Re: Serious OpenSSL vulnerability

On Sun, 13 Apr 2014 15:48:23 +0200 Suvayu Ali <fatkasuvayu+linux@xxxxxxxxx> wrote:

> On Sun, Apr 13, 2014 at 08:38:11AM -0500, Ranjan Maitra wrote:
> > On Sun, 13 Apr 2014 09:15:04 -0400 Rahul Sundaram <metherid@xxxxxxxxx>
> > wrote:
> > 
> > > Hi
> > > 
> > > 
> > > On Sun, Apr 13, 2014 at 6:23 AM, Timothy Murphy wrote:
> > > 
> > > > Roger wrote:
> > > >
> > > > > It happened. It was known for years.
> > > >
> > > > Everything I have seen says it has been known for about 1 week.
> > > >
> > > > Incidentally, I am no programmer but I would have thought
> > > > it would be relatively simple to set up a test
> > > > to see if a "malloc"-ed space could be transgressed.
> > > >
> > > 
> > > Not in this case.  openssl uses a custom malloc
> > > 
> > 
> > So, a valgrind -tool=memcheck --leak-check=yes --show-reachable=yes
> > --track-fds=yes --track-origins=yes would not have helped?
> 
> AFAIU this is not a memory leak; it is a buffer overflow: lack of bounds
> checking.  I do not think valgrind (or any other tool) can help with
> that.  Feel free to correct me if I am wrong.

Actually, in my experience, valgrind has picked up everything pretty
much, including (amazingly!) logically incorrect statements (even
when there was no memory leak). In other words, it reports no leaks
possible but some errors. And if you go look with the -v option (on a
-g compiled executable) one gets the line number and finds errors from
there. 

Of course, I understand that this is no guarantee.

Here is an example (on F20):


/*  file: testrealloc.c (note the access in the last element) */

#include <stdio.h>
#include <stdlib.h>

int main(void) {
	int n = 50;
	double *a, *p;

	a = malloc(n * sizeof( *a));
	
	for (int i = 0; i < n; i++)
		a[i] = i;

	p = realloc(a, (n - 2) * sizeof( *p));

	for (int i = (n - 4); i < (n - 1); i++)
		printf("%f ", p[i]);
	free(p);

	return EXIT_SUCCESS;

}

/* compile with:

gcc -o testrealloc testrealloc.c -std=c99 -Wall -pedantic

run valgrind:

valgrind --tool=memcheck --leak-check=yes --show-reachable=yes
--track-fds=yes --track-origins=yes   -v ./testrealloc 

Here are the results:

......snipped....
--12324-- REDIR: 0x35bd018380 (index) redirected to 0x4a08f60 (index)
--12324-- REDIR: 0x35bd018400 (strcmp) redirected to 0x4a0a040 (strcmp)
--12324-- Reading syms from /usr/lib64/libc-2.18.so
--12324-- REDIR: 0x35bd489b90 (strcasecmp) redirected to 0x4801716 (_vgnU_ifunc_wrapper)
--12324-- REDIR: 0x35bd48be80 (strncasecmp) redirected to 0x4801716 (_vgnU_ifunc_wrapper)
--12324-- REDIR: 0x35bd489360 (memcpy@GLIBC_2.2.5) redirected to 0x4801716 (_vgnU_ifunc_wrapper)
--12324-- REDIR: 0x35bd488340 (__GI_strrchr) redirected to 0x4a08d80 (__GI_strrchr)
--12324-- REDIR: 0x35bd47ff10 (malloc) redirected to 0x4a063d6 (malloc)
--12324-- REDIR: 0x35bd480410 (realloc) redirected to 0x4a082e0 (realloc)
--12324-- REDIR: 0x35bd48fe40 (strchrnul) redirected to 0x4a0bd30 (strchrnul)
--12324-- REDIR: 0x35bd4865f0 (strlen) redirected to 0x4a092f0 (strlen)
==12324== Invalid read of size 8
==12324==    at 0x4006A8: main (in /tmp/testrealloc)
==12324==  Address 0x4c2a390 is 0 bytes after a block of size 384 alloc'd
==12324==    at 0x4A083AA: realloc (in /usr/lib64/valgrind/vgpreload_memcheck-amd64-linux.so)
==12324==    by 0x400684: main (in /tmp/testrealloc)
==12324== 
--12324-- REDIR: 0x35bd480330 (free) redirected to 0x4a074f0 (free)
46.000000 47.000000 0.000000 ==12324== 
==12324== FILE DESCRIPTORS: 3 open at exit.
==12324== Open file descriptor 2: /dev/pts/8
==12324==    <inherited from parent>
==12324== 
==12324== Open file descriptor 1: /dev/pts/8
==12324==    <inherited from parent>
==12324== 
==12324== Open file descriptor 0: /dev/pts/8
==12324==    <inherited from parent>
==12324== 
==12324== 
==12324== HEAP SUMMARY:
==12324==     in use at exit: 0 bytes in 0 blocks
==12324==   total heap usage: 2 allocs, 2 frees, 784 bytes allocated
==12324== 
==12324== All heap blocks were freed -- no leaks are possible
==12324== 
==12324== ERROR SUMMARY: 1 errors from 1 contexts (suppressed: 2 from 2)
==12324== 
==12324== 1 errors in context 1 of 1:
==12324== Invalid read of size 8
==12324==    at 0x4006A8: main (in /tmp/testrealloc)
==12324==  Address 0x4c2a390 is 0 bytes after a block of size 384 alloc'd
==12324==    at 0x4A083AA: realloc (in /usr/lib64/valgrind/vgpreload_memcheck-amd64-linux.so)
==12324==    by 0x400684: main (in /tmp/testrealloc)
==12324== 
--12324-- 
--12324-- used_suppression:      2 glibc-2.5.x-on-SUSE-10.2-(PPC)-2a /usr/lib64/valgrind/default.supp:1286
==12324== 
==12324== ERROR SUMMARY: 1 errors from 1 contexts (suppressed: 2 from 2)

*/

Btw, there are always 2 suppressed errors (from the compiled standard
library, I guess). I wish that someone could look into these.

I have become a great fan of valgrind. Of course, that in itself may be
a problem if it lulls one to a false sense of complacency.

Best wishes,
Ranjan
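An added example, not code from the thread, illustrating Rahul's point that a custom allocator defeats this kind of check: a hypothetical freelist-style pool carves fixed-size records out of one malloc'd arena, so a copy that trusts a caller-supplied length reads straight into the neighbouring record without memcheck ever seeing a boundary, while a length check in the same copy routine is the fix. pool_alloc, copy_record and neighbour_bytes_exposed are constructed names, and the 'A'/'B' marker bytes are constructed sample data.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#define REC_SIZE   64   /* bytes each record really holds */
#define ARENA_RECS 16   /* records carved from one malloc'd arena */
static unsigned char *arena = NULL;  /* the only block memcheck knows about */
static size_t arena_used = 0;

/* Hypothetical freelist-style allocator: hands out fixed-size slices of the arena.
 * Memcheck tracks the arena as one allocation, so slice boundaries are invisible. */
static unsigned char *pool_alloc(void)
{
    if (arena == NULL) {
        arena = malloc((size_t)REC_SIZE * ARENA_RECS);
        if (arena == NULL) abort();
        memset(arena, 0, (size_t)REC_SIZE * ARENA_RECS);
    }
    if (arena_used >= ARENA_RECS) abort();  /* pool exhausted */
    return arena + (size_t)REC_SIZE * arena_used++;
}

/* Copy `claimed` bytes of a record into `out`. checked == 0 trusts the claimed
 * length (the bounds bug); checked != 0 rejects a length beyond REC_SIZE (the fix). */
static size_t copy_record(const unsigned char *rec, size_t claimed,
                          unsigned char *out, int checked)
{
    if (checked && claimed > REC_SIZE) return 0;
    memcpy(out, rec, claimed);  /* over-read when claimed > REC_SIZE */
    return claimed;
}

/* Fill two neighbouring records with distinct markers, copy `claimed` bytes out of
 * the first and count how many bytes of the second ended up in the output. Under
 * valgrind nothing is reported: the over-read never leaves the arena. */
size_t neighbour_bytes_exposed(size_t claimed, int checked)
{
    unsigned char *r0 = pool_alloc(), *r1 = pool_alloc();
    unsigned char out[2 * REC_SIZE] = {0};
    size_t n, i, exposed = 0;
    if (claimed > sizeof out) return 0;  /* keep the demo itself within `out` */
    memset(r0, 'A', REC_SIZE);
    memset(r1, 'B', REC_SIZE);  /* stands in for another session's data */
    n = copy_record(r0, claimed, out, checked);
    for (i = 0; i < n; i++) exposed += (out[i] == 'B');
    return exposed;
}

int main(void)
{   /* run under valgrind --tool=memcheck: no "Invalid read" despite the over-read */
    printf("unchecked: %zu bytes of the neighbour exposed\n", neighbour_bytes_exposed(80, 0));
    printf("checked:   %zu bytes of the neighbour exposed\n", neighbour_bytes_exposed(80, 1));
    return EXIT_SUCCESS;
}
```

Run it with the same valgrind command as testrealloc.c: the error summary reports 0 errors because memcheck only knows about the 1024-byte arena, whereas allocating each record directly with malloc makes the same over-read show up as the "Invalid read" above.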



-- 
users mailing list
users@xxxxxxxxxxxxxxxxxxxxxxx