Does Linux process exist information leakage?
Scott Lovenberg
scott.lovenberg at gmail.com
Thu Jan 19 09:47:35 EST 2012
On Mon, Jan 16, 2012 at 18:45, Jonathan Neuschäfer <j.neuschaefer at gmx.net> wrote:
> On Mon, Jan 16, 2012 at 01:19:22PM -0500, Scott Lovenberg wrote:
> > Let me walk you guys through how this bug could be exploited.
> > The file that you want to access is blocked from you by file system
> > permissions. The root user (uid==0) can access this file (that contains
> > credentials) and read it into memory that it has malloc()'ed. After the
> > process running as root is done, it free()'s the memory without zeroing it
> > out. Now you (you clever hacker) spawn a process that requests memory in
> > large hunks. It then searches for the string "password=" in that memory.
> > Since the memory was free()'ed back to the pool without being changed, it
> > still contains the original information that was in the file that you
> > cannot read. Does this make sense, or should I go into a bit more
> > detail?
>
> But can you actually get this dirty memory on Linux?
>
> I know two sources of memory that are used by malloc. One is brk(), the
> other is mmapped pages of /dev/zero. With /dev/zero it's obvious that
> you get empty pages (all-zero); with brk I wasn't sure so I wrote the
> test program below and ran it. I didn't find any dirty (non-zero) memory.
>
> Thanks,
> Jonathan Neuschäfer
>
>
> --
> #include <unistd.h>
> #include <stdio.h>
>
> #define BLOCKSZ (1024 * 1024) /* one MiB */
>
> int main(void)
> {
>     int maxmb = 1024;
>     unsigned i;
>     char *BRK; /* program break at start, used to report offsets */
>
>     BRK = sbrk(0);
>
>     for (i = 0; i < maxmb; i++) {
>         /* grow the break by one block; the kernel backs it with new pages */
>         void *block = sbrk(BLOCKSZ);
>         unsigned j, *p;
>
>         if (block == (void *) -1) {
>             printf("sbrk failed after %u blocks (%u bytes)\n",
>                    i, i * BLOCKSZ);
>             break;
>         }
>
>         /* scan the new block word by word for anything non-zero */
>         for (p = block, j = BLOCKSZ/sizeof(unsigned int); j--; p++)
>             if (*p)
>                 printf("found data at BRK+%td: %u\n",
>                        (char *)p - BRK, *p);
>     }
>
>     return 0;
> }
>
Thanks for posting this. I'm embarrassed that I never even bothered to
check if dirty memory was given back. I guess I just assumed. You know
what they say about assumptions... Anyways, I think this is a great
discussion. :)
--
Peace and Blessings,
-Scott.
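The thread above leaves the security-relevant distinction implicit: the kernel zero-fills every page it hands to a process, whether through brk() or through an anonymous mapping (glibc's malloc uses MAP_ANONYMOUS for large requests, the modern equivalent of the /dev/zero mapping Jonathan mentions), so the cross-process scan Scott describes finds nothing on Linux. free() itself, however, does not zero anything, so a later allocation in the same process can still see the credentials, and that is where a wipe before free() matters. The following program is an added example written for this page, not code from either poster; it assumes Linux with glibc (or musl), and the "password=" secret, the 64-byte offset and the 256-byte buffer size are constructed for the demonstration. It checks both fresh-page sources, then shows the intra-process recycling with and without a wipe.

```c
#define _GNU_SOURCE
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/mman.h>

/* Constructed stand-in for the contents of the protected credentials file. */
#define SECRET_TAG "password="
static const char SECRET[] = SECRET_TAG "constructed-example-value";
/* Kept away from the first 16 bytes: glibc stores free-list links there
   after free(), which would overwrite the tag and hide the effect. */
#define SECRET_OFFSET 64

/* 1 if every byte of [p, p+len) is zero, else 0. */
static int all_zero(const unsigned char *p, size_t len)
{
    for (size_t i = 0; i < len; i++)
        if (p[i] != 0)
            return 0;
    return 1;
}

/* The attacker's scan: 1 if SECRET_TAG occurs anywhere in [p, p+len). */
static int contains_tag(const unsigned char *p, size_t len)
{
    const size_t taglen = strlen(SECRET_TAG);
    for (size_t i = 0; i + taglen <= len; i++)
        if (memcmp(p + i, SECRET_TAG, taglen) == 0)
            return 1;
    return 0;
}

/* Wipe the optimizer cannot drop as a dead store before free().
   glibc >= 2.25 and musl provide explicit_bzero() for the same purpose. */
static void secure_zero(void *p, size_t len)
{
    volatile unsigned char *vp = p;
    while (len--)
        *vp++ = 0;
}

/* Source 1 of malloc memory: extend the program break. Returns 1 if the new
   range is all zero, 0 if dirty bytes were found, -1 if sbrk() failed.
   The break is shrunk back afterwards so malloc is left undisturbed. */
static int fresh_brk_is_zero(size_t bytes)
{
    void *block = sbrk((intptr_t)bytes);
    if (block == (void *)-1)
        return -1;
    int zero = all_zero(block, bytes);
    sbrk(-(intptr_t)bytes);
    return zero;
}

/* Source 2: a private anonymous mapping. Same return convention. */
static int fresh_mmap_is_zero(size_t bytes)
{
    void *block = mmap(NULL, bytes, PROT_READ | PROT_WRITE,
                       MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
    if (block == MAP_FAILED)
        return -1;
    int zero = all_zero(block, bytes);
    munmap(block, bytes);
    return zero;
}

/* The privileged code path: read the secret into a heap buffer, finish with
   it, free() it, optionally wiping first. Returns 0 on success. */
static int handle_secret(size_t bufsz, int wipe)
{
    unsigned char *buf = malloc(bufsz);
    if (buf == NULL)
        return -1;
    memcpy(buf + SECRET_OFFSET, SECRET, sizeof SECRET);
    if (wipe)
        secure_zero(buf, bufsz);
    free(buf);
    return 0;
}

/* A later allocation in the SAME process. free() does not zero, so the
   recycled chunk may still carry the tag: 1 if it does, 0 if not, -1 on
   allocation failure. Reading malloc'd memory before writing it is exactly
   the indeterminate-value read the attacker relies on. */
static int recycled_chunk_leaks(int wipe)
{
    const size_t bufsz = 256;
    if (handle_secret(bufsz, wipe) != 0)
        return -1;
    unsigned char *again = malloc(bufsz);
    if (again == NULL)
        return -1;
    int leaked = contains_tag(again, bufsz);
    free(again);
    return leaked;
}

int main(void)
{
    printf("fresh brk pages all zero       : %d\n", fresh_brk_is_zero(1024 * 1024));
    printf("fresh mmap pages all zero      : %d\n", fresh_mmap_is_zero(1024 * 1024));
    printf("recycled chunk leaks, no wipe  : %d\n", recycled_chunk_leaks(0));
    printf("recycled chunk leaks, wiped    : %d\n", recycled_chunk_leaks(1));
    return 0;
}
```

Whether the unwiped case prints 1 depends on the allocator handing the same chunk back (glibc's tcache does so for a same-sized request); on glibc, running with MALLOC_PERTURB_ set to a non-zero byte makes free() fill chunks and turns that result to 0, which is a useful way to confirm the leak was heap reuse and not something else. The wiped case is 0 regardless, which is the behaviour to design for.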