From: John Nielsen
To: Oliver Brandmueller
Cc: FreeBSD stable
Subject: Re: OpenSSL CVE-2014-0160 (openssl) in 10-STABLE workaround?
Date: Thu, 10 Apr 2014 16:52:13 -0600
In-Reply-To: <20140408180026.GC2676@e-Gitt.NET>

Apparently OpenSSL intentionally subverts malloc, which is why the issue exists at all...

See also (cribbed, I confess, from Slashdot):

http://article.gmane.org/gmane.os.openbsd.misc/211963
http://www.tedunangst.com/flak/post/heartbleed-vs-mallocconf
http://www.tedunangst.com/flak/post/analysis-of-openssl-freelist-reuse

On Apr 8, 2014, at 12:00 PM, Oliver Brandmueller wrote:

> Hi,
>
> till it's fixed in base (which I hope is very soon) (or you replace
> openssl in base with the fixed version from ports or patch manually):
>
> Would it probably help (with the performance impact in mind) to set
> malloc option junk:true to lower the risk of leaking information?
>
> manpage says:
>
>     "opt.junk" (bool) r- [--enable-fill]
>         Junk filling enabled/disabled. If enabled, each byte of
>         uninitialized allocated memory will be initialized to 0xa5. All
>         deallocated memory will be initialized to 0x5a. This is intended
>         for debugging and will impact performance negatively. This option
>         is disabled by default unless --enable-debug is specified during
>         configuration, in which case it is enabled by default unless
>         running inside Valgrind[2].
>
> as opposed to:
>
>     "opt.zero" (bool) r- [--enable-fill]
>         Zero filling enabled/disabled. If enabled, each byte of
>         uninitialized allocated memory will be initialized to 0. Note that
>         this initialization only happens once for each byte, so realloc and
>         rallocm calls do not zero memory that was previously allocated.
>         This is intended for debugging and will impact performance
>         negatively. This option is disabled by default.
>
>
> Anyone with better insights could comment on that?
>
> - Oliver
>
>
> --
> | Oliver Brandmueller          http://sysadm.in/         ob@sysadm.in |
> | I am the Internet. As truly as I help God.                          |
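
The point made in the reply above, as an added example that is not part of the original thread and is not OpenSSL code: fill options such as opt.junk and opt.zero act only inside malloc() and free(), so a buffer that an application recycles through its own cache keeps its old contents. The one-slot cache, the function names and the sample secret are all constructed for illustration.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define BUF_SIZE 64

/* One-slot application-level freelist (hypothetical, not OpenSSL's). */
static void *cached;

/* Hand back the cached buffer if present; call malloc() only when empty. */
static void *buf_get(void)
{
    void *p = cached ? cached : malloc(BUF_SIZE);
    cached = NULL;
    return p;
}

/* Release goes to the cache, not to free(), so fill-on-free never runs. */
static void buf_put(void *p, int scrub)
{
    if (scrub)
        memset(p, 0, BUF_SIZE);   /* hardened variant: clear before reuse */
    if (cached == NULL)
        cached = p;
    else
        free(p);
}

/* Returns 1 if the next user of the buffer can read the previous user's data. */
int stale_data_visible(int scrub)
{
    static const char secret[] = "constructed-sample-secret";
    char *a = buf_get();
    if (a == NULL)
        return -1;
    memcpy(a, secret, sizeof secret);
    buf_put(a, scrub);

    char *b = buf_get();          /* same memory, handed straight back */
    int visible = memcmp(b, secret, sizeof secret) == 0;
    free(b);
    return visible;
}

int main(void)
{
    printf("cache only:   stale data visible = %d\n", stale_data_visible(0));
    printf("scrub on put: stale data visible = %d\n", stale_data_visible(1));
    return 0;
}
```

Because the allocator is never entered between the release and the reuse, neither its fill-on-free nor its fill-on-allocate can run on that buffer; only the scrub done by the cache itself clears the old data.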