Date: Mon, 21 Apr 2014 11:13:24 -0400
From: "Garance A Drosehn" <drosih@rpi.edu>
To: "Jamie Landeg-Jones" <jamie@dyslexicfish.net>
Cc: hcoin@quietfountain.com, freebsd-security@freebsd.org
Subject: Re: De Raadt + FBSD + OpenSSH + hole?
Message-ID: <5C4F945A-E156-4AAB-8C59-1D9385BE467A@rpi.edu>
In-Reply-To: <201404210306.s3L36JfU020865@catnip.dyslexicfish.net>
References: <534B11F0.9040400@paladin.bulgarpress.com> <201404141207.s3EC7IvT085450@chronos.org.uk> <201404141232.s3ECWFQ1081178@catnip.dyslexicfish.net> <53522186.9030207@FreeBSD.org> <201404200548.s3K5mV7N055244@catnip.dyslexicfish.net> <53540307.1070708@quietfountain.com> <20140421000122.GS43976@funkthat.com> <53546795.9050304@quietfountain.com> <201404210306.s3L36JfU020865@catnip.dyslexicfish.net>
On 20 Apr 2014, at 23:06, Jamie Landeg-Jones wrote:

> "hcoin" <hcoin@quietfountain.com> wrote:
>
>> local variables) harms performance. It's also true doing both of these
>> things would not fix the flaw that 'opened the window' onto these data.
>> However it is true that doing so would make the exploit valueless as
>> 'opening a window' onto erased data would reveal nothing and could erase
>> trojan/virus 'hijack via code-injection then trampoline' opportunities.
>
> In the heartbleed case, was the bug returning stale freed memory, though?
> Couldn't it just as easily have been that the over-read was returning any
> other memory that the process has had allocated for other variables - data
> that was still in use?

The heartbleed case is totally an error in OpenSSL, because it does not
really use the system malloc/free. It mallocs a huge chunk of memory from
the system when it starts up, and then it has its own routines which manage
that memory. As far as the operating system is concerned, it can't touch
any of that memory, even though OpenSSL is using it over-and-over for
whatever it needs memory for. OpenSSL did this, of course, for performance
reasons.

So in the case of OpenSSL, the problem was that the code *never* returned
memory, no matter how stale and unreferenced the data was.

--
Garance Alistair Drosehn                =      drosih@rpi.edu
Senior Systems Programmer               or   gad@FreeBSD.org
Rensselaer Polytechnic Institute;             Troy, NY;  USA
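The mechanism Garance describes (a process-private pool that recycles blocks without ever handing them back to the system) can be seen in a few dozen lines. The following is an added illustration written for this archive page, not code from the thread, from OpenSSL or from FreeBSD: a constructed toy free-list allocator carved out of one static arena, with a switch for the scrub-on-free mitigation discussed earlier in the thread. With the switch off, a block that is freed and then handed to the next caller still carries its previous occupant's bytes, which is exactly why an over-read into pool memory can expose data the program considered long gone; with the switch on, the recycled block comes back zeroed. The `'S'` fill pattern, the block and arena sizes and the function names are all constructed for the example.

```c
#include <stdio.h>
#include <string.h>
#include <stddef.h>

/* Constructed toy free-list allocator (illustration only; not OpenSSL's code).
 * Every block lives in one static arena that is never released to the OS, and
 * freed blocks are pushed on a LIFO free list for immediate reuse. */
#define BLOCK_SIZE 64
#define NBLOCKS    8

static unsigned char arena[NBLOCKS * BLOCK_SIZE];
static int free_list[NBLOCKS];   /* stack of free block indices */
static int free_top;
static int scrub_on_free;        /* mitigation switch: zero a block when it is freed */

static void pool_init(int scrub)
{
    scrub_on_free = scrub;
    free_top = 0;
    for (int i = NBLOCKS - 1; i >= 0; i--)
        free_list[free_top++] = i;      /* block 0 ends up on top */
    memset(arena, 0, sizeof arena);
}

static unsigned char *pool_alloc(void)
{
    if (free_top == 0)
        return NULL;
    int idx = free_list[--free_top];
    /* Like a fast pool allocator, the block is returned as-is: whatever the
     * previous user left in it is still there unless it was scrubbed on free. */
    return arena + (size_t)idx * BLOCK_SIZE;
}

static void pool_free(unsigned char *p)
{
    int idx = (int)((p - arena) / BLOCK_SIZE);
    if (scrub_on_free)
        memset(p, 0, BLOCK_SIZE);       /* hardened variant: erase before recycling */
    free_list[free_top++] = idx;
}

/* Fill a block with a constructed stand-in for sensitive data, free it, take the
 * next block the pool hands out (the same one, because the free list is LIFO),
 * and count how many bytes of the old contents are still readable.
 * Returns BLOCK_SIZE without scrubbing and 0 with scrubbing. */
int stale_bytes_after_reuse(int scrub)
{
    pool_init(scrub);

    unsigned char *secret = pool_alloc();
    memset(secret, 'S', BLOCK_SIZE);    /* constructed "secret" pattern */
    pool_free(secret);

    unsigned char *reused = pool_alloc();
    int stale = 0;
    for (int i = 0; i < BLOCK_SIZE; i++)
        if (reused[i] == 'S')
            stale++;
    pool_free(reused);
    return stale;
}

int main(void)
{
    printf("stale bytes visible without scrub-on-free: %d\n", stale_bytes_after_reuse(0));
    printf("stale bytes visible with scrub-on-free:    %d\n", stale_bytes_after_reuse(1));
    return 0;
}
```

The point of the example is the asymmetry between the two calls: the system allocator never gets a chance to reclaim or reinitialise anything here, so the only thing standing between a recycled block and its previous contents is whatever the pool itself does at free time.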