From owner-freebsd-security@FreeBSD.ORG Sun Apr 20 21:00:43 2014 Return-Path: Delivered-To: freebsd-security@freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [8.8.178.115]) (using TLSv1 with cipher ADH-AES256-SHA (256/256 bits)) (No client certificate requested) by hub.freebsd.org (Postfix) with ESMTPS id 4CA4AECC for ; Sun, 20 Apr 2014 21:00:43 +0000 (UTC) Received: from mail-wg0-x232.google.com (mail-wg0-x232.google.com [IPv6:2a00:1450:400c:c00::232]) (using TLSv1 with cipher ECDHE-RSA-RC4-SHA (128/128 bits)) (Client CN "smtp.gmail.com", Issuer "Google Internet Authority G2" (verified OK)) by mx1.freebsd.org (Postfix) with ESMTPS id D5EB4144C for ; Sun, 20 Apr 2014 21:00:42 +0000 (UTC) Received: by mail-wg0-f50.google.com with SMTP id x13so2082741wgg.33 for ; Sun, 20 Apr 2014 14:00:41 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=googlemail.com; s=20120113; h=date:from:to:subject:message-id:in-reply-to:references:mime-version :content-type:content-transfer-encoding; bh=HLvjEGKzzT8MfeQdUI3nwM2SQd0ROqus1cvjIgxoDxI=; b=ncKdOvjANXYZqM3Iaj0X11BIKYv22biHyd1fV1AOvj3pZokucvC3mxDyd5I4bkdSsa 32lB42zHmdNnaboLmezhxn1eippKbtyWP8ve4aSnprI2R5CDAaIzAHw8eWhYa+cpcuS0 gzmEbY1MWUjrTcRZ0HuecXwNu5xsiWbNENJoxYyhl06n5tLPDYe4i7rAFCWd18eipYjE 0RFuGXejWnPlnddDk5oFTm4ejuzcdBbuO/wKtuC20YbQsnzhCnobjl3SEtU+rhGeKwr2 sr/guVgrDRzpoSrnOU2jurKUOpU8L2CtxaA4iffDoOhu1HbluYTpVIlMAEAUjl7Al3dv VOxg== X-Received: by 10.180.211.239 with SMTP id nf15mr11100859wic.9.1398027640937; Sun, 20 Apr 2014 14:00:40 -0700 (PDT) Received: from gumby.homeunix.com (5ec2dc28.skybroadband.com. [94.194.220.40]) by mx.google.com with ESMTPSA id go20sm26279196wjc.18.2014.04.20.14.00.40 for (version=SSLv3 cipher=RC4-SHA bits=128/128); Sun, 20 Apr 2014 14:00:40 -0700 (PDT) Date: Sun, 20 Apr 2014 22:00:37 +0100 From: RW To: freebsd-security@freebsd.org Subject: Re: De Raadt + FBSD + OpenSSH + hole? Message-ID: <20140420220037.076be9d0@gumby.homeunix.com> In-Reply-To: References: <534B11F0.9040400@paladin.bulgarpress.com> <201404141207.s3EC7IvT085450@chronos.org.uk> <201404141232.s3ECWFQ1081178@catnip.dyslexicfish.net> <53522186.9030207@FreeBSD.org> <201404200548.s3K5mV7N055244@catnip.dyslexicfish.net> <53540307.1070708@quietfountain.com> <201404201831.s3KIVCSY054778@catnip.dyslexicfish.net> X-Mailer: Claws Mail 3.9.3 (GTK+ 2.24.22; amd64-portbld-freebsd10.0) MIME-Version: 1.0 Content-Type: text/plain; charset=US-ASCII Content-Transfer-Encoding: 7bit X-BeenThere: freebsd-security@freebsd.org X-Mailman-Version: 2.1.17 Precedence: list List-Id: "Security issues \[members-only posting\]" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Sun, 20 Apr 2014 21:00:43 -0000 On Sun, 20 Apr 2014 15:00:28 -0400 Nathan Dorfman wrote: > On Sun, Apr 20, 2014 at 2:31 PM, Jamie Landeg-Jones > wrote: > > Once memory has been freed, I thought any attempt by a user process > > to access it would cause a SIGSEV. > > > > I thought the issue was with programs that inadvertantly expose > > (either to read or write) other parts of their active memory. > > > > Of course, if a process rolls it's own in-process implementation > > of malloc/free, then this point is moot, but once you free memory > > back to the system, isn't in no longer accessable anyway? > > free() doesn't usually "free memory back to the system." It just puts > it back onto a "free list" managed by libc, entirely within the > process's address space. It can return the physical memory, but there are a couple of caveats. Firstly, it can only return whole pages. Secondly, it's not returned instantaneously to avoid the overhead of page-faults and zeroing pages if that region is remalloced. It's left to the page-daemon to recover the physical memory in its own time, and it remains readable by it's previous process until it's reassigned.