Date: Thu, 10 Apr 2014 16:52:13 -0600
From: John Nielsen <lists@jnielsen.net>
To: Oliver Brandmueller <ob@e-Gitt.NET>
Cc: FreeBSD stable <freebsd-stable@freebsd.org>
Subject: Re: OpenSSL CVE-2014-0160 (openssl) in 10-STABLE workaround?
Message-ID: <FD87881F-D274-4F1D-9B10-F55F25B3EBD9@jnielsen.net>
In-Reply-To: <20140408180026.GC2676@e-Gitt.NET>
References: <20140408180026.GC2676@e-Gitt.NET>
Apparently OpenSSL intentionally subverts malloc, which is why the issue exists at all... See also (cribbed, I confess, from Slashdot):

http://article.gmane.org/gmane.os.openbsd.misc/211963
http://www.tedunangst.com/flak/post/heartbleed-vs-mallocconf
http://www.tedunangst.com/flak/post/analysis-of-openssl-freelist-reuse

On Apr 8, 2014, at 12:00 PM, Oliver Brandmueller <ob@e-Gitt.NET> wrote:

> Hi,
>
> till it's fixed in base (which I hope is very soon) (or you replace
> openssl in base with the fixed version from ports or patch manually):
>
> Would it probably help (with the performance impact in mind) to set
> malloc option junk:true to lower the risk of leaking information?
>
> manpage says:
>
> "opt.junk" (bool) r- [--enable-fill]
>     Junk filling enabled/disabled. If enabled, each byte of
>     uninitialized allocated memory will be initialized to 0xa5. All
>     deallocated memory will be initialized to 0x5a. This is intended
>     for debugging and will impact performance negatively. This option
>     is disabled by default unless --enable-debug is specified during
>     configuration, in which case it is enabled by default unless
>     running inside Valgrind[2].
>
> as opposed to:
>
> "opt.zero" (bool) r- [--enable-fill]
>     Zero filling enabled/disabled. If enabled, each byte of
>     uninitialized allocated memory will be initialized to 0. Note that
>     this initialization only happens once for each byte, so realloc and
>     rallocm calls do not zero memory that was previously allocated.
>     This is intended for debugging and will impact performance
>     negatively. This option is disabled by default.
>
> Anyone with better insights could comment on that?
>
> - Oliver
>
> --
> | Oliver Brandmueller http://sysadm.in/ ob@sysadm.in |
> | I am the Internet. So help me God. |
> _______________________________________________
> freebsd-stable@freebsd.org mailing list
> http://lists.freebsd.org/mailman/listinfo/freebsd-stable
> To unsubscribe, send any mail to "freebsd-stable-unsubscribe@freebsd.org"
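Added example, not part of either message and not code from OpenSSL, jemalloc or FreeBSD: a constructed model of the point the reply makes, that an allocator-level junk fill (the malloc option junk:true quoted above) never touches buffers a library recycles through its own free list, and what clearing a buffer on release changes. All names (`fl_get`, `fl_release`, `junk_free`) are hypothetical.

```c
#include <stdlib.h>
#include <string.h>

/* Constructed model: a library-level buffer free list (the kind the reply says
 * OpenSSL used instead of plain malloc/free) beside an allocator that junk-fills
 * on free, standing in for jemalloc's opt.junk. Hypothetical names throughout. */

#define BUF_SIZE 64
#define FREELIST_MAX 4

struct freelist {
    unsigned char *slots[FREELIST_MAX];
    int len;
    int scrub_on_release;   /* mitigation: wipe a buffer before caching it */
};

/* Models free() under malloc option junk:true: deallocated bytes become 0x5a. */
static void junk_free(unsigned char *p) {
    memset(p, 0x5a, BUF_SIZE);
    free(p);
}

static unsigned char *fl_get(struct freelist *fl) {
    if (fl->len > 0)
        return fl->slots[--fl->len];   /* recycled block, contents untouched */
    return malloc(BUF_SIZE);
}

static void fl_release(struct freelist *fl, unsigned char *buf) {
    if (fl->len < FREELIST_MAX) {
        if (fl->scrub_on_release)
            memset(buf, 0, BUF_SIZE);
        fl->slots[fl->len++] = buf;    /* never reaches free(): junk fill cannot run */
    } else {
        junk_free(buf);                /* only free-list overflow hits the allocator */
    }
}

/* Returns 1 if a block recycled through the free list still holds the previous
 * owner's bytes, i.e. the allocator-level junk fill did nothing for it. */
int recycled_buffer_keeps_old_bytes(int scrub_on_release) {
    static const char marker[] = "previous-owner-bytes";   /* constructed content */
    struct freelist fl = { {0}, 0, scrub_on_release };
    unsigned char *a = fl_get(&fl);
    if (!a) return -1;
    memcpy(a, marker, sizeof marker);
    fl_release(&fl, a);
    unsigned char *b = fl_get(&fl);    /* same block handed straight back */
    int stale = memcmp(b, marker, sizeof marker) == 0;
    junk_free(b);                      /* drain the model so nothing is leaked */
    return stale;
}
```

With scrubbing off the recycled block returns 1 (old bytes intact); with scrubbing on it returns 0, which is the behaviour a malloc-level setting alone cannot provide.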