[Bug 222077] geli(8) writing uninitialized memory out to disk
bugzilla-noreply at freebsd.org
Tue Sep 5 19:47:23 UTC 2017
https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=222077
--- Comment #2 from Conrad Meyer <cem at freebsd.org> ---
It seems like the math in g_eli_auth_run (g_eli_integrity.c) is kind of
dubious, even ignoring the data leak. Does it even work? I think it is making
some invalid assumptions about C division rounding. It looks like the logic
was copied from g_eli_crypto_run (g_eli_privacy.c).
I suspect this change wouldn't hurt, but I don't think it fixes the problem:
--- a/sys/geom/eli/g_eli_integrity.c
+++ b/sys/geom/eli/g_eli_integrity.c
@@ -445,7 +445,7 @@ g_eli_auth_run(struct g_eli_worker *wr, struct bio *bp)
size += sizeof(*crda) * nsec;
size += G_ELI_AUTH_SECKEYLEN * nsec;
size += sizeof(uintptr_t); /* Space for alignment. */
- data = malloc(size, M_ELI, M_WAITOK);
+ data = malloc(size, M_ELI, M_WAITOK | M_ZERO);
bp->bio_driver2 = data;
p = data + encr_secsize * nsec;
}
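Review bot: Adding M_ZERO to the malloc() call changes what any unwritten bytes contain, but nothing in this hunk shows that the first encr_secsize * nsec bytes of data are all filled before the buffer is written out. If nsec is too large, the write would carry zeros instead of stale heap contents, which stops the disclosure but leaves the sizing error in place. Consider pairing this with a fix for, or an assertion on, the nsec computation. A comment on the malloc() line saying why M_ZERO is needed would also help, since it clears the whole allocation (data area, crda descriptors, G_ELI_AUTH_SECKEYLEN keys and alignment slack) on every request that reaches this branch.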
I think "nsec" is calculated wrong (and differently!) in both
g_eli_auth_write_done and g_eli_auth_run.
Probably avoid using geli in integrity mode if you care about privacy, for now.