Thread (20 messages) 20 messages, 8 authors, 2012-01-20

Does Linux process exist information leakage?

From: Scott Lovenberg <hidden>
Date: 2012-01-19 14:47:35 

On Mon, Jan 16, 2012 at 18:45, Jonathan Neusch?fer [off-list ref]wrote:

On Mon, Jan 16, 2012 at 01:19:22PM -0500, Scott Lovenberg wrote:
quoted
Let me walk you guys through how this bug could be exploited.
The file that you want to access is blocked from you by file system
permissions.  The root user (uid==0) can access this file (that contains
credentials) and read it into memory that it has malloc()'ed.  After the
process running as root is done, it free()'s the memory without zeroing
it
quoted
out.  Now you (you clever hacker) spawn a process that requests memory in
large hunks.  It then searches for the string "password=" in that memory.
 Since the memory was free()'ed back to the pool without being changed,
it
quoted
still contains the original information that was in the file that you
cannot read.  Does this make sense, or should I go into t a bit more
detail?

But can you actually get this dirty memory on Linux?

I know two sources of memory that are used by malloc. One is brk(), the
other is mmapped pages of /dev/zero. With /dev/zero it's obvious that
you get empty pages (all-zero); with brk I wasn't sure so I wrote the
test program below and ran it. I didn't find any dirty (non-zero) memory.

Thanks,
       Jonathan Neusch?fer


--
#include <unistd.h>
#include <stdio.h>

#define BLOCKSZ (1024 * 1024) /* one Mibi */

int main(void)
{
       int maxmb = 1024;
       unsigned i;
       void *BRK;

       BRK = sbrk(0);

       for (i = 0; i < maxmb; i++) {
               void *block = sbrk(BLOCKSZ);
               unsigned j, *p;

               if (block == (void *) -1) {
                       printf("sbrk failed after %u blocks (%u bytes)\n",
i, i * BLOCKSZ);
                       break;
               }

               for (p = block, j = BLOCKSZ/sizeof(unsigned int); j--; p++)
                       if (*p)
                               printf("found data at BRK+%p: %u\n", ((void
*)p) - BRK, *p);
       }

       return 0;
}
Thanks for posting this.  I'm embarrassed that I never even bothered to
check if dirty memory was given back.  I guess I just assumed.  You know
what they say about assumptions...  Anyways, I think this is a great
discussion. :)


-- 
Peace and Blessings,
-Scott.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.kernelnewbies.org/pipermail/kernelnewbies/attachments/20120119/61cecfd7/attachment.html
Keyboard shortcuts
hback out one level
jnext message in thread
kprevious message in thread
ldrill in
Escclose help / fold thread tree
?toggle this help