On Tue, Nov 06, 2012 at 07:46:58PM +0100, Paul Schenkeveld wrote:
> Hi,
>
> When creating a swap based md(4) it may contain data which to me feels
> like a security leak:
>
> # mdconfig -a -t swap -s 1m
> md0
> # hd /dev/md0
> 00000000  c0 9b a8 00 08 00 00 00  00 5c 53 00 08 00 00 00  |?.?......\S.....|
> 00000010  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  |................|
> *
> 00000250  38 9f a8 00 08 00 00 00  00 5c 53 00 08 00 00 00  |8.?......\S.....|
> 00000260  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  |................|
> *
> 00000330  88 a0 a8 00 08 00 00 00  00 5c 53 00 08 00 00 00  |.??......\S.....|
> 00000340  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  |................|
> *
> 00000370  e8 a0 a8 00 08 00 00 00  00 5c 53 00 08 00 00 00  |???......\S.....|
> 00000380  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  |................|
> *
> 000005b0  48 a4 a8 00 08 00 00 00  00 5c 53 00 08 00 00 00  |H??......\S.....|
> 000005c0  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  |................|
> *
> ^C
> # ls -l /dev/md0
> crw-r----- 1 root operator 0xc8 Nov 6 19:42 /dev/md0
> #
>
> Although not world-readable, it just doesn't feel right to me.
>
> Any thoughts?
It is definitely not a security issue. The md device is not user-accessible,
as you noted. A filesystem run over the device needs to ensure that user
processes never get on-disk garbage without first initializing the blocks.

That said, the following patch should fix the nit. I am unsure about it,
because it fixes a mostly non-issue by spending CPU time to zero a page which
would be either zeroed or overwritten right now anyway in normal usage.

diff --git a/sys/dev/md/md.c b/sys/dev/md/md.c
index a86c26a..80982cc 100644
--- a/sys/dev/md/md.c
+++ b/sys/dev/md/md.c
@@ -677,6 +677,9 @@ mdstart_swap(struct md_s *sc, struct bio *bp)
sched_unpin();
vm_page_wakeup(m);
break;
+ } else if (rv == VM_PAGER_FAIL) {
+ /* Pager does not have page */
+ bzero((void *)sf_buf_kva(sf), PAGE_SIZE);
}
bcopy((void *)(sf_buf_kva(sf) + offs), p, len);
cpu_flush_dcache(p, len);
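Review bot: The comment on the new VM_PAGER_FAIL branch states the condition but not why it matters; since the bcopy two lines below copies `len` bytes out of the page whatever the pager returned, a page the pager does not hold carries stale contents into the caller's buffer unless it is cleared first, and the comment should say so, e.g. `/* Pager does not have page: clear it so the bcopy below does not return stale contents */`. Given the cost concern raised in the message, it is also worth noting in the comment that the whole PAGE_SIZE is zeroed even when only a partial `offs`/`len` range is read, so a later reviewer does not narrow the bzero to the copied range without checking whether the rest of the page can be read back afterwards.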