Date: Tue, 05 Sep 2017 19:47:22 +0000 From: bugzilla-noreply@freebsd.org To: freebsd-bugs@FreeBSD.org Subject: [Bug 222077] geli(8) writing uninitialized memory out to disk Message-ID: <bug-222077-8-LGdGwCApt1@https.bugs.freebsd.org/bugzilla/> In-Reply-To: <bug-222077-8@https.bugs.freebsd.org/bugzilla/> References: <bug-222077-8@https.bugs.freebsd.org/bugzilla/>
next in thread | previous in thread | raw e-mail | index | archive | help
https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=3D222077 --- Comment #2 from Conrad Meyer <cem@freebsd.org> --- It seems like the math in g_eli_auth_run (g_eli_integrity.c) is kind of dubious, even ignoring the data leak. Does it even work? I think it is ma= king some invalid assumptions about C division rounding. It looks like the logic was copied from g_eli_crypto_run (g_eli_privacy.c). I suspect this change wouldn't hurt, but I don't think it fixes the problem: --- a/sys/geom/eli/g_eli_integrity.c +++ b/sys/geom/eli/g_eli_integrity.c @@ -445,7 +445,7 @@ g_eli_auth_run(struct g_eli_worker *wr, struct bio *bp) size +=3D sizeof(*crda) * nsec; size +=3D G_ELI_AUTH_SECKEYLEN * nsec; size +=3D sizeof(uintptr_t); /* Space for alignment. */ - data =3D malloc(size, M_ELI, M_WAITOK); + data =3D malloc(size, M_ELI, M_WAITOK | M_ZERO); bp->bio_driver2 =3D data; p =3D data + encr_secsize * nsec; } I think "nsec" is calculated wrong (and differently!) in both g_eli_auth_write_done and g_eli_auth_run. Probably avoid using geli in integrity mode if you care about privacy, for = now. --=20 You are receiving this mail because: You are the assignee for the bug.=
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?bug-222077-8-LGdGwCApt1>