From owner-freebsd-security@FreeBSD.ORG Fri Jan 28 11:07:37 2011
From: Daniel Zhelev
To: freebsd-security@freebsd.org
Date: Fri, 28 Jan 2011 12:39:24 +0200
Subject: Windows virus uploaded after ports update or compromised machine

Hello all,

Yesterday we've updated all ports on our FreeBSD 8.1-RELEASE server and
today this report came in from ClamAV:

Data scanned: 17602.46 MB
Data read: 67230.77 MB (ratio 0.26:1)
Time: 4528.782 sec (75 m 28 s)

-------------------------------------------------------------------------------

----------- SCAN SUMMARY -----------
Known viruses: 878062
Engine version: 0.96.5
Scanned directories: 251182
Scanned files: 1108908
Infected files: 0
Data scanned: 17471.19 MB
Data read: 67231.75 MB (ratio 0.26:1)
Time: 3727.463 sec (62 m 7 s)

-------------------------------------------------------------------------------

----------- SCAN SUMMARY -----------
Known viruses: 878135
Engine version: 0.96.5
Scanned directories: 120669
Scanned files: 587273
Infected files: 0
Data scanned: 14511.79 MB
Data read: 60574.53 MB (ratio 0.24:1)
Time: 25865.679 sec (431 m 5 s)

-------------------------------------------------------------------------------

/usr/local/share/doc/gettext/examples/build-aux/csharpexec-test.exe: Trojan.Gendal-7 FOUND
/jails/web.sgate.org/usr/local/share/doc/gettext/examples/build-aux/csharpexec-test.exe: Trojan.Gendal-7 FOUND
/jails/db.sgate.org/usr/local/share/doc/gettext/examples/build-aux/csharpexec-test.exe: Trojan.Gendal-7 FOUND
/jails/db.sgate.org/usr/local/share/cmake/Templates/CMakeVSMacros1.vsmacros: Trojan.Gendal-7 FOUND
/jails/db.sgate.org/usr/local/share/cmake/Templates/CMakeVSMacros2.vsmacros: Trojan.Gendal-7 FOUND
/jails/ftp.sgate.org/usr/local/share/doc/gettext/examples/build-aux/csharpexec-test.exe: Trojan.Gendal-7 FOUND
/jails/samba.sgate.org/usr/local/share/doc/gettext/examples/build-aux/csharpexec-test.exe: Trojan.Gendal-7 FOUND
/jails/backup.sgate.org/usr/local/share/doc/gettext/examples/build-aux/csharpexec-test.exe: Trojan.Gendal-7 FOUND

----------- SCAN SUMMARY -----------
Known viruses: 878215
Engine version: 0.96.5
Scanned directories: 251681
Scanned files: 1110831
Infected files: 8
Data scanned: 17561.01 MB
Data read: 64728.64 MB (ratio 0.27:1)
Time: 3368.233 sec (56 m 8 s)

[root@wolfdale ~]# ls -al /jails/backup.sgate.org/usr/local/share/doc/gettext/examples/build-aux/csharpexec-test.exe
-r--r--r--  1 root  wheel  2560 Oct 13 09:05 /jails/backup.sgate.org/usr/local/share/doc/gettext/examples/build-aux/csharpexec-test.exe

Our AIDE report is pretty useless in this situation since the database
was rebuilt after the update.
The machine, however, seems to be unaffected: there are no hidden processes,
strange open ports, new webpages on our web server, new accounts, etc.
Before we shoot this machine down for re-installation, could someone check
whether this is a port issue, since lately a lot of open-source projects
have been attacked?

P.S. There is no direct access to any of those jails or the machine itself
by a Windows host. The other recent activity was to change a hard drive on
the machine, so the host was down for 3 days before the update, and the last
AIDE report and ClamAV check were fine.
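The eight FOUND lines in the report above are, in substance, one gettext documentation file replicated into several jails plus two cmake templates, and the follow-up later in this thread shows the detection disappearing after a signature update. The script below is an added example, not code from this thread or from ClamAV: it parses clamscan output, hashes each flagged file so identical copies collapse into one object, and checks each distinct hash against a known-good manifest. The file contents, paths, the manifest dict and the "gettext" package label are all constructed here; on a real host the manifest would come from the package's recorded checksums. A hit whose content matches a package manifest is a signature question for the AV vendor; a hit with no provenance is the one worth keeping the machine offline for.

```python
"""Triage ClamAV hits by content hash and package provenance (added example)."""
import hashlib
import os
import re
import shutil
import tempfile
from collections import defaultdict

# clamscan prints one "<path>: <signature> FOUND" line per hit; the path
# may contain spaces, so match lazily up to the final ": <sig> FOUND".
FOUND_RE = re.compile(r"^(?P<path>.+?): (?P<sig>\S+) FOUND$")


def parse_clamscan(output):
    """Return [(path, signature), ...] for every FOUND line; summary lines are skipped."""
    hits = []
    for line in output.splitlines():
        m = FOUND_RE.match(line.rstrip())
        if m:
            hits.append((m.group("path"), m.group("sig")))
    return hits


def sha256_file(path):
    """Stream a file through SHA-256 and return the hex digest."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def triage(hits, known_good):
    """Group hits by SHA-256 and attach the package each hash belongs to.

    known_good maps sha256 hex digest -> package label. On a real host that
    table would be built from the package manifest / distinfo; here the
    caller constructs it.
    """
    groups = defaultdict(lambda: {"paths": [], "signatures": set()})
    for path, sig in hits:
        g = groups[sha256_file(path)]
        g["paths"].append(path)
        g["signatures"].add(sig)
    return {
        digest: {
            "paths": sorted(g["paths"]),
            "signatures": sorted(g["signatures"]),
            "package": known_good.get(digest),  # None = no known provenance
        }
        for digest, g in groups.items()
    }


def demo():
    """Constructed scan: one file copied into host + two jails, plus one stray file."""
    root = tempfile.mkdtemp()
    try:
        # Constructed stand-in for the gettext example binary the scan flagged.
        payload = b"MZ constructed stand-in for csharpexec-test.exe\n"
        rel = "usr/local/share/doc/gettext/examples/build-aux/csharpexec-test.exe"
        copies = [os.path.join(root, p, rel) for p in ("", "jails/web", "jails/db")]
        for p in copies:
            os.makedirs(os.path.dirname(p), exist_ok=True)
            with open(p, "wb") as f:
                f.write(payload)
        # A second flagged file that no package manifest accounts for.
        stray = os.path.join(root, "jails/samba/storage/unknown.exe")
        os.makedirs(os.path.dirname(stray), exist_ok=True)
        with open(stray, "wb") as f:
            f.write(b"MZ constructed file with no known provenance\n")

        scan_output = "".join(f"{p}: Trojan.Gendal-7 FOUND\n" for p in copies + [stray])
        scan_output += "\n----------- SCAN SUMMARY -----------\nInfected files: 4\n"
        # Constructed manifest: the only hash "known" is the gettext file's.
        known_good = {hashlib.sha256(payload).hexdigest(): "gettext"}
        return triage(parse_clamscan(scan_output), known_good)
    finally:
        shutil.rmtree(root, ignore_errors=True)


if __name__ == "__main__":
    for digest, info in demo().items():
        status = info["package"] or "NO PROVENANCE - investigate"
        print(f"{digest[:16]}  {status}  x{len(info['paths'])}  {info['signatures']}")
```

Grouping by hash rather than by path is the point: a jail host with N jails will show N copies of every package file, so the number of alarms says nothing about how many distinct objects were flagged, and a hash that matches the package's own checksum cannot have been modified on the box.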
From owner-freebsd-security@FreeBSD.ORG Fri Jan 28 11:25:00 2011
From: Daniel Zhelev
To: freebsd-security@freebsd.org
Date: Fri, 28 Jan 2011 13:24:57 +0200
Subject: Re: [FALSE ALARM] Windows virus uploaded after ports update or compromised machine

On Fri, Jan 28, 2011 at 12:39 PM, Daniel Zhelev wrote:
> Hello all,
>
> Yesterday we've updated all ports on our FreeBSD 8.1-RELEASE server and
> today this report came in from ClamAV
>
> Data scanned: 17602.46 MB
> Data read: 67230.77 MB (ratio 0.26:1)
> Time: 4528.782 sec (75 m 28 s)
>
> -------------------------------------------------------------------------------
>
> ----------- SCAN SUMMARY -----------
> Known viruses: 878062
> Engine version: 0.96.5
> Scanned directories: 251182
> Scanned files: 1108908
> Infected files: 0
> Data scanned: 17471.19 MB
> Data read: 67231.75 MB (ratio 0.26:1)
> Time: 3727.463 sec (62 m 7 s)
>
> -------------------------------------------------------------------------------
>
> ----------- SCAN SUMMARY -----------
> Known viruses: 878135
> Engine version: 0.96.5
> Scanned directories: 120669
> Scanned files: 587273
> Infected files: 0
> Data scanned: 14511.79 MB
> Data read: 60574.53 MB (ratio 0.24:1)
> Time: 25865.679 sec (431 m 5 s)
>
> -------------------------------------------------------------------------------
>
> /usr/local/share/doc/gettext/examples/build-aux/csharpexec-test.exe: Trojan.Gendal-7 FOUND
> /jails/web.sgate.org/usr/local/share/doc/gettext/examples/build-aux/csharpexec-test.exe: Trojan.Gendal-7 FOUND
> /jails/db.sgate.org/usr/local/share/doc/gettext/examples/build-aux/csharpexec-test.exe: Trojan.Gendal-7 FOUND
> /jails/db.sgate.org/usr/local/share/cmake/Templates/CMakeVSMacros1.vsmacros: Trojan.Gendal-7 FOUND
> /jails/db.sgate.org/usr/local/share/cmake/Templates/CMakeVSMacros2.vsmacros: Trojan.Gendal-7 FOUND
> /jails/ftp.sgate.org/usr/local/share/doc/gettext/examples/build-aux/csharpexec-test.exe: Trojan.Gendal-7 FOUND
> /jails/samba.sgate.org/usr/local/share/doc/gettext/examples/build-aux/csharpexec-test.exe: Trojan.Gendal-7 FOUND
> /jails/backup.sgate.org/usr/local/share/doc/gettext/examples/build-aux/csharpexec-test.exe: Trojan.Gendal-7 FOUND
>
> ----------- SCAN SUMMARY -----------
> Known viruses: 878215
> Engine version: 0.96.5
> Scanned directories: 251681
> Scanned files: 1110831
> Infected files: 8
> Data scanned: 17561.01 MB
> Data read: 64728.64 MB (ratio 0.27:1)
> Time: 3368.233 sec (56 m 8 s)
>
> [root@wolfdale ~]# ls -al /jails/backup.sgate.org/usr/local/share/doc/gettext/examples/build-aux/csharpexec-test.exe
> -r--r--r--  1 root  wheel  2560 Oct 13 09:05 /jails/backup.sgate.org/usr/local/share/doc/gettext/examples/build-aux/csharpexec-test.exe
>
> Our AIDE report is pretty useless in this situation since the database
> was rebuilt after the update.
> The machine, however, seems to be unaffected: there are no hidden processes,
> strange open ports, new webpages on our web server, new accounts, etc.
> Before we shoot this machine down for re-installation, could someone check
> whether this is a port issue, since lately a lot of open-source projects
> have been attacked?
>
> P.S. There is no direct access to any of those jails or the machine itself
> by a Windows host. The other recent activity was to change a hard drive on
> the machine, so the host was down for 3 days before the update, and the last
> AIDE report and ClamAV check were fine.

UPDATE: Big fun, it was a ClamAV issue. I checked gettext versions up to 0.17
with McAfee and MSA - no viruses found; however, with ClamAV:

[root@wolfdale ~]# /usr/local/bin/clamscan -r /jails/samba.sgate.org/storage/csharpexec-test\ \(2\).exe --infected
/jails/samba.sgate.org/storage/csharpexec-test (2).exe: Trojan.Gendal-7 FOUND

----------- SCAN SUMMARY -----------
Known viruses: 878215
Engine version: 0.96.5
Scanned directories: 0
Scanned files: 1
Infected files: 1
Data scanned: 0.00 MB
Data read: 0.00 MB (ratio 0.00:1)
Time: 2.642 sec (0 m 2 s)

This is the file downloaded from http://ftp.gnu.org/gnu/gettext/ . Same for
the older versions.

Then I did:

[root@wolfdale ~]# freshclam
ClamAV update process started at Fri Jan 28 13:17:58 2011
main.cld is up to date (version: 53, sigs: 846214, f-level: 53, builder: sven)
Downloading daily-12579.cdiff [100%]
Downloading daily-12580.cdiff [100%]
Downloading daily-12581.cdiff [100%]
daily.cld updated (version: 12581, sigs: 33248, f-level: 58, builder: mcichosz)
bytecode.cld is up to date (version: 123, sigs: 29, f-level: 58, builder: edwin)
Database updated (879491 signatures) from database.clamav.net (IP: 193.92.150.194)
[root@wolfdale ~]# /usr/local/bin/clamscan -r /jails/samba.sgate.org/storage/csharpexec-test\ \(2\).exe --infected

----------- SCAN SUMMARY -----------
Known viruses: 878234
Engine version: 0.96.5
Scanned directories: 0
Scanned files: 1
Infected files: 0
Data scanned: 0.00 MB
Data read: 0.00 MB (ratio 0.00:1)
Time: 2.605 sec (0 m 2 s)
[root@wolfdale ~]#

And, miracle, the virus was gone.

Sorry for bothering you :)

From owner-freebsd-security@FreeBSD.ORG Fri Jan 28 14:47:21 2011
Message-ID: <4D42D2B2.4030806@tomjudge.com>
Date: Fri, 28 Jan 2011 08:29:06 -0600
From: Tom Judge
To: freebsd-security@freebsd.org
Subject: Recent full disclosure post - Local DOS

Has anyone looked at this:

[Full-disclosure] FreeBSD local denial of service - forced reboot

http://lists.grok.org.uk/pipermail/full-disclosure/2011-January/078836.html

Tom

-- 
TJU13-ARIN

From owner-freebsd-security@FreeBSD.ORG Fri Jan 28 16:05:24 2011
Date: Fri, 28 Jan 2011 16:36:02 +0100
From: Fabian Keil
To: freebsd-security@freebsd.org
Message-ID: <20110128163602.0c7463af@r500.local>
In-Reply-To: <4D42D2B2.4030806@tomjudge.com>
References: <4D42D2B2.4030806@tomjudge.com>
Subject: Re: Recent full disclosure post - Local DOS

Tom Judge wrote:

> Has anyone looked at this:
>
> [Full-disclosure] FreeBSD local denial of service - forced reboot
>
> http://lists.grok.org.uk/pipermail/full-disclosure/2011-January/078836.html

I don't have an 8.0-RELEASE with a "specific network driver" around for
testing, but at least on 9.0-CURRENT amd64 with iwn and bge it doesn't
seem to work:

fk@r500 ~/test/freebsd $./freebsd-crash
SUCCESS!
SUCCESS!
SUCCESS!
fk@r500 ~/test/freebsd $sudo ./freebsd-crash
Password:
SUCCESS!
SUCCESS!
SUCCESS!

Fabian

From owner-freebsd-security@FreeBSD.ORG Fri Jan 28 16:09:02 2011
Message-ID: <4D42EA05.2070707@tomjudge.com>
Date: Fri, 28 Jan 2011 10:08:37 -0600
From: Tom Judge
To: freebsd-security@freebsd.org
References: <4D42D2B2.4030806@tomjudge.com>
In-Reply-To: <4D42D2B2.4030806@tomjudge.com>
Subject: Re: Recent full disclosure post - Local DOS

On 01/28/2011 08:29 AM, Tom Judge wrote:
>
> Has anyone looked at this:
>
> [Full-disclosure] FreeBSD local denial of service - forced reboot
>
> http://lists.grok.org.uk/pipermail/full-disclosure/2011-January/078836.html
>

I have done some simple tests on ESXi 4.1.0, 260247.

releng/8.1 - i386 - Not repeatable.

releng/8.2-RC1 - amd64 - Not repeatable.

current 9.0-CURRENT-201011 - i386 - Repeatable:

Unread portion of the kernel message buffer:
panic: tcp_output: mbuf chain shorter than expected
cpuid = 0
KDB: enter: panic
Physical memory: 239 MB
Dumping 99 MB: 84 68 52 36 20 4

(kgdb) bt
#0  doadump () at pcpu.h:231
#1  0xc04d5809 in db_fncall (dummy1=1, dummy2=0, dummy3=-1057111072,
    dummy4=0xcd0cc78c "") at /usr/src/sys/ddb/db_command.c:548
#2  0xc04d5c01 in db_command (last_cmdp=0xc0e0e27c, cmd_table=0x0,
    dopager=1) at /usr/src/sys/ddb/db_command.c:445
#3  0xc04d5d5a in db_command_loop () at /usr/src/sys/ddb/db_command.c:498
#4  0xc04d7c7d in db_trap (type=3, code=0) at /usr/src/sys/ddb/db_main.c:229
#5  0xc08ee99e in kdb_trap (type=3, code=0, tf=0xcd0cc930) at
    /usr/src/sys/kern/subr_kdb.c:546
#6  0xc0bfcf5b in trap (frame=0xcd0cc930) at
    /usr/src/sys/i386/i386/trap.c:732
#7  0xc0be5e8c in calltrap () at /usr/src/sys/i386/i386/exception.s:168
#8  0xc08eeb6a in kdb_enter (why=0xc0cddbdf "panic", msg=0xc0cddbdf
    "panic") at cpufunc.h:71
#9  0xc08bba04 in panic (fmt=0xc0cfb014 "%s: mbuf chain shorter than
    expected") at /usr/src/sys/kern/kern_shutdown.c:574
#10 0xc0a3ecc6 in tcp_output (tp=0xc2789768) at
    /usr/src/sys/netinet/tcp_output.c:1084
#11 0xc0a4a309 in tcp_ctloutput (so=0xc3a179a8, sopt=0xcd0ccc0c) at
    /usr/src/sys/netinet/tcp_usrreq.c:1328
#12 0xc092742d in sosetopt (so=0xc3a179a8, sopt=0xcd0ccc0c) at
    /usr/src/sys/kern/uipc_socket.c:2396
#13 0xc092ec95 in kern_setsockopt (td=0xc33b1b40, s=4, level=6, name=4,
    val=0xbfbfdacc, valseg=UIO_USERSPACE, valsize=4) at
    /usr/src/sys/kern/uipc_syscalls.c:1335
#14 0xc092ed1e in setsockopt (td=0xc33b1b40, uap=0xcd0cccec) at
    /usr/src/sys/kern/uipc_syscalls.c:1290
#15 0xc08fc103 in syscallenter (td=0xc33b1b40, sa=0xcd0ccce4) at
    /usr/src/sys/kern/subr_trap.c:318
#16 0xc0bfc804 in syscall (frame=0xcd0ccd28) at
    /usr/src/sys/i386/i386/trap.c:1095
#17 0xc0be5ef1 in Xint0x80_syscall () at /usr/src/sys/i386/i386/exception.s:266
#18 0x00000033 in ?? ()
Previous frame inner to this frame (corrupt stack?)
(kgdb)

Non-ESXi armv5te IOP 80321 current -r216409 - Not repeatable.

I am in the process of building a more up-to-date current to do another test.

Tom

-- 
TJU13-ARIN

From owner-freebsd-security@FreeBSD.ORG Fri Jan 28 17:09:58 2011
From: John Baldwin
To: freebsd-security@freebsd.org
Cc: Tom Judge
Date: Fri, 28 Jan 2011 12:09:50 -0500
Message-Id: <201101281209.51046.john@baldwin.cx>
References: <4D42D2B2.4030806@tomjudge.com> <4D42EA05.2070707@tomjudge.com>
In-Reply-To: <4D42EA05.2070707@tomjudge.com>
Subject: Re: Recent full disclosure post - Local DOS

On Friday, January 28, 2011 11:08:37 am Tom Judge wrote:
> On 01/28/2011 08:29 AM, Tom Judge wrote:
> >
> > Has anyone looked at this:
> >
> > [Full-disclosure] FreeBSD local denial of service - forced reboot
> >
> > http://lists.grok.org.uk/pipermail/full-disclosure/2011-January/078836.html
> >
>
> I have done some simple tests on ESXi 4.1.0, 260247.
>
> releng/8.1 - i386 - Not repeatable.
>
> releng/8.2-RC1 - amd64 - Not repeatable.
>
> current 9.0-CURRENT-201011 - i386 - Repeatable:
>
> Unread portion of the kernel message buffer:
> panic: tcp_output: mbuf chain shorter than expected
> cpuid = 0
> KDB: enter: panic
> Physical memory: 239 MB
> Dumping 99 MB: 84 68 52 36 20 4
>
> (kgdb) bt
> #0  doadump () at pcpu.h:231
> #1  0xc04d5809 in db_fncall (dummy1=1, dummy2=0, dummy3=-1057111072,
>     dummy4=0xcd0cc78c "") at /usr/src/sys/ddb/db_command.c:548
> #2  0xc04d5c01 in db_command (last_cmdp=0xc0e0e27c, cmd_table=0x0,
>     dopager=1) at /usr/src/sys/ddb/db_command.c:445
> #3  0xc04d5d5a in db_command_loop () at /usr/src/sys/ddb/db_command.c:498
> #4  0xc04d7c7d in db_trap (type=3, code=0) at /usr/src/sys/ddb/db_main.c:229
> #5  0xc08ee99e in kdb_trap (type=3, code=0, tf=0xcd0cc930) at
>     /usr/src/sys/kern/subr_kdb.c:546
> #6  0xc0bfcf5b in trap (frame=0xcd0cc930) at
>     /usr/src/sys/i386/i386/trap.c:732
> #7  0xc0be5e8c in calltrap () at /usr/src/sys/i386/i386/exception.s:168
> #8  0xc08eeb6a in kdb_enter (why=0xc0cddbdf "panic", msg=0xc0cddbdf
>     "panic") at cpufunc.h:71
> #9  0xc08bba04 in panic (fmt=0xc0cfb014 "%s: mbuf chain shorter than
>     expected") at /usr/src/sys/kern/kern_shutdown.c:574
> #10 0xc0a3ecc6 in tcp_output (tp=0xc2789768) at
>     /usr/src/sys/netinet/tcp_output.c:1084
> #11 0xc0a4a309 in tcp_ctloutput (so=0xc3a179a8, sopt=0xcd0ccc0c) at
>     /usr/src/sys/netinet/tcp_usrreq.c:1328
> #12 0xc092742d in sosetopt (so=0xc3a179a8, sopt=0xcd0ccc0c) at
>     /usr/src/sys/kern/uipc_socket.c:2396
> #13 0xc092ec95 in kern_setsockopt (td=0xc33b1b40, s=4, level=6, name=4,
>     val=0xbfbfdacc, valseg=UIO_USERSPACE, valsize=4) at

This is an IPPROTO_TCP, TCP_NOPUSH with an optval of 0.

Can you try making a far simpler program that just does:

#include <sys/socket.h>
#include <netinet/in.h>
#include <netinet/tcp.h>
#include <err.h>
int main(void)
{
	int optval, s;

	s = socket(PF_INET, SOCK_STREAM, 0);
	if (s < 0)
		err(1, "socket");
	optval = 0;
	if (setsockopt(s, IPPROTO_TCP, TCP_NOPUSH, &optval, sizeof(optval)) < 0)
		err(1, "setsockopt");
	return (0);
}

and see if that breaks?

-- 
John Baldwin

From owner-freebsd-security@FreeBSD.ORG Fri Jan 28 17:38:49 2011
Message-ID: <4D42FF0E.9030407@tomjudge.com>
Date: Fri, 28 Jan 2011 11:38:22 -0600
From: Tom Judge
To: John Baldwin
Cc: freebsd-security@freebsd.org
References: <4D42D2B2.4030806@tomjudge.com> <4D42EA05.2070707@tomjudge.com> <201101281209.51046.john@baldwin.cx>
In-Reply-To: <201101281209.51046.john@baldwin.cx>
Subject: Re: Recent full disclosure post - Local DOS

On 01/28/2011 11:09 AM, John Baldwin wrote:
> On Friday, January 28, 2011 11:08:37 am Tom Judge wrote:
>> On 01/28/2011 08:29 AM, Tom Judge wrote:
>>>
>>> Has anyone looked at this:
>>>
>>> [Full-disclosure] FreeBSD local denial of service - forced reboot
>>>
>>> http://lists.grok.org.uk/pipermail/full-disclosure/2011-January/078836.html
>>>
>>
>> I have done some simple tests on ESXi 4.1.0, 260247.
>>
>> releng/8.1 - i386 - Not repeatable.
>>
>> releng/8.2-RC1 - amd64 - Not repeatable.
>>
>> current 9.0-CURRENT-201011 - i386 - Repeatable:
>>
>> Unread portion of the kernel message buffer:
>> panic: tcp_output: mbuf chain shorter than expected
>> cpuid = 0
>> KDB: enter: panic
>> Physical memory: 239 MB
>> Dumping 99 MB: 84 68 52 36 20 4
>>
>> (kgdb) bt
>> #0  doadump () at pcpu.h:231
>> #1  0xc04d5809 in db_fncall (dummy1=1, dummy2=0, dummy3=-1057111072,
>>     dummy4=0xcd0cc78c "") at /usr/src/sys/ddb/db_command.c:548
>> #2  0xc04d5c01 in db_command (last_cmdp=0xc0e0e27c, cmd_table=0x0,
>>     dopager=1) at /usr/src/sys/ddb/db_command.c:445
>> #3  0xc04d5d5a in db_command_loop () at /usr/src/sys/ddb/db_command.c:498
>> #4  0xc04d7c7d in db_trap (type=3, code=0) at /usr/src/sys/ddb/db_main.c:229
>> #5  0xc08ee99e in kdb_trap (type=3, code=0, tf=0xcd0cc930) at
>>     /usr/src/sys/kern/subr_kdb.c:546
>> #6  0xc0bfcf5b in trap (frame=0xcd0cc930) at
>>     /usr/src/sys/i386/i386/trap.c:732
>> #7  0xc0be5e8c in calltrap () at /usr/src/sys/i386/i386/exception.s:168
>> #8  0xc08eeb6a in kdb_enter (why=0xc0cddbdf "panic", msg=0xc0cddbdf
>>     "panic") at cpufunc.h:71
>> #9  0xc08bba04 in panic (fmt=0xc0cfb014 "%s: mbuf chain shorter than
>>     expected") at /usr/src/sys/kern/kern_shutdown.c:574
>> #10 0xc0a3ecc6 in tcp_output (tp=0xc2789768) at
>>     /usr/src/sys/netinet/tcp_output.c:1084
>> #11 0xc0a4a309 in tcp_ctloutput (so=0xc3a179a8, sopt=0xcd0ccc0c) at
>>     /usr/src/sys/netinet/tcp_usrreq.c:1328
>> #12 0xc092742d in sosetopt (so=0xc3a179a8, sopt=0xcd0ccc0c) at
>>     /usr/src/sys/kern/uipc_socket.c:2396
>> #13 0xc092ec95 in kern_setsockopt (td=0xc33b1b40, s=4, level=6, name=4,
>>     val=0xbfbfdacc, valseg=UIO_USERSPACE, valsize=4) at
>
> This is an IPPROTO_TCP, TCP_NOPUSH with an optval of 0.
>
> Can you try making a far simpler program that just does:
>
> int optval, s;
>
> s = socket(PF_INET, SOCK_STREAM, 0);
> if (s < 0)
>         err(1, "socket");
> optval = 0;
> if (setsockopt(s, IPPROTO_TCP, TCP_NOPUSH, &optval, sizeof(optval)) < 0)
>         err(1, "setsockopt");
>
> and see if that breaks?
>

Hi John,

I can't repeat this with the code you sent. I tried this in a while (1)
loop and had 4 instances running without issue.

Tom

-- 
TJU13-ARIN

From owner-freebsd-security@FreeBSD.ORG Fri Jan 28 19:27:33 2011
From: John Baldwin To: freebsd-security@freebsd.org Date: Fri, 28 Jan 2011 14:27:18 -0500 User-Agent: KMail/1.13.5 (FreeBSD/7.4-CBSD-20110107; KDE/4.4.5; amd64; ; ) References: <4D42D2B2.4030806@tomjudge.com> <201101281209.51046.john@baldwin.cx> <4D42FF0E.9030407@tomjudge.com> In-Reply-To: <4D42FF0E.9030407@tomjudge.com> MIME-Version: 1.0 Content-Type: Text/Plain; charset="iso-8859-1" Content-Transfer-Encoding: 7bit Message-Id: <201101281427.19212.jhb@freebsd.org> X-Greylist: Sender succeeded SMTP AUTH, not delayed by milter-greylist-4.2.6 (bigwig.baldwin.cx); Fri, 28 Jan 2011 14:27:31 -0500 (EST) X-Virus-Scanned: clamav-milter 0.96.3 at bigwig.baldwin.cx X-Virus-Status: Clean X-Spam-Status: No, score=-1.9 required=4.2 tests=BAYES_00,T_FRT_STOCK2 autolearn=ham version=3.3.1 X-Spam-Checker-Version: SpamAssassin 3.3.1 (2010-03-16) on bigwig.baldwin.cx Cc: Tom Judge , Lawrence Stewart , Bjoern Zeeb Subject: Re: Recent full disclosure post - Local DOS X-BeenThere: freebsd-security@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: "Security issues \[members-only posting\]" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Fri, 28 Jan 2011 19:27:33 -0000 On Friday, January 28, 2011 12:38:22 pm Tom Judge wrote: > On 01/28/2011 11:09 AM, John Baldwin wrote: > > On Friday, January 28, 2011 11:08:37 am Tom Judge wrote: > >> On 01/28/2011 08:29 AM, Tom Judge wrote: > >>> > >>> Has anyone looked at this: > >>> > >>> [Full-disclosure] FreeBSD local denial of service - forced reboot > >>> > >>> http://lists.grok.org.uk/pipermail/full-disclosure/2011- > > January/078836.html > >>> > >> > >> I have done some simple tests on ESXi 4.1.0, 260247. > >> > >> releng/8.1 - i386 - Not repeatable. > >> > >> releng/8.2-RC1 - amd64 - Not repeatable. 
> >> > >> > >> current 9.0-CURRENT-201011 - i386 - Repeatable: > >> > >> Unread portion of the kernel message buffer: > >> panic: tcp_output: mbuf chain shorter than expected > >> cpuid = 0 > >> KDB: enter: panic > >> Physical memory: 239 MB > >> Dumping 99 MB: 84 68 52 36 20 4 > >> > >> > >> (kgdb) bt > >> #0 doadump () at pcpu.h:231 > >> #1 0xc04d5809 in db_fncall (dummy1=1, dummy2=0, dummy3=-1057111072, > >> dummy4=0xcd0cc78c "") at /usr/src/sys/ddb/db_command.c:548 > >> #2 0xc04d5c01 in db_command (last_cmdp=0xc0e0e27c, cmd_table=0x0, > >> dopager=1) at /usr/src/sys/ddb/db_command.c:445 > >> #3 0xc04d5d5a in db_command_loop () at /usr/src/sys/ddb/db_command.c:498 > >> #4 0xc04d7c7d in db_trap (type=3, code=0) at /usr/src/sys/ddb/db_main.c:229 > >> #5 0xc08ee99e in kdb_trap (type=3, code=0, tf=0xcd0cc930) at > >> /usr/src/sys/kern/subr_kdb.c:546 > >> #6 0xc0bfcf5b in trap (frame=0xcd0cc930) at > >> /usr/src/sys/i386/i386/trap.c:732 > >> #7 0xc0be5e8c in calltrap () at /usr/src/sys/i386/i386/exception.s:168 > >> #8 0xc08eeb6a in kdb_enter (why=0xc0cddbdf "panic", msg=0xc0cddbdf > >> "panic") at cpufunc.h:71 > >> #9 0xc08bba04 in panic (fmt=0xc0cfb014 "%s: mbuf chain shorter than > >> expected") at /usr/src/sys/kern/kern_shutdown.c:574 > >> #10 0xc0a3ecc6 in tcp_output (tp=0xc2789768) at > >> /usr/src/sys/netinet/tcp_output.c:1084 > >> #11 0xc0a4a309 in tcp_ctloutput (so=0xc3a179a8, sopt=0xcd0ccc0c) at > >> /usr/src/sys/netinet/tcp_usrreq.c:1328 > >> #12 0xc092742d in sosetopt (so=0xc3a179a8, sopt=0xcd0ccc0c) at > >> /usr/src/sys/kern/uipc_socket.c:2396 > >> #13 0xc092ec95 in kern_setsockopt (td=0xc33b1b40, s=4, level=6, name=4, > >> val=0xbfbfdacc, valseg=UIO_USERSPACE, valsize=4) at > > > > This is an IPPROTO_TCP, TCP_NOPUSH with an optval of 0. 
> >
> > Can you try making a far simpler program that just does:
> >
> > int optval, s;
> >
> > s = socket(PF_INET, SOCK_STREAM, 0);
> > if (s < 0)
> >         err(1, "socket");
> > optval = 0;
> > if (setsockopt(s, IPPROTO_TCP, TCP_NOPUSH, &optval, sizeof(optval)) < 0)
> >         err(1, "setsockopt");
> >
> > and see if that breaks?
> >
>
> Hi John,
>
> I can't repeat this with the code you sent. I tried this in a while (1)
> loop and had 4 instances running without issue.

Humm. That is the only setsockopt for TCP that can trigger a call to tcp_output(). I have a possible fix, I'm just not sure if it is completely correct:

Index: tcp_usrreq.c
===================================================================
--- tcp_usrreq.c (revision 218018)
+++ tcp_usrreq.c (working copy)
@@ -1330,7 +1330,8 @@ tcp_ctloutput(struct socket *so, struct sockopt *s tp->t_flags |= TF_NOPUSH; else { tp->t_flags &= ~TF_NOPUSH; - error = tcp_output(tp); + if (TCPS_HAVEESTABLISHED(tp->t_state)) + error = tcp_output(tp); } INP_WUNLOCK(inp); break;

-- 
John Baldwin
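Review bot: the else branch still clears TF_NOPUSH and, on an established socket, calls tcp_output() even when the flag was never set, which is the default state, so a bare setsockopt(TCP_NOPUSH, 0) on an idle connection pays for an output pass with nothing to send; test `tp->t_flags & TF_NOPUSH` before clearing it and nest the new `if (TCPS_HAVEESTABLISHED(tp->t_state))` inside that check. The new guard also deserves a one-line comment saying why skipping the call is safe: a socket that has not completed its handshake has no established flow to push to, and tcp_output() runs again once it does, whereas as written the condition reads as an unexplained narrowing. Finally, the hunk stops tcp_ctloutput from reaching the "mbuf chain shorter than expected" panic in the backtrace above without saying how a pre-established socket got tcp_output() into that state, so the commit message should state whether the underlying tcp_output() assumption is being addressed separately.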

Message-ID: <4D431498.8090105@gmail.com>
Date: Fri, 28 Jan 2011 21:10:16 +0200
From: Manolis Kiagias
User-Agent: Mozilla/5.0 (X11; U; Linux x86_64; en-US; rv:1.9.1.16) Gecko/20101226 Icedove/3.0.11
To: freebsd-security@freebsd.org
References: <4D42D2B2.4030806@tomjudge.com> <4D42EA05.2070707@tomjudge.com> <201101281209.51046.john@baldwin.cx> <4D42FF0E.9030407@tomjudge.com>
In-Reply-To: <4D42FF0E.9030407@tomjudge.com>
Subject: Re: Recent full disclosure post - Local DOS

On 01/28/2011 07:38 PM, Tom Judge wrote:
>
>> This is an IPPROTO_TCP, TCP_NOPUSH with an optval of 0.
>>
>> Can you try making a far simpler program that just does:
>>
>> int optval, s;
>>
>> s = socket(PF_INET, SOCK_STREAM, 0);
>> if (s < 0)
>>         err(1, "socket");
>> optval = 0;
>> if (setsockopt(s, IPPROTO_TCP, TCP_NOPUSH, &optval, sizeof(optval)) < 0)
>>         err(1, "setsockopt");
>>
>> and see if that breaks?
>>
>>
> Hi John,
>
> I can't repeat this with the code you sent. I tried this in a while (1)
> loop and had 4 instances running without issue.
>
> Tom
>
>

FWIW, I can't crash 7.4-RC2 (i386) and 8.2-RC2 (amd64) with either the original or John's code. Tried both as user and root.
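The test program quoted above, expanded as an added example (not code from the thread or from FreeBSD): it runs the TCP_NOPUSH set-then-clear on an unconnected socket, the case the quoted program covers, and again on an established loopback connection with data queued, so that both connection states separated by the TCPS_HAVEESTABLISHED guard in John's patch are exercised. It assumes a POSIX sockets API; Linux has no TCP_NOPUSH, so the code substitutes TCP_CORK there, marked as an assumption in the comments. On the affected -CURRENT kernel the thread reports a panic rather than an error return, so run it only on a machine you are prepared to reboot.

```c
/*
 * Added example, not code from the thread or from FreeBSD: exercise the
 * TCP_NOPUSH set-then-clear the thread is testing, once on an
 * unconnected socket and once on an established loopback connection
 * with data queued, the two states the TCPS_HAVEESTABLISHED guard
 * distinguishes.  Assumes a POSIX sockets API; Linux has no TCP_NOPUSH,
 * so TCP_CORK, its nearest equivalent, stands in there (assumption).
 */
#include <arpa/inet.h>
#include <netinet/in.h>
#include <netinet/tcp.h>
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>
#include <unistd.h>

#ifndef TCP_NOPUSH
#define TCP_NOPUSH TCP_CORK     /* assumption: Linux stand-in for TCP_NOPUSH */
#endif

/* Set TCP_NOPUSH on, then off.  Clearing it is the branch that reaches
 * tcp_output() in the kernel code under discussion.  Returns 0 when
 * both calls succeed, -1 otherwise. */
static int nopush_on_off(int s)
{
    int on = 1, off = 0;

    if (setsockopt(s, IPPROTO_TCP, TCP_NOPUSH, &on, sizeof(on)) < 0)
        return -1;
    if (setsockopt(s, IPPROTO_TCP, TCP_NOPUSH, &off, sizeof(off)) < 0)
        return -1;
    return 0;
}

/* Case 1: a fresh socket with no connection, as in the quoted test. */
int nopush_unconnected(void)
{
    int s, rc;

    if ((s = socket(PF_INET, SOCK_STREAM, 0)) < 0)
        return -1;
    rc = nopush_on_off(s);
    close(s);
    return rc;
}

/* Case 2: an established loopback connection.  Data is written while
 * TCP_NOPUSH is set, so clearing it gives tcp_output() something to
 * push. */
int nopush_established(void)
{
    struct sockaddr_in sin;
    socklen_t len = sizeof(sin);
    int l = -1, c = -1, a = -1, on = 1, off = 0, rc = -1;

    memset(&sin, 0, sizeof(sin));
    sin.sin_family = AF_INET;
    sin.sin_addr.s_addr = htonl(INADDR_LOOPBACK);
    sin.sin_port = 0;                       /* let the kernel pick a port */

    if ((l = socket(PF_INET, SOCK_STREAM, 0)) < 0)
        return -1;
    if (bind(l, (struct sockaddr *)&sin, sizeof(sin)) < 0 ||
        listen(l, 1) < 0 ||
        getsockname(l, (struct sockaddr *)&sin, &len) < 0)
        goto out;
    if ((c = socket(PF_INET, SOCK_STREAM, 0)) < 0)
        goto out;
    if (connect(c, (struct sockaddr *)&sin, sizeof(sin)) < 0 ||
        (a = accept(l, NULL, NULL)) < 0)
        goto out;

    if (setsockopt(c, IPPROTO_TCP, TCP_NOPUSH, &on, sizeof(on)) == 0 &&
        write(c, "ping", 4) == 4 &&
        setsockopt(c, IPPROTO_TCP, TCP_NOPUSH, &off, sizeof(off)) == 0)
        rc = 0;
out:
    if (a >= 0)
        close(a);
    if (c >= 0)
        close(c);
    close(l);
    return rc;
}

int main(void)
{
    printf("unconnected: %s\n", nopush_unconnected() == 0 ? "ok" : "failed");
    printf("established: %s\n", nopush_established() == 0 ? "ok" : "failed");
    return 0;
}
```

Both functions return 0 when the two setsockopt calls succeed, so on a kernel that is not affected the program prints "ok" twice; the unconnected case is the one the thread's participants looped over, and the established case is the one the proposed guard still lets through to tcp_output().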

Date: Fri, 28 Jan 2011 18:30:32 -0600
From: Christian Peron
To: John Baldwin
Message-ID: <20110129003032.GA16316@movsx>
References: <4D42D2B2.4030806@tomjudge.com> <201101281209.51046.john@baldwin.cx> <4D42FF0E.9030407@tomjudge.com> <201101281427.19212.jhb@freebsd.org>
In-Reply-To: <201101281427.19212.jhb@freebsd.org>
User-Agent: Mutt/1.4.2.3i
Cc: Tom Judge, freebsd-security@freebsd.org, Bjoern Zeeb, Lawrence Stewart
Subject: Re: Recent full disclosure post - Local DOS

On Fri, Jan 28, 2011 at 02:27:18PM -0500, John Baldwin wrote:
[..]
> ===================================================================
> --- tcp_usrreq.c (revision 218018)
> +++ tcp_usrreq.c (working copy)
> @@ -1330,7 +1330,8 @@ tcp_ctloutput(struct socket *so, struct sockopt *s > tp->t_flags |= TF_NOPUSH; > else { > tp->t_flags &= ~TF_NOPUSH; > - error = tcp_output(tp); > + if (TCPS_HAVEESTABLISHED(tp->t_state)) > + error = tcp_output(tp); > } > INP_WUNLOCK(inp); > break;

I was thinking of correcting it the same way.. I might even do something like:

        else {
                if (tp->t_flags & TF_NOPUSH) {
                        tp->t_flags &= ~TF_NOPUSH;
                        if (TCPS_HAVEESTABLISHED(tp->t_state))
                                error = tcp_output(tp);
                }
        }

By default, this mask is not set.. so un-setting it and calling tcp_output() if it was not already set seems wasteful.

-- 
() ascii ribbon campaign - against html e-mail
/\ www.asciiribbon.org - against proprietary attachments

From: David Magda
Date: Sat, 29 Jan 2011 13:26:23 -0500
To: freebsd-security@freebsd.org
X-Mailer: Apple Mail (2.1082)
Subject: Add SHA-256/512 hash algorithm to crypt(3) (kern/124164)

Hello all,

Is there any chance that kern/124164 [1] could be looked at? The included patch has been updated by KIMURA Yasuhiro for 8.1R, and so hopefully would be okay for 8.3R (and maybe even -CURRENT).

The functionality would be very helpful for NIS- and LDAP-based environments, as Linux and even Solaris support these newer algorithms, and so when they do a (yp)passwd the new hashes are often used, which cause interoperability issues, not to mention the usefulness of stronger hashes. :)

Thanks for any info (and please CC, as I'm not subscribed).

[1] http://www.freebsd.org/cgi/query-pr.cgi?pr=kern/124164
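As an added example (not code from the thread, from kern/124164 or from FreeBSD), a parser for the modular-crypt strings that the NIS and LDAP password maps in the message carry, used to pick out the SHA-crypt entries ($5$ and $6$) that a crypt(3) without SHA-256/512 support cannot verify. It assumes the MD5-crypt and SHA-crypt layout `$id$[rounds=N$]salt$hash`, with the SHA-crypt field widths from that specification (a salt of at most 16 characters, a 43-character SHA-256 or 86-character SHA-512 hash); the sample entries are constructed and their hash fields are placeholders, not real password hashes.

```c
/*
 * Added example, not code from the thread or from kern/124164: parse the
 * modular-crypt strings exchanged through NIS/LDAP password maps and
 * flag the SHA-crypt entries ($5$ / $6$) that a crypt(3) lacking
 * SHA-256/512 support cannot verify.  Layout assumed (MD5-crypt and
 * SHA-crypt): "$<id>$[rounds=N$]<salt>$<hash>", salt at most 16
 * characters, hash 43 characters for SHA-256 and 86 for SHA-512.
 */
#include <ctype.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define CRYPT_ID_MAX   4
#define CRYPT_SALT_MAX 16

struct crypt_hash {
    char id[CRYPT_ID_MAX + 1];      /* "1", "5", "6", ... */
    unsigned long rounds;           /* 0 when no rounds= field */
    char salt[CRYPT_SALT_MAX + 1];
    size_t hash_len;                /* length of the final field */
};

/* The crypt alphabet: [./0-9A-Za-z]. */
static int is_hash_char(int c)
{
    return isalnum(c) || c == '.' || c == '/';
}

/* Parse "$id$[rounds=N$]salt$hash" into *h.  Returns 0 on success and
 * -1 on a malformed string. */
int parse_crypt_hash(const char *s, struct crypt_hash *h)
{
    const char *p = s, *end;
    size_t n;

    memset(h, 0, sizeof(*h));
    if (*p++ != '$')
        return -1;

    /* id field */
    end = strchr(p, '$');
    if (end == NULL || (n = (size_t)(end - p)) == 0 || n > CRYPT_ID_MAX)
        return -1;
    memcpy(h->id, p, n);
    p = end + 1;

    /* optional rounds=N$ (used by SHA-crypt) */
    if (strncmp(p, "rounds=", 7) == 0) {
        char *num_end;

        h->rounds = strtoul(p + 7, &num_end, 10);
        if (num_end == p + 7 || *num_end != '$')
            return -1;
        p = num_end + 1;
    }

    /* salt field */
    end = strchr(p, '$');
    if (end == NULL || (n = (size_t)(end - p)) > CRYPT_SALT_MAX)
        return -1;
    for (const char *q = p; q < end; q++)
        if (!is_hash_char((unsigned char)*q))
            return -1;
    memcpy(h->salt, p, n);
    p = end + 1;

    /* hash field: non-empty, crypt alphabet only */
    for (end = p; *end != '\0'; end++)
        if (!is_hash_char((unsigned char)*end))
            return -1;
    h->hash_len = (size_t)(end - p);
    if (h->hash_len == 0)
        return -1;

    /* SHA-crypt output lengths are fixed; reject anything else. */
    if (strcmp(h->id, "5") == 0 && h->hash_len != 43)
        return -1;
    if (strcmp(h->id, "6") == 0 && h->hash_len != 86)
        return -1;
    return 0;
}

/* 1 if the entry is SHA-crypt, i.e. needs SHA-256/512 in crypt(3). */
int needs_sha_crypt(const struct crypt_hash *h)
{
    return strcmp(h->id, "5") == 0 || strcmp(h->id, "6") == 0;
}

int main(void)
{
    /* Constructed entries; the hash fields are placeholders. */
    static const char *const samples[] = {
        "$1$saltsalt$abcdefghijklmnopqrstuv",
        "$5$rounds=5000$saltstring$abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQ",
        "$6$saltstring$abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789./abcdefghijklmnopqrstuv",
    };
    struct crypt_hash h;

    for (size_t i = 0; i < sizeof(samples) / sizeof(samples[0]); i++) {
        if (parse_crypt_hash(samples[i], &h) != 0) {
            printf("malformed: %s\n", samples[i]);
            continue;
        }
        printf("$%s$ salt=%s rounds=%lu hash_len=%zu%s\n", h.id, h.salt,
               h.rounds, h.hash_len,
               needs_sha_crypt(&h) ? " (needs SHA-crypt in crypt(3))" : "");
    }
    return 0;
}
```

Run over a dumped passwd map, the parser separates the $1$ entries a SHA-less crypt(3) can still check from the $5$/$6$ entries it will reject, which is the interoperability gap the message describes; the length checks also catch truncated hashes that would otherwise fail silently at login.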