From owner-freebsd-security@FreeBSD.ORG Thu Jan 15 15:02:49 2009
Date: Thu, 15 Jan 2009 16:45:00 +0200
From: Jaakko Heinonen
To: freebsd-security@FreeBSD.org
Message-ID: <20090115144459.GA3154@a91-153-125-115.elisa-laajakaista.fi>
Subject: [patch] libc Berkeley DB information leak

Hi,

FreeBSD libc Berkeley DB can leak sensitive information to database files. The problem is that it writes uninitialized memory obtained from malloc(3) to database files.

You can use this simple test program to reproduce the behavior:

http://www.saunalahti.fi/~jh3/dbtest.c

Run the program and see the resulting test.db file, which will contain a sequence of 0xa5 bytes directly from malloc(3). (See the malloc(3) manual page for the explanation of the "J" flag if you need more information.)

This has been reported as PR 123529 (http://www.freebsd.org/cgi/query-pr.cgi?pr=123529), which contains a real information leak case. The PR is assigned to secteam and I have also personally reported it to secteam, but I haven't heard a word from secteam members.

Code to initialize malloc'd memory exists, but the feature must be enabled with the PURIFY macro. With the following patch applied the test program doesn't output 0xa5 bytes to the database file:

%%%
Index: lib/libc/db/hash/hash_buf.c =================================================================== --- lib/libc/db/hash/hash_buf.c (revision 187214) +++ lib/libc/db/hash/hash_buf.c (working copy) @@ -57,6 +57,7 @@ __FBSDID("$FreeBSD$"); #include #include #include +#include #ifdef DEBUG #include
Index: lib/libc/db/Makefile.inc =================================================================== --- lib/libc/db/Makefile.inc (revision 187214) +++ lib/libc/db/Makefile.inc (working copy) @@ -3,6 +3,8 @@ # CFLAGS+=-D__DBINTERFACE_PRIVATE +CFLAGS+=-DPURIFY + .include "${.CURDIR}/db/btree/Makefile.inc" .include "${.CURDIR}/db/db/Makefile.inc" .include "${.CURDIR}/db/hash/Makefile.inc"
%%%

Could someone consider committing this or some other fix for the problem?

-- 
Jaakko
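Review bot: in the hash_buf.c hunk (@@ -57,6 +57,7 @@) the header name on the added `+#include` line was lost in extraction, so it cannot be checked here that it declares the routine used by the initialization code that PURIFY enables; when resending, make the header visible, and state whether the include is meant to be unconditional (as written) or should sit under the same `#ifdef PURIFY` guard as the code it serves, so the two cannot drift apart.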
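Review bot: the Makefile.inc hunk (@@ -3,6 +3,8 @@) makes the fix depend on a build flag rather than on the source: `CFLAGS+=-DPURIFY` is added before the btree, db and hash `.include` lines, so it applies to every backend built from this Makefile, while anyone compiling these db sources without this Makefile.inc gets the uninitialized writes back. Consider either making the initialization unconditional in the code (dropping the `#ifdef PURIFY` guards) or, if the flag stays, adding a comment above `CFLAGS+=-DPURIFY` saying it is enabled to keep uninitialized heap memory out of database files, so a later cleanup does not remove it as a leftover debugging setting.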
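As an added example, not the mail's dbtest.c nor the libc db code: a cut-down model of the defect and of what -DPURIFY changes. The page size, the header layout and junk_malloc (which emulates malloc(3) with the "J" option by filling fresh memory with 0xa5) are constructed assumptions.

```c
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

#define PAGESIZE 256   /* constructed; real db pages are larger */
#define JUNK     0xa5  /* fill byte malloc(3) uses with the "J" option */

/* Hypothetical page header: the only part the writer fills in. */
struct page_hdr {
    uint32_t pgno;
    uint32_t nkeys;
};

/* Emulates malloc(3) with "J": returned memory is filled with 0xa5,
 * standing in for whatever stale heap data a real allocation holds. */
static void *junk_malloc(size_t n)
{
    void *p = malloc(n);
    if (p != NULL)
        memset(p, JUNK, n);
    return p;
}

/* Allocate a page and initialise only its header, as the non-PURIFY
 * path does; the rest is whatever malloc(3) returned. With purify set,
 * the whole page is zeroed first, which is what -DPURIFY turns on. */
static unsigned char *new_page(uint32_t pgno, int purify)
{
    unsigned char *page = junk_malloc(PAGESIZE);
    if (page == NULL)
        return NULL;
    if (purify)
        memset(page, 0, PAGESIZE);
    struct page_hdr hdr = { pgno, 0 };
    memcpy(page, &hdr, sizeof hdr);
    return page;
}

/* Count the bytes of heap junk that would reach the database file when
 * the page is written out; the same scan can be run over a real test.db. */
size_t junk_bytes_written(int purify)
{
    unsigned char *page = new_page(1, purify);
    if (page == NULL)
        return (size_t)-1;
    size_t leaked = 0;
    for (size_t i = 0; i < PAGESIZE; i++)
        if (page[i] == JUNK)
            leaked++;
    free(page);
    return leaked;
}
```

Without the zero fill every byte past the 8-byte header (248 of 256) is heap content; with it, none.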