Re: OpenSSL CVE-2014-0160 (openssl) in 10-STABLE workaround?

Board: FB_stable    Author:    Time: 11 years ago (2014/04/11 07:01)    Score: 0 (0 push / 0 boo / 0 arrow)
0 comments, 0 participants, post 2 of 3 in thread
Apparently OpenSSL intentionally subverts malloc, which is why the issue exists at all... See also (cribbed, I confess, from Slashdot):

http://article.gmane.org/gmane.os.openbsd.misc/211963
http://www.tedunangst.com/flak/post/heartbleed-vs-mallocconf
http://www.tedunangst.com/flak/post/analysis-of-openssl-freelist-reuse

On Apr 8, 2014, at 12:00 PM, Oliver Brandmueller <ob@e-Gitt.NET> wrote:

> Hi,
>
> till it's fixed in base (which I hope is very soon) (or you replace
> openssl in base with the fixed version from ports or patch manually):
>
> Would it probably help (with the performance impact in mind) to set
> malloc option junk:true to lower the risk of leaking information?
>
> manpage says:
>
> "opt.junk" (bool) r- [--enable-fill]
> Junk filling enabled/disabled. If enabled, each byte of
> uninitialized allocated memory will be initialized to 0xa5. All
> deallocated memory will be initialized to 0x5a. This is intended
> for debugging and will impact performance negatively. This option
> is disabled by default unless --enable-debug is specified during
> configuration, in which case it is enabled by default unless
> running inside Valgrind[2].
>
> as opposed to:
>
> "opt.zero" (bool) r- [--enable-fill]
> Zero filling enabled/disabled. If enabled, each byte of
> uninitialized allocated memory will be initialized to 0. Note that
> this initialization only happens once for each byte, so realloc and
> rallocm calls do not zero memory that was previously allocated.
> This is intended for debugging and will impact performance
> negatively. This option is disabled by default.
>
>
> Anyone with better insights could comment on that?
>
> - Oliver
>
>
> --
> | Oliver Brandmueller http://sysadm.in/ ob@sysadm.in |
> | I am the Internet. So help me God. |
> _______________________________________________
> freebsd-stable@freebsd.org mailing list
> http://lists.freebsd.org/mailman/listinfo/freebsd-stable
> To unsubscribe, send any mail to "freebsd-stable-unsubscribe@freebsd.org"
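An added illustration of the point made in this exchange (example code, not from the thread, from jemalloc or from OpenSSL): a toy application-level freelist that recycles buffers without ever calling free(), placed beside a stand-in for an allocator running with opt.junk. The freelist, the 64-byte buffer size, the junk_free() stand-in and the sample secret are all constructed assumptions for the demonstration.

```c
#include <stdlib.h>
#include <string.h>
/* Stand-in for an allocator running with jemalloc's opt.junk: every byte
 * handed to free() is overwritten with 0x5a first. The call counter shows
 * whether the allocator ever sees a block at all. */
static int junk_free_calls;
static void junk_free(void *p, size_t n) {
    memset(p, 0x5a, n);
    junk_free_calls++;
    free(p);
}

/* Toy application-level freelist in the spirit of OpenSSL's: released
 * buffers are parked and handed back untouched, so the allocator's free()
 * and its junk fill are never reached. */
#define FL_MAX 8
#define BUF_LEN 64
static void *freelist[FL_MAX];
static int fl_count;

static void *fl_alloc(void) {
    if (fl_count > 0)
        return freelist[--fl_count];  /* recycled, old contents intact */
    return malloc(BUF_LEN);
}

static void fl_free(void *p, int scrub) {
    if (scrub)                        /* what the application itself must do */
        memset(p, 0x5a, BUF_LEN);
    if (fl_count < FL_MAX) { freelist[fl_count++] = p; return; }
    junk_free(p, BUF_LEN);            /* only freelist overflow reaches malloc */
}
static int calls_during_recycle;      /* allocator frees seen in the round trip */
/* Write a constructed secret, release the buffer via the freelist, allocate
 * again and report whether the secret is still readable (1) or not (0). */
int secret_survives(int scrub) {
    static const char secret[] = "constructed-secret";
    junk_free_calls = 0;
    char *a = fl_alloc();
    memcpy(a, secret, sizeof secret);
    fl_free(a, scrub);
    char *b = fl_alloc();             /* the same block comes back */
    calls_during_recycle = junk_free_calls;
    int survived = memcmp(b, secret, sizeof secret) == 0;
    junk_free(b, BUF_LEN);            /* really release it for the next run */
    fl_count = 0;
    return survived;
}
int allocator_calls_during_last_recycle(void) { return calls_during_recycle; }
```

With the freelist in the path the allocator's junk fill never runs (zero calls during the round trip), so the malloc option cannot help; only a scrub done by the application where the block is actually recycled clears the data.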
Article ID (AID): #1JHoAleo (FB_stable)