On Thu, Jan 15, 2009 at 05:21:42PM +0100, Arnar Mar Sig wrote:
> Would it not be better to remove the PURIFY define altogether and always
> have the memset()'s there or changing the malloc()s to calloc() if there is
> no special reason for the 0xFF in memset.
>
> Can anyone say they would rather have the possibility of sensitive
> information leak from every app using dbopen versus the small speed down
> from always having the memset?
Given that people who care about performance are almost certainly using one of
the newer BDB releases from ports, this seems logical to me.

-- Brooks

> Greets
> Arnar Mar Sig
> Valka ehf
>
> On Jan 15, 2009, at 3:45 PM, Jaakko Heinonen wrote:
>
>> Hi,
>>
>> FreeBSD libc Berkeley DB can leak sensitive information to database
>> files. The problem is that it writes uninitialized memory obtained from
>> malloc(3) to database files.
>>
>> You can use this simple test program to reproduce the behavior:
>>
>> http://www.saunalahti.fi/~jh3/dbtest.c
>>
>> Run the program and see the resulting test.db file which will contain a
>> sequence of 0xa5 bytes directly from malloc(3). (See the malloc(3) manual
>> page for the explanation of the "J" flag if you need more information.)
>>
>> This has been reported as PR 123529
>> (http://www.freebsd.org/cgi/query-pr.cgi?pr=123529) which contains a
>> real information leak case. The PR is assigned to secteam and I have
>> also personally reported it to secteam but I haven't heard a word from
>> secteam members.
>>
>> Code to initialize malloc'd memory exists but the feature must be
>> enabled with the PURIFY macro. With the following patch applied
>> the test program doesn't output 0xa5 bytes to the database file:
>>
>> %%%
>> Index: lib/libc/db/hash/hash_buf.c
>> ===================================================================
>> --- lib/libc/db/hash/hash_buf.c (revision 187214)
>> +++ lib/libc/db/hash/hash_buf.c (working copy)
>> @@ -57,6 +57,7 @@ __FBSDID("$FreeBSD$");
>> #include <stddef.h>
>> #include <stdio.h>
>> #include <stdlib.h>
>> +#include <string.h>
>>
>> #ifdef DEBUG
>> #include <assert.h>
>> Index: lib/libc/db/Makefile.inc
>> ===================================================================
>> --- lib/libc/db/Makefile.inc (revision 187214)
>> +++ lib/libc/db/Makefile.inc (working copy)
>> @@ -3,6 +3,8 @@
>> #
>> CFLAGS+=-D__DBINTERFACE_PRIVATE
>>
>> +CFLAGS+=-DPURIFY
>> +
>> .include "${.CURDIR}/db/btree/Makefile.inc"
>> .include "${.CURDIR}/db/db/Makefile.inc"
>> .include "${.CURDIR}/db/hash/Makefile.inc"
>> %%%
>>
>> Could someone consider committing this or some other fix for the
>> problem?
>>
>> --
>> Jaakko
>> _______________________________________________
>> freebsd-security@freebsd.org mailing list
>> http://lists.freebsd.org/mailman/listinfo/freebsd-security
>> To unsubscribe, send any mail to
>> "freebsd-security-unsubscr...@freebsd.org"
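Review bot: in the hash_buf.c hunk, the new `#include <string.h>` only serves the memset(3) calls that sit behind `#ifdef PURIFY`, but the hunk adds it unconditionally and nothing in it says why it is there; on its own the include looks unrelated to the leak. Suggest a short commit note that the header was missing for the PURIFY build (so the memset(3) calls compile cleanly once the Makefile turns the macro on), so the two hunks are not separated or one of them reverted later.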
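Review bot: in the Makefile.inc hunk, `CFLAGS+=-DPURIFY` ties the fix to a build-wide debugging macro instead of to the code: the zeroing silently disappears again if CFLAGS for this directory is ever trimmed or overridden, and the Makefile gives no hint that the define is now security-relevant. Prefer removing the `#ifdef PURIFY` guards in the db sources (or, as suggested upthread, replacing the malloc(3) calls with calloc(3)) so the initialization is unconditional; failing that, add a comment next to `+CFLAGS+=-DPURIFY` stating that it closes the uninitialized-memory leak into database files.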
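To make the failure mode concrete, here is an added C example written for this page (it is not Jaakko's dbtest.c and not libc's hash_buf.c): a constructed stand-in allocator hands a page buffer back with a previous owner's contents still in it, the unpatched path writes that page out as-is, and the PURIFY path clears it first. The names arena_malloc, build_page, secret_leaks and the "hunter2" secret are assumptions made for the demonstration.

```c
#include <stddef.h>
#include <string.h>

#define PAGESIZE 64   /* tiny page, enough for the demonstration */
/* Constructed stand-in for malloc(3): one block handed out again without
 * being cleared, like a freed chunk that still holds its previous owner's data. */
static unsigned char arena[PAGESIZE];
static void *arena_malloc(size_t n) { return n <= PAGESIZE ? arena : NULL; }

/* Earlier code kept a credential in the block and released it (constructed:
 * the secret sits in the upper half, where the record below won't overwrite it). */
static void simulate_previous_owner(const char *secret) {
    unsigned char *p = arena_malloc(PAGESIZE);
    memset(p, 0, PAGESIZE);
    strncpy((char *)p + PAGESIZE / 2, secret, PAGESIZE / 2 - 1);
}

/* Build one hash page as hash_buf.c's buffer code does: allocate, fill header and
 * record, hand the whole page to the writer. Bytes after the record go to the .db
 * file untouched. purify != 0 mirrors the #ifdef PURIFY path: clear the page
 * first (calloc(3) in place of malloc(3) would achieve the same). */
static unsigned char *build_page(const char *record, int purify) {
    unsigned char *page = arena_malloc(PAGESIZE);
    size_t len = strlen(record);
    if (page == NULL)
        return NULL;
    if (purify)
        memset(page, 0, PAGESIZE);   /* the fix: no stale heap bytes survive */
    if (len > PAGESIZE - 4)
        len = PAGESIZE - 4;
    page[0] = 1; page[1] = page[2] = page[3] = 0;   /* header: one record */
    memcpy(page + 4, record, len);
    return page;
}

/* What an auditor does to the on-disk file: scan the page for the secret. */
static int page_contains(const unsigned char *page, const char *needle) {
    size_t n = strlen(needle);
    for (size_t i = 0; i + n <= PAGESIZE; i++)
        if (memcmp(page + i, needle, n) == 0)
            return 1;
    return 0;
}

/* 1 if the previous owner's secret reaches the page (the leak), 0 if not. */
int secret_leaks(int purify) {
    simulate_previous_owner("hunter2");   /* constructed secret */
    unsigned char *page = build_page("key=value", purify);
    return page != NULL && page_contains(page, "hunter2");
}
```

With the real allocator the stale bytes are whatever the last user of that chunk left behind, or the 0xa5 junk fill when malloc(3)'s "J" flag is on; either way they reach the database file unless the page is cleared.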