On Mon, Jan 16, 2012 at 18:45, Jonathan Neuschäfer <j.neuschae...@gmx.net>wrote:
> On Mon, Jan 16, 2012 at 01:19:22PM -0500, Scott Lovenberg wrote: > > Let me walk you guys through how this bug could be exploited. > > The file that you want to access is blocked from you by file system > > permissions. The root user (uid==0) can access this file (that contains > > credentials) and read it into memory that it has malloc()'ed. After the > > process running as root is done, it free()'s the memory without zeroing > it > > out. Now you (you clever hacker) spawn a process that requests memory in > > large hunks. It then searches for the string "password=" in that memory. > > Since the memory was free()'ed back to the pool without being changed, > it > > still contains the original information that was in the file that you > > cannot read. Does this make sense, or should I go into t a bit more > detail? > > But can you actually get this dirty memory on Linux? > > I know two sources of memory that are used by malloc. One is brk(), the > other is mmapped pages of /dev/zero. With /dev/zero it's obvious that > you get empty pages (all-zero); with brk I wasn't sure so I wrote the > test program below and ran it. I didn't find any dirty (non-zero) memory. > > Thanks, > Jonathan Neuschäfer > > > -- > #include <unistd.h> > #include <stdio.h> > > #define BLOCKSZ (1024 * 1024) /* one Mibi */ > > int main(void) > { > int maxmb = 1024; > unsigned i; > void *BRK; > > BRK = sbrk(0); > > for (i = 0; i < maxmb; i++) { > void *block = sbrk(BLOCKSZ); > unsigned j, *p; > > if (block == (void *) -1) { > printf("sbrk failed after %u blocks (%u bytes)\n", > i, i * BLOCKSZ); > break; > } > > for (p = block, j = BLOCKSZ/sizeof(unsigned int); j--; p++) > if (*p) > printf("found data at BRK+%p: %u\n", ((void > *)p) - BRK, *p); > } > > return 0; > } > Thanks for posting this. I'm embarrassed that I never even bothered to check if dirty memory was given back. I guess I just assumed. You know what they say about assumptions... Anyways, I think this is a great discussion. :) -- Peace and Blessings, -Scott.
_______________________________________________ Kernelnewbies mailing list Kernelnewbies@kernelnewbies.org http://lists.kernelnewbies.org/mailman/listinfo/kernelnewbies