Re: A bunch of memory allocation bugs in CGD

From: Roland Dowdeswell (elric_at_imrryr.org)
Date: 03/30/05

    To: "ALeine" <aleine@austrosearch.net>
    Date: Wed, 30 Mar 2005 10:59:47 -0500


    On 1112190917 seconds since the Beginning of the UNIX epoch
    "ALeine" wrote:
    >

    >I took a quick look at the latest NetBSD CGD code and found
    >out that out of 19 memory allocation operations 11 (almost 60%)
    >are done in a way that could lead to a segmentation violation
    >which would leave behind a core dump full of sensitive
    >information that could be used to compromise a CGD encrypted
    >disk. While this attack is not very practical since it requires
    >the attacker to be able to cause resource starvation at a
    >specific time when cgdconfig is used, it is still possible.
    >Here are the details...

    Thanks for having a look at that. I have checked in a fix.

    I presume that you have addressed the cases in GBDE where malloc's
    return code has not been checked? If so, perhaps cvsweb is a little
    behind. It looks to me like 2 or 4 mallocs can use a buffer without
    checking the return code.

    I am not convinced that you'd be able to exploit these in either
    CGD or GBDE because {Net,Free}BSD use an overcommit strategy for
    memory allocation, so it is unlikely that the process will be denied
    memory. It will just get killed without a core dump when it tries
    to instantiate memory that does not exist.

    All that said, I've fixed the problem and will be submitting a
    pullup request for the next NetBSD release.

    --
        Roland Dowdeswell                      http://www.Imrryr.ORG/~elric/
    _______________________________________________
    freebsd-hackers@freebsd.org mailing list
    http://lists.freebsd.org/mailman/listinfo/freebsd-hackers
    To unsubscribe, send any mail to "freebsd-hackers-unsubscribe@freebsd.org"
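As an added illustration of the defensive pattern this exchange turns on (this is example code, not CGD's or GBDE's own): before touching key material a configuration tool can refuse to write a core file at all, check every malloc() so a NULL return is never dereferenced, and wipe the key before freeing it. The 32-byte key is constructed, and the helper names are hypothetical.

```c
/* Added example, not CGD/GBDE code: key handling that cannot end in a core dump. */
#include <stdlib.h>
#include <string.h>
#include <sys/resource.h>

/* Refuse to write a core file at all, so a crash after an unchecked
 * malloc() cannot leave the key on disk.  Returns 1 once the limit reads 0. */
int disable_core_dumps(void)
{
    struct rlimit rl = { 0, 0 };   /* lowering a limit needs no privilege */
    if (setrlimit(RLIMIT_CORE, &rl) != 0 || getrlimit(RLIMIT_CORE, &rl) != 0)
        return 0;
    return rl.rlim_cur == 0;
}

/* Checked allocation: the thread's bug is malloc() with no NULL test. */
void *xmalloc(size_t n)
{
    void *p = malloc(n);
    if (p == NULL)
        exit(EXIT_FAILURE);        /* a real tool would report first */
    return p;
}

/* Zero through a volatile pointer so the store survives optimisation. */
void wipe(void *buf, size_t n)
{
    volatile unsigned char *p = buf;
    while (n-- > 0)
        *p++ = 0;
}

/* Lifecycle of a constructed 32-byte key: no core dumps, checked
 * allocation, wipe before free.  Returns 1 if every step checked out. */
int key_lifecycle_ok(void)
{
    unsigned char key[32];
    memset(key, 0xA5, sizeof key);             /* stand-in for a real key */
    if (!disable_core_dumps())
        return 0;
    unsigned char *copy = xmalloc(sizeof key); /* never NULL past here */
    memcpy(copy, key, sizeof key);
    wipe(copy, sizeof key);                    /* done with both copies */
    wipe(key, sizeof key);
    int gone = 1;
    for (size_t i = 0; i < sizeof key; i++)
        gone &= copy[i] == 0 && key[i] == 0;
    free(copy);
    return gone;
}
```

Note that, as the reply above points out, under an overcommit policy the failure may arrive as a kill rather than a NULL return; the core limit still covers the crash path, and the allocation check covers the non-overcommit case.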
    
