Re: Serious OpenSSL vulnerability

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 

Suvayu Ali writes:


On Sun, Apr 13, 2014 at 08:38:11AM -0500, Ranjan Maitra wrote:
> On Sun, 13 Apr 2014 09:15:04 -0400 Rahul Sundaram <metherid@xxxxxxxxx>
> wrote:
>
> > Hi
> >
> >
> > On Sun, Apr 13, 2014 at 6:23 AM, Timothy Murphy wrote:
> >
> > > Roger wrote:
> > >
> > > > It happened. It was known for years.
> > >
> > > Everything I have seen says it has been known for about 1 week.
> > >
> > > Incidentally, I am no programmer but I would have thought
> > > it would be relatively simple to set up a test
> > > to see if a "malloc"-ed space could be transgressed.
> > >
> >
> > Not in this case.  openssl uses a custom malloc
> >
>
> So, a valgrind -tool=memcheck --leak-check=yes --show-reachable=yes
> --track-fds=yes --track-origins=yes would not have helped?

AFAIU this is not a memory leak; it is a buffer overflow: lack of bounds
checking.  I do not think valgrind (or any other tool) can help with
that.  Feel free to correct me if I am wrong.
For this particular vulnerability, it is not technically a buffer overflow. The vulnerable code merely reads past the end of an allocated buffer. A buffer overflow gets exploited by writing past the allocated buffer.
If you want to classify this, the best classification here would be an information leak, and not a buffer overflow.
The chances of valgrind catching this exploit are quite small. The only possible way I see valgrind could've complained would be if the original buffer that was allocated for the TLS ping message got padded by malloc() by a non-significant amount, and valgrind would've complained about reading uninitialized memory.
And ven in that case, valgrind() tends to complain about uninitialized memory only if its value is used to branch on. There's lots of code that ends up reading uninitialized memory without resulting in undefined behavior, for one reason or another. valgrind() doesn't typically complain reading a few uninitialized bytes after a range that's been legally malloc()ed, unless its value is used for branching, or something.

Attachment: pgpM7Ef2vha_R.pgp
Description: PGP signature

-- 
users mailing list
users@xxxxxxxxxxxxxxxxxxxxxxx
To unsubscribe or change subscription options:
https://admin.fedoraproject.org/mailman/listinfo/users
Fedora Code of Conduct: http://fedoraproject.org/code-of-conduct
Guidelines: http://fedoraproject.org/wiki/Mailing_list_guidelines
Have a question? Ask away: http://ask.fedoraproject.org
[Index of Archives]     [Older Fedora Users]     [Fedora Announce]     [Fedora Package Announce]     [EPEL Announce]     [EPEL Devel]     [Fedora Magazine]     [Fedora Summer Coding]     [Fedora Laptop]     [Fedora Cloud]     [Fedora Advisory Board]     [Fedora Education]     [Fedora Security]     [Fedora Scitech]     [Fedora Robotics]     [Fedora Infrastructure]     [Fedora Websites]     [Anaconda Devel]     [Fedora Devel Java]     [Fedora Desktop]     [Fedora Fonts]     [Fedora Marketing]     [Fedora Management Tools]     [Fedora Mentors]     [Fedora Package Review]     [Fedora R Devel]     [Fedora PHP Devel]     [Kickstart]     [Fedora Music]     [Fedora Packaging]     [Fedora SELinux]     [Fedora Legal]     [Fedora Kernel]     [Fedora OCaml]     [Coolkey]     [Virtualization Tools]     [ET Management Tools]     [Yum Users]     [Yosemite News]     [Gnome Users]     [KDE Users]     [Fedora Art]     [Fedora Docs]     [Fedora Sparc]     [Libvirt Users]     [Fedora ARM]

  Powered by Linux