lockedpool: avoid sensitive data in core files (FreeBSD) #18443
Conversation
This is a followup to 23991ee / bitcoin#15600 to also use madvise(2) on FreeBSD to avoid sensitive data allocated with secure_allocator ending up in core files in addition to preventing it from going to the swap.
| #ifdef MADV_DONTDUMP | ||
| #if defined(MADV_DONTDUMP) // Linux | ||
| madvise(addr, len, MADV_DONTDUMP); | ||
| #elif defined(MADV_NOCORE) // FreeBSD |
There was a problem hiding this comment.
I think it would be preferable to use a new #ifdef here, just in case there's ever a system with both defined, but only one supported at runtime...
There was a problem hiding this comment.
As there are currently no such systems, and the flags do exactly the same thing, it seems unlikely that that would ever be an issue.
There was a problem hiding this comment.
even more if both defined this is "bizarro" territory and it might be better to fail the compile to reconsider what to do here, i don't think naively calling both in order (in what order?) is ever a good idea …
(but to be clear: leaving it like this is fine with me)
There was a problem hiding this comment.
I think if there is a system that defines MADV_DONTDUMP, but it is not supported at runtime (!?) then that system is badly broken. Regardless if it also defines MADV_NOCORE that works.
|
ACK f852030 if someone verifies this works as intended on *BSD. |
|
ACK f852030 Edit: I've verified that the call to |
|
I verified this works as intended on FreeBSD 12. Yes, the |
Ok good to know—if this was not the case, it would be better to have an autotools check instead. |
|
Code-review ACK f852030 assuming a reviewer with FreeBSD access verifies that the PR goal is achieved :) |
…FreeBSD) f852030 lockedpool: avoid sensitive data in core files (FreeBSD) (Vasil Dimov) Pull request description: This is a followup to 23991ee / bitcoin#15600 to also use madvise(2) on FreeBSD to avoid sensitive data allocated with secure_allocator ending up in core files in addition to preventing it from going to the swap. ACKs for top commit: sipa: ACK f852030 if someone verifies this works as intended on *BSD. laanwj: ACK f852030 practicalswift: Code-review ACK f852030 assuming a reviewer with FreeBSD access verifies that the PR goal is achieved :) Tree-SHA512: 2e6d4ab6a9fbe18732c8ba530eacc17f58128c97140758b80c905b5b838922a2bcaa5f9abc45ab69d5a1a2baa0cba322f006048b60a877228e089c7e64dadd2a
Locked memory manager Add a pool for locked memory chunks, replacing `LockedPageManager`. Cherry-picked from the following upstream PRs: - bitcoin/bitcoin#8321 - bitcoin/bitcoin#8753 - bitcoin/bitcoin#9063 - bitcoin/bitcoin#9070 - bitcoin/bitcoin#11385 - bitcoin/bitcoin#12048 - Excludes change to benchmark. - bitcoin/bitcoin#15117 - bitcoin/bitcoin#16161 - Excludes Travis CI changes. - Includes change from bitcoin/bitcoin#13163 - bitcoin/bitcoin#15600 - bitcoin/bitcoin#18443 - Assorted small changes from: - bitcoin/bitcoin#9233 - bitcoin/bitcoin#10483 - bitcoin/bitcoin#10645 - bitcoin/bitcoin#10969 - bitcoin/bitcoin#11351 - bitcoin/bitcoin#19111 - Excludes change to `src/rpc/server.cpp` - bitcoin/bitcoin#9804 - Only the commit for `src/key.cpp` - bitcoin/bitcoin#9598
Summary: > This is a followup to [[bitcoin/bitcoin#15600 | PR15600]] to also use madvise(2) on FreeBSD > to avoid sensitive data allocated with secure_allocator ending up > in core files in addition to preventing it from going to the swap. This is a backport of Core [[bitcoin/bitcoin#18443 | PR18443]] Depends on D8879 Test Plan: `ninja all check-all` Reviewers: #bitcoin_abc, deadalnix, Fabien Reviewed By: #bitcoin_abc, deadalnix, Fabien Differential Revision: https://reviews.bitcoinabc.org/D8880
…FreeBSD) f852030 lockedpool: avoid sensitive data in core files (FreeBSD) (Vasil Dimov) Pull request description: This is a followup to 23991ee / bitcoin#15600 to also use madvise(2) on FreeBSD to avoid sensitive data allocated with secure_allocator ending up in core files in addition to preventing it from going to the swap. ACKs for top commit: sipa: ACK f852030 if someone verifies this works as intended on *BSD. laanwj: ACK f852030 practicalswift: Code-review ACK f852030 assuming a reviewer with FreeBSD access verifies that the PR goal is achieved :) Tree-SHA512: 2e6d4ab6a9fbe18732c8ba530eacc17f58128c97140758b80c905b5b838922a2bcaa5f9abc45ab69d5a1a2baa0cba322f006048b60a877228e089c7e64dadd2a
…FreeBSD) f852030 lockedpool: avoid sensitive data in core files (FreeBSD) (Vasil Dimov) Pull request description: This is a followup to 23991ee / bitcoin#15600 to also use madvise(2) on FreeBSD to avoid sensitive data allocated with secure_allocator ending up in core files in addition to preventing it from going to the swap. ACKs for top commit: sipa: ACK f852030 if someone verifies this works as intended on *BSD. laanwj: ACK f852030 practicalswift: Code-review ACK f852030 assuming a reviewer with FreeBSD access verifies that the PR goal is achieved :) Tree-SHA512: 2e6d4ab6a9fbe18732c8ba530eacc17f58128c97140758b80c905b5b838922a2bcaa5f9abc45ab69d5a1a2baa0cba322f006048b60a877228e089c7e64dadd2a
353346c lockedpool: avoid sensitive data in core files (FreeBSD) (Vasil Dimov) 18ca764 lockedpool: When possible, use madvise to avoid including sensitive information in core dumps (Luke Dashjr) Pull request description: Backports of bitcoin#15600 and bitcoin#18443 patching [CVE-2019-15947](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-15947). ACKs for top commit: Fuzzbawls: utACK 353346c furszy: utACK 353346c and merging.. Tree-SHA512: 4e5108803be2881b2b25ed135ce498c04d0ee9b5444d506790f323a32d556497539e6bb139840eea101e33013475e0d2002d5fc4a0bbf03e3e5e388eeb7564c3
5 participants
This is a followup to
23991ee / #15600
to also use madvise(2) on FreeBSD to avoid sensitive data allocated
with secure_allocator ending up in core files in addition to preventing
it from going to the swap.