From owner-freebsd-hackers@FreeBSD.ORG Wed Mar 30 20:53:56 2005
From: Roland Dowdeswell
To: "ALeine"
cc: freebsd-hackers@freebsd.org
cc: phk@phk.freebsd.dk
cc: tech-security@netbsd.org
Subject: Re: A bunch of memory allocation bugs in CGD
Date: Wed, 30 Mar 2005 15:53:19 -0500
In-reply-to: Your message of "Wed, 30 Mar 2005 10:29:53 PST." <200503301829.j2UITrlt010221@marlena.vvi.at>
Message-Id: <20050330205319.2C0BD3700F@arioch.imrryr.org>
Organization: The Fall of Imrryr
User-Agent: nmh-1.0.4 (NetBSD/alpha)
X-Copyright: Copyright 2004, R. C. Dowdeswell. All Rights Reserved.
List-Id: Technical Discussions relating to FreeBSD

On 1112207393 seconds since the Beginning of the UNIX epoch "ALeine" wrote:

>Thanks for responding so quickly.

No problem.

>- the first bug is in cmd_nuke() and could not be seen as much
> of a bug because cmd_nuke() is used to destroy lock sectors.
> If this fails due to memory starvation no sensitive information
> is leaked, only a write(2) call fails and gbde terminates
> correctly upon catching and reporting the write error.

Having a quick read it looks like the call to cmd_nuke() is preceded by
a cmd_open(). cmd_open() loads the decrypted decoded contents of the
lock sector into memory which contain all of the information needed to
decrypt the disk. In cmd_nuke(), the malloc is followed immediately by
a memset(3) which could core dump.

--
    Roland Dowdeswell                      http://www.Imrryr.ORG/~elric/
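The failure mode Roland describes, as an added illustration that is not gbde's or cgd's code: an unchecked malloc(3) handed to memset(3) faults on NULL under memory starvation, and the core file written for that crash captures whatever decrypted lock-sector contents are still live in the process. The `struct lock_sector`, `xmalloc` allocator hook and `nuke_*` functions below are constructed stand-ins, not the real gbde data structures or routines. The hardened version checks the allocation, scrubs the sensitive state before reporting the error, and separately lowers RLIMIT_CORE so that even an unforeseen crash cannot leave key material on disk.

```c
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/resource.h>

/* Constructed stand-in for the decrypted lock-sector contents that
 * cmd_open() leaves in memory; not gbde's real layout. */
struct lock_sector {
    unsigned char key[32];
    unsigned char salt[16];
};

/* Test hook (hypothetical): when set, the allocator reports ENOMEM. */
static int simulate_enomem = 0;

static void *xmalloc(size_t n)
{
    if (simulate_enomem) {
        errno = ENOMEM;
        return NULL;
    }
    return malloc(n);
}

/* Zero memory in a way the optimiser cannot elide; explicit_bzero(3)
 * does this where available, a volatile store loop is the portable form. */
static void scrub(void *p, size_t n)
{
    volatile unsigned char *vp = p;
    while (n--)
        *vp++ = 0;
}

static int is_all_zero(const void *p, size_t n)
{
    const unsigned char *b = p;
    while (n--)
        if (*b++ != 0)
            return 0;
    return 1;
}

/* Constructed sample; the bytes are a pattern, not a real key. */
static struct lock_sector make_sample_lock_sector(void)
{
    struct lock_sector ls;
    size_t i;
    for (i = 0; i < sizeof ls.key; i++)
        ls.key[i] = (unsigned char)(0xa5 ^ i);
    for (i = 0; i < sizeof ls.salt; i++)
        ls.salt[i] = (unsigned char)(0x5a + i);
    return ls;
}

/* The pattern the mail describes: malloc result used by memset with no
 * NULL check. On allocation failure memset writes through address 0, the
 * process dumps core, and the core contains the decrypted lock sector. */
static int nuke_unchecked(size_t sector_size)
{
    unsigned char *buf = xmalloc(sector_size);
    memset(buf, 0xff, sector_size);   /* NULL dereference if xmalloc failed */
    free(buf);
    return 0;
}

/* Hardened form: check the allocation; on failure scrub the sensitive
 * state and return -1 (errno == ENOMEM) so the caller can exit cleanly. */
static int nuke_checked(struct lock_sector *ls, size_t sector_size)
{
    unsigned char *buf = xmalloc(sector_size);
    if (buf == NULL) {
        scrub(ls, sizeof *ls);
        return -1;
    }
    memset(buf, 0xff, sector_size);   /* overwrite pattern for the lock sector */
    /* the write(2) of buf to the lock sector offset would follow here */
    free(buf);
    return 0;
}

/* A process holding key material should not be able to dump core at all. */
static int disable_core_dumps(void)
{
    struct rlimit rl = { 0, 0 };
    return setrlimit(RLIMIT_CORE, &rl);
}

/* Returns 1 if the ENOMEM path reported failure and scrubbed the sector. */
static int enomem_path_scrubs_key(void)
{
    struct lock_sector ls = make_sample_lock_sector();
    int rc;
    simulate_enomem = 1;
    rc = nuke_checked(&ls, 512);
    simulate_enomem = 0;
    return rc == -1 && errno == ENOMEM && is_all_zero(&ls, sizeof ls);
}

/* Returns 1 if the normal path succeeds and leaves the sector untouched. */
static int success_path_keeps_key(void)
{
    struct lock_sector ls = make_sample_lock_sector();
    return nuke_checked(&ls, 512) == 0 && !is_all_zero(&ls, sizeof ls);
}

int main(void)
{
    if (disable_core_dumps() != 0)
        perror("setrlimit(RLIMIT_CORE)");
    printf("ENOMEM path scrubs key: %s\n", enomem_path_scrubs_key() ? "yes" : "no");
    printf("success path keeps key: %s\n", success_path_keeps_key() ? "yes" : "no");
    /* Set CGD_DEMO_CRASH=1 in the environment to run the unchecked variant
     * under simulated starvation and observe the NULL-dereference crash. */
    if (getenv("CGD_DEMO_CRASH") != NULL) {
        simulate_enomem = 1;
        nuke_unchecked(512);
    }
    return 0;
}
```

The scrub in the failure path matters only because the caller still holds the decrypted sector at that point; disabling core dumps is the independent safeguard for the crashes nobody anticipated.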