Date: Wed, 30 Mar 2005 10:59:47 -0500 From: Roland Dowdeswell <elric@imrryr.org> To: "ALeine" <aleine@austrosearch.net> Cc: tech-security@netbsd.org Subject: Re: A bunch of memory allocation bugs in CGD Message-ID: <20050330155947.1AE6837010@arioch.imrryr.org> In-Reply-To: Your message of "Wed, 30 Mar 2005 05:55:17 PST." <200503301355.j2UDtHrV005944@marlena.vvi.at>
next in thread | previous in thread | raw e-mail | index | archive | help
On 1112190917 seconds since the Beginning of the UNIX epoch
"ALeine" wrote:
>
>I took a quick look at the latest NetBSD CGD code and found
>out that out of 19 memory allocation operations 11 (almost 60%)
>are done in a way that could lead to a segmentation violation
>which would leave behind a core dump full of sensitive
>information that could be used to compromise a CGD encrypted
>disk. While this attack is not very practical since it requires
>the attacker to be able to cause resource starvation at a
>specific time when cgdconfig is used, it is still possible.
>Here are the details...
Thanks for having a look at that. I have checked in a fix.
I presume that you have addressed the cases in GBDE where malloc's
return code has not been checked? If so, perhaps cvsweb is a little
behind. It looks to me like 2 or 4 mallocs can use a buffer without
checking the return code.
I am not convinced that you'd be able to exploit these in either
CGD or GBDE because {Net,Free}BSD use an overcommit strategy for
memory allocation, so it is unlikely that the process will be denied
memory. It will just get killed without a core dump when it tries
to instantiate memory that does not exist.
All that said, I've fixed the problem and will be submitting a
pullup request for the next NetBSD release.
--
Roland Dowdeswell http://www.Imrryr.ORG/~elric/
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?20050330155947.1AE6837010>