Date: Thu, 10 Apr 2014 16:52:13 -0600
From: John Nielsen <lists@jnielsen.net>
To: Oliver Brandmueller <ob@e-Gitt.NET>
Cc: FreeBSD stable <freebsd-stable@freebsd.org>
Subject: Re: OpenSSL CVE-2014-0160 (openssl) in 10-STABLE workaround?
Message-ID: <FD87881F-D274-4F1D-9B10-F55F25B3EBD9@jnielsen.net>
In-Reply-To: <20140408180026.GC2676@e-Gitt.NET>
References: <20140408180026.GC2676@e-Gitt.NET>
Apparently OpenSSL intentionally subverts malloc, which is why the issue exists at all... See also (cribbed, I confess, from Slashdot):

http://article.gmane.org/gmane.os.openbsd.misc/211963
http://www.tedunangst.com/flak/post/heartbleed-vs-mallocconf
http://www.tedunangst.com/flak/post/analysis-of-openssl-freelist-reuse

On Apr 8, 2014, at 12:00 PM, Oliver Brandmueller <ob@e-Gitt.NET> wrote:

> Hi,
>
> till it's fixed in base (which I hope is very soon) (or you replace
> openssl in base with the fixed version from ports or patch manually):
>
> Would it probably help (with the performance impact in mind) to set
> malloc option junk:true to lower the risk of leaking information?
>
> manpage says:
>
> "opt.junk" (bool) r- [--enable-fill]
>     Junk filling enabled/disabled. If enabled, each byte of
>     uninitialized allocated memory will be initialized to 0xa5. All
>     deallocated memory will be initialized to 0x5a. This is intended
>     for debugging and will impact performance negatively. This option
>     is disabled by default unless --enable-debug is specified during
>     configuration, in which case it is enabled by default unless
>     running inside Valgrind[2].
>
> as opposed to:
>
> "opt.zero" (bool) r- [--enable-fill]
>     Zero filling enabled/disabled. If enabled, each byte of
>     uninitialized allocated memory will be initialized to 0. Note that
>     this initialization only happens once for each byte, so realloc and
>     rallocm calls do not zero memory that was previously allocated.
>     This is intended for debugging and will impact performance
>     negatively. This option is disabled by default.
>
>
> Anyone with better insights could comment on that?
>
> - Oliver
>
>
> --
> | Oliver Brandmueller http://sysadm.in/ ob@sysadm.in |
> | I am the Internet. As surely as I help God. |
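The freelist reuse that John's links describe, as an added example that is not from this thread or from OpenSSL: a hypothetical per-size freelist hands a freed buffer straight back to the next caller without ever reaching the system free(), so a malloc-level junk fill such as jemalloc's opt.junk never runs on it; scrubbing at the point where the buffer enters the freelist is what removes the stale bytes. All names and the fill constant are this example's own.

```c
#include <stdlib.h>
#include <string.h>
#include <stdio.h>

/* Toy per-size freelist (hypothetical, modelled on the behaviour the thread
 * discusses): freed blocks are pushed on a list and popped by the next
 * request of the same size. The system allocator is bypassed on reuse, so
 * any free()-time junk filling it would do never happens for these blocks. */
#define BUF_SIZE     64
#define FILL_ON_FREE 0x5a   /* the byte jemalloc's opt.junk writes over freed memory */

struct node { struct node *next; };
static struct node *freelist;

static void *fl_alloc(void) {
    if (freelist) {                     /* reuse: contents are whatever was left there */
        void *p = freelist;
        freelist = freelist->next;
        return p;
    }
    return malloc(BUF_SIZE);            /* only the first allocation reaches malloc */
}

static void fl_free(void *p, int scrub) {
    if (scrub)                          /* what a junk fill would do if free() were reached */
        memset(p, FILL_ON_FREE, BUF_SIZE);
    struct node *n = p;                 /* the link overwrites the first bytes only */
    n->next = freelist;
    freelist = n;
}

/* Returns 1 if bytes of the earlier (constructed) sensitive content are still
 * readable from the block handed out by the next allocation. */
static int stale_bytes_survive(int scrub_on_free) {
    char *a = fl_alloc();
    memset(a, 'S', BUF_SIZE);           /* constructed stand-in for request data */
    fl_free(a, scrub_on_free);
    char *b = fl_alloc();               /* same block, popped off the freelist */
    int survived = memchr(b + sizeof(struct node), 'S',
                          BUF_SIZE - sizeof(struct node)) != NULL;
    free(b);                            /* freelist is empty again */
    return survived;
}

int reuse_without_scrub_leaks(void)   { return stale_bytes_survive(0); }   /* returns 1 */
int scrub_on_free_prevents_leak(void) { return !stale_bytes_survive(1); }  /* returns 1 */

int main(void) {
    printf("stale bytes survive freelist reuse: %d\n", reuse_without_scrub_leaks());
    printf("scrubbing on free removes them:     %d\n", scrub_on_free_prevents_leak());
    return 0;
}
```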
