tech-security: Re: A bunch of memory allocation bugs in CGD

Subject: Re: A bunch of memory allocation bugs in CGD
To: ALeine <aleine@austrosearch.net>
From: Roland Dowdeswell <elric@imrryr.org>
List: tech-security
Date: 03/30/2005 15:53:19

On 1112207393 seconds since the Beginning of the UNIX epoch
"ALeine" wrote:
>

>Thanks for responding so quickly.

No problem.

>- the first bug is in cmd_nuke() and could not be seen as much
>  of a bug because cmd_nuke() is used to destroy lock sectors.
>  If this fails due to memory starvation no sensitive information
>  is leaked, only a write(2) call fails and gbde terminates
>  correctly upon catching and reporting the write error.

Having a quick read it looks like the call to cmd_nuke() is preceded
by a cmd_open().  cmd_open() loads the decrypted decoded contents
of the lock sector into memory which contain all of the information
needed to decrypt the disk.  In cmd_nuke(), the malloc is followed
immediately by a memset(3) which could core dump. 

--
    Roland Dowdeswell                      http://www.Imrryr.ORG/~elric/