From owner-freebsd-security@FreeBSD.ORG Tue Nov 6 19:27:12 2012
Date: Tue, 6 Nov 2012 21:27:04 +0200
From: Konstantin Belousov
To: Paul Schenkeveld
Cc: freebsd-security@freebsd.org
Subject: Re: md(4) (swap-base) disks not cleaned on creation
Message-ID: <20121106192704.GM73505@kib.kiev.ua>
In-Reply-To: <20121106184658.GA24262@psconsult.nl>

On Tue, Nov 06, 2012 at 07:46:58PM +0100, Paul Schenkeveld wrote:
> Hi,
> 
> When creating a swap based md(4) it may contain data which to me feels
> like a security leak:
> 
> # mdconfig -a -t swap -s 1m
> md0
> # hd /dev/md0
> 00000000 c0 9b a8 00 08 00 00 00 00 5c 53 00 08 00 00 00 |?.?......\S.....|
> 00000010 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |................|
> *
> 00000250 38 9f a8 00 08 00 00 00 00 5c 53 00 08 00 00 00 |8.?......\S.....|
> 00000260 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |................|
> *
> 00000330 88 a0 a8 00 08 00 00 00 00 5c 53 00 08 00 00 00 |..?......\S.....|
> 00000340 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |................|
> *
> 00000370 e8 a0 a8 00 08 00 00 00 00 5c 53 00 08 00 00 00 |?.?......\S.....|
> 00000380 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |................|
> *
> 000005b0 48 a4 a8 00 08 00 00 00 00 5c 53 00 08 00 00 00 |H??......\S.....|
> 000005c0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |................|
> *
> ^C
> # ls -l /dev/md0
> crw-r----- 1 root operator 0xc8 Nov 6 19:42 /dev/md0
> #
> 
> Although not world-readable, it just doesn't feel right to me.
> 
> Any thoughts?

It is definitely not a security issue. The md device is not user-accessible,
as you noted. A filesystem run over the device needs to ensure that user
processes never get on-disk garbage without first initializing the blocks.

That said, the following patch should fix the nit. I am unsure about it,
because it fixes a mostly non-issue by spending CPU time to zero a page which
would be either zeroed or overwritten right now anyway in normal usage.

diff --git a/sys/dev/md/md.c b/sys/dev/md/md.c
index a86c26a..80982cc 100644
--- a/sys/dev/md/md.c
+++ b/sys/dev/md/md.c
@@ -677,6 +677,9 @@ mdstart_swap(struct md_s *sc, struct bio *bp)
 			sched_unpin();
 			vm_page_wakeup(m);
 			break;
+		} else if (rv == VM_PAGER_FAIL) {
+			/* Pager does not have page */
+			bzero((void *)sf_buf_kva(sf), PAGE_SIZE);
 		}
 		bcopy((void *)(sf_buf_kva(sf) + offs), p, len);
 		cpu_flush_dcache(p, len);
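Review bot: the new `else if (rv == VM_PAGER_FAIL)` branch zeroes the page through the sf_buf mapping but never updates the page's valid bits, so nothing in the hunk records that the page now holds defined contents; unless code outside this hunk already marks it valid, the next read of the same page will take the pager path again and repeat the `bzero`, which is precisely the CPU cost the cover mail is uneasy about. Consider setting `m->valid = VM_PAGE_BITS_ALL` right after the zeroing (and `pmap_zero_page(m)` would zero the page without going through `sf_buf_kva`), and extending the one-line comment to say why the page is deliberately not marked dirty, since it can be recreated as zeros if it is ever thrashed out.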
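A scripted form of the check Paul did by hand with `hd`, added here as an example; it is not part of the original thread or of FreeBSD's own code. It assumes a POSIX sh with od(1) and awk(1), the function names are made up, and the mdconfig commands in the usage comment are taken from the thread and must be run as root on FreeBSD; the bytes in the test below are constructed.

```shell
#!/bin/sh
# Added example, not from the original mail: report whether the first
# NBYTES of a device (or file) read back as all zeros, so a freshly
# created swap-backed md(4) can be checked without eyeballing hd output.

# Print the decimal offset of the first non-zero byte within the first
# NBYTES of PATH; print nothing if those bytes are all zero.
first_nonzero_offset() {
    path=$1
    nbytes=$2
    # od -An -v: no address column and no '*' squeezing of repeated
    # lines, so every byte appears once and offsets can be counted.
    od -An -v -tx1 -N "$nbytes" "$path" |
        awk 'BEGIN { off = 0 }
             {
                 for (i = 1; i <= NF; i++) {
                     if ($i != "00") { print off; exit }
                     off++
                 }
             }'
}

# Exit status 0 when the first NBYTES of PATH are all zero, 1 otherwise.
is_all_zero() {
    [ -z "$(first_nonzero_offset "$1" "$2")" ]
}

# Log-friendly wrapper; the exit status mirrors the check.
check_device_zeroed() {
    off=$(first_nonzero_offset "$1" "$2")
    if [ -z "$off" ]; then
        echo "$1: first $2 bytes are zero"
        return 0
    fi
    echo "$1: non-zero byte at offset $off; device was not cleaned on creation"
    return 1
}

# Usage on FreeBSD (root required; mdconfig prints the unit name, e.g. md0):
#   unit=$(mdconfig -a -t swap -s 1m)
#   check_device_zeroed "/dev/$unit" 1048576
#   mdconfig -d -u "$unit"
```

The check reads only the first NBYTES, so pass the size given to `mdconfig -s`; reading the whole device is what makes the result meaningful, since the stale pages in the thread appear at scattered offsets rather than at the start.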