De Raadt + FBSD + OpenSSH + hole?

[Kimmo Paasiala]

On 21.4.2014, at 6.06, Jamie Landeg-Jones <jamie at dyslexicfish.net> wrote:

> "hcoin" <hcoin at quietfountain.com> wrote:
> 
>> local variables) harms performance.   It's also true doing both of these 
>> things would not fix the flaw that 'opened the window' onto these data.  
>> However it is true that doing so would make the exploit valueless as 
>> 'opening a window' onto erased data would reveal nothing and could erase 
>> trojan/virus 'hijack via code-injection then trampoline' opportunities.
> 
> In the heartbleed case, was the bug returning stale freed memory, though?
> Couldn't it just as easily have been that the over-read was returning any
> other memory that the process has had allocated for other variables - data
> that was still in use?

No, the problem was another type of programming error that is endemic in C programming. It’s called failure to validate input parameters before using the input parameters or derived values from the input parameters as array indices. 

https://en.wikipedia.org/wiki/Bounds_checking

The bug allowed an attacker to request any number of bytes from memory that followed the buffer that the client was usually allowed to access (depending on how the index was interpreted it might have been possible to request memory before the buffer as well). The part of memory that followed the buffer very probably contained some very sensitive information, possibly secret keys that were loaded in memory (memory that was constantly in use and not free()’d until the process terminates) in unprotected form (plain text essentially) for fast access during encryption and decryption.

-Kimmo

-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 496 bytes
Desc: Message signed with OpenPGP using GPGMail
URL: <http://lists.freebsd.org/pipermail/freebsd-security/attachments/20140421/dc7e964d/attachment.sig>