Fwd: [patch] libc Berkeley DB information leak

Oliver Pinter oliver.pntr at gmail.com
Thu Feb 12 04:14:19 PST 2009 

---------- Forwarded message ----------
From: Oliver Pinter <oliver.pntr at gmail.com>
Date: Fri, 23 Jan 2009 21:46:33 +0100
Subject: Re: [patch] libc Berkeley DB information leak
To: Jaakko Heinonen <jh at saunalahti.fi>
Cc: freebsd-security at freebsd.org

On 1/15/09, Jaakko Heinonen <jh at saunalahti.fi> wrote:
>
> Hi,
>
> FreeBSD libc Berkeley DB can leak sensitive information to database
> files. The problem is that it writes uninitialized memory obtained from
> malloc(3) to database files.
>
> You can use this simple test program to reproduce the behavior:
>
> http://www.saunalahti.fi/~jh3/dbtest.c
>
> Run the program and see the resulting test.db file which will contain a
> sequence of 0xa5 bytes directly from malloc(3). (See malloc(3) manual
> page for the explanation for the "J" flag if you need more information.)
>
> This has been reported as PR 123529
> (http://www.freebsd.org/cgi/query-pr.cgi?pr=123529) which contains a
> real information leak case. The PR is assigned to secteam and I have
> also personally reported it to secteam but I haven't heard a word from
> secteam members.
>
> A code to initialize malloc'd memory exists but the feature must be
> enabled with PURIFY macro. With following patch applied
> the test program doesn't output 0xa5 bytes to the database file:
>
> %%%
> Index: lib/libc/db/hash/hash_buf.c
> ===================================================================
> --- lib/libc/db/hash/hash_buf.c	(revision 187214)
> +++ lib/libc/db/hash/hash_buf.c	(working copy)
> @@ -57,6 +57,7 @@ __FBSDID("$FreeBSD$");
>  #include <stddef.h>
>  #include <stdio.h>
>  #include <stdlib.h>
> +#include <string.h>
>
>  #ifdef DEBUG
>  #include <assert.h>
> Index: lib/libc/db/Makefile.inc
> ===================================================================
> --- lib/libc/db/Makefile.inc	(revision 187214)
> +++ lib/libc/db/Makefile.inc	(working copy)
> @@ -3,6 +3,8 @@
>  #
>  CFLAGS+=-D__DBINTERFACE_PRIVATE
>
> +CFLAGS+=-DPURIFY
> +
>  .include "${.CURDIR}/db/btree/Makefile.inc"
>  .include "${.CURDIR}/db/db/Makefile.inc"
>  .include "${.CURDIR}/db/hash/Makefile.inc"
> %%%
>
> Could someone consider committing this or some other fix for the
> problem?
>
> --
> Jaakko
> _______________________________________________
> freebsd-security at freebsd.org mailing list
> http://lists.freebsd.org/mailman/listinfo/freebsd-security
> To unsubscribe, send any mail to "freebsd-security-unsubscribe at freebsd.org"
>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: 0001-fix-mem-info-leak.patch
Type: text/x-diff
Size: 960 bytes
Desc: not available
Url : http://lists.freebsd.org/pipermail/freebsd-current/attachments/20090212/bcf2527c/0001-fix-mem-info-leak.bin

More information about the freebsd-current mailing list