Re: De Raadt + FBSD + OpenSSH + hole?

On 20 Apr 2014, at 23:06, Jamie Landeg-Jones wrote:

> "hcoin" <hcoin@quietfountain.com> wrote:
>
>> local variables) harms performance.   It's also true doing both of these
>> things would not fix the flaw that 'opened the window' onto these data.
>> However it is true that doing so would make the exploit valueless as
>> 'opening a window' onto erased data would reveal nothing and could erase
>> trojan/virus 'hijack via code-injection then trampoline' opportunities.
>
> In the heartbleed case, was the bug returning stale freed memory, though?
> Couldn't it just as easily have been that the over-read was returning any
> other memory that the process has had allocated for other variables - data
> that was still in use?

The heardbleed case is totally an error in openssl, because it does not
really use the system malloc/free.  It mallocs a huge chunk of memory from
the system when it starts up, and then it has it's own routines which manages
that memory.  As far as the operating system is concerned, it can't touch any
of that memory, even though openssl is using it over-and-over for whatever it
needs memory for.  Openssl did this, of course, for performance reasons.

So in the case of openssl, the problem was that the code *never* returned
memory, no matter how stale and unreferenced the data was.

-- 
Garance Alistair Drosehn                =     drosih@rpi.edu
Senior Systems Programmer               or   gad@FreeBSD.org
Rensselaer Polytechnic Institute;             Troy, NY;  USA
_______________________________________________
freebsd-security@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-security
To unsubscribe, send any mail to "freebsd-security-unsubscribe@freebsd.org"