From owner-freebsd-security@freebsd.org Tue Oct 25 17:36:41 2016
From: FreeBSD Security Advisories
To: FreeBSD Security Advisories
Subject: FreeBSD Security Advisory FreeBSD-SA-16:15.sysarch [REVISED]
Reply-To: freebsd-security@freebsd.org
Message-Id: <20161025173641.B96F7190F@freefall.freebsd.org>
Date: Tue, 25 Oct 2016 17:36:41 +0000 (UTC)

=============================================================================
FreeBSD-SA-16:15.sysarch [REVISED]                          Security Advisory
                                                          The FreeBSD Project

Topic:          Incorrect argument validation in sysarch(2)

Category:       core
Module:         kernel
Announced:      2016-10-25
Credits:        Core Security, ahaha from Chaitin Tech
Affects:        All supported versions of FreeBSD.
Corrected:      2016-10-25 17:14:50 UTC (stable/11, 11.0-STABLE)
                2016-10-25 17:11:20 UTC (releng/11.0, 11.0-RELEASE-p2)
                2016-10-25 17:16:08 UTC (stable/10, 10.3-STABLE)
                2016-10-25 17:11:15 UTC (releng/10.3, 10.3-RELEASE-p11)
                2016-10-25 17:11:11 UTC (releng/10.2, 10.2-RELEASE-p24)
                2016-10-25 17:11:07 UTC (releng/10.1, 10.1-RELEASE-p41)
                2016-10-25 17:16:58 UTC (stable/9, 9.3-STABLE)
                2016-10-25 17:11:02 UTC (releng/9.3, 9.3-RELEASE-p49)
CVE Name:       CVE-2016-1885

For general information regarding FreeBSD Security Advisories,
including descriptions of the fields above, security branches, and the
following sections, please visit .

0.   Revision history

v1.0  2016-03-16  Initial release.
v1.1  2016-10-25  Revised patch to address a problem pointed out by
                  ahaha from Chaitin Tech.

I.   Background

The IA-32 architecture allows programs to define segments, which provide
a based and size-limited view into the program address space. The
memory-resident processor structure called the Local Descriptor Table,
usually abbreviated LDT, contains the definitions of the segments. Since
incorrect or malicious segments would breach system integrity, operating
systems do not provide processes direct access to the LDT; instead they
provide system calls which allow controlled installation and removal of
segments.

II.  Problem Description

A special combination of sysarch(2) arguments specifies a request to
uninstall a set of descriptors from the LDT. The start descriptor to be
cleared and the number of descriptors are provided. Due to a lack of
sufficient bounds checking during argument validity verification,
unbounded zeroing of the process LDT and adjacent memory can be initiated
from usermode.

III. Impact

This vulnerability could cause the kernel to panic. In addition, it is
possible to perform a local Denial of Service against the system by
unprivileged processes.

IV.  Workaround

No workaround is available, but only the amd64 architecture is affected.

V.   Solution

Perform one of the following:

1) Upgrade your vulnerable system to a supported FreeBSD stable or
release / security branch (releng) dated after the correction date.

Reboot is required.

2) To update your vulnerable system via a binary patch:

Systems running a RELEASE version of FreeBSD can be updated via the
freebsd-update(8) utility:

# freebsd-update fetch
# freebsd-update install

Reboot is required.

3) To update your vulnerable system via a source code patch:

The following patches have been verified to apply to the applicable
FreeBSD release branches.

[*** v1.1 NOTE ***] If your sources are not yet patched using the initially
published advisory patches, then you need to apply both sysarch.patch and
sysarch-01.patch. If your sources are already updated, or patched with
patches from the initial advisory, then you need to apply sysarch-01.patch
only.

a) Download the relevant patch from the location below, and verify the
detached PGP signature using your PGP utility.

[ FreeBSD system not patched with original SA-16:15 patch ]
# fetch https://security.FreeBSD.org/patches/SA-16:15/sysarch.patch
# fetch https://security.FreeBSD.org/patches/SA-16:15/sysarch.patch.asc
# gpg --verify sysarch.patch.asc

[ FreeBSD system that has been patched with original SA-16:15 patch ]
# fetch https://security.FreeBSD.org/patches/SA-16:15/sysarch-01.patch
# fetch https://security.FreeBSD.org/patches/SA-16:15/sysarch-01.patch.asc
# gpg --verify sysarch-01.patch.asc

b) Apply the patch(es). Execute the following commands as root for
every patch file downloaded:

# cd /usr/src
# patch < /path/to/patch

c) Recompile your kernel as described in and reboot the system.

VI.  Correction details

The following list contains the correction revision numbers for each
affected branch.

Branch/path                                                      Revision
-------------------------------------------------------------------------
stable/9/                                                         r307941
releng/9.3/                                                       r307931
stable/10/                                                        r307940
releng/10.1/                                                      r307932
releng/10.2/                                                      r307933
releng/10.3/                                                      r307934
stable/11/                                                        r307938
releng/11.0/                                                      r307935
-------------------------------------------------------------------------

To see which files were modified by a particular revision, run the
following command, replacing NNNNNN with the revision number, on a
machine with Subversion installed:

# svn diff -cNNNNNN --summarize svn://svn.freebsd.org/base

Or visit the following URL, replacing NNNNNN with the revision number:

VII. References

The latest revision of this advisory is available at
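The argument check described in section II of the advisory above is a range check on a (start, count) pair against a fixed-size table, and such a check is easy to get wrong twice: once by leaving it out, and once by writing it as `start + num > max`, so that a wrapped sum slips past it. The following C program is an added illustration, not the FreeBSD kernel's code or either of the advisory's patches: it models a per-process LDT with a small fixed number of descriptors, shows the naive and the overflow-safe form of the check side by side, and clears a range only after the safe check passes. The table size, the function names and the refusal of a zero-length request are this example's own assumptions.

```c
#include <limits.h>
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/*
 * Toy per-process LDT (example code, not FreeBSD's).  A real LDT holds
 * 8-byte segment descriptors; a table of 8 entries is an assumption
 * chosen to keep the example small.
 */
#define MAX_LDT_SEGMENT 8u

struct ldt_entry {
    uint64_t raw;
};

struct proc_ldt {
    struct ldt_entry desc[MAX_LDT_SEGMENT];
    /* Stands in for whatever lies after the table in kernel memory. */
    uint32_t adjacent_guard;
};

/*
 * Naive check, as it is usually written first.  Unsigned addition wraps,
 * so start = 1, num = UINT_MAX sums to 0 and is accepted although it
 * names UINT_MAX descriptors.
 */
bool ldt_range_ok_naive(unsigned start, unsigned num)
{
    return start + num <= MAX_LDT_SEGMENT;
}

/*
 * Overflow-safe check: refuse an empty request (an assumption of this
 * example) and a start at or past the end of the table, then compare
 * num with the room that remains, so no sum is ever formed.
 */
bool ldt_range_ok(unsigned start, unsigned num)
{
    if (num == 0 || start >= MAX_LDT_SEGMENT)
        return false;
    return num <= MAX_LDT_SEGMENT - start;
}

/*
 * Clear descriptors [start, start + num).  Returns 0 on success and -1
 * when the range is rejected; nothing is written in the latter case.
 */
int ldt_clear_descriptors(struct proc_ldt *ldt, unsigned start, unsigned num)
{
    if (!ldt_range_ok(start, num))
        return -1;
    memset(&ldt->desc[start], 0, (size_t)num * sizeof(ldt->desc[0]));
    return 0;
}

/*
 * Drives the clearing path on a table filled with a recognisable pattern
 * and reports whether only the requested entries were zeroed and the
 * guard after the table survived a wrapped request.
 */
bool ldt_clear_demo(void)
{
    struct proc_ldt l;

    memset(&l, 0xAB, sizeof(l));
    l.adjacent_guard = 0xDEADBEEFu;

    if (ldt_clear_descriptors(&l, 2u, 3u) != 0)
        return false;
    if (l.desc[1].raw == 0 || l.desc[2].raw != 0 || l.desc[3].raw != 0 ||
        l.desc[4].raw != 0 || l.desc[5].raw == 0)
        return false;

    /* A wrapped (start, num) pair must be refused before any write. */
    if (ldt_clear_descriptors(&l, 6u, UINT_MAX) != -1)
        return false;
    return l.adjacent_guard == 0xDEADBEEFu;
}

int main(void)
{
    printf("naive check accepts (1, UINT_MAX): %s\n",
           ldt_range_ok_naive(1u, UINT_MAX) ? "yes" : "no");
    printf("safe check accepts (1, UINT_MAX):  %s\n",
           ldt_range_ok(1u, UINT_MAX) ? "yes" : "no");
    printf("clearing demo: %s\n", ldt_clear_demo() ? "ok" : "FAILED");
    return 0;
}
```

The safe form never computes `start + num`; it rejects `start` first and then bounds `num` by the space left, which is the shape to reach for whenever a caller supplies both an offset and a length.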
From owner-freebsd-security@freebsd.org Tue Oct 25 17:37:00 2016
From: FreeBSD Security Advisories
To: FreeBSD Security Advisories
Subject: FreeBSD Security Advisory FreeBSD-SA-16:32.bhyve
Reply-To: freebsd-security@freebsd.org
Message-Id: <20161025173700.2FB3E1A86@freefall.freebsd.org>
Date: Tue, 25 Oct 2016 17:37:00 +0000 (UTC)

=============================================================================
FreeBSD-SA-16:32.bhyve                                      Security Advisory
                                                          The FreeBSD Project

Topic:          bhyve - privilege escalation vulnerability

Category:       core
Module:         bhyve
Announced:      2016-10-25
Credits:        Ilja van Sprundel, IOActive
Affects:        FreeBSD 11.0 amd64
Corrected:      2016-10-25 17:15:32 UTC (stable/11, 11.0-STABLE)
                2016-10-25 17:11:20 UTC (releng/11.0, 11.0-RELEASE-p2)

For general information regarding FreeBSD Security Advisories,
including descriptions of the fields above, security branches, and the
following sections, please visit .

I.   Background

bhyve is a BSD licensed hypervisor that supports running a variety of
virtual machines (guests).

II.  Problem Description

An unchecked array reference in the VGA device emulation code could
potentially allow guests access to the heap of the bhyve process. Since
the bhyve process is running as root, this may allow guests to obtain
full control of the hosts they are running on.

III. Impact

For bhyve virtual machines with the "fbuf" framebuffer device configured,
if exploited, a malicious guest could obtain full access to not just the
host system, but to other virtual machines running on the system.

IV.  Workaround

No workaround is available; however, systems not using bhyve for
virtualization are not vulnerable. Additionally, systems using bhyve but
without the "fbuf" framebuffer device configured are not vulnerable.

V.   Solution

Upgrade your vulnerable system to a supported FreeBSD stable or
release / security branch (releng) dated after the correction date.

No reboot is needed. Rather, the bhyve process for vulnerable virtual
machines should be restarted.

Perform one of the following:

1) To update your vulnerable system via a binary patch:

Systems running a RELEASE version of FreeBSD on the amd64 platform can be
updated via the freebsd-update(8) utility.

2) To update your vulnerable system via a source code patch:

The following patches have been verified to apply to the applicable
FreeBSD release branches.

a) Download the relevant patch from the location below, and verify the
detached PGP signature using your PGP utility.

# fetch https://security.FreeBSD.org/patches/SA-16:32/bhyve.patch
# fetch https://security.FreeBSD.org/patches/SA-16:32/bhyve.patch.asc
# gpg --verify bhyve.patch.asc

b) Apply the patch. Execute the following commands as root:

# cd /usr/src
# patch < /path/to/patch

Recompile the operating system using buildworld and installworld as
described in .

Restart the bhyve process(es).

VI.  Correction details

The following list contains the correction revision numbers for each
affected branch.

Branch/path                                                      Revision
-------------------------------------------------------------------------
stable/11/                                                        r307939
releng/11.0/                                                      r307935
-------------------------------------------------------------------------

To see which files were modified by a particular revision, run the
following command, replacing NNNNNN with the revision number, on a
machine with Subversion installed:

# svn diff -cNNNNNN --summarize svn://svn.freebsd.org/base

Or visit the following URL, replacing NNNNNN with the revision number:

VII. References

The latest revision of this advisory is available at
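The bug class named in section II of the bhyve advisory above, a guest-controlled index used as an array subscript inside a device model, is worth seeing in code because the index comes from the guest by design: VGA exposes index/data register pairs, so the emulator has to accept any byte the guest writes to the index port and decide for itself which values are valid. The following C program is an added illustration and is not bhyve's VGA emulation or the patch from this advisory: it models a sequencer-style index/data pair in a heap-allocated device state, shows a data-port read that subscripts with the unchecked index and so returns bytes that sit after the register array in the same heap object, and the checked handlers beside it. The register count, the field layout, the planted secret and the 0xff result for a rejected index are this example's assumptions; to keep the demonstration inside its own allocation the leak walks only as far as the planted bytes, whereas in a real hypervisor the same subscript runs on into whatever the heap holds.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/*
 * Toy emulated VGA sequencer (example code, not bhyve's).  The guest
 * writes a register number to the index port and then reads or writes
 * the selected register through the data port.  Five sequencer registers
 * is the classic VGA count; host_secret is planted for the demo and
 * stands in for other hypervisor data living in the same heap object.
 */
#define VGA_SEQ_NREGS 5

struct vga_softc {
    uint8_t seq_index;                /* last byte written to the index port */
    uint8_t seq_regs[VGA_SEQ_NREGS];  /* guest-visible registers */
    char    host_secret[24];          /* never meant to be guest-readable */
};

static const char planted_secret[] = "host-only: key material";

struct vga_softc *vga_alloc(void)
{
    struct vga_softc *sc = calloc(1, sizeof(*sc));

    if (sc == NULL)
        abort();
    memcpy(sc->host_secret, planted_secret, sizeof(planted_secret));
    return sc;
}

/* Index port write: every value 0..255 is stored, as the hardware does. */
void vga_seq_index_write(struct vga_softc *sc, uint8_t val)
{
    sc->seq_index = val;
}

/*
 * Vulnerable data-port read: the guest's index is the subscript, with no
 * range check.  It is spelled as a byte offset from the register array,
 * which is what seq_regs[seq_index] computes, so that the demo below stays
 * inside the allocation for the indices it uses.
 */
uint8_t vga_seq_data_read_vuln(const struct vga_softc *sc)
{
    const uint8_t *regs = (const uint8_t *)sc +
        offsetof(struct vga_softc, seq_regs);

    return regs[sc->seq_index];
}

/* Checked data-port read: an out-of-range index reads as 0xff. */
uint8_t vga_seq_data_read(const struct vga_softc *sc)
{
    if (sc->seq_index >= VGA_SEQ_NREGS)
        return 0xff;
    return sc->seq_regs[sc->seq_index];
}

/* Checked data-port write: an out-of-range index is dropped. */
void vga_seq_data_write(struct vga_softc *sc, uint8_t val)
{
    if (sc->seq_index >= VGA_SEQ_NREGS)
        return;
    sc->seq_regs[sc->seq_index] = val;
}

/*
 * What a guest does against the vulnerable handler: step the index past
 * the last register and read the data port byte by byte.  Returns 1 when
 * the bytes read back equal the planted secret.
 */
int vga_vuln_leaks_secret(void)
{
    struct vga_softc *sc = vga_alloc();
    char leaked[sizeof(planted_secret)];
    size_t n = 0;
    int hit;

    /* Bounded by the secret's size so the walk never leaves the object. */
    for (uint8_t idx = VGA_SEQ_NREGS; n + 1 < sizeof(leaked); idx++) {
        vga_seq_index_write(sc, idx);
        leaked[n] = (char)vga_seq_data_read_vuln(sc);
        if (leaked[n] == '\0')
            break;
        n++;
    }
    leaked[n] = '\0';
    hit = strcmp(leaked, planted_secret) == 0;
    free(sc);
    return hit;
}

/* Returns 1 when the checked handlers refuse every out-of-range index. */
int vga_hardened_holds(void)
{
    struct vga_softc *sc = vga_alloc();
    int ok;

    vga_seq_index_write(sc, 3);
    vga_seq_data_write(sc, 0x42);
    ok = vga_seq_data_read(sc) == 0x42;
    for (unsigned idx = VGA_SEQ_NREGS; idx <= 0xff; idx++) {
        vga_seq_index_write(sc, (uint8_t)idx);
        vga_seq_data_write(sc, 0x41);
        ok = ok && vga_seq_data_read(sc) == 0xff;
    }
    ok = ok && memcmp(sc->host_secret, planted_secret,
                      sizeof(planted_secret)) == 0;
    free(sc);
    return ok;
}

int main(void)
{
    printf("unchecked index leaks heap bytes: %s\n",
           vga_vuln_leaks_secret() ? "yes" : "no");
    printf("checked handlers hold: %s\n", vga_hardened_holds() ? "yes" : "no");
    return 0;
}
```

The write side matters as much as the read side: the same unchecked subscript used in a data-port write turns a heap disclosure into a heap corruption in a root-owned process, which is the path from "guest reads host memory" to the full host compromise the advisory's Impact section describes.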
From owner-freebsd-security@freebsd.org Wed Oct 26 04:28:01 2016
Date: Wed, 26 Oct 2016 06:27:49 +0200
From: Pawel Jakub Dawidek
To: freebsd-security@freebsd.org
Subject: Re: FreeBSD Security Advisory FreeBSD-SA-16:15.sysarch [REVISED]
Message-ID: <20161026042748.GG60006@garage.freebsd.pl>
In-Reply-To: <20161025173641.BCDFD1911@freefall.freebsd.org>

Hi guys,

since when do we publish security advisories for local DoSes?

On Tue, Oct 25, 2016 at 05:36:41PM +0000, FreeBSD Security Advisories wrote:
> FreeBSD-SA-16:15.sysarch [REVISED]                          Security Advisory
>                                                           The FreeBSD Project
>
> Topic:          Incorrect argument validation in sysarch(2)
> [...]
> III. Impact
>
> This vulnerability could cause the kernel to panic. In addition it is
> possible to perform a local Denial of Service against the system by
> unprivileged processes.
> [...]

-- 
Pawel Jakub Dawidek                       http://www.wheelsystems.com
FreeBSD committer                         http://www.FreeBSD.org
Am I Evil? Yes, I Am!                     http://mobter.com
From owner-freebsd-security@freebsd.org Wed Oct 26 05:47:46 2016
From: Xin LI
Date: Tue, 25 Oct 2016 22:47:44 -0700
Subject: Re: FreeBSD Security Advisory FreeBSD-SA-16:15.sysarch [REVISED]
To: Pawel Jakub Dawidek
Cc: freebsd-security@freebsd.org
In-Reply-To: <20161026042748.GG60006@garage.freebsd.pl>

It's unprivileged local DoS (if it's root DoS then we normally don't).

On Tue, Oct 25, 2016 at 9:27 PM, Pawel Jakub Dawidek wrote:
> Hi guys,
>
> since when do we publish security advisories for local DoSes?
>
> On Tue, Oct 25, 2016 at 05:36:41PM +0000, FreeBSD Security Advisories wrote:
>> FreeBSD-SA-16:15.sysarch [REVISED]                          Security Advisory
>>                                                           The FreeBSD Project
>>
>> Topic:          Incorrect argument validation in sysarch(2)
>> [...]
From owner-freebsd-security@freebsd.org Wed Oct 26 06:15:11 2016
From: Pawel Jakub Dawidek
Date: Wed, 26 Oct 2016 08:15:05 +0200
To: Xin LI
Cc: rwatson@FreeBSD.org, freebsd-security@freebsd.org
Subject: Re: FreeBSD Security Advisory FreeBSD-SA-16:15.sysarch [REVISED]
Message-ID: <20161026061504.GH60006@garage.freebsd.pl>

I'm pretty sure we didn't for unprivileged local DoS.

Robert, can you help me here? Do I recall correctly?

I remember one time when Colin did a security advisory for an unprivileged
local DoS and we had a discussion back then that this is a dangerous
precedent, as users may start depending on it.

On Tue, Oct 25, 2016 at 10:47:44PM -0700, Xin LI wrote:
> It's unprivileged local DoS (if it's root DoS then we normally don't).
>
> On Tue, Oct 25, 2016 at 9:27 PM, Pawel Jakub Dawidek wrote:
> > Hi guys,
> >
> > since when do we publish security advisories for local DoSes?
> >
> > On Tue, Oct 25, 2016 at 05:36:41PM +0000, FreeBSD Security Advisories wrote:
> >> [...]
-- 
Pawel Jakub Dawidek                       http://www.wheelsystems.com
FreeBSD committer                         http://www.FreeBSD.org
Am I Evil? Yes, I Am!                     http://mobter.com

From owner-freebsd-security@freebsd.org Wed Oct 26 06:53:52 2016
From: "Robert N. M. Watson"
Date: Wed, 26 Oct 2016 07:53:44 +0100
To: Pawel Jakub Dawidek
Cc: Xin LI, freebsd-security@freebsd.org
Subject: Re: FreeBSD Security Advisory FreeBSD-SA-16:15.sysarch [REVISED]
Message-Id: <0717BEFA-4E65-4990-AC50-FD80681C110C@FreeBSD.org>
In-Reply-To: <20161026061504.GH60006@garage.freebsd.pl>

Hi Pawel:

In general, my strong recommendation is against issuing advisories for
local denial-of-service attacks, in part because it suggests we consider
it a security guarantee of the system that those problems can be
reliably prevented. At least in current operating-system designs,
preventing local DoS is a very hard problem (not quite up there with
covert channels, but certainly not something we can do reliably) — and
so I think it would be misleading to suggest to our users that they can
expect them not to exist at all. If something is being widely exploited,
then it might be appropriate to issue an errata update, but I think if
it’s something obscure where a local user can trigger a panic (and there
really is no escalation path to kernel privilege, for example), then I
think an advisory would generally be a mistake. Otherwise we’d find that
a huge number of our ordinary kernel bug fixes get reclassified as
security patches requiring advisories, if nothing else!

(In this case, I’m not passing judgement one way or the other — zeroing
of arbitrary kernel memory can have more broad implications than a panic
— for example, you can imagine that if it were to zero a process
credential, a process might start running unexpectedly as root. And what
were once thought to be innocuous crashes due to NULL-pointer
dereferences turn out not to be!)

Robert

> On 26 Oct 2016, at 07:15, Pawel Jakub Dawidek wrote:
>
> I'm pretty sure we didn't for unprivileged local DoS.
>
> Robert, can you help me here? Do I recall correctly?
>
> I remember one time when Colin did a security advisory for an unprivileged
> local DoS and we had a discussion back then that this is a dangerous
> precedent, as users may start depending on it.
>
> On Tue, Oct 25, 2016 at 10:47:44PM -0700, Xin LI wrote:
>> It's unprivileged local DoS (if it's root DoS then we normally don't).
>>
>> On Tue, Oct 25, 2016 at 9:27 PM, Pawel Jakub Dawidek wrote:
>>> Hi guys,
>>>
>>> since when do we publish security advisories for local DoSes?
>>>
>>> On Tue, Oct 25, 2016 at 05:36:41PM +0000, FreeBSD Security Advisories wrote:
>>>> [...]
From owner-freebsd-security@freebsd.org Wed Oct 26 08:18:41 2016
From: Konstantin Belousov
Date: Wed, 26 Oct 2016 11:18:35 +0300
To: "Robert N. M. Watson"
Cc: Pawel Jakub Dawidek, freebsd-security@freebsd.org
Subject: Re: FreeBSD Security Advisory FreeBSD-SA-16:15.sysarch [REVISED]
Message-ID: <20161026081835.GR54029@kib.kiev.ua>
In-Reply-To: <0717BEFA-4E65-4990-AC50-FD80681C110C@FreeBSD.org>

On Wed, Oct 26, 2016 at 07:53:44AM +0100, Robert N. M. Watson wrote:
> [...]
>
> (In this case, I’m not passing judgement one way or the other — zeroing
> of arbitrary kernel memory can have more broad implications than a panic
> — for example, you can imagine that if it were to zero a process
> credential, a process might start running unexpectedly as root. And what
> were once thought to be innocuous crashes due to NULL-pointer
> dereferences turn out not to be!)

It is not quite arbitrary kernel memory, memory is adjacent to the
region allocated with kmem_malloc(kernel_arena), which puts the
allocated chunk aside from the typical kernel allocations. In fact, most
likely the allocated chunk is followed by an unmapped page, which means
that an attempt to zero past the end of the legit chunk traps. In other
words, I consider the escalation of the issue unlikely or, at least, hard.

FWIW, I asked the same question as Pawel when the initial SA was created.
The answer was not technical but satisfactory.

From owner-freebsd-security@freebsd.org Wed Oct 26 09:15:47 2016
From: Pawel Jakub Dawidek
Date: Wed, 26 Oct 2016 11:15:42 +0200
To: Konstantin Belousov
Cc: "Robert N. M. Watson", freebsd-security@freebsd.org
Subject: Re: FreeBSD Security Advisory FreeBSD-SA-16:15.sysarch [REVISED]
Message-ID: <20161026091541.GI60006@garage.freebsd.pl>
In-Reply-To: <20161026081835.GR54029@kib.kiev.ua>
On Wed, Oct 26, 2016 at 11:18:35AM +0300, Konstantin Belousov wrote:
> On Wed, Oct 26, 2016 at 07:53:44AM +0100, Robert N. M. Watson wrote:
> > [...]
>
> It is not quite arbitrary kernel memory, memory is adjacent to the
> region allocated with kmem_malloc(kernel_arena), which puts the
> allocated chunk aside from the typical kernel allocations. In fact, most
> likely the allocated chunk is followed by an unmapped page, which means
> that an attempt to zero past the end of the legit chunk traps. In other
> words, I consider the escalation of the issue unlikely or, at least, hard.
>
> FWIW, I asked the same question as Pawel when the initial SA was created.
> The answer was not technical but satisfactory.

I'd definitely prefer to have strict rules in this area that we always
follow. "Sometimes" publishing SAs for local DoS sends the wrong message
to the users, who may start to depend on them, and to the people who
report those kinds of bugs, who can accuse us of trying to lower the
number of SAs on purpose.

Note that the latter already happened in the past, AFAIR, where we were
committing fixes and later publishing SAs - the time between commit and
SA publication gave room to people to make those kinds of accusations.
This is the reason we now try to commit the fix and publish the SA at the
same time, isn't it?

-- 
Pawel Jakub Dawidek                       http://www.wheelsystems.com
FreeBSD committer                         http://www.FreeBSD.org
Am I Evil? Yes, I Am!                     http://mobter.com
From owner-freebsd-security@freebsd.org Wed Oct 26 09:23:08 2016
From: CeDeROM
Date: Wed, 26 Oct 2016 11:22:44 +0200
To: "Robert N. M. Watson"
Cc: Pawel Jakub Dawidek, freebsd-security@freebsd.org
Subject: Re: FreeBSD Security Advisory FreeBSD-SA-16:15.sysarch [REVISED]
In-Reply-To: <0717BEFA-4E65-4990-AC50-FD80681C110C@FreeBSD.org>

On Wed, Oct 26, 2016 at 8:53 AM, Robert N. M. Watson wrote:
> In general, my strong recommendation is against issuing advisories for
> local denial-of-service attacks, (..)

I would prefer to get that information regardless of individual
preferences. An SA tells us there is a problem that is at least good to
know about.

-- 
CeDeROM, SQ7MHZ, http://www.tomek.cedro.info

From owner-freebsd-security@freebsd.org Wed Oct 26 09:42:22 2016
From: Dag-Erling Smørgrav
Date: Wed, 26 Oct 2016 11:42:14 +0200
To: CeDeROM
Cc: "Robert N. M. Watson", freebsd-security@freebsd.org, Pawel Jakub Dawidek
Subject: Re: FreeBSD Security Advisory FreeBSD-SA-16:15.sysarch [REVISED]
Message-ID: <868ttbwio9.fsf@desk.des.no>

CeDeROM writes:
> Robert N. M. Watson writes:
> > In general, my strong recommendation is against issuing advisories
> > for local denial-of-service attacks, (..)
> I would prefer to get that information regardless of individual
> preferences.

It's not a matter of individual preference. During my time as so@ (and
Simon's before me), this was an explicit policy. The reason is that, as
Robert points out, there are a million ways for a trusted unprivileged
user to cause a DoS, and most of them aren't even bugs. Some of them can
be mitigated using quotas or resource limits, but far from all.
DES --=20 Dag-Erling Sm=C3=B8rgrav - des@des.no From owner-freebsd-security@freebsd.org Wed Oct 26 10:03:49 2016 Return-Path: Delivered-To: freebsd-security@mailman.ysv.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:1900:2254:206a::19:1]) by mailman.ysv.freebsd.org (Postfix) with ESMTP id E21F8C1EA6A for ; Wed, 26 Oct 2016 10:03:49 +0000 (UTC) (envelope-from tomek.cedro@gmail.com) Received: from mail-wm0-x231.google.com (mail-wm0-x231.google.com [IPv6:2a00:1450:400c:c09::231]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (Client CN "smtp.gmail.com", Issuer "Google Internet Authority G2" (verified OK)) by mx1.freebsd.org (Postfix) with ESMTPS id 7BB60B1; Wed, 26 Oct 2016 10:03:49 +0000 (UTC) (envelope-from tomek.cedro@gmail.com) Received: by mail-wm0-x231.google.com with SMTP id b80so215111910wme.1; Wed, 26 Oct 2016 03:03:49 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=mime-version:sender:in-reply-to:references:from:date:message-id :subject:to:cc:content-transfer-encoding; bh=t8Qdnmcqh6mV2gJxnQvWnXonvHrBemY1+x/Z3wRA6qk=; b=oCW0XuAZwlvFSl/rHyxJvsu20EUumul4U/M5JGKyG4InTGjDcT0pWMW4KjW5MO40Lv hS+h21lgKjXRDSFRxASmZojJUwXNiSuVJ+jqh5e9IuDP6LTCzaljuWsoW+fwwdMyXxld HMIyR8O5Xvf05bjfq8cVHfq/gl3hx9T5oXZxvZqJC/pH64WRTOR8Iy3RA0cwis39v/Ok 8v/HheG+nJtkut6iSAh8hUs3dR1JqKTXKNsbW+1eR98EdDIvFsqx89Wob4bt7iLv2F7X FJK1n0WzgusaHb0I/Od2VLR3Jsi0fB9gJSTiDVNpRTHeDUynbCDvWFdqkFGRdvQ38IsO RwjA== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20130820; h=x-gm-message-state:mime-version:sender:in-reply-to:references:from :date:message-id:subject:to:cc:content-transfer-encoding; bh=t8Qdnmcqh6mV2gJxnQvWnXonvHrBemY1+x/Z3wRA6qk=; b=AiW8hbJDXLY/orHB9sFIPO+2nRFVLJvNsRXFPMd8AQB3olCjfT/oJJcE/9hVBsQaIv yzNTpML3HrMGTXxYBlEXRFVEGZZNvwdJ/q1x9G8lgfk2+ivc9K2ZqeLfouuSIk9zgNH8 PTaefeTDAmu5iR06ZvBZQK4YuHXOxeCysxJXEPVYBnowOKjrV1twY6vOXTytpCbkXRG4 
bwbyPIclw5ebRQgUowM17nVCKtWokvBzXAikFYZQBPBIZntnd+dQakL8s47dxFqE4ZMY 9v7k+6ZtjIS+sm3FLrcxlGM6iPJQeUnsUhvr7OAX7NxAchB6b0SxGfsGbJ+piiUfeKUo 1axg== X-Gm-Message-State: ABUngvc3OGx836OJBVBGNccalv5K/K+UXYDo2lStqu4D1kFuhOJPqkdigx4ifAAtqJ/3jUTbcvMnnnKfYmzz6g== X-Received: by 10.194.24.34 with SMTP id r2mr1396731wjf.111.1477476223757; Wed, 26 Oct 2016 03:03:43 -0700 (PDT) MIME-Version: 1.0 Sender: tomek.cedro@gmail.com Received: by 10.28.178.132 with HTTP; Wed, 26 Oct 2016 03:03:23 -0700 (PDT) In-Reply-To: <868ttbwio9.fsf@desk.des.no> References: <20161025173641.BCDFD1911@freefall.freebsd.org> <20161026042748.GG60006@garage.freebsd.pl> <20161026061504.GH60006@garage.freebsd.pl> <0717BEFA-4E65-4990-AC50-FD80681C110C@FreeBSD.org> <868ttbwio9.fsf@desk.des.no> From: CeDeROM Date: Wed, 26 Oct 2016 12:03:23 +0200 X-Google-Sender-Auth: RIalhLzT-OGuJQ0T2K81GR3LiZ0 Message-ID: Subject: Re: FreeBSD Security Advisory FreeBSD-SA-16:15.sysarch [REVISED] To: =?UTF-8?Q?Dag=2DErling_Sm=C3=B8rgrav?= Cc: "Robert N. M. Watson" , freebsd-security@freebsd.org, Pawel Jakub Dawidek Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: quoted-printable X-BeenThere: freebsd-security@freebsd.org X-Mailman-Version: 2.1.23 Precedence: list List-Id: "Security issues \[members-only posting\]" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Wed, 26 Oct 2016 10:03:50 -0000 On Wed, Oct 26, 2016 at 11:42 AM, Dag-Erling Sm=C3=B8rgrav wro= te: > CeDeROM writes: >> Robert N. M. Watson writes: >> > In general, my strong recommendation is against issuing advisories >> > for local denial-of-service attacks, (..) >> I would prefer to get that information regardless of individual >> preferences. > > It's not a matter of individual preference. During my time as so@ (and > Simon's before me), this was an explicit policy. 
The reason is that, as > Robert points out, there are a million ways for a trusted unprivileged > user to cause a DoS, and most of them aren't even bugs. Some of them > can be mitigated using quotas or resource limits, but far from all. Maybe a dedicated place/list for those..? That would be also good source of recommendations on how to protect a system.. something like CIS Benchmarks? :-) --=20 CeDeROM, SQ7MHZ, http://www.tomek.cedro.info From owner-freebsd-security@freebsd.org Wed Oct 26 11:00:37 2016 Return-Path: Delivered-To: freebsd-security@mailman.ysv.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:1900:2254:206a::19:1]) by mailman.ysv.freebsd.org (Postfix) with ESMTP id B41C8C20A0D for ; Wed, 26 Oct 2016 11:00:37 +0000 (UTC) (envelope-from rwatson@FreeBSD.org) Received: from cyrus.watson.org (cyrus.watson.org [198.74.231.69]) by mx1.freebsd.org (Postfix) with ESMTP id 78FB4E2C; Wed, 26 Oct 2016 11:00:37 +0000 (UTC) (envelope-from rwatson@FreeBSD.org) Received: from kaffir.sec.cl.cam.ac.uk (kaffir.sec.cl.cam.ac.uk [128.232.18.243]) by cyrus.watson.org (Postfix) with ESMTPSA id EF02946B2A; Wed, 26 Oct 2016 07:00:35 -0400 (EDT) Content-Type: text/plain; charset=utf-8 Mime-Version: 1.0 (Mac OS X Mail 9.3 \(3124\)) Subject: Re: FreeBSD Security Advisory FreeBSD-SA-16:15.sysarch [REVISED] From: "Robert N.M. 
Watson" In-Reply-To: <868ttbwio9.fsf@desk.des.no> Date: Wed, 26 Oct 2016 12:00:33 +0100 Cc: CeDeROM , freebsd-security@freebsd.org, Pawel Jakub Dawidek Content-Transfer-Encoding: quoted-printable Message-Id: <376CBFFC-8BE1-4401-984E-4E8BB336FE32@FreeBSD.org> References: <20161025173641.BCDFD1911@freefall.freebsd.org> <20161026042748.GG60006@garage.freebsd.pl> <20161026061504.GH60006@garage.freebsd.pl> <0717BEFA-4E65-4990-AC50-FD80681C110C@FreeBSD.org> <868ttbwio9.fsf@desk.des.no> To: =?utf-8?Q?Dag-Erling_Sm=C3=B8rgrav?= X-Mailer: Apple Mail (2.3124) X-BeenThere: freebsd-security@freebsd.org X-Mailman-Version: 2.1.23 Precedence: list List-Id: "Security issues \[members-only posting\]" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Wed, 26 Oct 2016 11:00:37 -0000 On 26 Oct 2016, at 10:42, Dag-Erling Sm=C3=B8rgrav wrote: > CeDeROM writes: >> Robert N. M. Watson writes: >>> In general, my strong recommendation is against issuing advisories >>> for local denial-of-service attacks, (..) >> I would prefer to get that information regardless of individual >> preferences. >=20 > It's not a matter of individual preference. During my time as so@ = (and > Simon's before me), this was an explicit policy. The reason is that, = as > Robert points out, there are a million ways for a trusted unprivileged > user to cause a DoS, and most of them aren't even bugs. Some of them > can be mitigated using quotas or resource limits, but far from all. I agree: it=E2=80=99s critical that security patches remain a = high-signal, low-noise venue for conservative changes for which risk has = been minimised (and carefully balanced against urgency of application). = This is especially true for kernel patches, which not only suffer higher = risk in general (it=E2=80=99s not just one application that crashes..) = but also higher impact on uptime (since they require a reboot), etc. 
= Risk is further increased with patches requiring reboots as they expose = greater opportunity for operator error. Starting to ship large numbers = of stability fixes via this mechanism will make it vastly harder for = users to minimise downtime, which may have a much more substantial = impact than the problem being fixed. We do have a mechanism for shipping (and also batching) stability = improvements, which is the errata note mechanism =E2=80=94 and that may = be appropriate where there are a class of related critical stability = (rather than security) problems, especially where they are seen =E2=80=9Ci= n the wild=E2=80=9D and are impacting a substantial user base, which = mitigates the former risks to some extent. For non-critical stability fixes, then there is a source of continuous = notifications and improvements available: the commit mailing lists. = Every time a commit comes through saying =E2=80=9CFix a crash when = =E2=80=9D, =E2=80=9CDon=E2=80=99t dereference a bad pointer when = =E2=80=9D, =E2=80=9CEliminate a resource leak when =E2=80=9D, then = they are pertinent to a user trying to review and evaluate fixes =E2=80=94= but they will not have seen (and cannot, at that volume see) the level = of individual review that a security update sees. I am willing to see stability problems escalated to an errata note or = security patch if we can convince ourselves that the risk imposed by = shipping the additional patch is going to be counter-balanced by the = benefits it brings =E2=80=94 but I think that case has to be made very = carefully, because between the context for updates (rebooting real = systems) and the chances of error (whether programmer or operator), = it=E2=80=99s very easy for the cost to outweigh the benefit much of the = time. 
Robert= From owner-freebsd-security@freebsd.org Wed Oct 26 11:28:13 2016 Return-Path: Delivered-To: freebsd-security@mailman.ysv.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:1900:2254:206a::19:1]) by mailman.ysv.freebsd.org (Postfix) with ESMTP id CC711C21369 for ; Wed, 26 Oct 2016 11:28:13 +0000 (UTC) (envelope-from des@des.no) Received: from smtp.des.no (smtp.des.no [194.63.250.102]) by mx1.freebsd.org (Postfix) with ESMTP id 926E1F4F; Wed, 26 Oct 2016 11:28:13 +0000 (UTC) (envelope-from des@des.no) Received: from desk.des.no (smtp.des.no [194.63.250.102]) by smtp.des.no (Postfix) with ESMTP id 70EEC10847; Wed, 26 Oct 2016 11:28:11 +0000 (UTC) Received: by desk.des.no (Postfix, from userid 1001) id 4609543140; Wed, 26 Oct 2016 13:28:11 +0200 (CEST) From: =?utf-8?Q?Dag-Erling_Sm=C3=B8rgrav?= To: CeDeROM Cc: "Robert N. M. Watson" , freebsd-security@freebsd.org, Pawel Jakub Dawidek Subject: Re: FreeBSD Security Advisory FreeBSD-SA-16:15.sysarch [REVISED] References: <20161025173641.BCDFD1911@freefall.freebsd.org> <20161026042748.GG60006@garage.freebsd.pl> <20161026061504.GH60006@garage.freebsd.pl> <0717BEFA-4E65-4990-AC50-FD80681C110C@FreeBSD.org> <868ttbwio9.fsf@desk.des.no> Date: Wed, 26 Oct 2016 13:28:11 +0200 In-Reply-To: (cederom@tlen.pl's message of "Wed, 26 Oct 2016 12:03:23 +0200") Message-ID: <864m3zwdro.fsf@desk.des.no> User-Agent: Gnus/5.13 (Gnus v5.13) Emacs/25.1 (berkeley-unix) MIME-Version: 1.0 Content-Type: text/plain; charset=utf-8 Content-Transfer-Encoding: quoted-printable X-BeenThere: freebsd-security@freebsd.org X-Mailman-Version: 2.1.23 Precedence: list List-Id: "Security issues \[members-only posting\]" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Wed, 26 Oct 2016 11:28:13 -0000 CeDeROM writes: > Dag-Erling Sm=C3=B8rgrav writes: > > [...] there are a million ways for a trusted unprivileged user to > > cause a DoS, and most of them aren't even bugs. 
Some of them can be > > mitigated using quotas or resource limits, but far from all. > Maybe a dedicated place/list for those..? That's like asking for a list of ways you can hurt yourself in your own home. I could list a hundred, and there would still be thousands more I didn't think of. DES --=20 Dag-Erling Sm=C3=B8rgrav - des@des.no From owner-freebsd-security@freebsd.org Wed Oct 26 12:12:50 2016 Return-Path: Delivered-To: freebsd-security@mailman.ysv.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:1900:2254:206a::19:1]) by mailman.ysv.freebsd.org (Postfix) with ESMTP id BF18DC22A0A for ; Wed, 26 Oct 2016 12:12:50 +0000 (UTC) (envelope-from tomek.cedro@gmail.com) Received: from mail-wm0-x234.google.com (mail-wm0-x234.google.com [IPv6:2a00:1450:400c:c09::234]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (Client CN "smtp.gmail.com", Issuer "Google Internet Authority G2" (verified OK)) by mx1.freebsd.org (Postfix) with ESMTPS id 51587F3A; Wed, 26 Oct 2016 12:12:50 +0000 (UTC) (envelope-from tomek.cedro@gmail.com) Received: by mail-wm0-x234.google.com with SMTP id d128so82004656wmf.1; Wed, 26 Oct 2016 05:12:50 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=mime-version:sender:in-reply-to:references:from:date:message-id :subject:to:cc:content-transfer-encoding; bh=f8X2eGDlBMZMrXYkMypbCf74+z+H4FRKAOdTtUbB9sA=; b=FoNFMIYcOcnA5YiWUFWxji6U+VKRgFvEECyjZ/KvqNJQFf/z+67sx+ZzarRC0mWux8 /rIU2SHVF7ut0eVTh7xHBRjMAuUtGZx7+Rdy6IikRQldUCvWzusTPmy2SAdOp1limCri MpwMWzCwKDTkQlaG2HYfKHeibVTochAl9gbtXbKeck7UlFuX2pSNQVtdp0L13uSRUXG3 NZqG5kZs+MIBEnOOqukeC1dDHLDIS1b3gXEV1uN31VNjDO8MMHpDLaUwPHLMf/ai06Vl o+A9f+1GIx+Xh/iuMLSy4H5fquG2GJN83APMLtgIC9kE4IBPDrAcUg9Mz8pcx7sNzQkL wUoA== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20130820; h=x-gm-message-state:mime-version:sender:in-reply-to:references:from :date:message-id:subject:to:cc:content-transfer-encoding; 
bh=f8X2eGDlBMZMrXYkMypbCf74+z+H4FRKAOdTtUbB9sA=; b=HNrihkETll5cD2jfOjwI5DqWyNHPRvhMMxx1AGwbCjytpBibj0P4ah8HNV+QojPBN2 O6Tho3dMMiKaQFJzkIBuwDvtMgd3G0mpFb61SEy027gg6zxSHo9usz9i/iXwAPjb6DhH jsx9+mGETDX2jgjZc0yEbMnVToE2lGlIarmX76X87cmjVG7QcPF9KElEYVsNRX/qJXBy igLHnJ80v4F16GDtFRznw396jO9y405lyhcCigF5UgcUW4LVW9vHCvfqiU8GIeM1mPTA mL5vR5tRBd6ny8OqjFvaPETj1njUBUcZK3cXrN7rYUzwsmtp2FsH1nzlToPDQopd2b+Y MDpg== X-Gm-Message-State: ABUngvcT5UfaTDilvnIDEp3E47w/zV9IaHzgEdOSrGmZfha9GYTSwkfueSly9C9E1spSViC+WxTVzRgTKEdIsg== X-Received: by 10.194.85.229 with SMTP id k5mr1986213wjz.22.1477483968792; Wed, 26 Oct 2016 05:12:48 -0700 (PDT) MIME-Version: 1.0 Sender: tomek.cedro@gmail.com Received: by 10.28.178.132 with HTTP; Wed, 26 Oct 2016 05:12:28 -0700 (PDT) In-Reply-To: <864m3zwdro.fsf@desk.des.no> References: <20161025173641.BCDFD1911@freefall.freebsd.org> <20161026042748.GG60006@garage.freebsd.pl> <20161026061504.GH60006@garage.freebsd.pl> <0717BEFA-4E65-4990-AC50-FD80681C110C@FreeBSD.org> <868ttbwio9.fsf@desk.des.no> <864m3zwdro.fsf@desk.des.no> From: CeDeROM Date: Wed, 26 Oct 2016 14:12:28 +0200 X-Google-Sender-Auth: jkMliTnjcZ4iCcaQPvdinnPe2I8 Message-ID: Subject: Re: FreeBSD Security Advisory FreeBSD-SA-16:15.sysarch [REVISED] To: =?UTF-8?Q?Dag=2DErling_Sm=C3=B8rgrav?= Cc: "Robert N. M. Watson" , freebsd-security@freebsd.org, Pawel Jakub Dawidek Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: quoted-printable X-BeenThere: freebsd-security@freebsd.org X-Mailman-Version: 2.1.23 Precedence: list List-Id: "Security issues \[members-only posting\]" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Wed, 26 Oct 2016 12:12:50 -0000 On Wed, Oct 26, 2016 at 1:28 PM, Dag-Erling Sm=C3=B8rgrav wrot= e: > That's like asking for a list of ways you can hurt yourself in your own > home. I could list a hundred, and there would still be thousands more I > didn't think of. 
I think it would be nice to have something like CIS Benchmark for FreeBSD.. It could assess local settings and security. There are for Linux, Windows, ... if we find anything disturbing we could simply create and add a benchmark and recommendation for others to implement and verify.. that could be nice complementary to SA / kernel patch at admin level. It works for others. It could work here :-) --=20 CeDeROM, SQ7MHZ, http://www.tomek.cedro.info From owner-freebsd-security@freebsd.org Wed Oct 26 12:21:43 2016 Return-Path: Delivered-To: freebsd-security@mailman.ysv.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:1900:2254:206a::19:1]) by mailman.ysv.freebsd.org (Postfix) with ESMTP id 7373EC22FC6 for ; Wed, 26 Oct 2016 12:21:43 +0000 (UTC) (envelope-from des@des.no) Received: from smtp.des.no (smtp.des.no [194.63.250.102]) by mx1.freebsd.org (Postfix) with ESMTP id 39CF268E; Wed, 26 Oct 2016 12:21:42 +0000 (UTC) (envelope-from des@des.no) Received: from desk.des.no (smtp.des.no [194.63.250.102]) by smtp.des.no (Postfix) with ESMTP id EDDC71094E; Wed, 26 Oct 2016 12:21:41 +0000 (UTC) Received: by desk.des.no (Postfix, from userid 1001) id CB19943147; Wed, 26 Oct 2016 14:21:41 +0200 (CEST) From: =?utf-8?Q?Dag-Erling_Sm=C3=B8rgrav?= To: CeDeROM Cc: "Robert N. M. 
Watson" , freebsd-security@freebsd.org, Pawel Jakub Dawidek Subject: Re: FreeBSD Security Advisory FreeBSD-SA-16:15.sysarch [REVISED] References: <20161025173641.BCDFD1911@freefall.freebsd.org> <20161026042748.GG60006@garage.freebsd.pl> <20161026061504.GH60006@garage.freebsd.pl> <0717BEFA-4E65-4990-AC50-FD80681C110C@FreeBSD.org> <868ttbwio9.fsf@desk.des.no> <864m3zwdro.fsf@desk.des.no> Date: Wed, 26 Oct 2016 14:21:41 +0200 In-Reply-To: (cederom@tlen.pl's message of "Wed, 26 Oct 2016 14:12:28 +0200") Message-ID: <86wpgvuwq2.fsf@desk.des.no> User-Agent: Gnus/5.13 (Gnus v5.13) Emacs/25.1 (berkeley-unix) MIME-Version: 1.0 Content-Type: text/plain; charset=utf-8 Content-Transfer-Encoding: quoted-printable X-BeenThere: freebsd-security@freebsd.org X-Mailman-Version: 2.1.23 Precedence: list List-Id: "Security issues \[members-only posting\]" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Wed, 26 Oct 2016 12:21:43 -0000 CeDeROM writes: > I think it would be nice to have something like CIS Benchmark for > FreeBSD. 
https://benchmarks.cisecurity.org/downloads/multiform/ Right between "Docker" and "FreeRadius" DES --=20 Dag-Erling Sm=C3=B8rgrav - des@des.no From owner-freebsd-security@freebsd.org Wed Oct 26 12:27:46 2016 Return-Path: Delivered-To: freebsd-security@mailman.ysv.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:1900:2254:206a::19:1]) by mailman.ysv.freebsd.org (Postfix) with ESMTP id B9BF8C2215D for ; Wed, 26 Oct 2016 12:27:46 +0000 (UTC) (envelope-from tomek.cedro@gmail.com) Received: from mail-wm0-x235.google.com (mail-wm0-x235.google.com [IPv6:2a00:1450:400c:c09::235]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (Client CN "smtp.gmail.com", Issuer "Google Internet Authority G2" (verified OK)) by mx1.freebsd.org (Postfix) with ESMTPS id 47A8B9AA; Wed, 26 Oct 2016 12:27:46 +0000 (UTC) (envelope-from tomek.cedro@gmail.com) Received: by mail-wm0-x235.google.com with SMTP id e69so26600897wmg.0; Wed, 26 Oct 2016 05:27:46 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=mime-version:sender:in-reply-to:references:from:date:message-id :subject:to:cc:content-transfer-encoding; bh=GUZ0Y0+GZHir8uJkT9/rSrRsj+kyVvT56ZpPYJ59nDw=; b=gEMBF7/NuyOsH+tkA/RZW2Y4oyi2w2Q1YYtoo8FEP80fh+ACt8+5Q5CpfU6Xt0X3kN QpJWgq5RlcW8iUB+2pj4sNHzxHDmZjYwvZKOj0OBAEEuFexkZAnLnW0K8sys8/Vtjq5b uwyVqSs+13lXJfRwpS85MPCBOlFkpJBdfcM6eiVrlfynwYpj+rjmFo4K4zNq3wjqSHOz R5NV9oDck9Lunv0TXyjz7jNi3SrclVyHe/YKMUrNcgW6h3K90ZH7Q91+TrodOYAVUFLw i1eIUnhI7eYNcbGF1+RrC1e6ViFv+V3+qZW5xW5BU+Me/JRaUT9t0HmGjn15tW9xRL+A 4deg== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20130820; h=x-gm-message-state:mime-version:sender:in-reply-to:references:from :date:message-id:subject:to:cc:content-transfer-encoding; bh=GUZ0Y0+GZHir8uJkT9/rSrRsj+kyVvT56ZpPYJ59nDw=; b=UC8Tc5I+A6MqAT1ivkFVnpMMbDfCbeZTqRt89m0ZLmbiM1L8NIBkBQ3ZU776l3odqE PqUe6ME9mnof65AljSd8boAaPRcvCUF5sAq9QvS3ObR1JoMxAGd6PWmYlXTSIlJk5Ylv 
lL4wRxN/io0vMqk+XuRsQEo1wub9QjdxPKGuYOSGapVoHq20dXNPfDeTwT9gReG7cK3E peHIjmZsmWMxgJ5WUqKnH1y4+YWtqla7py2tLCFCq6AQaFwkcAqYpR1z5Q3dKSXJTFvh fvzLN6oTXYjvPbiPSNkswgKP3detsOKArZ3feBRMEiCPNNgP5WIjq3lcG4YCxvyQdJ0q ZQ5w== X-Gm-Message-State: ABUngvcr2Dw4BnuDMQFUb+jMO/oVxqX9XBAmUHrx7Nvb05SKScdbjnfUdU3p8gkE3925/J93zImZP8lSI+uJeQ== X-Received: by 10.194.85.229 with SMTP id k5mr2048487wjz.22.1477484864712; Wed, 26 Oct 2016 05:27:44 -0700 (PDT) MIME-Version: 1.0 Sender: tomek.cedro@gmail.com Received: by 10.28.178.132 with HTTP; Wed, 26 Oct 2016 05:27:24 -0700 (PDT) In-Reply-To: <86wpgvuwq2.fsf@desk.des.no> References: <20161025173641.BCDFD1911@freefall.freebsd.org> <20161026042748.GG60006@garage.freebsd.pl> <20161026061504.GH60006@garage.freebsd.pl> <0717BEFA-4E65-4990-AC50-FD80681C110C@FreeBSD.org> <868ttbwio9.fsf@desk.des.no> <864m3zwdro.fsf@desk.des.no> <86wpgvuwq2.fsf@desk.des.no> From: CeDeROM Date: Wed, 26 Oct 2016 14:27:24 +0200 X-Google-Sender-Auth: QZv8WwnLUnHufy_sUyTvPXgJ9yM Message-ID: Subject: Re: FreeBSD Security Advisory FreeBSD-SA-16:15.sysarch [REVISED] To: =?UTF-8?Q?Dag=2DErling_Sm=C3=B8rgrav?= Cc: "Robert N. M. Watson" , freebsd-security@freebsd.org, Pawel Jakub Dawidek Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: quoted-printable X-BeenThere: freebsd-security@freebsd.org X-Mailman-Version: 2.1.23 Precedence: list List-Id: "Security issues \[members-only posting\]" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Wed, 26 Oct 2016 12:27:46 -0000 On Wed, Oct 26, 2016 at 2:21 PM, Dag-Erling Sm=C3=B8rgrav wrot= e: > CeDeROM writes: >> I think it would be nice to have something like CIS Benchmark for >> FreeBSD. > https://benchmarks.cisecurity.org/downloads/multiform/ > Right between "Docker" and "FreeRadius" Perfect :-) This is the place for benchmarking "advisories for local denial-of-service attacks", no? 
:-) --=20 CeDeROM, SQ7MHZ, http://www.tomek.cedro.info From owner-freebsd-security@freebsd.org Wed Oct 26 13:12:41 2016 Return-Path: Delivered-To: freebsd-security@mailman.ysv.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:1900:2254:206a::19:1]) by mailman.ysv.freebsd.org (Postfix) with ESMTP id 592DFC22FCC for ; Wed, 26 Oct 2016 13:12:41 +0000 (UTC) (envelope-from des@des.no) Received: from smtp.des.no (smtp.des.no [194.63.250.102]) by mx1.freebsd.org (Postfix) with ESMTP id 1E10FE1A; Wed, 26 Oct 2016 13:12:40 +0000 (UTC) (envelope-from des@des.no) Received: from desk.des.no (smtp.des.no [194.63.250.102]) by smtp.des.no (Postfix) with ESMTP id A992710A3D; Wed, 26 Oct 2016 13:12:39 +0000 (UTC) Received: by desk.des.no (Postfix, from userid 1001) id 7CE164314F; Wed, 26 Oct 2016 15:12:39 +0200 (CEST) From: =?utf-8?Q?Dag-Erling_Sm=C3=B8rgrav?= To: CeDeROM Cc: "Robert N. M. Watson" , freebsd-security@freebsd.org, Pawel Jakub Dawidek Subject: Re: FreeBSD Security Advisory FreeBSD-SA-16:15.sysarch [REVISED] References: <20161025173641.BCDFD1911@freefall.freebsd.org> <20161026042748.GG60006@garage.freebsd.pl> <20161026061504.GH60006@garage.freebsd.pl> <0717BEFA-4E65-4990-AC50-FD80681C110C@FreeBSD.org> <868ttbwio9.fsf@desk.des.no> <864m3zwdro.fsf@desk.des.no> <86wpgvuwq2.fsf@desk.des.no> Date: Wed, 26 Oct 2016 15:12:39 +0200 In-Reply-To: (cederom@tlen.pl's message of "Wed, 26 Oct 2016 14:27:24 +0200") Message-ID: <86shrjuud4.fsf@desk.des.no> User-Agent: Gnus/5.13 (Gnus v5.13) Emacs/25.1 (berkeley-unix) MIME-Version: 1.0 Content-Type: text/plain; charset=utf-8 Content-Transfer-Encoding: quoted-printable X-BeenThere: freebsd-security@freebsd.org X-Mailman-Version: 2.1.23 Precedence: list List-Id: "Security issues \[members-only posting\]" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Wed, 26 Oct 2016 13:12:41 -0000 CeDeROM writes: > Dag-Erling Sm=C3=B8rgrav writes: > > CeDeROM writes: > > > I think it 
would be nice to have something like CIS Benchmark for > > > FreeBSD. > > https://benchmarks.cisecurity.org/downloads/multiform/ > Perfect :-) This is the place for benchmarking "advisories for local > denial-of-service attacks", no? :-) I'm not sure you understand what the CIS benchmarks are. From the website: The CIS Security Benchmarks program provides vendor-agnostic, consensus-based best practices to help organizations assess and improve their security. Resources include: - secure configuration benchmarks - automated configuration assessment tools and content - security metrics - security software product certifications DES --=20 Dag-Erling Sm=C3=B8rgrav - des@des.no From owner-freebsd-security@freebsd.org Wed Oct 26 13:33:54 2016 Return-Path: Delivered-To: freebsd-security@mailman.ysv.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:1900:2254:206a::19:1]) by mailman.ysv.freebsd.org (Postfix) with ESMTP id 41BBFC22B1E for ; Wed, 26 Oct 2016 13:33:54 +0000 (UTC) (envelope-from tomek.cedro@gmail.com) Received: from mail-wm0-x229.google.com (mail-wm0-x229.google.com [IPv6:2a00:1450:400c:c09::229]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (Client CN "smtp.gmail.com", Issuer "Google Internet Authority G2" (verified OK)) by mx1.freebsd.org (Postfix) with ESMTPS id DAF4A1F08; Wed, 26 Oct 2016 13:33:53 +0000 (UTC) (envelope-from tomek.cedro@gmail.com) Received: by mail-wm0-x229.google.com with SMTP id d128so85643966wmf.1; Wed, 26 Oct 2016 06:33:53 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=mime-version:sender:in-reply-to:references:from:date:message-id :subject:to:cc; bh=CdPPeHU/wlXNqgsRYpym3xWViPlSj2R03CUnDGqP49A=; b=mHmzOv7AXheCunDIrdPZ/SHIrDMOPqsvgZ+MEDncEXAwE62iT1iUVBh8e1OnYALX5O IhLL7yKWu36QO7dF833JoyPtI75xQ9YBwWvq4RDwnljV/nD0pb9zx6bKRykIO0my0TKw ALAS4dX1IEakYHw0yu/YBvSx515vcOrFze24PoRG3iXOU37tVwF+EdDqbgYPdLsAXSaL 
5t9ttj3mBHgmTLm0x0OR97YRA+1GEQv0n7nEnSI2ioidZ5GA96X2VhV6W/+p+VfOKfdM UK7IUw9TprzGM0DCrmpeSk+c9Ix0W0mZyxYhceCVTiR5viS4itRTH+y0Nc0FHO1xjhml dw3g== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20130820; h=x-gm-message-state:mime-version:sender:in-reply-to:references:from :date:message-id:subject:to:cc; bh=CdPPeHU/wlXNqgsRYpym3xWViPlSj2R03CUnDGqP49A=; b=ELqmd1iCQGW0+SMLRL11eKzQ7XiFR7y1c1N26d+OB9Zfb9f/4ZdjzxiCfm8EKpKIVy xF0IcsxDbo71jODxmgdrozZpL2ww7GsJ5AHunqnwIzv9D4Yc8A/WOyk3vwa0N6qmeVie 6UbpWRyX/tc1RIWPRBoO4OyL4XrT1Mko7WGXmPznfMYEUclHp07LzttdbhlUIiPvYvis OSoAvw0u7m20IOMZUmHtjOvAnpYl2PJmiiNcNAiwPKqPJywiGjsgwjAk7B8Eo2etaEaD HYzMQVyGRDBSQ7xQszVxqgGD92NjI5qsRe5GZJSMRB8kup8Vt2usdMuUOCTWXRgk33yh TlWQ== X-Gm-Message-State: ABUngveD3/rVu/2p9DY263pthVobgQhhDqzayFzaDiq+ZxzoiXiR2uYTULcln6uz3FcZTdRDxUJVMQoZR1wQug== X-Received: by 10.194.85.229 with SMTP id k5mr2324992wjz.22.1477488832278; Wed, 26 Oct 2016 06:33:52 -0700 (PDT) MIME-Version: 1.0 Sender: tomek.cedro@gmail.com Received: by 10.28.178.132 with HTTP; Wed, 26 Oct 2016 06:33:31 -0700 (PDT) In-Reply-To: <86shrjuud4.fsf@desk.des.no> References: <20161025173641.BCDFD1911@freefall.freebsd.org> <20161026042748.GG60006@garage.freebsd.pl> <20161026061504.GH60006@garage.freebsd.pl> <0717BEFA-4E65-4990-AC50-FD80681C110C@FreeBSD.org> <868ttbwio9.fsf@desk.des.no> <864m3zwdro.fsf@desk.des.no> <86wpgvuwq2.fsf@desk.des.no> <86shrjuud4.fsf@desk.des.no> From: CeDeROM Date: Wed, 26 Oct 2016 15:33:31 +0200 X-Google-Sender-Auth: 86sjYU7gZAuJEiSdzkmxDQRWlVQ Message-ID: Subject: Re: FreeBSD Security Advisory FreeBSD-SA-16:15.sysarch [REVISED] To: =?UTF-8?Q?Dag=2DErling_Sm=C3=B8rgrav?= Cc: "Robert N. M. 
Watson" , freebsd-security@freebsd.org, Pawel Jakub Dawidek Content-Type: text/plain; charset=UTF-8 X-BeenThere: freebsd-security@freebsd.org X-Mailman-Version: 2.1.23 Precedence: list List-Id: "Security issues \[members-only posting\]" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Wed, 26 Oct 2016 13:33:54 -0000 You have this idea to remove local denial of service advisories. I can understand that. :-) My idea is to move them into benchmarks/recommendations such as CIS, not to /dev/null, as they also provide useful information for users and administrators. CIS-like organization of the local/configuration advisories/recommendations would make it centralized and reproducible way of quick system verification in an automated way. That would not remove additional work but also would not remove important information. That would lower the "noise" on SA list and benefit users/admins in a new way. Just an idea.. Can you understand that? :-) -- CeDeROM, SQ7MHZ, http://www.tomek.cedro.info From owner-freebsd-security@freebsd.org Wed Oct 26 13:49:39 2016 Return-Path: Delivered-To: freebsd-security@mailman.ysv.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:1900:2254:206a::19:1]) by mailman.ysv.freebsd.org (Postfix) with ESMTP id 7CEF9C222CA for ; Wed, 26 Oct 2016 13:49:39 +0000 (UTC) (envelope-from des@des.no) Received: from smtp.des.no (smtp.des.no [194.63.250.102]) by mx1.freebsd.org (Postfix) with ESMTP id 411FDBE5; Wed, 26 Oct 2016 13:49:38 +0000 (UTC) (envelope-from des@des.no) Received: from desk.des.no (smtp.des.no [194.63.250.102]) by smtp.des.no (Postfix) with ESMTP id B202710BB1; Wed, 26 Oct 2016 13:49:37 +0000 (UTC) Received: by desk.des.no (Postfix, from userid 1001) id 9355143154; Wed, 26 Oct 2016 15:49:37 +0200 (CEST) From: =?utf-8?Q?Dag-Erling_Sm=C3=B8rgrav?= To: CeDeROM Cc: "Robert N. M. 
Watson" , freebsd-security@freebsd.org, Pawel Jakub Dawidek Subject: Re: FreeBSD Security Advisory FreeBSD-SA-16:15.sysarch [REVISED] References: <20161025173641.BCDFD1911@freefall.freebsd.org> <20161026042748.GG60006@garage.freebsd.pl> <20161026061504.GH60006@garage.freebsd.pl> <0717BEFA-4E65-4990-AC50-FD80681C110C@FreeBSD.org> <868ttbwio9.fsf@desk.des.no> <864m3zwdro.fsf@desk.des.no> <86wpgvuwq2.fsf@desk.des.no> <86shrjuud4.fsf@desk.des.no> Date: Wed, 26 Oct 2016 15:49:37 +0200 In-Reply-To: (cederom@tlen.pl's message of "Wed, 26 Oct 2016 15:33:31 +0200") Message-ID: <86oa27usni.fsf@desk.des.no> User-Agent: Gnus/5.13 (Gnus v5.13) Emacs/25.1 (berkeley-unix) MIME-Version: 1.0 Content-Type: text/plain; charset=utf-8 Content-Transfer-Encoding: quoted-printable X-BeenThere: freebsd-security@freebsd.org X-Mailman-Version: 2.1.23 Precedence: list List-Id: "Security issues \[members-only posting\]" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Wed, 26 Oct 2016 13:49:39 -0000 CeDeROM writes: > You have this idea to remove local denial of service advisories. No. With very few (imho unfortunate) exceptions, we have *never* issued advisories for local DoS exploits. So we're not taking anything away from you. > My idea is to move them into benchmarks/recommendations such as CIS, The CIS benchmarks are not lists of vulnerabilities. They are lists of best practices for configuring a machine, and shell scripts that tell you whether a machine is configured correctly according to the benchmark. The only way to prevent local denial of service attacks is to not have any users. A four-byte shell script will send the load through the roof. A seven- or ten-byte script will render the machine unusable, and you won't even be able to log in to kill it. These are not bugs, they're fundamental features of the operating system, and you can't plug them without making the system useless for its intended purpose. 
DES
--
Dag-Erling Smørgrav - des@des.no

From owner-freebsd-security@freebsd.org Wed Oct 26 17:54:13 2016
From: CeDeROM
To: Dag-Erling Smørgrav
Cc: "Robert N. M. Watson", freebsd-security@freebsd.org, Pawel Jakub Dawidek
Subject: Re: FreeBSD Security Advisory FreeBSD-SA-16:15.sysarch [REVISED]
Date: Wed, 26 Oct 2016 19:53:51 +0200
In-Reply-To: <86oa27usni.fsf@desk.des.no>

Alright :-) I was just thinking aloud.. not necessarily "the" but rather
"something alike" CIS Benchmarks.. I was using them several times and
found people also keen to use them as a security measure before
implementation :-) It is nice to see SA anyway and know things get
improved.. it would also be nice to have a tool that would easily assess
the OS state.. I know this is not the goal here and not really the
topic.. but could be a nice derivative :-)

If we speak about four byte DoS I think this should not be possible in
the default configuration anyway.. or at least it would be nice to have
a tool that would show the problem and tell you how to fix it.. kind of
automated OS hardening.. I am sure this could be done with a CIS alike
set of rules, no? :-)

--
CeDeROM, SQ7MHZ, http://www.tomek.cedro.info

From owner-freebsd-security@freebsd.org Wed Oct 26 23:18:50 2016
From: Mark Picone
To: "freebsd-security@freebsd.org"
Subject: RE: FreeBSD Security Advisory FreeBSD-SA-16:15.sysarch [REVISED]
Date: Wed, 26 Oct 2016 04:49:20 +0000
Message-ID: <9c684248eee34983aa5f890225ef65b6@exch15-f-1.du.deakin.edu.au>
In-Reply-To: <20161026042748.GG60006@garage.freebsd.pl>

Since the security team have had the procedure of publishing security
advisories for vulnerabilities once a fix is available:
https://www.freebsd.org/doc/handbook/security-advisories.html

-----Original Message-----
From: owner-freebsd-security@freebsd.org [mailto:owner-freebsd-security@freebsd.org] On Behalf Of Pawel Jakub Dawidek
Sent: Wednesday, 26 October 2016 3:28 PM
To: freebsd-security@freebsd.org
Subject: Re: FreeBSD Security Advisory FreeBSD-SA-16:15.sysarch [REVISED]

Hi guys,

since when do we publish security advisories for local DoSes?

On Tue, Oct 25, 2016 at 05:36:41PM +0000, FreeBSD Security Advisories wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA512
>
> =============================================================================
> FreeBSD-SA-16:15.sysarch [REVISED]                          Security Advisory
>                                                           The FreeBSD Project
>
> Topic:          Incorrect argument validation in sysarch(2)
>
> Category:       core
> Module:         kernel
> Announced:      2016-10-25
> Credits:        Core Security, ahaha from Chaitin Tech
> Affects:        All supported versions of FreeBSD.
> Corrected:      2016-10-25 17:14:50 UTC (stable/11, 11.0-STABLE)
>                 2016-10-25 17:11:20 UTC (releng/11.0, 11.0-RELEASE-p2)
>                 2016-10-25 17:16:08 UTC (stable/10, 10.3-STABLE)
>                 2016-10-25 17:11:15 UTC (releng/10.3, 10.3-RELEASE-p11)
>                 2016-10-25 17:11:11 UTC (releng/10.2, 10.2-RELEASE-p24)
>                 2016-10-25 17:11:07 UTC (releng/10.1, 10.1-RELEASE-p41)
>                 2016-10-25 17:16:58 UTC (stable/9, 9.3-STABLE)
>                 2016-10-25 17:11:02 UTC (releng/9.3, 9.3-RELEASE-p49)
> CVE Name:       CVE-2016-1885
>
> For general information regarding FreeBSD Security Advisories,
> including descriptions of the fields above, security branches, and the
> following sections, please visit .
>
> 0.   Revision history
>
> v1.0  2016-03-16  Initial release.
> v1.1  2016-10-25  Revised patch to address a problem pointed out by
>                   ahaha from Chaitin Tech.
>
> I.   Background
>
> The IA-32 architecture allows programs to define segments, which
> provides based and size-limited view into the program address space.
> The memory-resident processor structure, called Local Descriptor
> Table, usually abbreviated LDT, contains definitions of the segments.
> Since incorrect or malicious segments would breach system integrity,
> operating systems do not provide processes direct access to the LDT,
> instead they provide system calls which allow controlled installation
> and removal of segments.
>
> II.  Problem Description
>
> A special combination of sysarch(2) arguments, specify a request to
> uninstall a set of descriptors from the LDT. The start descriptor is
> cleared and the number of descriptors are provided. Due to lack of
> sufficient bounds checking during argument validity verification,
> unbound zero'ing of the process LDT and adjacent memory can be
> initiated from usermode.
>
> III. Impact
>
> This vulnerability could cause the kernel to panic. In addition it is
> possible to perform a local Denial of Service against the system by
> unprivileged processes.
>
> IV.  Workaround
>
> No workaround is available, but only the amd64 architecture is affected.
>
> V.   Solution
>
> Perform one of the following:
>
> 1) Upgrade your vulnerable system to a supported FreeBSD stable or
> release / security branch (releng) dated after the correction date.
>
> Reboot is required.
>
> 2) To update your vulnerable system via a binary patch:
>
> Systems running a RELEASE version of FreeBSD platforms can be updated
> via the freebsd-update(8) utility:
>
> # freebsd-update fetch
> # freebsd-update install
>
> Reboot is required.
>
> 3) To update your vulnerable system via a source code patch:
>
> The following patches have been verified to apply to the applicable
> FreeBSD release branches.
>
> [*** v1.1 NOTE ***] If your sources are not yet patched using the
> initially published advisory patches, then you need to apply both
> sysarch.patch and sysarch-01.patch. If your sources are already
> updated, or patched with patches from the initial advisory, then you
> need to apply sysarch-01.patch only.
>
> a) Download the relevant patch from the location below, and verify the
> detached PGP signature using your PGP utility.
>
> [ FreeBSD system not patched with original SA-16:15 patch]
> # fetch https://security.FreeBSD.org/patches/SA-16:15/sysarch.patch
> # fetch https://security.FreeBSD.org/patches/SA-16:15/sysarch.patch.asc
> # gpg --verify sysarch.patch.asc
>
> [ FreeBSD system that has been patched with original SA-16:15 patch]
> # fetch https://security.FreeBSD.org/patches/SA-16:15/sysarch-01.patch
> # fetch https://security.FreeBSD.org/patches/SA-16:15/sysarch-01.patch.asc
> # gpg --verify sysarch-01.patch.asc
>
> b) Apply the patch(es). Execute the following commands as root for
> every patch file downloaded:
>
> # cd /usr/src
> # patch < /path/to/patch
>
> c) Recompile your kernel as described in and reboot
> the system.
>
> VI.  Correction details
>
> The following list contains the correction revision numbers for each
> affected branch.
>
> Branch/path                                                    Revision
> -------------------------------------------------------------------------
> stable/9/                                                         r307941
> releng/9.3/                                                       r307931
> stable/10/                                                        r307940
> releng/10.1/                                                      r307932
> releng/10.2/                                                      r307933
> releng/10.3/                                                      r307934
> stable/11/                                                        r307938
> releng/11.0/                                                      r307935
> -------------------------------------------------------------------------
>
> To see which files were modified by a particular revision, run the
> following command, replacing NNNNNN with the revision number, on a
> machine with Subversion installed:
>
> # svn diff -cNNNNNN --summarize svn://svn.freebsd.org/base
>
> Or visit the following URL, replacing NNNNNN with the revision number:
>
>
> VII. References
>
>
> The latest revision of this advisory is available at
> asc>
> -----BEGIN PGP SIGNATURE-----
>
> iQIcBAEBCgAGBQJYD5VZAAoJEO1n7NZdz2rnYT4QAMmnfUBnxiNHfzaEDMe2oU+H
> WIVFzFtU5FTAm3wJ3JORU1euqhusDoB7D8nova30alM2bHHd86epBGgym1Q+hxR2
> qTI+d8QimvQUWelz7DWPh0h3ZNlVfDxY8vKlr5SS0W/HOMjbG/O6U1AIw5p7cPaa
> LkDpqo2IN8xBL6tJFUKNEQS/GzuU2HtfKhQK0/ojT4DW61AkOZn4SZzzYBz3iO4p
> a8Otv4+aHzyNjTZRm/33SrFzdG0RZWyT/WXsEHlv5NiXVMPML+oY918jppqClkoO
> pwjcneWTqgYrE4vvVOADKOlWyNa4jFmPQSW7MmNEaF4RMd8TMcE/cBTKOi41YuOp
> la1JzvtWUnou7oQqy/xKr0S/Wa2x6ZhR4vBg28fkfrQhn55N+qqDicQ3F907dOm5
> A0ERHKgImlWSGM+Sf2CJyrUJUNUye0bVQMhrM4e3psZ7Jr20IXjnhppr1mufCjTH
> H+aEHv43o/1HuoltnjstiBZ/CZpFdIXkBpsHtzteZR2y+pmZFA9bB4uZeeML0mj3
> /cxj8rgPRmcjk6nSsnLWhq2YEFAZBC/lv43wqSrXE9+BBpSh6zM5NCTPb50/dBqf
> V553uuGEvJlHmOAoveXxYyxKcGpgZAcgJjWpAkCpoVxgdrbtLcPY5Z+8cy8fMO3G
> YHOkZydbLPaXOXimZfut
> =NWuL
> -----END PGP SIGNATURE-----

--
Pawel Jakub Dawidek                       http://www.wheelsystems.com
FreeBSD committer                         http://www.FreeBSD.org
Am I Evil? Yes, I Am!                     http://mobter.com
From owner-freebsd-security@freebsd.org Thu Oct 27 11:26:21 2016
From: Dag-Erling Smørgrav
To: Mark Picone
Cc: "freebsd-security@freebsd.org"
Subject: Re: FreeBSD Security Advisory FreeBSD-SA-16:15.sysarch [REVISED]
Date: Thu, 27 Oct 2016 13:26:19 +0200
In-Reply-To: <9c684248eee34983aa5f890225ef65b6@exch15-f-1.du.deakin.edu.au> (Mark Picone's message of "Wed, 26 Oct 2016 04:49:20 +0000")
Message-ID: <868ttauj6s.fsf@desk.des.no>

Mark Picone writes:
> Since the security team have had the procedure of publishing security
> advisories for vulnerabilities once a fix available:
> https://www.freebsd.org/doc/handbook/security-advisories.html

Not for local denial of service.

DES
--
Dag-Erling Smørgrav - des@des.no