Does Linux process exist information leakage?

Scott Lovenberg scott.lovenberg at gmail.com
Wed Jan 11 12:52:33 EST 2012


On Wed, Jan 11, 2012 at 11:45, Dave Hylands <dhylands at gmail.com> wrote:

> Hi,
>
> On Wed, Jan 11, 2012 at 4:53 AM, 夏业添 <summerxyt at gmail.com> wrote:
> > Hi,
> >    My tutor asked me to test whether one process leaves information in
> > memory after it is dead. I tried to search for articles about such a thing
> > on the Internet, but there seems to be no one discussing it. After that,
> > I tried to write a program in user mode to test it, using fork() to
> > create lots of processes and filling a 102400-byte char array with the
> > char 'a' in each process. Then I used malloc() to get some memory and
> > seek the char 'a' in one new process or many new processes, but failed.
> > All the memory I malloced was full of zeros.
>
> Yeah - so if it were possible for one process to get information about
> another process like that you would have a security leak.
>
> >    As the man page of malloc says, "The memory is not initialized", I
> > believe that the memory obtained by malloc() could have been used by
> > another process, and therefore information leakage exists. But how can I
> > test it? Or where can I get related information?
>
> All pages allocated from the OS will be initially zeroed, however,
> once your process owns the page, if you filled it with Z's and then
> freed it and reallocated you might very well get your Z's back
> instead of 0's. You'll never get data from another process though.
>

Real world example in C; I fixed a security bug in Samba that dealt with
this exact problem.  Credential files were read to memory as the root user
and then the memory was freed without being zeroed.  A user could therefore
read the contents of a file that they didn't have permission to read
because the whole thing was put in memory by a user that had permission to
view the file.  Someone clever could churn through memory and find the
credentials if they knew that the mount command was just run.

I added a memset() to the end of the parsing function to zero out the
memory before freeing back to the OS.
http://git.samba.org/?p=cifs-utils.git;a=commitdiff;h=6c917ebf360b3dbbc4c7ad9af3e106170528aa3c
(you can skip to the end of the patch if you don't want to follow the entire
flow of the code)

Does this help express the idea any better?
-- 
Peace and Blessings,
-Scott.
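Added example (not code from this thread or from cifs-utils): a self-contained C program that reproduces the two points above with a constructed credential-file string. parse_credentials() copies the "file" into a heap buffer and either frees it as-is (the original bug) or wipes it first; scavenge_heap() then asks malloc() for a same-sized block and looks for the password without initializing the block, and fresh_mapping_is_zero() checks that a large allocation served straight from the kernel is all zero. Whether the unwiped run actually leaks depends on the allocator (glibc reuses a freed chunk of the same size for the next request, overwriting only its first 16 bytes of bookkeeping); the wiped run is clean on any allocator. The names, the 128-byte buffer size and the sample contents are assumptions of this example.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Constructed sample standing in for a credential file only root may read.
 * The password is placed past byte 16 on purpose: glibc hands the same freed
 * chunk back to the next malloc() of that size but overwrites its first 16
 * bytes with allocator bookkeeping, so only the bytes after that survive. */
static const char SAMPLE_CRED[] =
    "# constructed sample credential file\n"
    "username=alice\n"
    "password=hunter2\n";

#define CRED_BUF 128        /* size of the heap buffer the "parser" uses (assumed) */
#define SECRET   "hunter2"  /* what the scavenger looks for                        */

/* Calling memset through a volatile function pointer keeps the compiler from
 * deleting a memset whose buffer is freed right afterwards (dead-store
 * elimination). explicit_bzero(3) does the same on glibc/BSD. */
static void *(*volatile wipe_memset)(void *, int, size_t) = memset;

static void secure_free(void *p, size_t n)
{
    if (p != NULL) {
        wipe_memset(p, 0, n);
        free(p);
    }
}

/* Stand-in for "read the credential file into heap memory, use it, free it". */
static void parse_credentials(int wipe_before_free)
{
    char *buf = malloc(CRED_BUF);
    if (buf == NULL)
        return;
    memcpy(buf, SAMPLE_CRED, sizeof SAMPLE_CRED);  /* includes the NUL */
    /* ... the mount options would be built from buf here ... */
    if (wipe_before_free)
        secure_free(buf, CRED_BUF);  /* the fix: zero, then free */
    else
        free(buf);                   /* the bug: secret stays in the freed chunk */
}

/* Byte-wise search, since the buffer may contain NUL bytes. Returns 1 if found. */
static int contains_secret(const unsigned char *p, size_t n)
{
    size_t k = sizeof SECRET - 1;
    for (size_t i = 0; i + k <= n; i++)
        if (memcmp(p + i, SECRET, k) == 0)
            return 1;
    return 0;
}

/* Scavenger: request a same-sized block and inspect it without initializing
 * it, exactly as a process churning through freed memory would. */
static int scavenge_heap(void)
{
    unsigned char *buf = malloc(CRED_BUF);
    if (buf == NULL)
        return 0;
    int found = contains_secret(buf, CRED_BUF);
    free(buf);
    return found;
}

/* Run the parser with or without the fix, then scavenge. Returns 1 on leak. */
static int leak_then_scavenge(int wipe_before_free)
{
    parse_credentials(wipe_before_free);
    return scavenge_heap();
}

/* Pages that come fresh from the kernel are zero-filled: a 4 MiB request is
 * served by mmap(2), so nothing another process wrote can show up. Returns 1
 * if every byte is zero. */
static int fresh_mapping_is_zero(void)
{
    size_t n = 4u << 20;
    unsigned char *p = malloc(n);
    if (p == NULL)
        return 0;
    int clean = 1;
    for (size_t i = 0; i < n; i++)
        if (p[i] != 0) { clean = 0; break; }
    free(p);
    return clean;
}

int main(void)
{
    printf("free() without wipe, secret found by next malloc(): %s\n",
           leak_then_scavenge(0) ? "yes" : "no");
    printf("memset() before free(), secret found: %s\n",
           leak_then_scavenge(1) ? "yes" : "no");
    printf("4 MiB fresh from the kernel all zero: %s\n",
           fresh_mapping_is_zero() ? "yes" : "no");
    return 0;
}
```

Build with `cc -O2 -o leak leak.c` and run it; on glibc the first line prints "yes" and the second "no". The volatile function pointer matters: a plain memset() directly before free() is a dead store as far as the optimizer is concerned and may be dropped at -O2, which would quietly reintroduce the bug.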