---------- Forwarded message ----------
From: Oliver Pinter <oliver.pntr_at_gmail.com>
Date: Fri, 23 Jan 2009 21:46:33 +0100
Subject: Re: [patch] libc Berkeley DB information leak
To: Jaakko Heinonen <jh_at_saunalahti.fi>
Cc: freebsd-security_at_freebsd.org

On 1/15/09, Jaakko Heinonen <jh_at_saunalahti.fi> wrote:
>
> Hi,
>
> FreeBSD libc Berkeley DB can leak sensitive information to database
> files. The problem is that it writes uninitialized memory obtained from
> malloc(3) to database files.
>
> You can use this simple test program to reproduce the behavior:
>
> http://www.saunalahti.fi/~jh3/dbtest.c
>
> Run the program and see the resulting test.db file which will contain a
> sequence of 0xa5 bytes directly from malloc(3). (See malloc(3) manual
> page for the explanation for the "J" flag if you need more information.)
>
> This has been reported as PR 123529
> (http://www.freebsd.org/cgi/query-pr.cgi?pr=123529) which contains a
> real information leak case. The PR is assigned to secteam and I have
> also personally reported it to secteam but I haven't heard a word from
> secteam members.
>
> A code to initialize malloc'd memory exists but the feature must be
> enabled with PURIFY macro.
With following patch applied > the test program doesn't output 0xa5 bytes to the database file: > > %%% > Index: lib/libc/db/hash/hash_buf.c > =================================================================== > --- lib/libc/db/hash/hash_buf.c (revision 187214) > +++ lib/libc/db/hash/hash_buf.c (working copy) > _at__at_ -57,6 +57,7 _at__at_ __FBSDID("$FreeBSD$"); > #include <stddef.h> > #include <stdio.h> > #include <stdlib.h> > +#include <string.h> > > #ifdef DEBUG > #include <assert.h> > Index: lib/libc/db/Makefile.inc > =================================================================== > --- lib/libc/db/Makefile.inc (revision 187214) > +++ lib/libc/db/Makefile.inc (working copy) > _at__at_ -3,6 +3,8 _at__at_ > # > CFLAGS+=-D__DBINTERFACE_PRIVATE > > +CFLAGS+=-DPURIFY > + > .include "${.CURDIR}/db/btree/Makefile.inc" > .include "${.CURDIR}/db/db/Makefile.inc" > .include "${.CURDIR}/db/hash/Makefile.inc" > %%% > > Could someone consider committing this or some other fix for the > problem? > > -- > Jaakko > _______________________________________________ > freebsd-security_at_freebsd.org mailing list > http://lists.freebsd.org/mailman/listinfo/freebsd-security > To unsubscribe, send any mail to "freebsd-security-unsubscribe_at_freebsd.org" >
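Review bot: in the lib/libc/db/hash/hash_buf.c hunk, the new `#include <string.h>` is added unconditionally and the message does not say which call needs it. If it is there only to declare the function used by the PURIFY-guarded initialization, state that in the commit message, and check that the btree and db sources, which also pick up -DPURIFY through Makefile.inc, already include what their PURIFY paths need.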
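Review bot: in the lib/libc/db/Makefile.inc hunk, `CFLAGS+=-DPURIFY` carries no comment saying it is a security fix, and the macro name reads like a debugging aid, so a later cleanup could drop the line and reintroduce the leak. Add a comment above it stating that it forces initialization of malloc'd buffers before they are written to database files, or consider making that initialization unconditional in the sources rather than dependent on a build flag.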
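The leak described in the quoted report, shown as an added example that is not part of the original mail or the FreeBSD source. It assumes a hypothetical one-slot allocator (`toy_alloc`) standing in for malloc(3) reusing memory, a constructed page size and a constructed secret; `build_page`, `page_contains` and `leaks_secret` are illustrative names, and zero-filling is assumed as the initialization.

```c
#include <stdio.h>
#include <string.h>

#define PAGE_SIZE 256   /* constructed page size for the demo */

/* Toy one-slot allocator (hypothetical): returns the same memory without
 * clearing it, as a real malloc(3) may do when it reuses a freed block. */
static unsigned char slot[PAGE_SIZE];
static void *toy_alloc(void) { return slot; }

/* Build a page holding one record. When purify is non-zero the buffer is
 * initialized first (zero fill assumed), as the mail says PURIFY enables. */
static unsigned char *build_page(const char *rec, int purify)
{
    unsigned char *page = toy_alloc();
    size_t n = strlen(rec);
    if (n > PAGE_SIZE) n = PAGE_SIZE;
    if (purify)
        memset(page, 0, PAGE_SIZE);
    memcpy(page, rec, n);   /* only the first n bytes are set by this call */
    return page;
}

/* Return 1 if needle occurs anywhere in the full page that would be written. */
static int page_contains(const unsigned char *page, const char *needle)
{
    size_t n = strlen(needle);
    for (size_t i = 0; n && i + n <= PAGE_SIZE; i++)
        if (memcmp(page + i, needle, n) == 0)
            return 1;
    return 0;
}

/* Earlier use leaves a secret in the block; then a db page is built in it. */
static int leaks_secret(int purify)
{
    const char *secret = "constructed-secret-value";
    unsigned char *old = toy_alloc();
    memset(old, 0xa5, PAGE_SIZE);              /* junk fill, as with "J" */
    memcpy(old + 64, secret, strlen(secret));  /* earlier sensitive use */
    return page_contains(build_page("key=value", purify), secret);
}

int main(void)
{
    printf("without initialization: leak=%d\n", leaks_secret(0));
    printf("with initialization:    leak=%d\n", leaks_secret(1));
    return 0;
}
```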