From owner-freebsd-security Wed Feb 19 12:21:56 1997
To: Andrew Kosyakov
Subject: Re: Coredumps and setuids .. interesting..
Cc: rbezuide@oskar.nanoteq.co.za (Reinier Bezuidenhout), dg@root.com, jas@flyingfox.COM, security@freebsd.org
In-reply-to: Your message of "Wed, 19 Feb 1997 15:34:56 +0300." <199702191234.PAA10870@magrathea.chance.ru>
References: <199702191234.PAA10870@magrathea.chance.ru>
Date: Wed, 19 Feb 1997 13:20:55 -0700
From: Warner Losh
Sender: owner-security@freebsd.org

In message <199702191234.PAA10870@magrathea.chance.ru> Andrew Kosyakov writes: : --- hash_buf.c.old Tue Oct 15 14:24:48 1996 : +++ hash_buf.c Tue Oct 15 14:24:13 1996 : 
@@ -324,7 +324,10 @@ : /* Check if we are freeing stuff */ : if (do_free) { : if (bp->page) : + { : + memset(bp->page,0,hashp->BSIZE); : free(bp->page); : + } : BUF_REMOVE(bp); : free(bp); : bp = LRU;

I think this is an excellent idea, but an incomplete one. I think that we should do this, but hack the db code so that you have to request that this be done. Then the pw routines would set this flag. Testing this flag is very cheap and no one would notice. This would also firewall the pw database somewhat at a very low cost.

I agree that keeping this from coredumping in the first place is by far the best solution, limiting the damage when there are bugs in the kernel should be done when the cost can be shown to be small for those programs that use the same feature, but don't need the protection.

--- hash_buf.c.old Tue Oct 15 14:24:48 1996 +++ hash_buf.c Tue Oct 15 14:24:13 1996 @@ -324,7 +324,10 @@ /* Check if we are freeing stuff */ if (do_free) { if (bp->page) + { + if (bp->flags & ZERO_ON_FREE) + memset(bp->page,0,hashp->BSIZE); free(bp->page); + } BUF_REMOVE(bp); free(bp); bp = LRU;

with other changes to propagate this flag, define it, that I've not yet done.

Comments?

Warner
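
Review bot: In the quoted hunk from Andrew Kosyakov, `memset(bp->page,0,hashp->BSIZE);` is immediately followed by `free(bp->page);`, so an optimizing compiler is entitled to treat the clear as a dead store and drop it, which would leave the page contents in the heap exactly as before. Do the clear in a way the compiler cannot elide, for example by writing the zeros through a volatile-qualified pointer or by calling a clearing routine the C library guarantees is not optimized away (explicit_bzero, where the platform provides it). A smaller style point: the added braces sit on their own lines while the surrounding context uses `if (do_free) {`, so the opening brace would match the file better on the `if (bp->page)` line.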
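
Review bot: In Warner Losh's hunk, the test `if (bp->flags & ZERO_ON_FREE)` reads a per-buffer field, while the message describes a request made once for the database by the pw routines. Unless every path that creates or recycles a buffer copies the bit into `bp->flags`, some pages will be freed without being cleared. `hashp` is already in scope here for `hashp->BSIZE`, so keeping the option in the table state and testing it there would cover all buffers of that database without per-buffer propagation. Whichever field carries it, `ZERO_ON_FREE` needs a definition whose value does not collide with any bits already kept in that field, and the option should be documented alongside the other open-time settings. The dead-store concern with `memset` directly before `free` applies to this version as well. Last, the hunk header still reads `+324,10` although the new side now has eleven lines, so the patch as posted will not apply cleanly.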