From: Konstantin Belousov <kostikbel@gmail.com>
To: Paul Schenkeveld
Cc: freebsd-security@freebsd.org
Date: Wed, 7 Nov 2012 15:44:47 +0200
Subject: Re: md(4) (swap-base) disks not cleaned on creation
Message-ID: <20121107134447.GO73505@kib.kiev.ua>
In-Reply-To: <20121107131436.GA9838@psconsult.nl>

On Wed, Nov 07, 2012 at 02:14:36PM +0100, Paul Schenkeveld wrote:
> On Wed, Nov 07, 2012 at 06:03:46PM +1100, Dewayne Geraghty wrote:
> > An excellent example of where swap shouldn't be used. It isn't the use of the swap file that is the issue, it is how the output of
> > using swap is used. PHK was right in his advice to not use swap.
> >
> > Good catch, nanobsd.sh should be changed.
>
> I tend to disagree. Nanobsd.sh is just an example but there may be more
> uses of swap-based md(4) devices where ultimately swap contents are
> leaked to unprivileged users or processes. Des@ mentioned md(4) devices
> made available to jails where the root inside the jail is definitely not
> the same as the root outside the jail.
>
> All of us (I hope) have been educated with the wisdom that memory
> returned by malloc() and friends is safe to use which may raise the
> expectation (at least it did to me) that mdconfig'd memory follows the
> same principles of security.

It is the reverse: malloc-ed memory is not guaranteed to have any predefined content. But its content does not cross security boundaries.
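As an added example (not code from the thread, nor from nanobsd.sh), a small POSIX sh check for the behaviour discussed above: it creates a swap-backed md(4) device with FreeBSD's mdconfig(8), counts the non-zero bytes in its initial contents, and zero-fills it before any filesystem is built on it. The `mdconfig -a -t swap -s` invocation is real; the helper function names are my own.

```shell
#!/bin/sh
# Added example: detect stale data on a fresh swap-backed md(4) device and
# zero it before use. Assumes FreeBSD's mdconfig(8) for the device step;
# the helpers below are plain POSIX sh and work on any system.

# count_nonzero_bytes DEV NBLOCKS: number of non-zero bytes in the first
# NBLOCKS MiB of DEV. 0 means that region reads back as all zeros.
count_nonzero_bytes() {
    dd if="$1" bs=1048576 count="$2" 2>/dev/null | tr -d '\000' | wc -c | tr -d ' '
}

# zero_fill DEV NBLOCKS: overwrite the first NBLOCKS MiB of DEV with zeros,
# so whatever the swap pager handed out never reaches the filesystem image.
zero_fill() {
    dd if=/dev/zero of="$1" bs=1048576 count="$2" conv=notrunc 2>/dev/null
}

# check_and_clean_md SIZE_MB: create a swap-backed md(4) device of SIZE_MB
# MiB, report on stderr whether it came up clean, zero it, and print the
# unit name (e.g. md0). Requires root on FreeBSD; the caller detaches it
# later with mdconfig -d -u.
check_and_clean_md() {
    size_mb=$1
    unit=$(mdconfig -a -t swap -s "${size_mb}m") || return 1
    dev=/dev/$unit
    stale=$(count_nonzero_bytes "$dev" "$size_mb")
    if [ "$stale" -ne 0 ]; then
        echo "$dev: $stale non-zero bytes before first write (stale data)" >&2
    else
        echo "$dev: reads as all zeros" >&2
    fi
    zero_fill "$dev" "$size_mb"
    echo "$unit"
}

# Only touch mdconfig when actually running as root on FreeBSD.
if [ "$(uname -s)" = FreeBSD ] && [ "$(id -u)" = 0 ]; then
    md=$(check_and_clean_md 64)
    # newfs and populate /dev/$md here, then: mdconfig -d -u "$md"
fi
```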