From owner-freebsd-current@FreeBSD.ORG Thu Feb 12 12:14:18 2009
Delivered-To: current@freebsd.org
MIME-Version: 1.0
In-Reply-To: <6101e8c40901231246j264c3e43y7989d14fb9b77037@mail.gmail.com>
References: <20090115144459.GA3154@a91-153-125-115.elisa-laajakaista.fi> <6101e8c40901231246j264c3e43y7989d14fb9b77037@mail.gmail.com>
Date: Thu, 12 Feb 2009 13:11:00 +0100
Message-ID: <6101e8c40902120410p5b7aedf9j87efd75e1f3d2c59@mail.gmail.com>
From: Oliver Pinter
To: current@freebsd.org
Content-Type: multipart/mixed; boundary=0016364169dd0f41fa0462b79d90
Subject: Fwd: [patch] libc Berkeley DB information leak
List-Id: Discussions about the use of FreeBSD-current

--0016364169dd0f41fa0462b79d90
Content-Type: text/plain; charset=ISO-8859-1
Content-Transfer-Encoding: 7bit

---------- Forwarded message ----------
From: Oliver Pinter
Date: Fri, 23 Jan 2009 21:46:33 +0100
Subject: Re: [patch] libc Berkeley DB information leak
To: Jaakko Heinonen
Cc: freebsd-security@freebsd.org

On 1/15/09, Jaakko Heinonen wrote:
>
> Hi,
>
> FreeBSD libc Berkeley DB can leak sensitive information to database
> files. The problem is that it writes uninitialized memory obtained from
> malloc(3) to database files.
>
> You can use this simple test program to reproduce the behavior:
>
> http://www.saunalahti.fi/~jh3/dbtest.c
>
> Run the program and see the resulting test.db file which will contain a
> sequence of 0xa5 bytes directly from malloc(3). (See malloc(3) manual
> page for the explanation for the "J" flag if you need more information.)
>
> This has been reported as PR 123529
> (http://www.freebsd.org/cgi/query-pr.cgi?pr=123529) which contains a
> real information leak case. The PR is assigned to secteam and I have
> also personally reported it to secteam but I haven't heard a word from
> secteam members.
>
> Code to initialize malloc'd memory exists but the feature must be
> enabled with the PURIFY macro. With the following patch applied
> the test program doesn't output 0xa5 bytes to the database file:
>
> %%% > Index: lib/libc/db/hash/hash_buf.c > =================================================================== > --- lib/libc/db/hash/hash_buf.c (revision 187214) > +++ lib/libc/db/hash/hash_buf.c (working copy) 
> @@ -57,6 +57,7 @@ __FBSDID("$FreeBSD$"); > #include > #include > #include > +#include > > #ifdef DEBUG > #include > Index: lib/libc/db/Makefile.inc > =================================================================== > --- lib/libc/db/Makefile.inc (revision 187214) > +++ lib/libc/db/Makefile.inc (working copy) 
> @@ -3,6 +3,8 @@ > # > CFLAGS+=-D__DBINTERFACE_PRIVATE > > +CFLAGS+=-DPURIFY > + > .include "${.CURDIR}/db/btree/Makefile.inc" > .include "${.CURDIR}/db/db/Makefile.inc" > .include "${.CURDIR}/db/hash/Makefile.inc" > %%%
>
> Could someone consider committing this or some other fix for the
> problem?
>
> --
> Jaakko
> _______________________________________________
> freebsd-security@freebsd.org mailing list
> http://lists.freebsd.org/mailman/listinfo/freebsd-security
> To unsubscribe, send any mail to "freebsd-security-unsubscribe@freebsd.org"
>

--0016364169dd0f41fa0462b79d90
Content-Type: text/x-diff; charset=US-ASCII; name="0001-fix-mem-info-leak.patch"
Content-Disposition: attachment; filename="0001-fix-mem-info-leak.patch"
Content-Transfer-Encoding: base64
X-Attachment-Id: file0
--0016364169dd0f41fa0462b79d90--
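
Review bot: In the quoted lib/libc/db/hash/hash_buf.c hunk (@@ -57,6 +57,7 @@), the added `#include` line shows no header name in this copy, and the description does not say what the new include is for. Name the header and the PURIFY-guarded call that needs it, so a reviewer can confirm the include is required once -DPURIFY is defined.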
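
Review bot: In the quoted lib/libc/db/Makefile.inc hunk, `CFLAGS+=-DPURIFY` is added without a comment, and it is set at the lib/libc/db level, above the btree, db and hash includes, so it is not limited to the hash code the test program exercises. The define is being used here to keep uninitialized malloc(3) memory out of database files, so put a comment saying that above the line, or initialize the buffers unconditionally in the source rather than depending on a macro whose name reads like a debugging aid that could be dropped later.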
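
The failure mode in the forwarded report, as an added example that is not code from the thread, from dbtest.c or from FreeBSD's libc: a page buffer is allocated, only partly filled with a record, and written out whole. `junk_alloc` is a hypothetical stand-in that fills memory with 0xa5, the byte the report says malloc(3)'s "J" flag leaves in test.db; `PAGE_LEN`, `build_page`, `longest_junk_run` and `roundtrip_junk` are names invented here.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#define PAGE_LEN 256 /* hypothetical page size; this whole file is an added example */
#define JUNK 0xa5    /* fill byte the report saw in test.db */
/* Stand-in for malloc(3) with junk filling: returned memory is not zero. */
static unsigned char *junk_alloc(size_t n) {
    unsigned char *p = malloc(n);
    return p ? memset(p, JUNK, n) : NULL;
}

/* Build a page holding one record; zero_first selects the initialized path. */
unsigned char *build_page(const char *rec, int zero_first) {
    unsigned char *page = junk_alloc(PAGE_LEN);
    if (page == NULL || strlen(rec) > PAGE_LEN) { free(page); return NULL; }
    if (zero_first) memset(page, 0, PAGE_LEN);
    memcpy(page, rec, strlen(rec));
    return page;
}

/* Longest run of JUNK bytes: the check to apply to a page read from disk. */
size_t longest_junk_run(const unsigned char *buf, size_t n) {
    size_t best = 0, cur = 0;
    for (size_t i = 0; i < n; i++) {
        cur = (buf[i] == JUNK) ? cur + 1 : 0;
        if (cur > best) best = cur;
    }
    return best;
}

/* Write the whole page to a temp file, read it back, measure what landed. */
size_t roundtrip_junk(const char *rec, int zero_first) {
    unsigned char back[PAGE_LEN] = {0};
    unsigned char *page = build_page(rec, zero_first);
    FILE *f = tmpfile();
    size_t got = 0;
    if (page != NULL && f != NULL && fwrite(page, 1, PAGE_LEN, f) == PAGE_LEN
        && fseek(f, 0L, SEEK_SET) == 0)
        got = fread(back, 1, PAGE_LEN, f);
    if (f != NULL) fclose(f);
    free(page);
    return longest_junk_run(back, got);
}

int main(void) {
    printf("unzeroed: %zu junk bytes\n", roundtrip_junk("key=value", 0));
    printf("zeroed:   %zu junk bytes\n", roundtrip_junk("key=value", 1));
    return 0;
}
```

Everything past the 9-byte record in the unzeroed page is allocator residue, and it reaches the file because the write covers the full page length rather than the record length.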