[patch] libc Berkeley DB information leak

Brooks Davis brooks at freebsd.org
Thu Jan 15 08:44:52 PST 2009 

On Thu, Jan 15, 2009 at 05:21:42PM +0100, Arnar Mar Sig wrote:
> Would it not be better to remove the PURITY define all together and always 
> have the memset()'s there or changing the malloc()s to calloc() if there is 
> no special reason for the 0xFF in memset.
> 
> Can anyone say they would rather have the possibility of sensitive 
> information leek from every app using dbopen versus the small speed down 
> from always having the memset?

Given that people who care about performance are almost certaintly using one of
the newer BDB release from ports, this seems logical to me.

-- Brooks

> Greets
> 	Arnar Mar Sig
> 	Valka ehf
> 
> On Jan 15, 2009, at 3:45 PM, Jaakko Heinonen wrote:
> 
>> 
>> Hi,
>> 
>> FreeBSD libc Berkeley DB can leak sensitive information to database
>> files. The problem is that it writes uninitialized memory obtained from
>> malloc(3) to database files.
>> 
>> You can use this simple test program to reproduce the behavior:
>> 
>> http://www.saunalahti.fi/~jh3/dbtest.c
>> 
>> Run the program and see the resulting test.db file which will contain a
>> sequence of 0xa5 bytes directly from malloc(3). (See malloc(3) manual
>> page for the explanation for the "J" flag if you need more information.)
>> 
>> This has been reported as PR 123529
>> (http://www.freebsd.org/cgi/query-pr.cgi?pr=123529) which contains a
>> real information leak case. The PR is assigned to secteam and I have
>> also personally reported it to secteam but I haven't heard a word from
>> secteam members.
>> 
>> A code to initialize malloc'd memory exists but the feature must be
>> enabled with PURIFY macro. With following patch applied
>> the test program doesn't output 0xa5 bytes to the database file:
>> 
>> %%%
>> Index: lib/libc/db/hash/hash_buf.c
>> ===================================================================
>> --- lib/libc/db/hash/hash_buf.c	(revision 187214)
>> +++ lib/libc/db/hash/hash_buf.c	(working copy)
>> @@ -57,6 +57,7 @@ __FBSDID("$FreeBSD$");
>> #include <stddef.h>
>> #include <stdio.h>
>> #include <stdlib.h>
>> +#include <string.h>
>> 
>> #ifdef DEBUG
>> #include <assert.h>
>> Index: lib/libc/db/Makefile.inc
>> ===================================================================
>> --- lib/libc/db/Makefile.inc	(revision 187214)
>> +++ lib/libc/db/Makefile.inc	(working copy)
>> @@ -3,6 +3,8 @@
>> #
>> CFLAGS+=-D__DBINTERFACE_PRIVATE
>> 
>> +CFLAGS+=-DPURIFY
>> +
>> .include "${.CURDIR}/db/btree/Makefile.inc"
>> .include "${.CURDIR}/db/db/Makefile.inc"
>> .include "${.CURDIR}/db/hash/Makefile.inc"
>> %%%
>> 
>> Could someone consider committing this or some other fix for the
>> problem?
>> 
>> -- 
>> Jaakko
>> _______________________________________________
>> freebsd-security at freebsd.org mailing list
>> http://lists.freebsd.org/mailman/listinfo/freebsd-security
>> To unsubscribe, send any mail to 
>> "freebsd-security-unsubscribe at freebsd.org"
> _______________________________________________
> freebsd-security at freebsd.org mailing list
> http://lists.freebsd.org/mailman/listinfo/freebsd-security
> To unsubscribe, send any mail to "freebsd-security-unsubscribe at freebsd.org"
> 
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 187 bytes
Desc: not available
Url : http://lists.freebsd.org/pipermail/freebsd-security/attachments/20090115/f1dc82eb/attachment.pgp

More information about the freebsd-security mailing list