r----- 1 root operator 0xc8 Nov 6 19:42 /dev/md0
> #
> 
> Although not world-readable, it just doesn't feel right to me.
> 
> Any thoughts?

It is definitely not a security issue. The md device is not user-accessible,
as you noted. A filesystem run over the device needs to ensure that user
processes never get on-disk garbage without first initializing the blocks.

That said, the following patch should fix the nit. I am unsure about
it, because it fixes a mostly non-issue by spending CPU time to zero a
page which would be either zeroed or overwritten right now anyway in
normal usage.

diff --git a/sys/dev/md/md.c b/sys/dev/md/md.c
index a86c26a..80982cc 100644
--- a/sys/dev/md/md.c
+++ b/sys/dev/md/md.c
@@ -677,6 +677,9 @@ mdstart_swap(struct md_s *sc, struct bio *bp)
 			sched_unpin();
 			vm_page_wakeup(m);
 			break;
+		} else if (rv =3D=3D VM_PAGER_FAIL) {
+			/* Pager does not have page */
+			bzero((void *)sf_buf_kva(sf), PAGE_SIZE);
 		}
 		bcopy((void *)(sf_buf_kva(sf) + offs), p, len);
 		cpu_flush_dcache(p, len);
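Review bot: the new branch zeroes the page only when the pager returns VM_PAGER_FAIL; the visible context shows an earlier branch that breaks out, but not how other non-OK pager results are handled, so it is worth confirming that no other return value falls through to the `bcopy((void *)(sf_buf_kva(sf) + offs), p, len)` with a page that was never filled. The comment `/* Pager does not have page */` should also state why the zeroing matters: a page the swap pager has never stored must read back as zeros so that the md device behaves like a freshly created disk instead of exposing whatever the grabbed page happened to contain. (`=3D=3D` is the quoted-printable rendering of `==` in the mail.)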
From owner-freebsd-security@FreeBSD.ORG Tue Nov 6 19:59:43 2012
From: Paul Schenkeveld
To: freebsd-security@freebsd.org
Subject: Re: md(4) (swap-base) disks not cleaned on creation
Date: Tue, 6 Nov 2012 20:59:36 +0100
Message-ID: <20121106195936.GA54581@psconsult.nl>
In-Reply-To: <20121106192704.GM73505@kib.kiev.ua>

On Tue, Nov 06, 2012 at 09:27:04PM +0200, Konstantin Belousov wrote:
> On Tue, Nov 06, 2012 at 07:46:58PM +0100, Paul Schenkeveld wrote:
> > Hi,
> > 
> > When creating a swap based md(4) it may contain data which to me feels
> > like a security leak:
> > 
> > # mdconfig -a -t swap -s 1m
> > md0
> > # hd /dev/md0
> > 00000000 c0 9b a8 00 08 00 00 00 00 5c 53 00 08 00 00 00 |?.?......\S.....|
> > 00000010 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |................|
> > *
> > 00000250 38 9f a8 00 08 00 00 00 00 5c 53 00 08 00 00 00 |8.?......\S.....|
> > 00000260 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |................|
> > *
> > 00000330 88 a0 a8 00 08 00 00 00 00 5c 53 00 08 00 00 00 |.š?......\S.....|
> > 00000340 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |................|
> > *
> > 00000370 e8 a0 a8 00 08 00 00 00 00 5c 53 00 08 00 00 00 |?š?......\S.....|
> > 00000380 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |................|
> > *
> > 000005b0 48 a4 a8 00 08 00 00 00 00 5c 53 00 08 00 00 00 |H??......\S.....|
> > 000005c0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |................|
> > *
> > ^C
> > # ls -l /dev/md0
> > crw-r----- 1 root operator 0xc8 Nov 6 19:42 /dev/md0
> > #
> > 
> > Although not world-readable, it just doesn't feel right to me.
> > 
> > Any thoughts?
> 
> It is definitely not a security issue. The md device is not user-accessible,
> as you noted. A filesystem run over the device needs to ensure that user
> processes never get on-disk garbage without first initializing the blocks.

What about this scenario:

- Root uses nanobsd.sh to make an image
- The .conf file has NANO_MD_BACKING="swap" (I believe phk@ was against
  this feature but it is in nanobsd.sh now)
- Root places the image on a public FTP site and this way exposes swap data.

-- 
Paul Schenkeveld
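A check of the kind this scenario calls for, as an added example that is not part of the thread, of md(4) or of nanobsd.sh: before an image built on a swap-backed md device is published (or right after `mdconfig -a -t swap` creates the device), confirm that it reads back as all zeros and, if not, where the first residue sits. The function names and file names are this example's own; it runs here on constructed files, with two bytes planted at offset 0x250 to mirror the hd output in the first message.

```shell
#!/bin/sh
# Added example, not code from the thread, from md(4) or from nanobsd.sh:
# report whether a device or image file reads back as all zeros, so a
# freshly created swap-backed md(4) (or an image built on top of one)
# can be checked before it is handed to an unprivileged user or published.
# Assumes only POSIX sh, tr, wc, od, awk and dd.

# nonzero_bytes PATH: print how many bytes of PATH are not 0x00.
nonzero_bytes() {
    # tr deletes every NUL byte; whatever survives is residue.
    tr -d '\000' < "$1" | wc -c | tr -d ' '
}

# first_nonzero_offset PATH: print the decimal offset of the first
# non-zero byte, or -1 when PATH is entirely zero.
first_nonzero_offset() {
    od -An -v -tx1 "$1" | awk '
        {
            for (i = 1; i <= NF; i++) {
                if ($i != "00") { print off; found = 1; exit }
                off++
            }
        }
        END { if (!found) print -1 }'
}

# check_zeroed PATH: exit status 0 if PATH is all zeros, 1 otherwise,
# with a one-line report either way. For a device node, point it at the
# node directly (e.g. check_zeroed /dev/md0 as root on FreeBSD).
check_zeroed() {
    n=$(nonzero_bytes "$1")
    if [ "$n" -eq 0 ]; then
        echo "$1: clean (all zeros)"
        return 0
    fi
    printf '%s: %s non-zero byte(s), first at offset %s\n' \
        "$1" "$n" "$(first_nonzero_offset "$1")"
    return 1
}

# Constructed sample input: a 4 KiB all-zero image, and a copy with two
# bytes (0x38 0x9f) planted at offset 592 (0x250), echoing the hd output
# in the first message of the thread.
TMPD=$(mktemp -d)
ZERO_IMG="$TMPD/zero.img"
DIRTY_IMG="$TMPD/dirty.img"
dd if=/dev/zero of="$ZERO_IMG" bs=1024 count=4 2>/dev/null
cp "$ZERO_IMG" "$DIRTY_IMG"
printf '8\237' | dd of="$DIRTY_IMG" bs=1 seek=592 conv=notrunc 2>/dev/null

check_zeroed "$ZERO_IMG"      # prints "<path>: clean (all zeros)"
check_zeroed "$DIRTY_IMG" ||  # prints "<path>: 2 non-zero byte(s), first at offset 592"
    echo "refusing to publish $DIRTY_IMG"
```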
From owner-freebsd-security@FreeBSD.ORG Wed Nov 7 12:36:57 2012
From: Dag-Erling Smørgrav
To: Konstantin Belousov
Cc: freebsd-security@freebsd.org, Paul Schenkeveld
Subject: Re: md(4) (swap-base) disks not cleaned on creation
Date: Wed, 07 Nov 2012 13:36:55 +0100
Message-ID: <86fw4lio7s.fsf@ds4.des.no>
In-Reply-To: <20121106192704.GM73505@kib.kiev.ua>

Konstantin Belousov writes:
> It is definitely not a security issue.

I disagree. There may be legitimate reasons for root to create an md
and give read access to an unprivileged user, under the assumption that
it is zeroed; or to allow root in a jail to create mds.

> That said, the following patch should fix the nit. I am unsure about
> it, because it fixes a mostly non-issue by spending CPU time to zero a
> page which would be either zeroed or overwritten right now anyway in
> normal usage.

You can at least partly mitigate this by adding VM_ALLOC_ZERO to the
flags passed to vm_page_grab() on line 666 and then checking the PG_ZERO
bit in m->flags.

DES
-- 
Dag-Erling Smørgrav - des@des.no
From owner-freebsd-security@FreeBSD.ORG Wed Nov 7 06:47:33 2012
From: Dewayne Geraghty
To: Paul Schenkeveld
Cc: freebsd-security@freebsd.org
Subject: RE: md(4) (swap-base) disks not cleaned on creation
Date: Wed, 7 Nov 2012 17:45:05 +1100
In-Reply-To: <20121106192704.GM73505@kib.kiev.ua>

Paul,

This is akin to

    dd if=/dev/ada0s1b of=/tmp/File

where ada0s1b is the swap partition, and then reading through the output.
It's really nothing to be concerned about, and not worth zeroing the page
for :)

Regards, Dewayne.
From owner-freebsd-security@FreeBSD.ORG Wed Nov 7 07:07:32 2012
From: Dewayne Geraghty
To: Paul Schenkeveld
Cc: freebsd-security@freebsd.org
Subject: RE: md(4) (swap-base) disks not cleaned on creation
Date: Wed, 7 Nov 2012 18:03:46 +1100
Message-ID: <78F4278EFF694CCE85CA45D844D4A7BB@black>
In-Reply-To: <20121106195936.GA54581@psconsult.nl>

An excellent example of where swap shouldn't be used. It isn't the use of
the swap file that is the issue, it is how the output of using swap is
used. PHK was right in his advice to not use swap.

Good catch, nanobsd.sh should be changed.
From owner-freebsd-security@FreeBSD.ORG Wed Nov 7 13:14:43 2012
From: Paul Schenkeveld
To: freebsd-security@freebsd.org
Subject: Re: md(4) (swap-base) disks not cleaned on creation
Date: Wed, 7 Nov 2012 14:14:36 +0100
Message-ID: <20121107131436.GA9838@psconsult.nl>
In-Reply-To: <78F4278EFF694CCE85CA45D844D4A7BB@black>

On Wed, Nov 07, 2012 at 06:03:46PM +1100, Dewayne Geraghty wrote:
> An excellent example of where swap shouldn't be used. It isn't the use of
> the swap file that is the issue, it is how the output of using swap is
> used. PHK was right in his advice to not use swap.
> 
> Good catch, nanobsd.sh should be changed.

I tend to disagree. Nanobsd.sh is just an example but there may be more
uses of swap-based md(4) devices where ultimately swap contents are
leaked to unprivileged users or processes. Des@ mentioned md(4) devices
made available to jails where the root inside the jail is definitely not
the same as the root outside the jail.

All of us (I hope) have been educated with the wisdom that memory
returned by malloc() and friends is safe to use which may raise the
expectation (at least it did to me) that mdconfig'd memory follows the
same principles of security.
-- 
Paul Schenkeveld

From owner-freebsd-security@FreeBSD.ORG Wed Nov 7 13:44:54 2012
From: Konstantin Belousov
To: Paul Schenkeveld
Cc: freebsd-security@freebsd.org
Subject: Re: md(4) (swap-base) disks not cleaned on creation
Date: Wed, 7 Nov 2012 15:44:47 +0200
Message-ID: <20121107134447.GO73505@kib.kiev.ua>
In-Reply-To: <20121107131436.GA9838@psconsult.nl>

On Wed, Nov 07, 2012 at 02:14:36PM +0100, Paul Schenkeveld wrote:
> On Wed, Nov 07, 2012 at 06:03:46PM +1100, Dewayne Geraghty wrote:
> > An excellent example of where swap shouldn't be used. It isn't the use
> > of the swap file that is the issue, it is how the output of using swap
> > is used. PHK was right in his advice to not use swap.
> > 
> > Good catch, nanobsd.sh should be changed.
> 
> I tend to disagree. Nanobsd.sh is just an example but there may be more
> uses of swap-based md(4) devices where ultimately swap contents are
> leaked to unprivileged users or processes. Des@ mentioned md(4) devices
> made available to jails where the root inside the jail is definitely not
> the same as the root outside the jail.
> 
> All of us (I hope) have been educated with the wisdom that memory
> returned by malloc() and friends is safe to use which may raise the
> expectation (at least it did to me) that mdconfig'd memory follows the
> same principles of security.

It is the reverse: malloc-ed memory is not guaranteed to have any
predefined content. But its content does not cross security boundaries.
From owner-freebsd-security@FreeBSD.ORG Wed Nov 7 13:47:10 2012
From: Konstantin Belousov
To: Dag-Erling Smørgrav
Cc: freebsd-security@freebsd.org, Paul Schenkeveld
Subject: Re: md(4) (swap-base) disks not cleaned on creation
Date: Wed, 7 Nov 2012 15:47:01 +0200
Message-ID: <20121107134701.GP73505@kib.kiev.ua>
In-Reply-To: <86fw4lio7s.fsf@ds4.des.no>

On Wed, Nov 07, 2012 at 01:36:55PM +0100, Dag-Erling Smørgrav wrote:
> Konstantin Belousov writes:
> > It is definitely not a security issue.
> 
> I disagree. There may be legitimate reasons for root to create an md
> and give read access to an unprivileged user, under the assumption that
> it is zeroed; or to allow root in a jail to create mds.

I disagree, but let's settle this. I will commit a fix today.

> 
> DES
> -- 
> Dag-Erling Smørgrav - des@des.no
> 
> > That said, the following patch should fix the nit. I am unsure about
> > it, because it fixes a mostly non-issue by spending CPU time to zero a
> > page which would be either zeroed or overwritten right now anyway in
> > normal usage.
> 
> You can at least partly mitigate this by adding VM_ALLOC_ZERO to the
> flags passed to vm_page_grab() on line 666 and then checking the PG_ZERO
> bit in m->flags.

This is worse, since now you deprive the zero pool even for the case
when the page is successfully read from the swap later. My patch only
zeroes pages which do not have any content to fill.