From owner-freebsd-security@FreeBSD.ORG Sun Sep 13 12:42:36 2009
Return-Path:
Delivered-To: freebsd-security@freebsd.org
Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34]) by hub.freebsd.org (Postfix) with ESMTP id 3C4C61065672 for ; Sun, 13 Sep 2009 12:42:36 +0000 (UTC) (envelope-from elsiddik@gmail.com)
Received: from mail-bw0-f206.google.com (mail-bw0-f206.google.com [209.85.218.206]) by mx1.freebsd.org (Postfix) with ESMTP id C57448FC12 for ; Sun, 13 Sep 2009 12:42:35 +0000 (UTC)
Received: by bwz2 with SMTP id 2so1482516bwz.43 for ; Sun, 13 Sep 2009 05:42:34 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=gamma; h=domainkey-signature:mime-version:received:from:date:message-id:subject:to:content-type; bh=47DEQpj8HBSa+/TImW+5JCeuQeRkm5NMpJWZG3hSuFU=; b=cNlFslwaVvmBhH9YiCdj22m5IMxZs0owaRLbfWjPRIreb9e1HjUsRVc3vYzaas3sn5Zn/5VDuGrdUF7ywwzh4GboXJHyAGkdjbjh7B0AxIVmBTMTd7oXCsIBsL1nk0XjQ6UeZZTVZ+eUzPNBR9khYEW5dZQyo7M2rz/w71bFvjA=
DomainKey-Signature: a=rsa-sha1; c=nofws; d=gmail.com; s=gamma; h=mime-version:from:date:message-id:subject:to:content-type; b=V4s4H23ROFq+3LdApDmvCcPVcD/0cH/Ra4DzgXcsAveMNfxnMRnEZc7Q9p1NAzcIi2o+9W7QvpDrU5ARsapSSgNbUDIB7cZr42jm7vkCQmyGMVd3Hgur8U6Tmz9vLrRuLBMkcohJoVe/jT8FH98fn+MoWerUlRTnwFns1JjWnHo=
MIME-Version: 1.0
Received: by 10.103.125.35 with SMTP id c35mr2192975mun.30.1252844545068; Sun, 13 Sep 2009 05:22:25 -0700 (PDT)
From: "M.Z.el-Siddik"
Date: Sun, 13 Sep 2009 14:22:05 +0200
Message-ID: <4738a3900909130522p16ed833el6015e1279349f8f3@mail.gmail.com>
To: freebsd-security@freebsd.org
Content-Type: text/plain; charset=ISO-8859-1
Subject: (no subject)
X-BeenThere: freebsd-security@freebsd.org
X-Mailman-Version: 2.1.5
Precedence: list
List-Id: "Security issues \[members-only posting\]"
List-Unsubscribe: ,
List-Archive:
List-Post:
List-Help:
List-Subscribe: ,
X-List-Received-Date: Sun, 13 Sep 2009 12:42:36 -0000

From owner-freebsd-security@FreeBSD.ORG Tue Sep 15 08:01:13 2009
From: Frederique Rijsdijk
Date: Tue, 15 Sep 2009 09:43:48 +0200
To: freebsd-security@freebsd.org
Subject: FreeBSD bug grants local root access (FreeBSD 6.x)
Message-ID: <4AAF45B4.60307@isafeelin.org>

Hi,

Any info on this subject on

http://www.theregister.co.uk/2009/09/14/freebsd_security_bug/

-- 
Frederique

From owner-freebsd-security@FreeBSD.ORG Tue Sep 15 08:03:49 2009
From: Pieter de Boer
Date: Tue, 15 Sep 2009 10:03:48 +0200
To: freebsd-security@freebsd.org
Subject: Protecting against kernel NULL-pointer derefs
Message-ID: <4AAF4A64.3080906@thedarkside.nl>

All,

Given the amount of NULL-pointer dereference vulnerabilities in the FreeBSD kernel that have been discovered of late, I've started looking at a way to generically protect against the code execution possibilities of such bugs.

By disallowing userland to map pages at address 0x0 (and a bit beyond), it is possible to make such NULL-pointer deref bugs mere DoS'es instead of code execution bugs. Linux has implemented such a protection for a long while now, by disallowing page mappings on 0x0 - 0xffff.

On FreeBSD, it appears that simply bumping up VM_MIN_ADDRESS to 65536 downgrades a whole class of code execution vulnerabilities to DoS vulnerabilities. I've raised that #define to 65536 on a 6.4-RELEASE i386 VM. This made at least the mmap() method of mapping at 0x0 fail.
So:

- How do you feel about disallowing such mappings to protect against NULL-pointer deref code executions?
- Is bumping VM_MIN_ADDRESS enough to protect against all methods of creating such mappings (on all supported platforms)?
- Are there unwanted side-effects of raising VM_MIN_ADDRESS?
- Should I file a PR to get this into FreeBSD?

Lemme know,

Pieter

From owner-freebsd-security@FreeBSD.ORG Tue Sep 15 09:08:53 2009
From: Xin LI
Organization: The FreeBSD Project
Reply-To: d@delphij.net
Date: Tue, 15 Sep 2009 02:08:41 -0700
To: Frederique Rijsdijk
Cc: freebsd-security@freebsd.org
Subject: Re: FreeBSD bug grants local root access (FreeBSD 6.x)
Message-ID: <4AAF5999.7020501@delphij.net>
In-Reply-To: <4AAF45B4.60307@isafeelin.org>
References: <4AAF45B4.60307@isafeelin.org>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Hi,

Frederique Rijsdijk wrote:
> Hi,
>
> Any info on this subject on
>
> http://www.theregister.co.uk/2009/09/14/freebsd_security_bug/

Currently we (secteam@) are testing the correction patch and doing peer review on the security advisory draft. The bug was found and fixed on -HEAD and 7-STABLE before 7.1-RELEASE during some stress testing, but was not recognized as a security vulnerability at that time.

The exploit code has to be executed locally, i.e. either by an untrusted local user, or in conjunction with some remote vulnerability in an application that allows the attacker to inject their own code.

We cannot release further details about the problem at this time, but I think we will likely publish the advisory and correction patch this Wednesday.

Cheers,
- --
Xin LI http://www.delphij.net/ FreeBSD - The Power to Serve!
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2.0.12 (FreeBSD)

iEYEARECAAYFAkqvWZgACgkQi+vbBBjt66DAwACdHwj+VB8Ak0oRwhiH7X16+2Wl
nU0An2bMd4Y40DqCUJI+DEmNmozmm7fz
=+LtQ
-----END PGP SIGNATURE-----

From owner-freebsd-security@FreeBSD.ORG Tue Sep 15 09:11:02 2009
From: utisoft@googlemail.com
Date: Tue, 15 Sep 2009 08:20:08 +0000
To: Frederique Rijsdijk, freebsd-security@freebsd.org
Subject: Re: FreeBSD bug grants local root access (FreeBSD 6.x)
Message-ID: <0016e6d99efa540b8b047399738b@google.com>
In-Reply-To: <4AAF45B4.60307@isafeelin.org>

On 15 Sep 2009 08:43, Frederique Rijsdijk wrote:
> Hi,
> Any info on this subject on
> http://www.theregister.co.uk/2009/09/14/freebsd_security_bug/

It appears to only affect 6.x.... and requires local access. If an attacker has local access to a machine you're screwed anyway.
Chris

From owner-freebsd-security@FreeBSD.ORG Tue Sep 15 12:06:35 2009
From: Dag-Erling Smørgrav
Date: Tue, 15 Sep 2009 14:06:34 +0200
To: Pieter de Boer
Cc: freebsd-security@freebsd.org
Subject: Re: Protecting against kernel NULL-pointer derefs
Message-ID: <86ab0w2z05.fsf@ds4.des.no>
In-Reply-To: <4AAF4A64.3080906@thedarkside.nl> (Pieter de Boer's message of "Tue, 15 Sep 2009 10:03:48 +0200")
References: <4AAF4A64.3080906@thedarkside.nl>

Pieter de Boer writes:
> Given the amount of NULL-pointer dereference vulnerabilities in the
> FreeBSD kernel that have been discovered of late,

Specify "amount" and define "of late".

> By disallowing userland to map pages at address 0x0 (and a bit beyond),
> it is possible to make such NULL-pointer deref bugs mere DoS'es instead
> of code execution bugs.
> Linux has implemented such a protection for a
> long while now, by disallowing page mappings on 0x0 - 0xffff.

Yes, that really worked out great for them:

http://isc.sans.org/diary.html?storyid=6820

DES
-- 
Dag-Erling Smørgrav - des@des.no

From owner-freebsd-security@FreeBSD.ORG Tue Sep 15 12:24:23 2009
From: Pieter de Boer
Date: Tue, 15 Sep 2009 14:24:21 +0200
To: Dag-Erling Smørgrav
Cc: freebsd-security@freebsd.org
Subject: Re: Protecting against kernel NULL-pointer derefs
Message-ID: <4AAF8775.7000002@thedarkside.nl>
In-Reply-To: <86ab0w2z05.fsf@ds4.des.no>
References: <4AAF4A64.3080906@thedarkside.nl> <86ab0w2z05.fsf@ds4.des.no>

Dag-Erling Smørgrav wrote:
>> Given the amount of NULL-pointer dereference vulnerabilities in the
>> FreeBSD kernel that have been discovered of late,
> Specify "amount" and define "of late".

'amount' => 2, 'of late' is more figure of speech than anything else.
For me, amount was high enough to get interested and 'of late' may be because I've not been looking long enough.

>> By disallowing userland to map pages at address 0x0 (and a bit beyond),
>> it is possible to make such NULL-pointer deref bugs mere DoS'es instead
>> of code execution bugs. Linux has implemented such a protection for a
>> long while now, by disallowing page mappings on 0x0 - 0xffff.
>
> Yes, that really worked out great for them:
>
> http://isc.sans.org/diary.html?storyid=6820

I was aware of that issue, and was expecting your comment as well. While SELinux (and iirc SysV compatibility) effectively killed the "don't map at 0x0" feature, that does not mean such a feature is useless in and of itself. If it is possible to attain a high enough level of confidence that such a feature would actually work, without negative side-effects, I feel that it would be beneficial to FreeBSD.

I'd be interested in hearing your and others' opinions, specifically on the topics my original questions hinted at.
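Pieter's proposal (raise VM_MIN_ADDRESS to 65536 so that mapping the zero page fails) is easy to test empirically from userland, which is the kind of confidence check the paragraph above asks for. The following is an added example, not code from Pieter's patch or from the FreeBSD tree. It asks the running kernel for one page at address 0 with MAP_FIXED and reports whether the mapping was granted, and it includes a small pure function, map_below_min(), that models the address check a raised VM_MIN_ADDRESS imposes. Two things in it are assumptions rather than facts from the thread: the errno values it treats as "refused" (EINVAL, EPERM, EACCES), and the 64 KiB constant, which is simply the value Pieter proposes.

```c
/*
 * Zero-page probe. Added example for this thread; it is not code from
 * Pieter's patch or from the FreeBSD tree. It assumes only POSIX
 * mmap(2) plus MAP_ANONYMOUS, and it assumes (not verified against any
 * particular kernel) that a refused fixed mapping comes back as
 * MAP_FAILED with errno set to EINVAL, EPERM or EACCES.
 */
#ifndef _DEFAULT_SOURCE
#define _DEFAULT_SOURCE 1
#endif
#include <errno.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <sys/mman.h>
#include <unistd.h>

#ifndef MAP_ANONYMOUS
#define MAP_ANONYMOUS MAP_ANON
#endif

/* The value the thread proposes for VM_MIN_ADDRESS: 64 KiB. */
#define MIN_USER_ADDR 65536UL

/*
 * Model of the policy a raised VM_MIN_ADDRESS imposes: a mapping of
 * [addr, addr + len) is rejected when any byte of it lies below
 * min_addr. An address range that wraps around is also rejected.
 * Returns 1 when the mapping must be refused, 0 when it may proceed.
 */
int map_below_min(uintptr_t addr, size_t len, uintptr_t min_addr)
{
    if (len == 0)
        return 0;
    if (addr + len < addr)          /* wrap-around */
        return 1;
    return addr < min_addr;
}

/*
 * Ask the running kernel for one anonymous page at address 0 with
 * MAP_FIXED. Returns 1 if the kernel granted it (a NULL function-pointer
 * call inside the kernel would then land on memory this process
 * controls), 0 if it refused it, and -1 if mmap() failed for some
 * unrelated reason.
 */
int probe_zero_page(void)
{
    long pg = sysconf(_SC_PAGESIZE);
    if (pg <= 0)
        return -1;

    void *p = mmap((void *)0, (size_t)pg, PROT_READ | PROT_WRITE,
                   MAP_PRIVATE | MAP_ANONYMOUS | MAP_FIXED, -1, 0);
    if (p == MAP_FAILED)
        return (errno == EINVAL || errno == EPERM || errno == EACCES) ? 0 : -1;

    /* MAP_FIXED must honour the requested address; anything else is odd. */
    int granted = (p == (void *)0);
    munmap(p, (size_t)pg);
    return granted ? 1 : -1;
}

int main(void)
{
    int r = probe_zero_page();
    if (r == 1)
        puts("zero page mappable: kernel NULL-pointer bugs are exploitable here");
    else if (r == 0)
        puts("zero page refused: kernel NULL-pointer bugs degrade to a DoS");
    else
        printf("probe failed: %s\n", strerror(errno));
    return 0;
}
```

Run it as an ordinary user, not as root: on Linux a process holding CAP_SYS_RAWIO is exempt from vm.mmap_min_addr, so a privileged run answers a different question from the one Pieter is asking. Repeating the probe with a different mapping method than mmap() (the thread's second question) is a matter of swapping the call in probe_zero_page(); map_below_min() is what each of those paths would have to enforce.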
-- 
Pieter

From owner-freebsd-security@FreeBSD.ORG Tue Sep 15 12:42:29 2009
From: Dag-Erling Smørgrav
Date: Tue, 15 Sep 2009 14:42:28 +0200
To: Pieter de Boer
Cc: freebsd-security@freebsd.org
Subject: Re: Protecting against kernel NULL-pointer derefs
Message-ID: <8663bk2xcb.fsf@ds4.des.no>
In-Reply-To: <4AAF8775.7000002@thedarkside.nl> (Pieter de Boer's message of "Tue, 15 Sep 2009 14:24:21 +0200")
References: <4AAF4A64.3080906@thedarkside.nl> <86ab0w2z05.fsf@ds4.des.no> <4AAF8775.7000002@thedarkside.nl>

Pieter de Boer writes:
> Dag-Erling Smørgrav writes:
> > Pieter de Boer writes:
> > > Given the amount of NULL-pointer dereference vulnerabilities in
> > > the FreeBSD kernel that have been discovered of late,
> > Specify "amount" and define "of late".
> 'amount' => 2, 'of late' is more figure of speech than anything
> else.
> For me, amount was high enough to get interested and 'of late'
> may be because I've not been looking long enough.

A search of FreeBSD security advisories shows two in the last four years, plus the current unreleased issue. I agree that there is no reason to allow applications to mmap() at address 0, but surely there must be a better way to make your case than to sow FUD?

DES
-- 
Dag-Erling Smørgrav - des@des.no

From owner-freebsd-security@FreeBSD.ORG Tue Sep 15 13:01:00 2009
From: Pieter de Boer
Date: Tue, 15 Sep 2009 15:00:59 +0200
To: Dag-Erling Smørgrav
Cc: freebsd-security@freebsd.org
Subject: Re: Protecting against kernel NULL-pointer derefs
Message-ID: <4AAF900B.8010900@thedarkside.nl>
In-Reply-To: <8663bk2xcb.fsf@ds4.des.no>
References: <4AAF4A64.3080906@thedarkside.nl> <86ab0w2z05.fsf@ds4.des.no> <4AAF8775.7000002@thedarkside.nl> <8663bk2xcb.fsf@ds4.des.no>

Dag-Erling Smørgrav wrote:
>> 'amount' => 2, 'of late' is more figure of speech than anything
>> else.
>> For me, amount was high enough to get interested and 'of late'
>> may be because I've not been looking long enough.
>
> A search of FreeBSD security advisories shows two in the last four
> years, plus the current unreleased issue. I agree that there is no
> reason to allow applications to mmap() at address 0, but surely there
> must be a better way to make your case than to sow FUD?

I have no intention to sow FUD. Three such advisories is not much, but if there is a simple/inexpensive way to ensure that such bugs are not exploitable to gain root, I think 'we' should consider it.

-- 
Pieter

From owner-freebsd-security@FreeBSD.ORG Tue Sep 15 14:20:43 2009
From: Jon Passki
Date: Tue, 15 Sep 2009 08:58:20 -0500
To: Dag-Erling Smørgrav
Cc: freebsd-security@freebsd.org, Pieter de Boer
Subject: Re: Protecting against kernel NULL-pointer derefs
In-Reply-To: <86ab0w2z05.fsf@ds4.des.no>
References: <4AAF4A64.3080906@thedarkside.nl> <86ab0w2z05.fsf@ds4.des.no>
2009/9/15 Dag-Erling Smørgrav
>
> Pieter de Boer writes:
> > Given the amount of NULL-pointer dereference vulnerabilities in the
> > FreeBSD kernel that have been discovered of late,
>
> Specify "amount" and define "of late".
>
> > By disallowing userland to map pages at address 0x0 (and a bit beyond),
> > it is possible to make such NULL-pointer deref bugs mere DoS'es instead
> > of code execution bugs. Linux has implemented such a protection for a
> > long while now, by disallowing page mappings on 0x0 - 0xffff.
>
> Yes, that really worked out great for them:
>
> http://isc.sans.org/diary.html?storyid=6820

As I assume you know, one reason (not the only reason) the exploit works is because the SELinux default policy allowed (allows?) users to map at NULL, regardless of the protections offered by the OS (e.g. Redhat w/ mmap_min_addr). His later exploit framework abuses SELinux another way by downgrading protection by going into libselinux and uses a context such as wine_t to execute at NULL [1]. It's not that mmap_min_addr failed (which it doesn't on some distros of Linux); it's that other mechanisms exist that can undo the control put into place.
Cheers,

Jon Passki

[1] http://grsecurity.net/~spender/enlightenment.tgz, exploit.c, pa__init()

From owner-freebsd-security@FreeBSD.ORG Tue Sep 15 14:24:42 2009
From: István
Date: Tue, 15 Sep 2009 15:24:39 +0100
To: Jon Passki
Cc: Dag-Erling Smørgrav, Pieter de Boer, freebsd-security@freebsd.org
References: <4AAF4A64.3080906@thedarkside.nl> <86ab0w2z05.fsf@ds4.des.no>
Subject: Re:
 Protecting against kernel NULL-pointer derefs

hehe this is the "install another security layer to introduce less security" model

2009/9/15 Jon Passki
> 2009/9/15 Dag-Erling Smørgrav
> >
> > Pieter de Boer writes:
> > > Given the amount of NULL-pointer dereference vulnerabilities in the
> > > FreeBSD kernel that have been discovered of late,
> >
> > Specify "amount" and define "of late".
> >
> > > By disallowing userland to map pages at address 0x0 (and a bit beyond),
> > > it is possible to make such NULL-pointer deref bugs mere DoS'es instead
> > > of code execution bugs. Linux has implemented such a protection for a
> > > long while now, by disallowing page mappings on 0x0 - 0xffff.
> >
> > Yes, that really worked out great for them:
> >
> > http://isc.sans.org/diary.html?storyid=6820
>
> As I assume you know, one reason (not the only reason) the exploit
> works is because the SELinux default policy allowed (allows?) users to
> map at NULL, regardless of the protections offered by the OS (e.g.
> Redhat w/ mmap_min_addr). His later exploit framework abuses SELinux
> another way by downgrading protection by going into libselinux and
> uses a context such as wine_t to execute at NULL [1]. It's not that
> mmap_min_addr failed (which it doesn't on some distros of Linux); it's
> that other mechanisms exist that can undo the control put into place.
>
> Cheers,
>
> Jon Passki
>
> [1] http://grsecurity.net/~spender/enlightenment.tgz,
> exploit.c, pa__init()
> _______________________________________________
> freebsd-security@freebsd.org mailing list
> http://lists.freebsd.org/mailman/listinfo/freebsd-security
> To unsubscribe, send any mail to "freebsd-security-unsubscribe@freebsd.org"
>

-- 
the sun shines for all

From owner-freebsd-security@FreeBSD.ORG Tue Sep 15 15:22:31 2009
From: Matt Dawson
Date: Tue, 15 Sep 2009 16:22:26 +0100
To: freebsd-security@freebsd.org
References: <4AAF4A64.3080906@thedarkside.nl> <4AAF8775.7000002@thedarkside.nl>
 <8663bk2xcb.fsf@ds4.des.no>
In-Reply-To: <8663bk2xcb.fsf@ds4.des.no>
Subject: Re: Protecting against kernel NULL-pointer derefs

On Tuesday 15 Sep 2009 13:42:28 Dag-Erling Smørgrav wrote:
> there must be a better way to make your case than to sow FUD?

Where? To paraphrase yourself: Please define "sowing FUD." There's an issue; there have been two previously. Nobody is blaming anyone, blowing it out of proportion, leaving FBSD in droves or pointing fingers. We know it's local and we're all well aware of the axiom "if someone else has physical access to your box, it isn't your box any more." I don't see or feel any fear, uncertainty or doubt. I just see a concerned but dedicated FBSD user discussing an issue sensibly with the information currently to hand.
Providing it does not seriously affect anything else (Pieter has already asked for information and opinions before the thread went off on this tangent), if setting this #define downgrades arbitrary code execution vulnerabilities and privilege escalations to crashes where system and, more importantly IMHO, host integrity is preserved then I am all for it. I'd certainly rather have a DoS and the risk of cached data loss than a potential information leak or a reputation-destroying spamming session run. That we don't have multiple places that this could be overridden/reset similar to the SELinux issue also inspires confidence in Pieter's method. As simple as it seems, it would appear to be (sorry, buzzword-that-fits coming up) proactive in its approach, addressing and mitigating any future issues of this type and limiting the possible damage.

Also worth thinking about: Do we need to consider -fno-delete-null-pointer-checks or a downgrade to -O for kernel/world optimisation level for now until we're sure there are no more of these lurking? Linux found out the hard way that code order matters when compiling at >-O and that perfectly acceptable code coupled with assumptions made by the compiler can bite you in the backside.
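The -fno-delete-null-pointer-checks question above concerns a specific code ordering, shown here as an added example; this is not code from the thread or from any FreeBSD source file, and the struct and both functions are invented for illustration. dispatch_unsafe() dereferences its pointer before testing it, so GCC at -O2 (which enables -fdelete-null-pointer-checks) is entitled to treat the pointer as non-NULL and drop the test, leaving a NULL pointer free to reach the indirect call; dispatch_safe() tests first, so nothing can be elided.

```c
/*
 * Added example for the -fno-delete-null-pointer-checks discussion. Not
 * code from the thread or from any FreeBSD source file; the struct and
 * both dispatch functions are made up to show the ordering problem.
 */
#include <stddef.h>
#include <stdio.h>

struct sock_like {
    int  refcnt;
    int (*ops)(int);
};

/*
 * The ordering that bit Linux: the pointer is dereferenced before it is
 * tested. Because dereferencing NULL is undefined behaviour, GCC at -O2
 * may conclude that s cannot be NULL here and delete the test, so a
 * NULL s reaches the indirect call and, if the zero page is mapped, the
 * caller controls the target. Never call this with NULL.
 */
int dispatch_unsafe(struct sock_like *s, int arg)
{
    int refs = s->refcnt;       /* dereference first ...           */
    if (s == NULL)              /* ... so this test may be elided  */
        return -1;
    return refs + s->ops(arg);
}

/* Correct ordering: test before any use, so no check can be removed. */
int dispatch_safe(struct sock_like *s, int arg)
{
    if (s == NULL || s->ops == NULL)
        return -1;
    return s->refcnt + s->ops(arg);
}

static int double_it(int x) { return 2 * x; }

/*
 * Drives one of the two variants with either a valid object or NULL.
 * Handing NULL to the unsafe variant would fault at -O0 and call
 * through a NULL function pointer at -O2, so that combination is
 * refused with -2 instead of demonstrated.
 */
int run_dispatch(int use_safe, int with_null, int arg)
{
    struct sock_like s = { .refcnt = 1, .ops = double_it };
    struct sock_like *p = with_null ? NULL : &s;
    if (!use_safe && with_null)
        return -2;
    return use_safe ? dispatch_safe(p, arg) : dispatch_unsafe(p, arg);
}

int main(void)
{
    printf("safe, valid:   %d\n", run_dispatch(1, 0, 5));   /* 11 */
    printf("safe, NULL:    %d\n", run_dispatch(1, 1, 5));   /* -1 */
    printf("unsafe, valid: %d\n", run_dispatch(0, 0, 5));   /* 11 */
    return 0;
}
```

Compile it twice, with gcc -O2 -S and with gcc -O2 -fno-delete-null-pointer-checks -S, and compare the assembly for dispatch_unsafe(): in the first build the comparison against zero is gone, in the second it survives. That is the trade Matt is describing: the flag keeps the test at the cost of the optimisation, while fixing the ordering, as dispatch_safe() does, needs neither.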
-- 
Matt Dawson MTD15-RIPE matt@chronos.org.uk

From owner-freebsd-security@FreeBSD.ORG Tue Sep 15 15:52:10 2009 Return-Path: Delivered-To: freebsd-security@freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34]) by hub.freebsd.org (Postfix) with ESMTP id 97E54106566B for ; Tue, 15 Sep 2009 15:52:10 +0000 (UTC) (envelope-from przemyslaw@frasunek.com) Received: from lagoon.freebsd.lublin.pl (lagoon.freebsd.lublin.pl [193.138.118.3]) by mx1.freebsd.org (Postfix) with ESMTP id 556718FC16 for ; Tue, 15 Sep 2009 15:52:10 +0000 (UTC) Received: from [193.138.118.98] (ip-193-138-118-98.nette.pl [193.138.118.98]) by lagoon.freebsd.lublin.pl (Postfix) with ESMTPSA id 2C451C54C08; Tue, 15 Sep 2009 17:36:15 +0200 (CEST) Message-ID: <4AAFB465.4010901@frasunek.com> Date: Tue, 15 Sep 2009 17:36:05 +0200 From: Przemyslaw Frasunek User-Agent: Thunderbird 2.0.0.23 (Windows/20090812) MIME-Version: 1.0 To: =?UTF-8?B?RGFnLUVybGluZyBTbcO4cmdyYXY=?= References: <4AAF4A64.3080906@thedarkside.nl> <86ab0w2z05.fsf@ds4.des.no> <4AAF8775.7000002@thedarkside.nl> <8663bk2xcb.fsf@ds4.des.no> In-Reply-To: <8663bk2xcb.fsf@ds4.des.no> X-Enigmail-Version: 0.96.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Cc: freebsd-security@freebsd.org, Pieter de Boer Subject: Re: Protecting against kernel NULL-pointer derefs X-BeenThere: freebsd-security@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: "Security issues \[members-only posting\]" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Tue, 15 Sep 2009 15:52:10 -0000

Dag-Erling Smørgrav:
> A search of FreeBSD security advisories shows two in the last four
> years, plus the current unreleased issue.

There are three NULL pointer dereference issues that I found in the last month, but probably more to come, so implementing some kind of zero page protection should be considered.
The first one affects 6.1 and it was made public in August: http://www.frasunek.com/kqueue.txt Another one affects 6.4 and is currently handled by secteam. Advisory will be released on Wednesday. The last one, as demonstrated on http://www.vimeo.com/6580991 affects 7.x up to 7.2 and 6.x up to 6.4. I'm not going to disclose any details before official security advisory. From owner-freebsd-security@FreeBSD.ORG Tue Sep 15 16:07:36 2009 Return-Path: Delivered-To: freebsd-security@freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34]) by hub.freebsd.org (Postfix) with ESMTP id B73D2106566B for ; Tue, 15 Sep 2009 16:07:36 +0000 (UTC) (envelope-from des@des.no) Received: from tim.des.no (tim.des.no [194.63.250.121]) by mx1.freebsd.org (Postfix) with ESMTP id 793CD8FC1D for ; Tue, 15 Sep 2009 16:07:36 +0000 (UTC) Received: from ds4.des.no (des.no [84.49.246.2]) by smtp.des.no (Postfix) with ESMTP id 8525F6D41B; Tue, 15 Sep 2009 16:07:35 +0000 (UTC) Received: by ds4.des.no (Postfix, from userid 1001) id 5C6558449F; Tue, 15 Sep 2009 18:07:35 +0200 (CEST) From: =?utf-8?Q?Dag-Erling_Sm=C3=B8rgrav?= To: Matt Dawson References: <4AAF4A64.3080906@thedarkside.nl> <4AAF8775.7000002@thedarkside.nl> <8663bk2xcb.fsf@ds4.des.no> <200909151622.26589.matt@chronos.org.uk> Date: Tue, 15 Sep 2009 18:07:35 +0200 In-Reply-To: <200909151622.26589.matt@chronos.org.uk> (Matt Dawson's message of "Tue, 15 Sep 2009 16:22:26 +0100") Message-ID: <863a6our7c.fsf@ds4.des.no> User-Agent: Gnus/5.13 (Gnus v5.13) Emacs/23.0.95 (berkeley-unix) MIME-Version: 1.0 Content-Type: text/plain; charset=utf-8 Content-Transfer-Encoding: quoted-printable Cc: freebsd-security@freebsd.org Subject: Re: Protecting against kernel NULL-pointer derefs X-BeenThere: freebsd-security@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: "Security issues \[members-only posting\]" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Tue, 15 Sep 
2009 16:07:36 -0000

Matt Dawson writes:
> Dag-Erling Smørgrav writes:
> > there must be a better way to make your case than to sow FUD?
> Where? To paraphrase yourself: Please define "sowing FUD." There's an issue;
> there have been two previously.

Pieter strongly implied that there had been *numerous* such cases, when in fact there hasn't.

DES
-- 
Dag-Erling Smørgrav - des@des.no

From owner-freebsd-security@FreeBSD.ORG Tue Sep 15 16:08:22 2009 Return-Path: Delivered-To: freebsd-security@freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34]) by hub.freebsd.org (Postfix) with ESMTP id 5F2EB1065672 for ; Tue, 15 Sep 2009 16:08:22 +0000 (UTC) (envelope-from des@des.no) Received: from tim.des.no (tim.des.no [194.63.250.121]) by mx1.freebsd.org (Postfix) with ESMTP id 201EF8FC17 for ; Tue, 15 Sep 2009 16:08:22 +0000 (UTC) Received: from ds4.des.no (des.no [84.49.246.2]) by smtp.des.no (Postfix) with ESMTP id 6BD406D44C; Tue, 15 Sep 2009 16:08:21 +0000 (UTC) Received: by ds4.des.no (Postfix, from userid 1001) id 503A18449F; Tue, 15 Sep 2009 18:08:21 +0200 (CEST) From: =?utf-8?Q?Dag-Erling_Sm=C3=B8rgrav?= To: Przemyslaw Frasunek References: <4AAF4A64.3080906@thedarkside.nl> <86ab0w2z05.fsf@ds4.des.no> <4AAF8775.7000002@thedarkside.nl> <8663bk2xcb.fsf@ds4.des.no> <4AAFB465.4010901@frasunek.com> Date: Tue, 15 Sep 2009 18:08:21 +0200 In-Reply-To: <4AAFB465.4010901@frasunek.com> (Przemyslaw Frasunek's message of "Tue, 15 Sep 2009 17:36:05 +0200") Message-ID: <86y6ogtclm.fsf@ds4.des.no> User-Agent: Gnus/5.13 (Gnus v5.13) Emacs/23.0.95 (berkeley-unix) MIME-Version: 1.0 Content-Type: text/plain; charset=utf-8 Content-Transfer-Encoding: quoted-printable Cc: freebsd-security@freebsd.org, Pieter de Boer Subject: Re: Protecting against kernel NULL-pointer derefs X-BeenThere: freebsd-security@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: "Security issues \[members-only posting\]" List-Unsubscribe: , List-Archive: 
List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Tue, 15 Sep 2009 16:08:22 -0000

Przemyslaw Frasunek writes:
> Dag-Erling Smørgrav writes:
> > A search of FreeBSD security advisories shows two in the last four
> > years, plus the current unreleased issue.
> There are three NULL pointer dereference issues, that I found in last
> month, but probably more to come, so implementing some kind of zero page
> protection should be considered.

Feel free to *actually read what Pieter wrote and what I wrote in reply*

EOD

DES
-- 
Dag-Erling Smørgrav - des@des.no

From owner-freebsd-security@FreeBSD.ORG Tue Sep 15 17:35:25 2009 Return-Path: Delivered-To: freebsd-security@freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34]) by hub.freebsd.org (Postfix) with ESMTP id B86081065670 for ; Tue, 15 Sep 2009 17:35:25 +0000 (UTC) (envelope-from chris@noncombatant.org) Received: from strawberry.noncombatant.org (strawberry.noncombatant.org [64.142.6.126]) by mx1.freebsd.org (Postfix) with ESMTP id A1FBB8FC23 for ; Tue, 15 Sep 2009 17:35:25 +0000 (UTC) Received: by strawberry.noncombatant.org (Postfix, from userid 1001) id C758C775171; Tue, 15 Sep 2009 10:17:42 -0700 (PDT) Date: Tue, 15 Sep 2009 10:17:42 -0700 From: Chris Palmer To: Pieter de Boer , freebsd-security@freebsd.org Message-ID: <20090915171742.GB24361@noncombatant.org> References: <4AAF4A64.3080906@thedarkside.nl> Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline In-Reply-To: <4AAF4A64.3080906@thedarkside.nl> User-Agent: Mutt/1.4.2.3i Cc: Subject: Re: Protecting against kernel NULL-pointer derefs X-BeenThere: freebsd-security@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: "Security issues \[members-only posting\]" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Tue, 15 Sep 2009 17:35:25 -0000

Pieter's approach to the problem seems reasonable.
If it provides some safety without breaking any/too many applications, why not adopt it? I wonder how many of these kinds of issues could also be caught with unit tests/regression tests. See also: the CanSecWest 2009 FreeBSD bugs by Christer Oberg and Neil Kettle. -- http://www.noncombatant.org/ http://hemiolesque.blogspot.com/ From owner-freebsd-security@FreeBSD.ORG Tue Sep 15 18:08:18 2009 Return-Path: Delivered-To: freebsd-security@freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34]) by hub.freebsd.org (Postfix) with ESMTP id 5883B106566B for ; Tue, 15 Sep 2009 18:08:18 +0000 (UTC) (envelope-from matt@chronos.org.uk) Received: from chronos.org.uk (chronos-pt.tunnel.tserv5.lon1.ipv6.he.net [IPv6:2001:470:1f08:12b::2]) by mx1.freebsd.org (Postfix) with ESMTP id 9B6BA8FC18 for ; Tue, 15 Sep 2009 18:08:17 +0000 (UTC) Received: from workstation1.localnet (workstation1.local.chronos.org.uk [IPv6:2001:470:1f09:12b::20]) (authenticated bits=0) by chronos.org.uk (8.14.3/8.14.3) with ESMTP id n8FI8BHC051218 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=NO); Tue, 15 Sep 2009 19:08:12 +0100 (BST) (envelope-from matt@chronos.org.uk) X-DKIM: Sendmail DKIM Filter v2.8.3 chronos.org.uk n8FI8BHC051218 DKIM-Signature: v=1; a=rsa-sha256; c=simple/simple; d=chronos.org.uk; s=mail; t=1253038092; bh=WA1ipLWY5fGGQtZd++mP/KP3KPi0yja+0KMtMgmQXgA=; h=From:To:Subject:Date:References:In-Reply-To:Cc:MIME-Version: Content-Type:Content-Transfer-Encoding:Message-Id; b=js/Is9rZcOTPUBd+2FAVB9VjgEVGLQCqIgrhQW92IHuW5pYBpvQWdg2Z25DzuafCQ zBTXzz/iVMPQF3QX2TY/s5C/fTfoOW2C/cNImtCwSK3XAehc3b8/d+7sBa0eMGTOqD yblGeKMiqS7QISFx69g8flfenVSx+Os5blRdebhw= From: Matt Dawson To: freebsd-security@freebsd.org Date: Tue, 15 Sep 2009 19:08:09 +0100 User-Agent: KMail/1.12.1 (FreeBSD/7.2-RELEASE-p3; KDE/4.3.1; amd64; ; ) References: <4AAF4A64.3080906@thedarkside.nl> <200909151622.26589.matt@chronos.org.uk> <863a6our7c.fsf@ds4.des.no> In-Reply-To: 
<863a6our7c.fsf@ds4.des.no> X-Face: Uq{{&_!oO{M&ydj?-f%{D]bN7/|/]a+utod35[+IyH#R>F~YPffK,=?utf-8?q?=25=60=7D=25=0A?=FTMbmzo,]0X3K:N&{h7],FI{?EkORzB; f:V3"vKXsUNw5Yh`}ef4MZ*a4,=?utf-8?q?ObuJ=5F=26=5B1S=27zP=5CK0wcKZP=0A?==?utf-8?q?_=60=23L=25=5Dq*OUPQ-4T=3FHZ=7EAKX0=7D3W=25o=3DP?= X-Greylist: Sender succeeded SMTP AUTH, not delayed by milter-greylist-4.2.3 (chronos.org.uk [IPv6:2001:470:1f09:12b::1]); Tue, 15 Sep 2009 19:08:12 +0100 (BST) X-Virus-Scanned: clamav-milter 0.95.2 at central.local.chronos.org.uk X-Virus-Status: Clean X-Spam-Status: No, score=-1.1 required=3.0 tests=AWL,BAYES_00, DATE_IN_FUTURE_96_XX,NO_RELAYS autolearn=no version=3.2.5 X-Spam-Checker-Version: SpamAssassin 3.2.5 (2008-06-10) on central.local.chronos.org.uk Cc: des@des.no Subject: Re: Protecting against kernel NULL-pointer derefs X-BeenThere: freebsd-security@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: "Security issues \[members-only posting\]" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Tue, 15 Sep 2009 18:08:18 -0000

On Tuesday 15 Sep 2009 17:07:35 Dag-Erling Smørgrav wrote:
> Pieter strongly implied that there had been numerous such cases, when
> in fact there hasn't.

Yes, DES, it could be read that way and I apologise. Without trying to wiggle out of that apology, it just seemed a bit harsh when I doubt what was written was meant as "the code is riddled with these things! RIDDLED!" given the fact that Pieter proposed a possible mitigation instead of the expected "El Reg says it's broken! EL REG! Fix it now, goddammit!" ;o)

@All: Having put both feet in my mouth and had to publicly apologise, we now have a little more information from Przemyslaw on what is potentially broken and what isn't (7.2, the current production release).
That "probably more to come," while still vague and very much unverified, makes me wonder if Pieter's interim mitigation or something very much like it isn't needed Right Now [TM] as he says. So, is there any technically sound reason why raising VM_MIN_ADDRESS to 65536 would not be a good trade-off (or even just a good idea) in security terms until we're sure there are no more of these lurking? A few of us paranoid security types might want to do so manually in the interim if there are no objections.

-- 
Matt Dawson MTD15-RIPE matt@chronos.org.uk

From owner-freebsd-security@FreeBSD.ORG Tue Sep 15 20:26:55 2009 Return-Path: Delivered-To: freebsd-security@freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34]) by hub.freebsd.org (Postfix) with ESMTP id 3D55D106566B for ; Tue, 15 Sep 2009 20:26:55 +0000 (UTC) (envelope-from chris@noncombatant.org) Received: from strawberry.noncombatant.org (strawberry.noncombatant.org [64.142.6.126]) by mx1.freebsd.org (Postfix) with ESMTP id 234518FC2A for ; Tue, 15 Sep 2009 20:26:55 +0000 (UTC) Received: by strawberry.noncombatant.org (Postfix, from userid 1001) id CA09B775171; Tue, 15 Sep 2009 13:27:03 -0700 (PDT) Date: Tue, 15 Sep 2009 13:27:03 -0700 From: Chris Palmer To: utisoft@googlemail.com, freebsd-security@freebsd.org Message-ID: <20090915202703.GF24361@noncombatant.org> References: <4AAF45B4.60307@isafeelin.org> <0016e6d99efa540b8b047399738b@google.com> Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline In-Reply-To: <0016e6d99efa540b8b047399738b@google.com> User-Agent: Mutt/1.4.2.3i Cc: Subject: Re: FreeBSD bug grants local root access (FreeBSD 6.x) X-BeenThere: freebsd-security@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: "Security issues \[members-only posting\]" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Tue, 15 Sep 2009 20:26:55 -0000 
utisoft@googlemail.com writes: > It appears to only affect 6.x.... and requires local access. If an > attacker has local access to a machine you're screwed anyway. No, the thing you're screwed anyway by is local *physical* access. Merely running a process as a non-root local user should *not* be a "you're screwed anyway" scenario. The fundamental security guarantee of a modern operating system is that different principals cannot affect each other's resources (user chris cannot read or write user jane's email -- let alone root's email). This bug breaks that guarantee, and is definitely not a ho-hum bug. Remote exploits, which I agree are even worse, are in a sense a special case of breaking the same guarantee: the pseudo-principal "anonymous maniac from the Internet" can affect user root's (or whoever's) resources. Some operating systems even have an explicit "anonymous" user, but the point is the same either way. -- http://www.noncombatant.org/ http://hemiolesque.blogspot.com/ From owner-freebsd-security@FreeBSD.ORG Wed Sep 16 00:02:28 2009 Return-Path: Delivered-To: freebsd-security@freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34]) by hub.freebsd.org (Postfix) with ESMTP id 55837106566B for ; Wed, 16 Sep 2009 00:02:28 +0000 (UTC) (envelope-from delphij@delphij.net) Received: from tarsier.delphij.net (delphij-pt.tunnel.tserv2.fmt.ipv6.he.net [IPv6:2001:470:1f03:2c9::2]) by mx1.freebsd.org (Postfix) with ESMTP id F3B228FC22 for ; Wed, 16 Sep 2009 00:02:27 +0000 (UTC) Received: from tarsier.geekcn.org (tarsier.geekcn.org [211.166.10.233]) (using TLSv1 with cipher ADH-CAMELLIA256-SHA (256/256 bits)) (No client certificate requested) by tarsier.delphij.net (Postfix) with ESMTPS id D58AF5C06F for ; Wed, 16 Sep 2009 08:02:26 +0800 (CST) Received: from localhost (tarsier.geekcn.org [211.166.10.233]) by tarsier.geekcn.org (Postfix) with ESMTP id A223355CD9EF; Wed, 16 Sep 2009 08:02:26 +0800 (CST) X-Virus-Scanned: amavisd-new at 
geekcn.org Received: from tarsier.geekcn.org ([211.166.10.233]) by localhost (mail.geekcn.org [211.166.10.233]) (amavisd-new, port 10024) with ESMTP id Wsmkj4RnVr9F; Wed, 16 Sep 2009 08:02:21 +0800 (CST) Received: from charlie.delphij.net (unknown [12.130.152.120]) (using TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits)) (No client certificate requested) by tarsier.geekcn.org (Postfix) with ESMTPSA id B968455CE037; Wed, 16 Sep 2009 08:02:20 +0800 (CST) DomainKey-Signature: a=rsa-sha1; s=default; d=delphij.net; c=nofws; q=dns; h=message-id:date:from:reply-to:organization:user-agent: mime-version:to:cc:subject:references:in-reply-to: x-enigmail-version:openpgp:content-type:content-transfer-encoding; b=AYeV3wH93hdItLuMQRtfL75N5OxgCK3mWINA7fY0iCGZHktGrDyMfdj9O5gAGXEEC AUaOzLiSkYIJAtJopH43Q== Message-ID: <4AB02B07.8050404@delphij.net> Date: Tue, 15 Sep 2009 17:02:15 -0700 From: Xin LI Organization: The FreeBSD Project User-Agent: Thunderbird 2.0.0.22 (X11/20090803) MIME-Version: 1.0 To: utisoft@googlemail.com References: <0016e6d99efa540b8b047399738b@google.com> In-Reply-To: <0016e6d99efa540b8b047399738b@google.com> X-Enigmail-Version: 0.96.0 OpenPGP: id=18EDEBA0; url=http://www.delphij.net/delphij.asc Content-Type: text/plain; charset=ISO-8859-1 Content-Transfer-Encoding: 7bit Cc: freebsd-security@freebsd.org, Frederique Rijsdijk Subject: Re: FreeBSD bug grants local root access (FreeBSD 6.x) X-BeenThere: freebsd-security@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list Reply-To: d@delphij.net List-Id: "Security issues \[members-only posting\]" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Wed, 16 Sep 2009 00:02:28 -0000 -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 utisoft@googlemail.com wrote: > It appears to only affect 6.x.... and requires local access. If an > attacker has local access to a machine you're screwed anyway. 'local' here means login as a local user, i.e. 
ssh/telnet/etc, not console access which seems to be what you mean by 'local access'. Note that, in order to successfully exploit this vulnerability, a remote attacker still needs someone or something to run the code on their behalf; typically this would have to be used in conjunction with some other remote vulnerability (i.e. some popular remote admin tool that allows you to upload and run something in the web server's context, etc). We are still working on this one; it looks like we would need to patch some other problems altogether.

Cheers,
- -- 
Xin LI http://www.delphij.net/ FreeBSD - The Power to Serve!

-----BEGIN PGP SIGNATURE----- Version: GnuPG v2.0.12 (FreeBSD) iEYEARECAAYFAkqwKwcACgkQi+vbBBjt66BtawCgsDhrON8DzvX7A6M1O37A2Qw6 /54An0CAgPeTTJcJKcdkVWcF9qX0FVuY =EeKO -----END PGP SIGNATURE-----

From owner-freebsd-security@FreeBSD.ORG Wed Sep 16 00:06:03 2009 Return-Path: Delivered-To: freebsd-security@freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34]) by hub.freebsd.org (Postfix) with ESMTP id B8101106568F for ; Wed, 16 Sep 2009 00:06:03 +0000 (UTC) (envelope-from delphij@delphij.net) Received: from tarsier.delphij.net (delphij-pt.tunnel.tserv2.fmt.ipv6.he.net [IPv6:2001:470:1f03:2c9::2]) by mx1.freebsd.org (Postfix) with ESMTP id 6144B8FC08 for ; Wed, 16 Sep 2009 00:06:03 +0000 (UTC) Received: from tarsier.geekcn.org (tarsier.geekcn.org [211.166.10.233]) (using TLSv1 with cipher ADH-CAMELLIA256-SHA (256/256 bits)) (No client certificate requested) by tarsier.delphij.net (Postfix) with ESMTPS id A91305C025 for ; Wed, 16 Sep 2009 08:06:02 +0800 (CST) Received: from localhost (tarsier.geekcn.org [211.166.10.233]) by tarsier.geekcn.org (Postfix) with ESMTP id 6F75955CE02F; Wed, 16 Sep 2009 08:06:02 +0800 (CST) X-Virus-Scanned: amavisd-new at geekcn.org Received: from tarsier.geekcn.org ([211.166.10.233]) by localhost (mail.geekcn.org [211.166.10.233]) (amavisd-new, port 10024) with ESMTP id JrdV6+gsjkln; Wed, 16 Sep 2009 
08:05:57 +0800 (CST) Received: from charlie.delphij.net (unknown [12.130.152.120]) (using TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits)) (No client certificate requested) by tarsier.geekcn.org (Postfix) with ESMTPSA id 8CF4555CD9EF; Wed, 16 Sep 2009 08:05:56 +0800 (CST) DomainKey-Signature: a=rsa-sha1; s=default; d=delphij.net; c=nofws; q=dns; h=message-id:date:from:reply-to:organization:user-agent: mime-version:to:cc:subject:references:in-reply-to: x-enigmail-version:openpgp:content-type:content-transfer-encoding; b=PppaAz1Koc7XcSf42Oa7Xm0lUeKHk2zzBJE4Clj0q03sUWo8pKVFuqlQXaqRZ1b0s p5M4JMLTgQekhODr5sY0Q== Message-ID: <4AB02BE0.1030305@delphij.net> Date: Tue, 15 Sep 2009 17:05:52 -0700 From: Xin LI Organization: The FreeBSD Project User-Agent: Thunderbird 2.0.0.22 (X11/20090803) MIME-Version: 1.0 To: Chris Palmer References: <4AAF45B4.60307@isafeelin.org> <0016e6d99efa540b8b047399738b@google.com> <20090915202703.GF24361@noncombatant.org> In-Reply-To: <20090915202703.GF24361@noncombatant.org> X-Enigmail-Version: 0.96.0 OpenPGP: id=18EDEBA0; url=http://www.delphij.net/delphij.asc Content-Type: text/plain; charset=ISO-8859-1 Content-Transfer-Encoding: 7bit Cc: freebsd-security@freebsd.org, utisoft@googlemail.com Subject: Re: FreeBSD bug grants local root access (FreeBSD 6.x) X-BeenThere: freebsd-security@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list Reply-To: d@delphij.net List-Id: "Security issues \[members-only posting\]" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Wed, 16 Sep 2009 00:06:03 -0000 -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Chris Palmer wrote: > utisoft@googlemail.com writes: > >> It appears to only affect 6.x.... and requires local access. If an >> attacker has local access to a machine you're screwed anyway. > > No, the thing you're screwed anyway by is local *physical* access. Merely > running a process as a non-root local user should *not* be a "you're screwed > anyway" scenario. 
The fundamental security guarantee of a modern operating > system is that different principals cannot affect each other's resources > (user chris cannot read or write user jane's email -- let alone root's > email). This bug breaks that guarantee, and is definitely not a ho-hum bug.

Exactly. This type of vulnerability could turn into a serious threat if used with some other vulnerabilities that allow code injection, which is worse.

Cheers,
- -- 
Xin LI http://www.delphij.net/ FreeBSD - The Power to Serve!

-----BEGIN PGP SIGNATURE----- Version: GnuPG v2.0.12 (FreeBSD) iEYEARECAAYFAkqwK+AACgkQi+vbBBjt66Cu2gCfQWDWssPUTP+YESUOS7pJXCal TY0An332WH2WDUiF1vhlgOW+QUk9U0rk =S2nD -----END PGP SIGNATURE-----

From owner-freebsd-security@FreeBSD.ORG Wed Sep 16 15:37:45 2009 Return-Path: Delivered-To: freebsd-security@freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34]) by hub.freebsd.org (Postfix) with ESMTP id EEB82106566C for ; Wed, 16 Sep 2009 15:37:45 +0000 (UTC) (envelope-from utisoft@googlemail.com) Received: from mail-fx0-f210.google.com (mail-fx0-f210.google.com [209.85.220.210]) by mx1.freebsd.org (Postfix) with ESMTP id 7E8968FC08 for ; Wed, 16 Sep 2009 15:37:45 +0000 (UTC) Received: by fxm6 with SMTP id 6so3428590fxm.43 for ; Wed, 16 Sep 2009 08:37:44 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=googlemail.com; s=gamma; h=domainkey-signature:mime-version:received:reply-to:in-reply-to :references:from:date:message-id:subject:to:cc:content-type :content-transfer-encoding; bh=HXIywA7gLm7/RbticyyNhodC5e+1eOntOGh4qcyS+Cw=; b=JQohsqg1R4AFVWiI81qFapfviQIwE2wQH907JhjiG30848UD5pnjcSv12aasJLk0O2 LpILc603WYkXJjAn1xQ4WT8O5/tOJc+Fj1Id8Wvy/8qJN8LuqhCnbJeIzqJz20JpUy3s LGm0FfSxrRcXKiRCTzO2htrEKQso/l6qMsvGI= DomainKey-Signature: a=rsa-sha1; c=nofws; d=googlemail.com; s=gamma; h=mime-version:reply-to:in-reply-to:references:from:date:message-id :subject:to:cc:content-type:content-transfer-encoding; 
b=pwcS7Tx51rpXBRGT3DBnZRbgmvAQRdl6MeE/W6L8K/L5sUCo1eDApyDcfonFzJvt3h dnaLtBVM3X5jChYtiVEHPV/1wgI8YlTycgC48z+Re13os34EPJgNmK+/OB3zzj1/HdHS +RwRZZQd33O+Jnyhu//jSHtMA94vZiOCidb4M= MIME-Version: 1.0 Received: by 10.204.156.213 with SMTP id y21mr7515394bkw.109.1253115464202; Wed, 16 Sep 2009 08:37:44 -0700 (PDT) In-Reply-To: <4AB02BE0.1030305@delphij.net> References: <4AAF45B4.60307@isafeelin.org> <0016e6d99efa540b8b047399738b@google.com> <20090915202703.GF24361@noncombatant.org> <4AB02BE0.1030305@delphij.net> From: Chris Rees Date: Wed, 16 Sep 2009 16:37:24 +0100 Message-ID: To: d@delphij.net Content-Type: text/plain; charset=ISO-8859-1 Content-Transfer-Encoding: quoted-printable Cc: Chris Palmer , freebsd-security@freebsd.org Subject: Re: FreeBSD bug grants local root access (FreeBSD 6.x) X-BeenThere: freebsd-security@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list Reply-To: utisoft@gmail.com List-Id: "Security issues \[members-only posting\]" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Wed, 16 Sep 2009 15:37:46 -0000

2009/9/16 Xin LI :
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> Chris Palmer wrote:
>> utisoft@googlemail.com writes:
>>
>>> It appears to only affect 6.x.... and requires local access. If an
>>> attacker has local access to a machine you're screwed anyway.
>>
>> No, the thing you're screwed anyway by is local *physical* access. Merely
>> running a process as a non-root local user should *not* be a "you're screwed
>> anyway" scenario. The fundamental security guarantee of a modern operating
>> system is that different principals cannot affect each other's resources
>> (user chris cannot read or write user jane's email -- let alone root's
>> email). This bug breaks that guarantee, and is definitely not a ho-hum bug.
>
> Exactly. 
> This type of vulnerability could turn into a serious threat if
> being used with some other vulnerabilities that allows code injection,
> which is worse.
>
> Cheers,
> - --
> Xin LI http://www.delphij.net/

Ahem, I must read posts correctly first.

Beg pardon, I'll type that 100 times this evening.

Chris

-- 
A: Because it messes up the order in which people normally read text.
Q: Why is top-posting such a bad thing?
A: Top-posting.
Q: What is the most annoying thing in a mailing list?

From owner-freebsd-security@FreeBSD.ORG Fri Sep 18 15:39:56 2009 Return-Path: Delivered-To: freebsd-security@freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34]) by hub.freebsd.org (Postfix) with ESMTP id 051C11065670 for ; Fri, 18 Sep 2009 15:39:56 +0000 (UTC) (envelope-from hdk_2@yahoo.co.jp) Received: from smtp05.mail.tnz.yahoo.co.jp (smtp05.mail.tnz.yahoo.co.jp [203.216.246.68]) by mx1.freebsd.org (Postfix) with SMTP id 78E028FC13 for ; Fri, 18 Sep 2009 15:39:55 +0000 (UTC) Received: (qmail 54013 invoked by alias); 18 Sep 2009 15:13:14 -0000 DomainKey-Signature: a=rsa-sha1; q=dns; c=nofws; s=yj20050223; d=yahoo.co.jp; h=Received:X-Apparently-From:Date:Message-Id:To:Cc:Subject:From:In-Reply-To:References:X-Mailer:Mime-Version:Content-Type:Content-Transfer-Encoding; b=qzpCQpdTQpd6X+mC9IsozPf+osyA0Wa5J9vsXsepH/2yhwXc5zD7Xe3WKCHBY6AnDyfI8SVBbHYeFrnZ5uInQvVB3QyCJqMhE6PNyUDHk3fKgKjHZ2GPhKOPkfaAijyv ; Received: from unknown (HELO localhost) (hdk_2@118.157.148.126 with plain) by smtp05.mail.tnz.yahoo.co.jp with SMTP; 18 Sep 2009 15:13:14 -0000 X-Apparently-From: Date: Sat, 19 Sep 2009 00:13:13 +0900 (JST) Message-Id: <20090919.001313.110616099.hdk_2@yahoo.co.jp> To: pieter@thedarkside.nl From: Hideki EIRAKU In-Reply-To: <4AAF4A64.3080906@thedarkside.nl> References: <4AAF4A64.3080906@thedarkside.nl> X-Mailer: Mew version 6.2 on Emacs 21.3 / Mule 5.0 (SAKAKI) Mime-Version: 1.0 Content-Type: Text/Plain; charset=us-ascii Content-Transfer-Encoding: 
7bit Cc: freebsd-security@freebsd.org Subject: Re: Protecting against kernel NULL-pointer derefs X-BeenThere: freebsd-security@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: "Security issues \[members-only posting\]" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Fri, 18 Sep 2009 15:39:56 -0000

From: Pieter de Boer
Subject: Protecting against kernel NULL-pointer derefs
Date: Tue, 15 Sep 2009 10:03:48 +0200
> - Are there unwanted side-effects of raising VM_MIN_ADDRESS?

Mapping at address 0x0 is needed by some software using vm86 mode. For example, emulators/doscmd uses vm86 mode to emulate an old DOS environment. In this case, the address range 0x0 - 0x3ff is used for the interrupt vector table of the emulated DOS world. If VM_MIN_ADDRESS is not zero, doscmd doesn't work. vm86 mode exists in the 32-bit i386 architecture only, not in amd64 or other architectures.

-- 
Hideki EIRAKU
--------------------------------------
Thanks 10 years! Yahoo! Shopping and Yahoo! 
Auctions http://pr.mail.yahoo.co.jp/ec10years/ From owner-freebsd-security@FreeBSD.ORG Fri Sep 18 15:52:05 2009 Return-Path: Delivered-To: freebsd-security@freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34]) by hub.freebsd.org (Postfix) with ESMTP id 44A941065679 for ; Fri, 18 Sep 2009 15:52:05 +0000 (UTC) (envelope-from leccine@gmail.com) Received: from mail-fx0-f210.google.com (mail-fx0-f210.google.com [209.85.220.210]) by mx1.freebsd.org (Postfix) with ESMTP id BB8F88FC12 for ; Fri, 18 Sep 2009 15:52:04 +0000 (UTC) Received: by fxm6 with SMTP id 6so771781fxm.43 for ; Fri, 18 Sep 2009 08:52:03 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=gamma; h=domainkey-signature:mime-version:received:in-reply-to:references :date:message-id:subject:from:to:cc:content-type; bh=YyJcdA5zjNrLdmCZp03NoU/ql/AsUX+U12iaSG+uhPE=; b=wAaLGi992H259kPOLcJBRlqjVHc4gQpAHYkW00yCg5clHgrw34qPaHfcnk0U2qNfFF NBmVvntCQ/RqRQWV2f+HcoLV0u8jc2Dw14J98r+0ADZdYsnNMal2trGzGiQYiRyqaCsc Ivhu2qQYExq2oQLsOnr9Hr3JKJvs5EHEBUDjI= DomainKey-Signature: a=rsa-sha1; c=nofws; d=gmail.com; s=gamma; h=mime-version:in-reply-to:references:date:message-id:subject:from:to :cc:content-type; b=V4uxR3+1DdZAwKCJaEiqOsJv/Mci/qQkoO6v2BTV9ai7GsJsNzmt3c0PU8H8UCxqa5 1OJ1RR1D8vfrXDemCHxSfNe8C2wdGLsvyP8o0D1MGSAL+0bSLGPZS4CzHolzNJaUzle5 X56nJ2N8BUrqGT3YW4HgTXu+Zct1g12Dsa7kc= MIME-Version: 1.0 Received: by 10.204.8.13 with SMTP id f13mr1634946bkf.150.1253289123313; Fri, 18 Sep 2009 08:52:03 -0700 (PDT) In-Reply-To: <20090919.001313.110616099.hdk_2@yahoo.co.jp> References: <4AAF4A64.3080906@thedarkside.nl> <20090919.001313.110616099.hdk_2@yahoo.co.jp> Date: Fri, 18 Sep 2009 16:52:03 +0100 Message-ID: From: =?ISO-8859-1?B?SXN0duFu?= To: Hideki EIRAKU Content-Type: text/plain; charset=ISO-8859-1 X-Content-Filtered-By: Mailman/MimeDel 2.1.5 Cc: freebsd-security@freebsd.org, pieter@thedarkside.nl Subject: Re: Protecting against kernel NULL-pointer derefs X-BeenThere: 
freebsd-security@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: "Security issues \[members-only posting\]" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Fri, 18 Sep 2009 15:52:05 -0000

The question is what percentage of users are using wine and dosbox, which are going to break with this setting; I guess 10% or less. So those guys could use a _NO_VM_MIN kernel or something while the rest of the world would fly high with a secured kernel.

To quote a security friend: FreeBSD was the last target platform for this bug class :))

regards,
Istvan

On Fri, Sep 18, 2009 at 4:13 PM, Hideki EIRAKU wrote:
> From: Pieter de Boer
> Subject: Protecting against kernel NULL-pointer derefs
> Date: Tue, 15 Sep 2009 10:03:48 +0200
>
> > - Are there unwanted side-effects of raising VM_MIN_ADDRESS?
>
> Mapping at address 0x0 is needed by some software using vm86 mode.
> For example, emulators/doscmd uses vm86 mode to emulate an old DOS
> environment. In this case, the address 0x0 - 0x3ff is used for an
> interrupt vector of emulated DOS world. If VM_MIN_ADDRESS is not zero,
> doscmd doesn't work. vm86 mode is in 32bit i386 architecture only, not
> in amd64 or other architectures.
>
> --
> Hideki EIRAKU
> --------------------------------------
> Thanks 10 years! Yahoo! Shopping and Yahoo! 
> Auctions
> http://pr.mail.yahoo.co.jp/ec10years/

-- 
the sun shines for all

From owner-freebsd-security@FreeBSD.ORG Fri Sep 18 17:20:56 2009
From: Julian Elischer
Date: Fri, 18 Sep 2009 10:09:27 -0700
To: István
Cc: pieter@thedarkside.nl, freebsd-security@freebsd.org
Subject: Re: Protecting against kernel NULL-pointer derefs

István wrote:
> the question is how much percent of the users are using wine and dosbox which
> are going to break with this setting, i guess 10% or less. So those guys
> could use a _NO_VM_MIN kernel or something while the rest of the world would
> fly high with a secured kernel.

The assumption is that the userland and kernel share a memory map.
While we do implement it this way, it is not necessarily needed.
We do it for performance reasons (each user memory map includes an
identical top section that is the kernel space, so that we do not need
to switch memory page arenas (change CR3) when entering the kernel.
However it might be possible to not do this, and in fact on some
hardware it is mandatory to not do this).

It would require a page table arena switch with each syscall which
would require flushing the TLBs which would be expensive..
Hmm I guess I've talked myself out of this as a solution.. :-)

Julian

> to quote a security friend:
>
> freebsd was the last target platform for this bugclass :))
>
> regards,
> Istvan
>
> On Fri, Sep 18, 2009 at 4:13 PM, Hideki EIRAKU wrote:
>
>> From: Pieter de Boer
>> Subject: Protecting against kernel NULL-pointer derefs
>> Date: Tue, 15 Sep 2009 10:03:48 +0200
>>
>>> - Are there unwanted side-effects of raising VM_MIN_ADDRESS?
>>
>> Mapping at address 0x0 is needed by some software using vm86 mode.
>> For example, emulators/doscmd uses vm86 mode to emulate an old DOS
>> environment. In this case, the address 0x0 - 0x3ff is used for the
>> interrupt vector of the emulated DOS world. If VM_MIN_ADDRESS is not zero,
>> doscmd doesn't work. vm86 mode is in the 32-bit i386 architecture only, not
>> in amd64 or other architectures.
>>
>> --
>> Hideki EIRAKU
From owner-freebsd-security@FreeBSD.ORG Fri Sep 18 21:04:42 2009
From: Pieter de Boer
Date: Fri, 18 Sep 2009 23:04:27 +0200
To: Julian Elischer
Cc: freebsd-security@freebsd.org
Subject: Re: Protecting against kernel NULL-pointer derefs

Julian wrote:
> The assumption is that the userland and kernel share a memory map.
> While we do implement it this way, it is not necessarily needed.
> We do it for performance reasons (each user memory map includes an
> identical top section that is the kernel space, so that we do not need
> to switch memory page arenas (change CR3) when entering the kernel.
> However it might be possible to not do this, and in fact on some
> hardware it is mandatory to not do this).
>
> It would require a page table arena switch with each syscall which
> would require flushing the TLBs which would be expensive..
> Hmm I guess I've talked myself out of this as a solution.. :-)

So, to be able to run VM86 mode or Wine we could make the NULL mapping
protection a configurable kernel option (defaulting to 'on'?), which
doscmd/wine users could turn off. A nicer way would be to be able to map
0x0 in userland while having the kernel use its own 0x0 mapping.
Possibly there is a way to do that without making context switches very
expensive? Partial TLB flushes??

I also wonder how Linux and (possibly) other OSes handle this; I can
imagine it can easily become quite messy, resulting in added security
issues or insufficient protection. Anyone have pointers in that regard?
-- 
Pieter

From owner-freebsd-security@FreeBSD.ORG Fri Sep 18 22:15:14 2009
From: Garance A Drosihn
Date: Fri, 18 Sep 2009 17:00:22 -0400
To: Hideki EIRAKU, pieter@thedarkside.nl
Cc: freebsd-security@freebsd.org
Subject: Re: Protecting against kernel NULL-pointer derefs

At 12:13 AM +0900 9/19/09, Hideki EIRAKU wrote:
> From: Pieter de Boer
> Subject: Protecting against kernel NULL-pointer derefs
> Date: Tue, 15 Sep 2009 10:03:48 +0200
>
>> - Are there unwanted side-effects of raising VM_MIN_ADDRESS?
>
> Mapping at address 0x0 is needed by some software using vm86 mode.
> For example, emulators/doscmd uses vm86 mode to emulate an old DOS
> environment. In this case, the address 0x0 - 0x3ff is used for the
> interrupt vector of the emulated DOS world. If VM_MIN_ADDRESS is not
> zero, doscmd doesn't work. vm86 mode is in the 32-bit i386 architecture
> only, not in amd64 or other architectures.

Could we:
 a) alter those programs so they didn't need that vector in page 0?
or
 b) provide some system call or other facility which would allow *that*
    process to use page 0?

-- 
Garance Alistair Drosehn            =   gad@gilead.netel.rpi.edu
Senior Systems Programmer           or  gad@freebsd.org
Rensselaer Polytechnic Institute    or  drosih@rpi.edu

From owner-freebsd-security@FreeBSD.ORG Sat Sep 19 16:36:32 2009
From: Bruce Evans
Date: Sun, 20 Sep 2009 00:44:25 +1000 (EST)
To: Pieter de Boer
Cc: freebsd-security@freebsd.org, Julian Elischer
Subject: Re: Protecting against kernel NULL-pointer derefs

On Fri, 18 Sep 2009, Pieter de Boer wrote:

> Julian wrote:
>> The assumption is that the userland and kernel share a memory map.
>> While we do implement it this way, it is not necessarily needed.
>> We do it for performance reasons (each user memory map includes an
>> identical top section that is the kernel space, so that we do not need
>> to switch memory page arenas (change CR3) when entering the kernel.
>> However it might be possible to not do this, and in fact on some
>> hardware it is mandatory to not do this).
>>
>> It would require a page table arena switch with each syscall which
>> would require flushing the TLBs which would be expensive..
>> Hmm I guess I've talked myself out of this as a solution.. :-)
>
> So, to be able to run VM86 mode or Wine we could make the NULL mapping
> protection a configurable kernel option (defaulting to 'on'?), which
> doscmd/wine users could turn off.

Does VM86 mode really require or use mapping to kernel address 0? I think
it doesn't and shouldn't, since VM86 mode gets a special %cs which can
have a nonzero base address. Hmm, the user %cs is always different from
the kernel %cs, so I think it can always have a nonzero base, but then
user addresses would be different from kernel addresses, which would require
large changes and small extra runtime to convert the addresses. VM86
mode would hopefully require only small or null changes since it is already
weird.

> A nicer way would be to be able to map
> 0x0 in userland while having the kernel use its own 0x0 mapping.
> Possibly there is a way to do that without making context switches very
> expensive? Partial TLB flushes??

Not just context switches, but all kernel entries and exits are relevant.
I think the cost of switching the map would be small if you only do
it when necessary (on every kernel entry/exit from/to a user context
that has pages mapped near address 0). Most switches should be null
since most processes shouldn't do that. This can be optimized a bit
more by delaying the switch back to the unsafe user map until userland
actually accesses a low address.

Bruce

From owner-freebsd-security@FreeBSD.ORG Sat Sep 19 17:26:44 2009
From: Kostik Belousov
Date: Sat, 19 Sep 2009 19:48:37 +0300
To: Bruce Evans
Cc: freebsd-security@freebsd.org, Pieter de Boer, Julian Elischer
Subject: Re: Protecting against kernel NULL-pointer derefs

On Sun, Sep 20, 2009 at 12:44:25AM +1000, Bruce Evans wrote:
> On Fri, 18 Sep 2009, Pieter de Boer wrote:
>
> > Julian wrote:
> >> The assumption is that the userland and kernel share a memory map.
> >> While we do implement it this way, it is not necessarily needed.
> >> We do it for performance reasons (each user memory map includes an
> >> identical top section that is the kernel space, so that we do not need
> >> to switch memory page arenas (change CR3) when entering the kernel.
> >> However it might be possible to not do this, and in fact on some
> >> hardware it is mandatory to not do this).
> >>
> >> It would require a page table arena switch with each syscall which
> >> would require flushing the TLBs which would be expensive..
> >> Hmm I guess I've talked myself out of this as a solution.. :-)
> >
> > So, to be able to run VM86 mode or Wine we could make the NULL mapping
> > protection a configurable kernel option (defaulting to 'on'?), which
> > doscmd/wine users could turn off.
>
> Does VM86 mode really require or use mapping to kernel address 0? I think
> it doesn't and shouldn't, since VM86 mode gets a special %cs which can
> have a nonzero base address. Hmm, the user %cs is always different from
> the kernel %cs, so I think it can always have a nonzero base, but then
> user addresses would be different from kernel addresses, which would require
> large changes and small extra runtime to convert the addresses. VM86
> mode would hopefully require only small or null changes since it is already
> weird.

In vm86 mode, %cs works exactly the same as in real mode, as do all
other segment registers. vm86-mode code is free to load any 16-bit value
into any segment register, and the virtual address is calculated as
(seg << 4) + offset.

> > A nicer way would be to be able to map
> > 0x0 in userland while having the kernel use its own 0x0 mapping.
> > Possibly there is a way to do that without making context switches very
> > expensive? Partial TLB flushes??
>
> Not just context switches, but all kernel entries and exits are relevant.
> I think the cost of switching the map would be small if you only do
> it when necessary (on every kernel entry/exit from/to a user context
> that has pages mapped near address 0). Most switches should be null
> since most processes shouldn't do that. This can be optimized a bit
> more by delaying the switch back to the unsafe user map until userland
> actually accesses a low address.

Redhat did that some time ago, but does not any more.
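To make Kostik's vm86 address rule and Hideki's interrupt-vector point concrete, here is an added C illustration; it is not code from the thread, FreeBSD or doscmd, and the IVT layout constants, the 0x1000 VM_MIN_ADDRESS value and the function names are this example's own assumptions.

```c
#include <stdint.h>
#include <stdio.h>

/*
 * Added illustration, not FreeBSD or doscmd code: the vm86 address rule
 * Kostik states, and what a raised VM_MIN_ADDRESS does to the emulated
 * DOS interrupt vector table (IVT) at 0x0-0x3ff that Hideki describes.
 * All values below are this example's own assumptions.
 */

/* vm86/real-mode addressing: the base comes from the selector value itself,
 * not from a descriptor, so there is no way to relocate segment 0. */
static inline uint32_t vm86_linear(uint16_t seg, uint16_t off)
{
    return ((uint32_t)seg << 4) + off;
}

#define IVT_ENTRIES 256u
#define IVT_ENTRY_SIZE 4u   /* 256 * 4 = 0x400 bytes: 0x0 - 0x3ff */

/* Linear address of the IVT slot for interrupt n: 0000:(n*4). */
static inline uint32_t ivt_entry_addr(uint8_t n)
{
    return vm86_linear(0, (uint16_t)(n * IVT_ENTRY_SIZE));
}

/* Is a vm86 access at seg:off below vm_min, i.e. in the range the kernel
 * refuses to map when VM_MIN_ADDRESS is raised to vm_min? */
static int vm86_access_blocked(uint16_t seg, uint16_t off, uint32_t vm_min)
{
    return vm86_linear(seg, off) < vm_min;
}

/* How many of the 256 IVT entries become unreachable at a given vm_min.
 * With the default VM_MIN_ADDRESS of 0 nothing is blocked; at one page
 * (0x1000) the whole table is, which is why doscmd stops working. */
static unsigned ivt_entries_blocked(uint32_t vm_min)
{
    unsigned blocked = 0;
    for (unsigned n = 0; n < IVT_ENTRIES; n++)
        if (vm86_access_blocked(0, (uint16_t)(n * IVT_ENTRY_SIZE), vm_min))
            blocked++;
    return blocked;
}

int main(void)
{
    printf("INT 21h vector lives at linear 0x%x\n", ivt_entry_addr(0x21));
    printf("F000:FFF0 is linear 0x%x\n", vm86_linear(0xF000, 0xFFF0));
    printf("VM_MIN_ADDRESS=0x1000 blocks %u of %u IVT entries\n",
           ivt_entries_blocked(0x1000), IVT_ENTRIES);
    return 0;
}
```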
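As an added cost model of the map-switching policies Julian, Pieter and Bruce argue over above (not FreeBSD code), this C block counts page-table switches over a constructed syscall trace under an always-switch policy, a switch-only-for-processes-with-low-mappings policy and Bruce's lazy variant; the policy names, the trace and the assumption that a low access on the safe map is seen as a fault are this example's own.

```c
#include <stddef.h>
#include <stdio.h>

/*
 * Added cost model, not FreeBSD code: page-table switches (CR3 reloads, each
 * flushing the TLB) spent by the three policies discussed in the thread to keep
 * kernel address 0 unmapped while one process maps page 0.  ALWAYS is Julian's
 * switch on every syscall; IF_LOW switches only around kernel entry/exit of
 * processes with pages mapped near 0 (Bruce); LAZY also stays on the safe map
 * after exit and switches back only when userland touches a low address,
 * modelled here as a fault (Bruce's refinement).  The trace is constructed.
 */
enum policy { ALWAYS, IF_LOW, LAZY };
enum event  { SYSCALL, LOW_ACCESS };     /* LOW_ACCESS: user touches page 0 */
struct ev   { int pid; enum event kind; };
struct proc { int has_low_map; int on_safe_map; };
/* Number of map switches the trace costs under policy p. */
static unsigned count_map_switches(enum policy p, struct proc *procs,
                                   const struct ev *trace, size_t n)
{
    unsigned switches = 0;
    for (size_t i = 0; i < n; i++) {
        struct proc *pr = &procs[trace[i].pid];
        if (trace[i].kind == LOW_ACCESS) {
            /* Only a process still on the safe map faults and switches back. */
            if (pr->on_safe_map) { pr->on_safe_map = 0; switches++; }
            continue;
        }
        if (p != ALWAYS && !pr->has_low_map)
            continue;                      /* shared map: entry/exit are free */
        if (!pr->on_safe_map) { pr->on_safe_map = 1; switches++; } /* entry */
        if (p != LAZY)        { pr->on_safe_map = 0; switches++; } /* exit  */
    }
    return switches;
}

/* Constructed trace: pid 0 is doscmd-like (maps page 0), pid 1 is ordinary. */
static unsigned simulate_constructed_trace(enum policy p)
{
    struct proc procs[2] = { { 1, 0 }, { 0, 0 } };
    const struct ev trace[] = {
        { 1, SYSCALL }, { 1, SYSCALL }, { 1, SYSCALL }, { 1, SYSCALL },
        { 0, SYSCALL }, { 0, SYSCALL }, { 0, SYSCALL },
        { 0, LOW_ACCESS },                 /* doscmd reads its IVT */
        { 0, SYSCALL }, { 1, SYSCALL },
    };
    return count_map_switches(p, procs, trace, sizeof trace / sizeof trace[0]);
}

int main(void)
{
    printf("switches: always=%u if_low=%u lazy=%u\n", simulate_constructed_trace(ALWAYS),
           simulate_constructed_trace(IF_LOW), simulate_constructed_trace(LAZY));
    return 0;
}
```

The ordinary process costs nothing under IF_LOW and LAZY, which is Bruce's "most switches should be null" point; the lazy variant only pays again once the low-mapping process actually touches page 0.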