From owner-freebsd-hackers@FreeBSD.ORG Wed Mar 30 16:00:24 2005
Delivered-To: freebsd-hackers@freebsd.org
Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 1E6B716A4CE; Wed, 30 Mar 2005 16:00:24 +0000 (GMT)
Received: from arioch.imrryr.org (arioch.imrryr.org [216.254.67.142]) by mx1.FreeBSD.org (Postfix) with ESMTP id 8605343D2F; Wed, 30 Mar 2005 16:00:23 +0000 (GMT) (envelope-from elric@imrryr.org)
Received: from imrryr.org (localhost [127.0.0.1]) by arioch.imrryr.org (Postfix) with ESMTP id 1AE6837010; Wed, 30 Mar 2005 10:59:47 -0500 (EST)
To: "ALeine"
In-reply-to: Your message of "Wed, 30 Mar 2005 05:55:17 PST." <200503301355.j2UDtHrV005944@marlena.vvi.at>
Organization: The Fall of Imrryr
User-Agent: nmh-1.0.4 (NetBSD/alpha)
X-Copyright: Copyright 2004, R. C. Dowdeswell. All Rights Reserved.
X-Window-System: Release 6.3
Date: Wed, 30 Mar 2005 10:59:47 -0500
From: Roland Dowdeswell
Message-Id: <20050330155947.1AE6837010@arioch.imrryr.org>
cc: freebsd-hackers@freebsd.org
cc: phk@phk.freebsd.dk
cc: tech-security@netbsd.org
Subject: Re: A bunch of memory allocation bugs in CGD
X-BeenThere: freebsd-hackers@freebsd.org
X-Mailman-Version: 2.1.1
Precedence: list
List-Id: Technical Discussions relating to FreeBSD
X-List-Received-Date: Wed, 30 Mar 2005 16:00:24 -0000

On 1112190917 seconds since the Beginning of the UNIX epoch "ALeine" wrote:
>
> I took a quick look at the latest NetBSD CGD code and found
> out that out of 19 memory allocation operations 11 (almost 60%)
> are done in a way that could lead to a segmentation violation
> which would leave behind a core dump full of sensitive
> information that could be used to compromise a CGD encrypted
> disk.
> While this attack is not very practical since it requires
> the attacker to be able to cause resource starvation at a
> specific time when cgdconfig is used, it is still possible.
> Here are the details...

Thanks for having a look at that. I have checked in a fix.

I presume that you have addressed the cases in GBDE where malloc's
return code has not been checked? If so, perhaps cvsweb is a little
behind. It looks to me like 2 or 4 mallocs can use a buffer without
checking the return code.

I am not convinced that you'd be able to exploit these in either CGD
or GBDE because {Net,Free}BSD use an overcommit strategy for memory
allocation, so it is unlikely that the process will be denied memory.
It will just get killed without a core dump when it tries to
instantiate memory that does not exist.

All that said, I've fixed the problem and will be submitting a pullup
request for the next NetBSD release.

--
    Roland Dowdeswell                      http://www.Imrryr.ORG/~elric/
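The bug class the thread is about, as an added C example that is not cgdconfig or gbde code (every function name here is hypothetical): an allocation whose result is used without a check, the checked form that fails closed, scrubbing the key before it is freed, and RLIMIT_CORE set to zero so that a crash from any remaining bug cannot write key material into a core file. The always-failing allocator is a constructed stand-in for the resource starvation ALeine describes, so the failure path can be exercised without exhausting memory.

```c
/* Added example, not cgdconfig/gbde code: unchecked vs. checked malloc()
 * in a tool that holds disk keys, plus the process-level mitigations.
 * All names are hypothetical. */
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/resource.h>

typedef void *(*alloc_fn)(size_t);

/* Constructed stand-in for resource starvation: an allocator that always
 * fails, so the error path below runs without exhausting real memory. */
void *failing_alloc(size_t n) { (void)n; return NULL; }

/* Vulnerable form (what the thread describes): the allocator's result is
 * used without a check. Under starvation memcpy() writes through NULL, the
 * process dies with SIGSEGV and, unless core dumps are disabled, the key
 * bytes it already holds are written to disk. Kept as a comment only so
 * this block runs without crashing:
 *
 *   uint8_t *copy = alloc(len);
 *   memcpy(copy, key, len);     // no NULL check
 */

/* Checked form: fail closed, report the error, never touch the pointer.
 * Returns 0 on success, -1 when the allocation fails. */
int copy_key_checked(alloc_fn alloc, const uint8_t *key, size_t len,
                     uint8_t **out)
{
    *out = NULL;
    uint8_t *copy = alloc(len);
    if (copy == NULL)
        return -1;                /* caller reports ENOMEM and exits cleanly */
    memcpy(copy, key, len);
    *out = copy;
    return 0;
}

/* Scrub a secret before freeing it. Writing through a volatile pointer keeps
 * the compiler from dropping the "dead" stores as it may with memset(). */
void secure_free(uint8_t *buf, size_t len)
{
    if (buf == NULL)
        return;
    volatile uint8_t *p = buf;
    while (len--)
        *p++ = 0;
    free(buf);
}

/* Refuse to write a core file at all, so a crash from any bug that is still
 * present cannot leak key material. Returns setrlimit()'s result (0 = ok). */
int disable_core_dumps(void)
{
    struct rlimit rl = { 0, 0 };
    return setrlimit(RLIMIT_CORE, &rl);
}

int main(void)
{
    static const uint8_t key[16] = "constructed-key";   /* constructed sample */
    uint8_t *copy;

    if (disable_core_dumps() != 0)
        perror("setrlimit(RLIMIT_CORE)");

    /* Starved allocator: error is reported, nothing is dereferenced. */
    if (copy_key_checked(failing_alloc, key, sizeof key, &copy) != 0)
        puts("allocation failed: reported, not dereferenced");

    /* Normal allocator: copy, use, scrub, free. */
    if (copy_key_checked(malloc, key, sizeof key, &copy) == 0) {
        puts("key copied");
        secure_free(copy, sizeof key);
    }
    return 0;
}
```

Roland's overcommit remark is why the rlimit matters in practice: on an overcommitting system malloc() rarely returns NULL, so the NULL check seldom fires for this particular threat, and a core-file limit of zero is what actually keeps key bytes off disk when a process holding them dies for any reason.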