If the OpenSSL guys want to continue using uninitialised buffers as a source of entropy, it
might be worth sprinkling a few calls to VALGRIND_MAKE_MEM_DEFINED() in the appropriate
locations.
It is a no-op when not running under Valgrind and should be fairly cheap. If the overhead is
small enough, it'd be useful to include in release builds on systems that support Valgrind.
Not being able to run a memory debugger on critical infrastructure like OpenSSL (or on
applications that use it) is a serious problem.
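The annotation suggested in the comment above, as an added example that is not part of the thread and is not OpenSSL code: `toy_pool`, its XOR mixing and the function names are hypothetical, and the fallback macro is an assumption for builds where the Valgrind headers are not installed.

```c
#include <stddef.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#if defined(__has_include)
#  if __has_include(<valgrind/memcheck.h>)
#    include <valgrind/memcheck.h>
#  endif
#endif
#ifndef VALGRIND_MAKE_MEM_DEFINED
/* Fallback for builds without Valgrind headers: compiles to nothing. */
#  define VALGRIND_MAKE_MEM_DEFINED(addr, len) ((void)(addr), (void)(len), 0)
#endif

#define POOL_SIZE 32

/* Hypothetical toy pool; real pools use a cryptographic hash to mix. */
struct toy_pool { unsigned char state[POOL_SIZE]; size_t pos; };

static void toy_pool_init(struct toy_pool *p) { memset(p, 0, sizeof *p); }

/* Mix bytes the caller has initialised. Returns the number of bytes mixed. */
static size_t toy_pool_add(struct toy_pool *p, const void *buf, size_t len)
{
    const unsigned char *b = buf;
    for (size_t i = 0; i < len; i++)
        p->state[p->pos++ % POOL_SIZE] ^= b[i];
    return len;
}

/* Mix bytes that may be uninitialised. The annotation sits only at the place
 * where such data is read on purpose; note that it marks buf itself as
 * defined from here on, so later reads of buf are no longer reported. */
static size_t toy_pool_add_maybe_uninit(struct toy_pool *p, void *buf, size_t len)
{
    (void)VALGRIND_MAKE_MEM_DEFINED(buf, len);
    return toy_pool_add(p, buf, len);
}

int main(void)
{
    struct toy_pool pool;
    unsigned char *scratch = malloc(16);   /* contents deliberately not set */
    if (scratch == NULL) return 1;
    toy_pool_init(&pool);
    printf("mixed %zu bytes\n", toy_pool_add_maybe_uninit(&pool, scratch, 16));
    free(scratch);
    return 0;
}
```

Run under `valgrind ./a.out`, the annotated path produces no uninitialised-value report, while calling `toy_pool_add` on the same scratch buffer directly would once the pool contents are used.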
Posted May 15, 2008 4:41 UTC (Thu) by proski (subscriber, #104)
I would prefer that only inputs definitely not controlled by attackers are used, and I'm not sure it can be guaranteed that uninitialized data is not manipulated in some way. There are sources of entropy that are harder to subvert. I think it's better to have less entropy but avoid giving attackers another possibility for exploits.
You don't use the enemy's rivets to build your battleships. It may be just little pieces of metal that get a very different shape when used, but never underestimate those who are determined to harm you.