On Tue, Nov 06, 2012 at 07:46:58PM +0100, Paul Schenkeveld wrote:
> Hi,
> 
> When creating a swap based md(4) it may contain data which to me feels
> like a security leak:
> 
>   # mdconfig -a -t swap -s 1m
>   md0
>   # hd /dev/md0
>   00000000  c0 9b a8 00 08 00 00 00  00 5c 53 00 08 00 00 00  |?.?......\S.....|
>   00000010  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  |................|
>   *
>   00000250  38 9f a8 00 08 00 00 00  00 5c 53 00 08 00 00 00  |8.?......\S.....|
>   00000260  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  |................|
>   *
>   00000330  88 a0 a8 00 08 00 00 00  00 5c 53 00 08 00 00 00  |. ?......\S.....|
>   00000340  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  |................|
>   *
>   00000370  e8 a0 a8 00 08 00 00 00  00 5c 53 00 08 00 00 00  |? ?......\S.....|
>   00000380  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  |................|
>   *
>   000005b0  48 a4 a8 00 08 00 00 00  00 5c 53 00 08 00 00 00  |H??......\S.....|
>   000005c0  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  |................|
>   *
>   *
>   ^C
>   # ls -l /dev/md0
>   crw-r-----  1 root  operator  0xc8 Nov  6 19:42 /dev/md0
>   #
> 
> Although not world-readable, it just doesn't feel right to me.
> 
> Any thoughts?

It is definitely not a security issue. The md device is not user-accessible,
as you noted. A filesystem run over the device needs to ensure that user
processes never get on-disk garbage without first initializing the blocks.

That said, the following patch should fix the nit. I am unsure about it,
because it mostly fixes a non-issue by spending CPU time to zero a page which
would be either zeroed or overwritten right now anyway in normal usage.

diff --git a/sys/dev/md/md.c b/sys/dev/md/md.c
index a86c26a..80982cc 100644
--- a/sys/dev/md/md.c
+++ b/sys/dev/md/md.c
@@ -677,6 +677,9 @@ mdstart_swap(struct md_s *sc, struct bio *bp)
                                sched_unpin();
                                vm_page_wakeup(m);
                                break;
+                       } else if (rv == VM_PAGER_FAIL) {
+                               /* Pager does not have page */
+                               bzero((void *)sf_buf_kva(sf), PAGE_SIZE);
                        }
                        bcopy((void *)(sf_buf_kva(sf) + offs), p, len);
                        cpu_flush_dcache(p, len);
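Review bot: nothing in the new `else if (rv == VM_PAGER_FAIL)` branch marks the page valid after the `bzero()`, so a later read of the same unbacked page would appear to take the pager path again and be zeroed a second time; if that is the case, marking the page valid once it has been zeroed would address the CPU-cost concern raised in the message above. The comment `/* Pager does not have page */` would also be clearer if it stated why the page is zeroed, i.e. so that a read of a never-written swap-backed block returns zeros rather than whatever the freshly grabbed page happened to contain.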
