Date: Sat, 22 Jun 2002 00:29:49 -0500 (CDT)
From: Mike Silbersack <silby@silby.com>
To: arch@freebsd.org
Subject: Possibly change to bcopy.S to thwart (a very few) future exploits?
Message-ID: <20020622002329.G36900-200000@patrocles.silby.com>
--0-748845592-1024723586=:36900
Content-Type: TEXT/PLAIN; CHARSET=US-ASCII
Content-ID: <20020622002639.L36900@patrocles.silby.com>

Important Note: I have not actually tested this code on my machine; I'm too much of a wuss to risk messing up libc until someone else has double-checked the code, or I can figure out how to statically link a binary with a non-default libc.

That being said, the above is a quick change so that memcpy doesn't reload the length field from the stack during the middle of a copy. In theory, this should stop the OpenBSD exploit (which I'm sure will appear in a FreeBSD version shortly) from working. Granted, there's probably some other vector which could be used to exploit the bug, but this might make it just a bit harder.

Can anyone see any downsides to this change? It appears that performance should be unchanged, as we're removing one mem->reg copy and replacing it with two reg->reg copies.

Any thoughts? If this were some complex workaround, I wouldn't mention it. However, it's so simple that it seems worth the effort.
Mike "Silby" Silbersack

--0-748845592-1024723586=:36900
Content-Type: TEXT/PLAIN; CHARSET=US-ASCII; NAME="bcopy.S.patch"
Content-Transfer-Encoding: BASE64
Content-ID: <20020622002626.U36900@patrocles.silby.com>
Content-Disposition: ATTACHMENT; FILENAME="bcopy.S.patch"

(attachment bcopy.S.patch, decoded from BASE64)

--- bcopy.S.old	Sat Jun 22 00:15:41 2002
+++ bcopy.S	Sat Jun 22 00:17:13 2002
@@ -69,10 +69,11 @@
 	cmpl	%ecx,%eax	/* overlapping? */
 	jb	1f
 	cld			/* nope, copy forwards. */
+	movl	%ecx, %eax
 	shrl	$2,%ecx		/* copy by words */
 	rep
 	movsl
-	movl	20(%esp),%ecx
+	movl	%eax, %ecx
 	andl	$3,%ecx		/* any bytes left? */
 	rep
 	movsb
@@ -86,12 +87,13 @@
 	addl	%ecx,%edi	/* copy backwards. */
 	addl	%ecx,%esi
 	std
+	movl	%ecx, %eax
 	andl	$3,%ecx		/* any fractional bytes? */
 	decl	%edi
 	decl	%esi
 	rep
 	movsb
-	movl	20(%esp),%ecx	/* copy remainder by words */
+	movl	%eax, %ecx
 	shrl	$2,%ecx
 	subl	$3,%esi
 	subl	$3,%edi

--0-748845592-1024723586=:36900--

To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-arch" in the body of the message
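Review bot: in the first hunk (forward path), confirm %eax is really dead before using it to hold the length. Inside the hunk it is: %eax carried dst - src only for the `cmpl %ecx,%eax` overlap test, and nothing else reads it before `movl %ecx, %eax`. But the message says this file also builds memcpy, which returns the destination pointer in %eax under the i386 calling convention, and the `ret` after the `rep movsb` is outside the hunk; if %eax is the return register at that point, the patch silently changes memcpy's return value. Either restore the return value before `ret`, or keep the length in a register that is provably dead there (%edx, which the visible code never touches, would do). Minor: the file writes operands as `%ecx,%eax`; the added `movl %ecx, %eax` and `movl %eax, %ecx` should match that style.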
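Review bot: in the second hunk (backward path), the explanatory comment disappears with the removed line: `-	movl	20(%esp),%ecx	/* copy remainder by words */` is replaced by a bare `+	movl	%eax, %ecx`. Keep the comment on the new line, and say where %eax came from, e.g. `/* copy remainder by words; length saved in %eax above */`, because nothing near the instruction explains why the length is no longer taken from the frame. The placement of the save is right: `movl %ecx, %eax` sits before the `andl $3,%ecx` that first destroys the length, so the byte tail and the `shrl $2` word count are both derived from the value %ecx had on entry rather than from whatever the `rep movsb` may have written over 20(%esp). Same operand-spacing nit and same %eax-liveness question at the `ret` as in the forward path.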
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?20020622002329.G36900-200000>
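The mechanism the patch is aimed at, as an added simulation that is not part of the original message or of FreeBSD's bcopy.S: the backward-copy path of the i386 routine (the second hunk) is modeled in C over a fake stack array, once re-reading the length from its argument slot after the byte tail, as the old code does, and once using the value saved in a register, as the patched code does. The frame layout (FRAME, LEN_OFF), the attacker-supplied data and the "negative" length 0xffffffff are constructed for the demonstration and are assumptions of this example, not details taken from any real exploit. With the reload, a copy that would otherwise run off the stack is cut short by the bytes the copy itself writes over the length slot; with the register copy the requested length stands, so the same input faults instead of landing a bounded overwrite.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/*
 * Constructed model (not code from bcopy.S): a fake stack frame of FRAME
 * bytes; the copy length argument, which the assembly re-reads at 20(%esp),
 * occupies the 4 bytes at LEN_OFF.  Attacker data is a separate ATTACK_SIZE
 * byte array read backwards from its end, as the source of a backward copy is.
 */
#define FRAME       512u
#define LEN_OFF     300u
#define ATTACK_SIZE 512u

enum copy_mode {
    MODE_RELOAD_FROM_STACK, /* old code: movl 20(%esp),%ecx after the tail */
    MODE_KEEP_IN_REGISTER   /* patch: movl %ecx,%eax early, movl %eax,%ecx later */
};

struct copy_result {
    uint32_t bytes_written; /* bytes stored into the modeled frame */
    int      faulted;       /* 1 if a store or load left the modeled memory */
};

static uint32_t rd32(const uint8_t *p)
{
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) |
           ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

static void wr32(uint8_t *p, uint32_t v)
{
    p[0] = (uint8_t)v;         p[1] = (uint8_t)(v >> 8);
    p[2] = (uint8_t)(v >> 16); p[3] = (uint8_t)(v >> 24);
}

/*
 * Backward copy, the bcopy.S path taken when dst - src < n (unsigned), which a
 * "negative" n such as 0xffffffff always selects.  Instruction order follows
 * the second hunk: byte tail (n & 3) first, then the word count, taken either
 * from the stack slot or from the register copy depending on mode.
 */
struct copy_result sim_backward_copy(uint8_t *frame, uint32_t dst_off,
                                     const uint8_t *src, uint32_t n,
                                     enum copy_mode mode)
{
    struct copy_result r = { 0, 0 };
    uint32_t saved = n;                 /* the patch's movl %ecx,%eax */
    uint32_t di = dst_off + n;          /* addl %ecx,%edi; wraps mod 2^32 */
    uint32_t si = ATTACK_SIZE;          /* src + n, modeled as the end of the data */
    uint32_t tail, words;

    wr32(frame + LEN_OFF, n);           /* the caller's length argument on the stack */

    for (tail = n & 3; tail > 0; tail--) {      /* rep movsb with DF set */
        if (di == 0 || di > FRAME || si == 0) { r.faulted = 1; return r; }
        di--; si--;
        frame[di] = src[si];
        r.bytes_written++;
    }

    /* Old code re-reads the length here; the patched code uses the saved copy. */
    words = ((mode == MODE_RELOAD_FROM_STACK) ? rd32(frame + LEN_OFF) : saved) >> 2;

    for (; words > 0; words--) {                /* rep movsl with DF set */
        if (di < 4 || di > FRAME || si < 4) { r.faulted = 1; return r; }
        di -= 4; si -= 4;
        memcpy(frame + di, src + si, 4);
        r.bytes_written += 4;
    }
    return r;
}

/* Constructed attack: n = 0xffffffff and a destination 5 bytes above the
 * length slot, so the 3-byte tail lands on the slot's upper three bytes; the
 * data ends in three zero bytes, turning a re-read length into 0x000000ff. */
struct copy_result run_attack(enum copy_mode mode)
{
    uint8_t frame[FRAME], attack[ATTACK_SIZE];
    memset(frame, 0, sizeof frame);
    memset(attack, 'A', sizeof attack);
    attack[ATTACK_SIZE - 1] = attack[ATTACK_SIZE - 2] = attack[ATTACK_SIZE - 3] = 0;
    return sim_backward_copy(frame, LEN_OFF + 5, attack, 0xffffffffu, mode);
}

/* Ordinary 10-byte copy well away from the slot: both modes behave the same. */
struct copy_result run_benign(enum copy_mode mode)
{
    uint8_t frame[FRAME], data[ATTACK_SIZE];
    memset(frame, 0, sizeof frame);
    memset(data, 'B', sizeof data);
    return sim_backward_copy(frame, 100, data, 10, mode);
}

int main(void)
{
    struct copy_result a = run_attack(MODE_RELOAD_FROM_STACK);
    struct copy_result b = run_attack(MODE_KEEP_IN_REGISTER);
    printf("reload from stack: %u bytes, faulted=%d\n", (unsigned)a.bytes_written, a.faulted);
    printf("kept in register:  %u bytes, faulted=%d\n", (unsigned)b.bytes_written, b.faulted);
    return 0;
}
```

Run as is, the reload variant stores 3 tail bytes plus 63 words (255 bytes) and stops cleanly, because the three zero bytes it wrote over the slot shrank the re-read length to 0xff; the register variant keeps the original 0xffffffff, copies 75 words and then leaves the modeled frame, which is the crash a huge length produces on a real machine. The benign 10-byte case comes out identical in both modes, matching the message's claim that the change costs nothing for ordinary copies. The forward path of the first hunk re-reads only the byte-tail count (n & 3), so the lever there is at most three bytes, but the same register save removes it.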