From owner-freebsd-security@FreeBSD.ORG Sun Apr 20 18:31:16 2014 Return-Path: Delivered-To: freebsd-security@freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [8.8.178.115]) (using TLSv1 with cipher ADH-AES256-SHA (256/256 bits)) (No client certificate requested) by hub.freebsd.org (Postfix) with ESMTPS id C32D8F2C for ; Sun, 20 Apr 2014 18:31:16 +0000 (UTC) Received: from pacha.mail.dyslexicfish.net (space.mail.dyslexicfish.net [91.109.5.35]) (using TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits)) (Client did not present a certificate) by mx1.freebsd.org (Postfix) with ESMTPS id 5DDE21760 for ; Sun, 20 Apr 2014 18:31:16 +0000 (UTC) Received: from catnip.dyslexicfish.net (space.mail.dyslexicfish.net [91.109.5.35]) by pacha.mail.dyslexicfish.net (8.14.5/8.14.5) with ESMTP id s3KIVCNt054779; Sun, 20 Apr 2014 19:31:13 +0100 (BST) (envelope-from jamie@catnip.dyslexicfish.net) Received: (from jamie@localhost) by catnip.dyslexicfish.net (8.14.5/8.14.5/Submit) id s3KIVCSY054778; Sun, 20 Apr 2014 19:31:12 +0100 (BST) (envelope-from jamie) From: Jamie Landeg-Jones Message-Id: <201404201831.s3KIVCSY054778@catnip.dyslexicfish.net> Date: Sun, 20 Apr 2014 19:31:12 +0100 To: hcoin@quietfountain.com, freebsd-security@freebsd.org Subject: Re: De Raadt + FBSD + OpenSSH + hole? References: <534B11F0.9040400@paladin.bulgarpress.com> <201404141207.s3EC7IvT085450@chronos.org.uk> <201404141232.s3ECWFQ1081178@catnip.dyslexicfish.net> <53522186.9030207@FreeBSD.org> <201404200548.s3K5mV7N055244@catnip.dyslexicfish.net> <53540307.1070708@quietfountain.com> In-Reply-To: <53540307.1070708@quietfountain.com> User-Agent: Heirloom mailx 12.4 7/29/08 MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Transfer-Encoding: 7bit X-Greylist: Sender IP whitelisted, not delayed by milter-greylist-4.2.7 (pacha.mail.dyslexicfish.net [91.109.5.35]); Sun, 20 Apr 2014 19:31:13 +0100 (BST) X-BeenThere: freebsd-security@freebsd.org X-Mailman-Version: 2.1.17 Precedence: list List-Id: "Security issues \[members-only posting\]" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Sun, 20 Apr 2014 18:31:16 -0000 > I wonder how many security holes, both those known and as yet unrevealed > or unknown, would not be of any exploit value if in all security related > libraries and applications the routine to free allocated memory > allocation closest to the user app/library set the newly free memory to > a known pattern or something from /dev/random before returning. And, > similarly, a compiler option causing function returns using more than a > few dozen bytes of stack space to erase the newly freed stack region I'm probably being really dense here, and realise I can't delete this post once sent! But.... Once memory has been freed, I thought any attempt by a user process to access it would cause a SIGSEV. I thought the issue was with programs that inadvertantly expose (either to read or write) other parts of their active memory. Of course, if a process rolls it's own in-process implementation of malloc/free, then this point is moot, but once you free memory back to the system, isn't in no longer accessable anyway? Cheers, Jamie