Date: Thu, 12 Feb 2009 13:11:00 +0100
From: Oliver Pinter <oliver.pntr@gmail.com>
To: current@freebsd.org
Subject: Fwd: [patch] libc Berkeley DB information leak
Message-ID: <6101e8c40902120410p5b7aedf9j87efd75e1f3d2c59@mail.gmail.com>
In-Reply-To: <6101e8c40901231246j264c3e43y7989d14fb9b77037@mail.gmail.com>
References: <20090115144459.GA3154@a91-153-125-115.elisa-laajakaista.fi> <6101e8c40901231246j264c3e43y7989d14fb9b77037@mail.gmail.com>
---------- Forwarded message ----------
From: Oliver Pinter <oliver.pntr@gmail.com>
Date: Fri, 23 Jan 2009 21:46:33 +0100
Subject: Re: [patch] libc Berkeley DB information leak
To: Jaakko Heinonen <jh@saunalahti.fi>
Cc: freebsd-security@freebsd.org

On 1/15/09, Jaakko Heinonen <jh@saunalahti.fi> wrote:
>
> Hi,
>
> FreeBSD libc Berkeley DB can leak sensitive information to database
> files. The problem is that it writes uninitialized memory obtained from
> malloc(3) to database files.
>
> You can use this simple test program to reproduce the behavior:
>
> http://www.saunalahti.fi/~jh3/dbtest.c
>
> Run the program and see the resulting test.db file, which will contain a
> sequence of 0xa5 bytes directly from malloc(3). (See the malloc(3) manual
> page for the explanation of the "J" flag if you need more information.)
>
> This has been reported as PR 123529
> (http://www.freebsd.org/cgi/query-pr.cgi?pr=123529), which contains a
> real information leak case. The PR is assigned to secteam and I have
> also personally reported it to secteam, but I haven't heard a word from
> secteam members.
>
> Code to initialize malloc'd memory exists, but the feature must be
> enabled with the PURIFY macro. With the following patch applied,
> the test program doesn't output 0xa5 bytes to the database file:
>
> %%%
> Index: lib/libc/db/hash/hash_buf.c
> ===================================================================
> --- lib/libc/db/hash/hash_buf.c (revision 187214)
> +++ lib/libc/db/hash/hash_buf.c (working copy)
> @@ -57,6 +57,7 @@ __FBSDID("$FreeBSD$");
> #include <stddef.h>
> #include <stdio.h>
> #include <stdlib.h>
> +#include <string.h>
>
> #ifdef DEBUG
> #include <assert.h>
> Index: lib/libc/db/Makefile.inc
> ===================================================================
> --- lib/libc/db/Makefile.inc (revision 187214)
> +++ lib/libc/db/Makefile.inc (working copy)
> @@ -3,6 +3,8 @@
> #
> CFLAGS+=-D__DBINTERFACE_PRIVATE
>
> +CFLAGS+=-DPURIFY
> +
> .include "${.CURDIR}/db/btree/Makefile.inc"
> .include "${.CURDIR}/db/db/Makefile.inc"
> .include "${.CURDIR}/db/hash/Makefile.inc"
> %%%
>
> Could someone consider committing this or some other fix for the
> problem?
>
> --
> Jaakko

[Attachment: 0001-fix-mem-info-leak.patch, decoded from base64]

From 7bb3bb3955b75478135d8e370bf06818ba708ebf Mon Sep 17 00:00:00 2001
From: Oliver Pinter <p_bp@oliverp.***.bme.hu>
Date: Fri, 23 Jan 2009 04:22:41 +0100
Subject: [PATCH] fix mem info leak

---
 lib/libc/db/hash/hash_buf.c |    4 ++--
 1 files changed, 2 insertions(+), 2 deletions(-)

diff --git a/lib/libc/db/hash/hash_buf.c b/lib/libc/db/hash/hash_buf.c
index db8ad1a..6cff15b 100644
--- a/lib/libc/db/hash/hash_buf.c
+++ b/lib/libc/db/hash/hash_buf.c
@@ -174,12 +174,12 @@ newbuf(hashp, addr, prev_bp)
 	 */
 	if (hashp->nbufs || (bp->flags & BUF_PIN)) {
 		/* Allocate a new one */
-		if ((bp = (BUFHEAD *)malloc(sizeof(BUFHEAD))) == NULL)
+		if ((bp = (BUFHEAD *)calloc(1, sizeof(BUFHEAD))) == NULL)
 			return (NULL);
 #ifdef PURIFY
 		memset(bp, 0xff, sizeof(BUFHEAD));
 #endif
-		if ((bp->page = (char *)malloc(hashp->BSIZE)) == NULL) {
+		if ((bp->page = (char *)calloc(1, hashp->BSIZE)) == NULL) {
 			free(bp);
 			return (NULL);
 		}
-- 
1.6.0.6
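Review bot: the `+#include <string.h>` hunk in Jaakko's hash_buf.c patch is needed only for the `memset()` that sits under `#ifdef PURIFY`, so on its own this hunk changes nothing; it is load-bearing only together with the Makefile.inc hunk that defines PURIFY. Keeping the include unconditional rather than wrapping it in `#ifdef PURIFY` is the right call (it is cheap and keeps the header list honest), but the commit log should say that it is there for the PURIFY `memset()` so nobody removes it as unused.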
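Review bot: the `+CFLAGS+=-DPURIFY` hunk in Makefile.inc turns a debugging macro on for the whole lib/libc/db subtree, with no comment saying that it is now relied on for security rather than for running under a memory checker; a later cleanup could drop the line and silently reintroduce PR 123529. At minimum add a comment above it, e.g. `# PURIFY: initialise freshly allocated pages so uninitialised heap never reaches the file (PR 123529)`; better, fix the two allocations in hash_buf.c directly so that the guarantee does not depend on a build flag.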
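Review bot: in the attached `newbuf()` hunk, once `bp` comes from `calloc(1, sizeof(BUFHEAD))` the `#ifdef PURIFY` / `memset(bp, 0xff, sizeof(BUFHEAD));` / `#endif` block right below it is redundant (and, combined with the -DPURIFY Makefile change from the same thread, just overwrites the zeros with 0xff); drop the PURIFY block or keep only one of the two initialisations. The second change, `calloc(1, hashp->BSIZE)` for `bp->page`, is the one that actually stops uninitialised page contents reaching the database file and works regardless of build flags, which is the better of the two approaches in this thread. The commit message "fix mem info leak" should reference PR 123529 and name the `bp->page` allocation as the one that leaked.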
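Added example, not Jaakko's dbtest.c and not part of either libc patch above: a small C program showing the two defender-side halves of this bug class. `alloc_page_hardened()` allocates a page with calloc(3) so that the slack after the bytes actually written is defined, and `slack_is_clean()` proves it; `count_fill_runs()` scans a page image for long runs of the junk-fill byte (0xa5, what malloc(3) writes under the "J" option), which is the cheap check that tells you whether a database file is carrying heap contents. `DEMO_PAGE_SIZE`, `DEMO_JUNK_BYTE`, the function names and the constructed "leaky" page are all assumptions of the example, not libc's `BSIZE` or its buffer code.

```c
/* Added example, not code from the FreeBSD libc db or from the patches in
 * this thread. Demonstrates (1) allocating a page so that unwritten slack
 * is defined before it is written to disk and (2) scanning a page image for
 * the malloc(3) "J" junk pattern, which is how a leak like PR 123529 shows
 * up in a database file. Sizes and names are assumptions of the demo. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define DEMO_PAGE_SIZE 256     /* assumed page size for the demo, not BSIZE */
#define DEMO_JUNK_BYTE 0xa5    /* value malloc(3) "J" writes into fresh memory */

/* Allocate a zeroed page and copy `len` bytes of payload into it.
 * Returns NULL on allocation failure or if the payload does not fit. */
unsigned char *alloc_page_hardened(const unsigned char *payload, size_t len)
{
    unsigned char *page;

    if (len > DEMO_PAGE_SIZE)
        return NULL;
    /* calloc instead of malloc: every byte not overwritten by the memcpy
     * below is zero, so writing the whole page to disk leaks nothing. */
    page = calloc(1, DEMO_PAGE_SIZE);
    if (page == NULL)
        return NULL;
    memcpy(page, payload, len);
    return page;
}

/* True if every byte after the first `used` bytes of `page` is zero. */
int slack_is_clean(const unsigned char *page, size_t used)
{
    size_t i;

    for (i = used; i < DEMO_PAGE_SIZE; i++)
        if (page[i] != 0)
            return 0;
    return 1;
}

/* Count runs of `fill` at least `min_run` bytes long in `buf`. A database
 * page should never contain such runs; leaked junk-filled heap shows up as
 * one long run per leaked allocation. */
size_t count_fill_runs(const unsigned char *buf, size_t len,
                       unsigned char fill, size_t min_run)
{
    size_t runs = 0, cur = 0, i;

    for (i = 0; i < len; i++) {
        if (buf[i] == fill) {
            cur++;
        } else {
            if (cur >= min_run)
                runs++;
            cur = 0;
        }
    }
    if (cur >= min_run)
        runs++;
    return runs;
}

/* Build a constructed "leaky page": a short record followed by the junk-fill
 * tail an uninitialised malloc'd page carries under malloc "J". Returns the
 * number of bytes that were actually meant to be written. */
size_t build_leaky_page(unsigned char *out)
{
    static const unsigned char record[] = "key\0value";  /* 10 bytes incl. NULs */

    memset(out, DEMO_JUNK_BYTE, DEMO_PAGE_SIZE);  /* what malloc "J" leaves behind */
    memcpy(out, record, sizeof record);           /* the only bytes we meant to write */
    return sizeof record;
}

int main(void)
{
    unsigned char leaky[DEMO_PAGE_SIZE];
    size_t used = build_leaky_page(leaky);
    unsigned char *clean = alloc_page_hardened(leaky, used);

    if (clean == NULL)
        return 1;
    printf("malloc-style page: %zu junk run(s) >= 16 bytes, slack clean: %d\n",
           count_fill_runs(leaky, DEMO_PAGE_SIZE, DEMO_JUNK_BYTE, 16),
           slack_is_clean(leaky, used));
    printf("calloc page:       %zu junk run(s) >= 16 bytes, slack clean: %d\n",
           count_fill_runs(clean, DEMO_PAGE_SIZE, DEMO_JUNK_BYTE, 16),
           slack_is_clean(clean, used));
    free(clean);
    return 0;
}
```

Running `count_fill_runs()` over a real test.db with the junk byte of the allocator in use (0xa5 for FreeBSD's malloc "J") is a quick regression check for this fix: a clean build reports zero runs, a leaking one reports one run per page that carried uninitialised heap.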