A bunch of memory allocation bugs in CGD
Roland Dowdeswell
elric at imrryr.org
Wed Mar 30 08:00:24 PST 2005
On 1112190917 seconds since the Beginning of the UNIX epoch
"ALeine" wrote:
>
>I took a quick look at the latest NetBSD CGD code and found
>out that out of 19 memory allocation operations 11 (almost 60%)
>are done in a way that could lead to a segmentation violation
>which would leave behind a core dump full of sensitive
>information that could be used to compromise a CGD encrypted
>disk. While this attack is not very practical since it requires
>the attacker to be able to cause resource starvation at a
>specific time when cgdconfig is used, it is still possible.
>Here are the details...
Thanks for having a look at that. I have checked in a fix.
I presume that you have addressed the cases in GBDE where malloc's
return code has not been checked? If so, perhaps cvsweb is a little
behind. It looks to me like 2 or 4 mallocs can use a buffer without
checking the return code.
I am not convinced that you'd be able to exploit these in either
CGD or GBDE because {Net,Free}BSD use an overcommit strategy for
memory allocation, so it is unlikely that the process will be denied
memory. It will just get killed without a core dump when it tries
to instantiate memory that does not exist.
All that said, I've fixed the problem and will be submitting a
pullup request for the next NetBSD release.
--
Roland Dowdeswell http://www.Imrryr.ORG/~elric/
More information about the freebsd-hackers
mailing list