From: "Garance A Drosehn"
To: "Jamie Landeg-Jones"
Subject: Re: De Raadt + FBSD + OpenSSH + hole?
Date: Mon, 21 Apr 2014 11:13:24 -0400
Message-ID: <5C4F945A-E156-4AAB-8C59-1D9385BE467A@rpi.edu>
In-Reply-To: <201404210306.s3L36JfU020865@catnip.dyslexicfish.net>
Cc: hcoin@quietfountain.com, freebsd-security@freebsd.org

On 20 Apr 2014, at 23:06, Jamie Landeg-Jones wrote:

> "hcoin" wrote:
>
>> local variables) harms performance. It's also true doing both of these
>> things would not fix the flaw that 'opened the window' onto these data.
>> However it is true that doing so would make the exploit valueless as
>> 'opening a window' onto erased data would reveal nothing and could erase
>> trojan/virus 'hijack via code-injection then trampoline' opportunities.
>
> In the heartbleed case, was the bug returning stale freed memory, though?
> Couldn't it just as easily have been that the over-read was returning any
> other memory that the process has had allocated for other variables - data
> that was still in use?

The Heartbleed case is totally an error in OpenSSL, because it does not
really use the system malloc/free. It mallocs a huge chunk of memory from
the system when it starts up, and then it has its own routines which manage
that memory. As far as the operating system is concerned, it can't touch
any of that memory, even though OpenSSL is using it over-and-over for
whatever it needs memory for. OpenSSL did this, of course, for performance
reasons.

So in the case of OpenSSL, the problem was that the code *never* returned
memory, no matter how stale and unreferenced the data was.

-- 
Garance Alistair Drosehn                =     drosih@rpi.edu
Senior Systems Programmer               or   gad@FreeBSD.org
Rensselaer Polytechnic Institute;             Troy, NY;  USA
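The two questions raised in this exchange (hcoin: would erasing memory on free make the over-read worthless? Jamie: or was it returning memory still in use?) can be separated with a small constructed model. The code below is an added example, not part of the thread and not OpenSSL's code: a toy LIFO freelist of fixed-size blocks carved from one pool stands in for the "own routines which manage that memory" described above, and a Heartbeat-style echo handler copies the peer-claimed length without checking it against the bytes that actually arrived. The secrets, record layout and block size are all made up for the demonstration.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Constructed stand-in (not OpenSSL's allocator): a LIFO freelist of
 * fixed-size blocks carved from one pool. Freed blocks are recycled
 * as-is unless scrub_on_free is set. */
#define BUF_SIZE 64
#define NBUFS    4

static unsigned char pool[NBUFS * BUF_SIZE];
static int free_stack[NBUFS];
static int free_top;
static int scrub_on_free;

static void pool_init(int scrub)
{
    memset(pool, 0, sizeof pool);
    scrub_on_free = scrub;
    free_top = 0;
    for (int i = NBUFS - 1; i >= 0; i--)   /* block 0 ends up on top */
        free_stack[free_top++] = i;
}

static unsigned char *pool_alloc(void)
{
    return free_top ? pool + (size_t)free_stack[--free_top] * BUF_SIZE : NULL;
}

static void pool_free(unsigned char *p)
{
    if (scrub_on_free)
        memset(p, 0, BUF_SIZE);          /* hcoin's proposal: erase on free */
    free_stack[free_top++] = (int)((p - pool) / BUF_SIZE);
}

/* Heartbeat-style echo. Record layout (constructed): [type][len_hi][len_lo]
 * [payload...]. The handler trusts the claimed length and never compares
 * it with rec_len, the number of bytes that actually arrived. */
static size_t heartbeat_reply(const unsigned char *rec, size_t rec_len,
                              unsigned char *out, size_t out_cap)
{
    if (rec_len < 3)
        return 0;
    size_t claimed = ((size_t)rec[1] << 8) | rec[2];   /* attacker-controlled */
    /* missing: if (claimed > rec_len - 3) reject */
    if (claimed > out_cap)
        claimed = out_cap;     /* demo guard only, so we never leave pool[] */
    memcpy(out, rec + 3, claimed);
    return claimed;
}

/* NUL-tolerant substring search over the raw reply bytes. */
static int contains(const unsigned char *hay, size_t n, const char *needle)
{
    size_t m = strlen(needle);
    for (size_t i = 0; i + m <= n; i++)
        if (memcmp(hay + i, needle, m) == 0)
            return 1;
    return 0;
}

/* Case 1: stale data. A block that held a secret is freed and recycled for
 * the incoming record; the over-read returns whatever the short record did
 * not overwrite. Returns 1 if the secret shows up in the reply. */
static int leaks_freed_secret(int scrub)
{
    static const char secret[] = "server-private-key-material";  /* constructed */
    unsigned char out[2 * BUF_SIZE];

    pool_init(scrub);
    unsigned char *old = pool_alloc();
    memcpy(old, secret, sizeof secret);
    pool_free(old);                       /* LIFO: next alloc returns this block */

    unsigned char *rec = pool_alloc();    /* 3-byte payload, claims 60 bytes */
    rec[0] = 1; rec[1] = 0; rec[2] = 60;
    memcpy(rec + 3, "abc", 3);

    size_t n = heartbeat_reply(rec, 6, out, sizeof out);
    return contains(out, n, "private-key-material");
}

/* Case 2: live data. The neighbouring block is still allocated when the
 * over-read runs past the record's own block. Scrubbing on free cannot
 * help here; only the length check can. Returns 1 if it leaks. */
static int leaks_live_neighbour(int scrub)
{
    static const char secret[] = "session-ticket-key";   /* constructed */
    unsigned char out[2 * BUF_SIZE];

    pool_init(scrub);
    unsigned char *rec  = pool_alloc();   /* pool offset 0 */
    unsigned char *live = pool_alloc();   /* pool offset 64, never freed */
    memcpy(live, secret, sizeof secret);

    rec[0] = 1; rec[1] = 0; rec[2] = 100; /* 100 bytes from rec+3 spans into 'live' */
    memcpy(rec + 3, "abc", 3);

    size_t n = heartbeat_reply(rec, 6, out, sizeof out);
    return contains(out, n, secret);
}

int main(void)
{
    printf("freed secret, no scrub : %d\n", leaks_freed_secret(0));
    printf("freed secret, scrub    : %d\n", leaks_freed_secret(1));
    printf("live neighbour, scrub  : %d\n", leaks_live_neighbour(1));
    return 0;
}
```

Erasing on free removes the stale-data leak (case 1 goes from 1 to 0) but leaves the in-use leak of case 2 untouched, which is the distinction Jamie is asking about: scrubbing shrinks what an over-read can recover, while only the bounds check on the claimed length closes the window itself.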