Date: Wed, 30 Mar 2005 10:59:47 -0500 From: Roland Dowdeswell <elric@imrryr.org> To: "ALeine" <aleine@austrosearch.net> Cc: tech-security@netbsd.org Subject: Re: A bunch of memory allocation bugs in CGD Message-ID: <20050330155947.1AE6837010@arioch.imrryr.org> In-Reply-To: Your message of "Wed, 30 Mar 2005 05:55:17 PST." <200503301355.j2UDtHrV005944@marlena.vvi.at>
next in thread | previous in thread | raw e-mail | index | archive | help
On 1112190917 seconds since the Beginning of the UNIX epoch "ALeine" wrote: > >I took a quick look at the latest NetBSD CGD code and found >out that out of 19 memory allocation operations 11 (almost 60%) >are done in a way that could lead to a segmentation violation >which would leave behind a core dump full of sensitive >information that could be used to compromise a CGD encrypted >disk. While this attack is not very practical since it requires >the attacker to be able to cause resource starvation at a >specific time when cgdconfig is used, it is still possible. >Here are the details... Thanks for having a look at that. I have checked in a fix. I presume that you have addressed the cases in GBDE where malloc's return code has not been checked? If so, perhaps cvsweb is a little behind. It looks to me like 2 or 4 mallocs can use a buffer without checking the return code. I am not convinced that you'd be able to exploit these in either CGD or GBDE because {Net,Free}BSD use an overcommit strategy for memory allocation, so it is unlikely that the process will be denied memory. It will just get killed without a core dump when it tries to instantiate memory that does not exist. All that said, I've fixed the problem and will be submitting a pullup request for the next NetBSD release. -- Roland Dowdeswell http://www.Imrryr.ORG/~elric/
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?20050330155947.1AE6837010>