Does Linux process exist information leakage?

夏业添 summerxyt at gmail.com
Wed Jan 11 21:14:24 EST 2012


Yeah, it is the countermeasure for a similar security risk. But I know little
about Samba; could you explain more precisely how the attacker seeks the
credentials? That is exactly what I want to test but failed...

Thanks!

2012/1/12 Scott Lovenberg <scott.lovenberg at gmail.com>

>
>
> On Wed, Jan 11, 2012 at 11:45, Dave Hylands <dhylands at gmail.com> wrote:
>
>> Hi,
>>
>> On Wed, Jan 11, 2012 at 4:53 AM, 夏业添 <summerxyt at gmail.com> wrote:
>> > Hi,
>> >    My tutor asked me to test whether one process leaves information in
>> > memory after it is dead. I tried to search for articles about such a
>> > thing on the Internet, but there seems to be no one discussing it. After
>> > that, I tried to write some programs in user mode to test it, using fork()
>> > to create lots of processes and filling char 'a' into a 102400-byte char
>> > array in each process. Then I used malloc() to get some memory to seek
>> > char 'a' in a new process or many new processes, but failed. All memory I
>> > malloced was full of zero.
>>
>> Yeah - so if it were possible for one process to get information about
>> another process like that you would have a security leak.
>>
>> >    As the man page of malloc says: "The memory is not initialized", I
>> > believe that the memory which was got by malloc() could be used by another
>> > process, and therefore information leakage exists. But how can I test it?
>> > Or where can I get related information?
>>
>> All pages allocated from the OS will be initially zeroed, however,
>> once your process owns the page, if you filled it with Z's and then
>> freed it and reallocated you might very well get your Z's back
>> instead of 0's. You'll never get data from another process though.
>>
>
> Real world example in C; I fixed a security bug in Samba that dealt with
> this exact problem.  Credential files were read to memory as the root user
> and then the memory was freed without being zeroed.  A user could therefore
> read the contents of a file that they didn't have permission to read
> because the whole thing was put in memory by a user that had permission to
> view the file.  Someone clever could churn through memory and find the
> credentials if they knew that the mount command was just run.
>
> I added a memset() to the end of the parsing function to zero out the
> memory before freeing back to the OS.
>
> http://git.samba.org/?p=cifs-utils.git;a=commitdiff;h=6c917ebf360b3dbbc4c7ad9af3e106170528aa3c  (you
> can skip to the end of the patch if you don't want to follow the entire
> flow of the code)
>
> Does this help express the idea any better?
> --
> Peace and Blessings,
> -Scott.
>
>
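An added example, not code from this thread or from the Samba patch, that illustrates both points above: Dave's observation that memory fresh from the kernel is always zeroed, and Scott's fix of zeroing a buffer before freeing it so that the next allocation in the same process cannot read the old contents. It assumes a glibc-style allocator (whether the second malloc() hands back the same chunk is allocator-dependent), the "password=hunter2" marker is a constructed stand-in for a credentials line, and secure_zero() is a hypothetical helper used instead of memset() because a memset() immediately before free() can be dropped by the compiler as a dead store.

```c
#define _DEFAULT_SOURCE            /* MAP_ANONYMOUS on glibc */
#include <stdlib.h>
#include <string.h>
#include <sys/mman.h>
#define BUF_SIZE 4096
/* Constructed stand-in for one line of a credentials file; not a real secret. */
static const char MARKER[] = "password=hunter2";
#define MARKER_LEN (sizeof MARKER - 1)

/* Zero via a volatile pointer: a plain memset() right before free() may be
 * optimised away as a dead store, which would silently undo the fix. */
static void secure_zero(void *p, size_t n) {
    volatile unsigned char *v = p;
    while (n--) *v++ = 0;
}

/* Count intact copies of MARKER in buf. */
static size_t count_marker(const unsigned char *buf, size_t n) {
    size_t hits = 0;
    for (size_t i = 0; i + MARKER_LEN <= n; i++)
        if (memcmp(buf + i, MARKER, MARKER_LEN) == 0) hits++;
    return hits;
}

/* Parse-then-free: scrub=0 frees the buffer still holding the "file" (the bug),
 * scrub=1 zeroes it first (the fix). Returns marker copies seen by the next malloc. */
size_t leftover_after_free(int scrub) {
    unsigned char *buf = malloc(BUF_SIZE);
    if (!buf) return 0;
    for (size_t i = 0; i + MARKER_LEN <= BUF_SIZE; i += MARKER_LEN)
        memcpy(buf + i, MARKER, MARKER_LEN);
    if (scrub) secure_zero(buf, BUF_SIZE);
    free(buf);
    unsigned char *reused = malloc(BUF_SIZE);   /* often the same chunk again */
    if (!reused) return 0;
    size_t hits = count_marker(reused, BUF_SIZE);
    secure_zero(reused, BUF_SIZE);              /* clean up the demo's own copy */
    free(reused);
    return hits;
}

/* Memory freshly handed out by the kernel is always zero-filled. */
int fresh_page_is_zero(void) {
    unsigned char *p = mmap(NULL, BUF_SIZE, PROT_READ | PROT_WRITE,
                            MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
    if (p == MAP_FAILED) return -1;
    size_t i = 0; while (i < BUF_SIZE && p[i] == 0) i++;
    munmap(p, BUF_SIZE);
    return i == BUF_SIZE;
}
```

Call leftover_after_free(0) and leftover_after_free(1) from a main() and compare the counts; the unscrubbed count depends on whether the allocator reuses the chunk, while the scrubbed count is always zero.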