From: Paul Schenkeveld
To: freebsd-security@freebsd.org
Date: Tue, 6 Nov 2012 20:59:36 +0100
Subject: Re: md(4) (swap-base) disks not cleaned on creation
Message-ID: <20121106195936.GA54581@psconsult.nl>
In-Reply-To: <20121106192704.GM73505@kib.kiev.ua>
References: <20121106184658.GA24262@psconsult.nl> <20121106192704.GM73505@kib.kiev.ua>

On Tue, Nov 06, 2012 at 09:27:04PM +0200, Konstantin Belousov wrote:
> On Tue, Nov 06, 2012 at 07:46:58PM +0100, Paul Schenkeveld wrote:
> > Hi,
> >
> > When creating a swap based md(4) it may contain data which to me feels
> > like a security leak:
> >
> > # mdconfig -a -t swap -s 1m
> > md0
> > # hd /dev/md0
> > 00000000  c0 9b a8 00 08 00 00 00  00 5c 53 00 08 00 00 00  |?.?......\S.....|
> > 00000010  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  |................|
> > *
> > 00000250  38 9f a8 00 08 00 00 00  00 5c 53 00 08 00 00 00  |8.?......\S.....|
> > 00000260  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  |................|
> > *
> > 00000330  88 a0 a8 00 08 00 00 00  00 5c 53 00 08 00 00 00  |.š?......\S.....|
> > 00000340  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  |................|
> > *
> > 00000370  e8 a0 a8 00 08 00 00 00  00 5c 53 00 08 00 00 00  |?š?......\S.....|
> > 00000380  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  |................|
> > *
> > 000005b0  48 a4 a8 00 08 00 00 00  00 5c 53 00 08 00 00 00  |H??......\S.....|
> > 000005c0  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  |................|
> > *
> > ^C
> > # ls -l /dev/md0
> > crw-r-----  1 root  operator  0xc8 Nov  6 19:42 /dev/md0
> > #
> >
> > Although not world-readable, it just doesn't feel right to me.
> >
> > Any thoughts?
> It is definitely not a security issue. The md device is not user-accessible,
> as you noted. A filesystem run over the device needs to ensure that user
> processes never get on-disk garbage without first initializing the blocks.

What about this scenario:

- Root uses nanobsd.sh to make an image
- The .conf file has NANO_MD_BACKING="swap" (I believe phk@ was against
  this feature but it is in nanobsd.sh now)
- Root places the image on a public FTP site and this way exposes swap data.

-- 
Paul Schenkeveld
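A defender-side check for the scenario above, added here as an example and not code from the thread, from nanobsd.sh or from FreeBSD: before a filesystem is created on a swap-backed md(4) that will later become a published image, overwrite the backing store with zeros and verify that nothing non-zero remains, so stale swap pages cannot survive into unallocated blocks of the image. The helper names (`nonzero_bytes`, `wipe_with_zeros`, `assert_clean`) are this example's own; they take any file or device path, so the same logic can be exercised on a regular file where mdconfig(8) is not available.

```shell
#!/bin/sh
# Added example, not code from the thread or from nanobsd.sh.
# A swap-backed md(4) (mdconfig -a -t swap -s 1m) may hand out stale
# swap pages, and whatever is in those pages ends up in an image built
# on top of it. These helpers zero the backing store before newfs(8)
# and confirm the result. They accept any file or device path.

# Print the number of non-NUL bytes in the given file or device.
# A freshly zero-filled backing store reports 0; stale pages, as in the
# hd(1) dump quoted in the thread, report more.
nonzero_bytes() {
    tr -d '\000' < "$1" | wc -c | tr -d ' '
}

# Overwrite DEV with zeros in 512-byte sectors so that nothing the swap
# pager handed out survives into the image. SIZE (bytes) defaults to the
# length of DEV as read by wc(1); on FreeBSD "diskinfo /dev/md0" is the
# cheaper way to obtain it. Assumption: SIZE is a multiple of 512,
# which holds for md(4) sector sizes.
wipe_with_zeros() {
    dev="$1"
    size="${2:-$(wc -c < "$dev" | tr -d ' ')}"
    if [ $((size % 512)) -ne 0 ]; then
        echo "wipe_with_zeros: size $size is not sector aligned" >&2
        return 1
    fi
    dd if=/dev/zero of="$dev" bs=512 count=$((size / 512)) conv=notrunc 2>/dev/null
}

# Succeed (exit 0) only if DEV contains nothing but NUL bytes. Meant to
# run right after the wipe and before newfs, while the md is still empty.
assert_clean() {
    [ "$(nonzero_bytes "$1")" -eq 0 ]
}

# Intended use on FreeBSD (not executed here; an image build would put
# this between attaching the md and running newfs on it):
#   md=$(mdconfig -a -t swap -s 1m)
#   wipe_with_zeros "/dev/$md" && assert_clean "/dev/$md" && newfs "/dev/$md"
```

Zeroing once before newfs is the cheap option; it only covers blocks the filesystem never writes afterwards, which is exactly the part of a published image that would otherwise carry stale swap contents. Blocks the build writes and later frees are a separate matter and are not addressed by this check.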