Date:      Tue, 6 Nov 2012 20:59:36 +0100
From:      Paul Schenkeveld <freebsd@psconsult.nl>
To:        freebsd-security@freebsd.org
Subject:   Re: md(4) (swap-base) disks not cleaned on creation
Message-ID:  <20121106195936.GA54581@psconsult.nl>
In-Reply-To: <20121106192704.GM73505@kib.kiev.ua>
References:  <20121106184658.GA24262@psconsult.nl> <20121106192704.GM73505@kib.kiev.ua>

On Tue, Nov 06, 2012 at 09:27:04PM +0200, Konstantin Belousov wrote:
> On Tue, Nov 06, 2012 at 07:46:58PM +0100, Paul Schenkeveld wrote:
> > Hi,
> > 
> > When creating a swap based md(4) it may contain data which to me feels
> > like a security leak:
> > 
> >   # mdconfig -a -t swap -s 1m
> >   md0
> >   # hd /dev/md0
> >   00000000  c0 9b a8 00 08 00 00 00  00 5c 53 00 08 00 00 00  |?.?......\S.....|
> >   00000010  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  |................|
> >   *
> >   00000250  38 9f a8 00 08 00 00 00  00 5c 53 00 08 00 00 00  |8.?......\S.....|
> >   00000260  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  |................|
> >   *
> >   00000330  88 a0 a8 00 08 00 00 00  00 5c 53 00 08 00 00 00  |.š?......\S.....|
> >   00000340  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  |................|
> >   *
> >   00000370  e8 a0 a8 00 08 00 00 00  00 5c 53 00 08 00 00 00  |?š?......\S.....|
> >   00000380  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  |................|
> >   *
> >   000005b0  48 a4 a8 00 08 00 00 00  00 5c 53 00 08 00 00 00  |H??......\S.....|
> >   000005c0  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  |................|
> >   *
> >   ^C
> >   # ls -l /dev/md0
> >   crw-r-----  1 root  operator  0xc8 Nov  6 19:42 /dev/md0
> >   #
> > 
> > Although not world-readable, it just doesn't feel right to me.
> > 
> > Any thoughts?
> 
> It is definitely not a security issue. The md device is not user-accessible,
> as you noted. A filesystem run over the device needs to ensure that user
> processes never get on-disk garbage without first initializing the blocks.

What about this scenario:

 - Root uses nanobsd.sh to make an image
 - The .conf file has NANO_MD_BACKING="swap" (I believe phk@ was against
   this feature but it is in nanobsd.sh now)
 - Root places the image on a public FTP site and this way exposes swap
   data.

--
Paul Schenkeveld
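The thread's point is that a swap-backed md(4) starts life holding whatever the backing pages held before, and that anything which copies the device wholesale (rather than through a filesystem that initializes blocks) carries that residue along. The following is an added example, not code from the thread or from nanobsd.sh: a POSIX sh check that a device or file is fully zeroed over a given span, and a zero-fill step to run on a freshly created md before any image is built from it. The `is_zeroed` and `zero_fill` function names are this example's own; the test at the bottom uses a constructed temporary file in place of `/dev/md0` so it runs without mdconfig.

```shell
#!/bin/sh
# Added example (not from the mailing-list thread): confirm a block device
# or file contains only zero bytes before its raw contents go anywhere
# public, and zero it when it does not.
#
# Intended FreeBSD use (not exercised here, needs root and mdconfig):
#   dev=$(mdconfig -a -t swap -s 1m)
#   is_zeroed "/dev/$dev" || zero_fill "/dev/$dev"
#   newfs "/dev/$dev" ...   # only now build the image on it

# is_zeroed PATH [BYTES]
#   Succeeds (exit 0) only if the first BYTES bytes of PATH (default 1 MiB)
#   are all 0x00. Any other byte is residue from whatever previously used
#   the backing store, which is exactly what the thread is worried about.
is_zeroed() {
    path=$1
    bytes=${2:-1048576}
    # dd reads the span, tr strips NUL bytes, wc counts what survives.
    nonzero=$(dd if="$path" bs="$bytes" count=1 2>/dev/null | tr -d '\000' | wc -c)
    # $((...)) normalizes the leading blanks BSD wc prints.
    [ "$((nonzero))" -eq 0 ]
}

# zero_fill PATH [BYTES]
#   Overwrites the first BYTES bytes of PATH (default 1 MiB) with zeros.
#   conv=notrunc keeps a regular file at its original size; on a device
#   node it has no effect. For a whole device, omit count and let dd run
#   until it hits the end.
zero_fill() {
    dd if=/dev/zero of="$1" bs="${2:-1048576}" count=1 conv=notrunc 2>/dev/null
}

# demo_on_tempfile
#   Stand-alone demonstration on a constructed 4 KiB file seeded with a few
#   non-zero bytes: reports 1 if the dirty file wrongly passes, 2 if the
#   zero-filled file wrongly fails, 0 when both checks behave as expected.
demo_on_tempfile() {
    tmp=$(mktemp) || return 3
    # Constructed "residue": a handful of non-zero bytes followed by zeros.
    printf '\300\233\250\000\010' > "$tmp"
    dd if=/dev/zero bs=4091 count=1 2>/dev/null >> "$tmp"
    if is_zeroed "$tmp" 4096; then rm -f "$tmp"; return 1; fi
    zero_fill "$tmp" 4096
    if ! is_zeroed "$tmp" 4096; then rm -f "$tmp"; return 2; fi
    rm -f "$tmp"
    return 0
}
```

Running `is_zeroed` against the `md0` from the original report would fail on the first 16 bytes shown in the hexdump; after `zero_fill` it passes, and the cost is one sequential write of the device's size, which is cheap compared to shipping stale swap pages inside an image.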



Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?20121106195936.GA54581>