Thread: 20 messages, 8 authors, 2012-01-20

Does Linux process exist information leakage?

From: Scott Lovenberg <hidden>
Date: 2012-01-11 17:52:33

On Wed, Jan 11, 2012 at 11:45, Dave Hylands [off-list ref] wrote:
> Hi,
>
> On Wed, Jan 11, 2012 at 4:53 AM, ??? [off-list ref] wrote:
>> Hi,
>>    My tutor asked me to test whether one process leaves information in
>> memory after it is dead. I tried to search for articles about such a thing on
>> the Internet, but there seems to be no one discussing it. After that,
>> I tried to write a program in user mode to test it, using fork() to
>> create lots of processes and filling a 102400-byte char array with the char 'a'
>> in each process. Then I used malloc() to get some memory and searched for the
>> char 'a' in one new process or many new processes, but failed. All memory I
>> malloced was full of zeros.
>
> Yeah - so if it were possible for one process to get information about
> another process like that you would have a security leak.
>
>>    As the man page of malloc says, "The memory is not initialized", I believe
>> that the memory obtained by malloc() could have been used by another process,
>> and therefore information leakage exists. But how can I test it? Or where can
>> I get related information?
>
> All pages allocated from the OS will be initially zero'd, however,
> once your process owns the page, if you filled it with Z's and then
> freed it and reallocated you might very well get your Z's back
> instead of 0's. You'll never get data from another process though.
Real-world example in C: I fixed a security bug in Samba that dealt with
this exact problem.  Credential files were read into memory as the root user
and then the memory was freed without being zeroed.  A user could therefore
read the contents of a file that they didn't have permission to read,
because the whole thing was put in memory by a user that had permission to
view the file.  Someone clever could churn through memory and find the
credentials if they knew that the mount command had just been run.

I added a memset() to the end of the parsing function to zero out the
memory before freeing it back to the OS:
http://git.samba.org/?p=cifs-utils.git;a=commitdiff;h=6c917ebf360b3dbbc4c7ad9af3e106170528aa3c
(you can skip to the end of the patch if you don't want to follow the entire
flow of the code)

Does this help express the idea any better?
-- 
Peace and Blessings,
-Scott.
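The bug pattern Scott describes, worked through as an added C example (this is not the cifs-utils code): a constructed credentials file is parsed out of a buffer that stands in for the heap page the parser later hands back, and the release path with and without zeroing is compared. The `secure_memset` helper, the buffer sizes and all function names are assumptions; the helper exists because a plain memset() immediately before free() is a dead store the compiler may drop.

```c
#include <string.h>

/* memset() right before free() is a dead store the optimizer may delete.
 * Calling through a volatile function pointer forces the store to happen;
 * this hypothetical helper plays the role of explicit_bzero(). */
static void *(*volatile secure_memset)(void *, int, size_t) = memset;

/* Constructed stand-in for a credentials file read by a privileged process. */
static const char CONSTRUCTED_CREDS[] =
    "username=alice\npassword=s3cr3t-pass\ndomain=EXAMPLE\n";

/* Parse the password out of `page`, a buffer standing in for heap memory that
 * is handed back to the allocator afterwards. With wipe_on_release set, the
 * page is zeroed first, which is what the memset() before free() fix does. */
int parse_credentials(char *page, size_t page_len, char *pw, size_t pw_len,
                      int wipe_on_release)
{
    if (page_len < sizeof CONSTRUCTED_CREDS) return -1;
    memcpy(page, CONSTRUCTED_CREDS, sizeof CONSTRUCTED_CREDS); /* "read file" */
    const char *p = strstr(page, "password=");
    if (!p) return -1;
    p += strlen("password=");
    size_t n = strcspn(p, "\n");
    if (n >= pw_len) return -1;
    memcpy(pw, p, n);
    pw[n] = '\0';
    if (wipe_on_release)
        secure_memset(page, 0, page_len); /* the fix: zero before release */
    return 0;                             /* caller now releases the page */
}

/* Audit step: count bytes of `secret` still readable in the released page. */
size_t secret_bytes_left(const char *page, size_t page_len, const char *secret)
{
    size_t slen = strlen(secret);
    for (size_t i = 0; i + slen <= page_len; i++)
        if (memcmp(page + i, secret, slen) == 0) return slen;
    return 0;
}

/* Run the sequence once on a fresh (zeroed, as from the OS) page and report
 * how many bytes of the password survive the release step; -1 on parse error. */
int leaked_bytes_after_release(int wipe_on_release)
{
    char page[4096] = {0}, pw[64];
    if (parse_credentials(page, sizeof page, pw, sizeof pw, wipe_on_release))
        return -1;
    return (int)secret_bytes_left(page, sizeof page, pw);
}
```

Without the wipe, all 11 bytes of the password remain in the released buffer; with it, none do.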