OpenSSL CVE-2014-0160 (openssl) in 10-STABLE workaround?
John Nielsen
lists at jnielsen.net
Thu Apr 10 22:58:11 UTC 2014
Apparently OpenSSL intentionally subverts malloc, which is why the issue exists at all... See also (cribbed, I confess, from Slashdot):
http://article.gmane.org/gmane.os.openbsd.misc/211963
http://www.tedunangst.com/flak/post/heartbleed-vs-mallocconf
http://www.tedunangst.com/flak/post/analysis-of-openssl-freelist-reuse
On Apr 8, 2014, at 12:00 PM, Oliver Brandmueller <ob at e-Gitt.NET> wrote:
> Hi,
>
> till it's fixed in base (which I hope is very soon) (or you replace
> openssl in base with the fixed version from ports or patch manually):
>
> Would it probably help (with the performance impact in mind) to set
> malloc option junk:true to lower the risk of leaking information?
>
> manpage says:
>
> "opt.junk" (bool) r- [--enable-fill]
> Junk filling enabled/disabled. If enabled, each byte of
> uninitialized allocated memory will be initialized to 0xa5. All
> deallocated memory will be initialized to 0x5a. This is intended
> for debugging and will impact performance negatively. This option
> is disabled by default unless --enable-debug is specified during
> configuration, in which case it is enabled by default unless
> running inside Valgrind[2].
>
> as opposed to:
>
> "opt.zero" (bool) r- [--enable-fill]
> Zero filling enabled/disabled. If enabled, each byte of
> uninitialized allocated memory will be initialized to 0. Note that
> this initialization only happens once for each byte, so realloc and
> rallocm calls do not zero memory that was previously allocated.
> This is intended for debugging and will impact performance
> negatively. This option is disabled by default.
>
>
> Anyone with better insights could comment on that?
>
> - Oliver
>
>
> --
> | Oliver Brandmueller http://sysadm.in/ ob at sysadm.in |
> | I am the Internet. As surely as I help God. |
> _______________________________________________
> freebsd-stable at freebsd.org mailing list
> http://lists.freebsd.org/mailman/listinfo/freebsd-stable
> To unsubscribe, send any mail to "freebsd-stable-unsubscribe at freebsd.org"
>
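The linked posts argue that an allocator-level junk fill such as jemalloc's opt.junk only scrubs memory that is actually handed back to the system allocator, so an application that recycles buffers through its own free list never benefits from it. The following toy model, added here to illustrate that argument, is not code from OpenSSL, jemalloc or FreeBSD: it stacks a four-chunk stand-in for the system allocator (which overwrites freed chunks with 0x5a when junk filling is on, as the quoted manpage text describes) under an optional application-level free list, then measures how many bytes of a constructed secret are still readable in the next chunk returned to a caller that does not initialise it. All names, the chunk size and the secret string are assumptions of this example.

```c
#include <stdio.h>
#include <string.h>

#define CHUNK   64
#define NCHUNKS 4

/* Layer 1: stand-in for the system allocator (jemalloc in base).
 * With sys_junk set, freed chunks are overwritten with 0x5a before
 * being returned to the pool, modelling the opt.junk behaviour. */
static unsigned char arena[NCHUNKS][CHUNK];
static int arena_free[NCHUNKS];
static int sys_junk = 0;

static void sys_reset(int junk) {
    sys_junk = junk;
    memset(arena, 0, sizeof arena);
    for (int i = 0; i < NCHUNKS; i++) arena_free[i] = 1;
}

static unsigned char *sys_alloc(void) {
    /* First-fit: a chunk freed earlier is the first one handed out again,
     * which is what makes stale contents observable without junk fill. */
    for (int i = 0; i < NCHUNKS; i++)
        if (arena_free[i]) { arena_free[i] = 0; return arena[i]; }
    return NULL;
}

static void sys_free(unsigned char *p) {
    if (sys_junk) memset(p, 0x5a, CHUNK);      /* opt.junk style scrub */
    for (int i = 0; i < NCHUNKS; i++)
        if (p == arena[i]) arena_free[i] = 1;
}

/* Layer 2: an application-level free list (assumed, simplified) that
 * hands recently freed chunks straight back to the caller. A chunk on
 * this list never reaches sys_free(), so the allocator's junk fill
 * never runs on it. */
static unsigned char *freelist[NCHUNKS];
static int freelist_len = 0;
static int use_freelist = 0;

static unsigned char *app_alloc(void) {
    if (use_freelist && freelist_len > 0) return freelist[--freelist_len];
    return sys_alloc();
}

static void app_free(unsigned char *p) {
    if (use_freelist) { freelist[freelist_len++] = p; return; }
    sys_free(p);
}

/* Constructed secret for the demonstration (24 bytes including the NUL). */
static const char SECRET[] = "constructed-secret-0123";

/* Store the secret in a chunk, release it, take the next chunk without
 * initialising it, and count how many secret bytes are still in place. */
int secret_bytes_surviving(int junk, int app_freelist) {
    sys_reset(junk);
    use_freelist = app_freelist;
    freelist_len = 0;

    unsigned char *a = app_alloc();
    memcpy(a, SECRET, sizeof SECRET);
    app_free(a);

    unsigned char *b = app_alloc();          /* reused, not cleared by caller */
    int n = 0;
    for (size_t i = 0; i < sizeof SECRET; i++)
        if (b[i] == (unsigned char)SECRET[i]) n++;
    return n;
}

int main(void) {
    printf("junk=0 freelist=0: %d bytes survive\n", secret_bytes_surviving(0, 0));
    printf("junk=1 freelist=0: %d bytes survive\n", secret_bytes_surviving(1, 0));
    printf("junk=0 freelist=1: %d bytes survive\n", secret_bytes_surviving(0, 1));
    printf("junk=1 freelist=1: %d bytes survive\n", secret_bytes_surviving(1, 1));
    return 0;
}
```

Only the combination "junk fill on, no application free list" leaves zero secret bytes behind; once the application keeps its own free list the allocator setting is irrelevant, because the chunk is recycled above the allocator. That is the reason a malloc-level mitigation cannot substitute for the actual fix in base or ports.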