From owner-freebsd-security@freebsd.org Tue Jun 20 08:29:01 2017
From: Vladimir Terziev
To: freebsd-security@freebsd.org
Subject: The Stack Clash vulnerability
Date: Tue, 20 Jun 2017 08:13:46 +0000

Hi,

I assume the FreeBSD security team is already aware of the Stack Clash
vulnerability, which is stated to affect FreeBSD among other Unix-like OSes.

Just in case, here is the analysis document from Qualys:

https://www.qualys.com/2017/06/19/stack-clash/stack-clash.txt

Regards,
Vladimir

From owner-freebsd-security@freebsd.org Tue Jun 20 12:26:53 2017
From: Big Lebowski
To: Vladimir Terziev
Cc: freebsd-security@freebsd.org
Subject: Re: The Stack Clash vulnerability
Date: Tue, 20 Jun 2017 13:26:51 +0100

Funny enough, we had that covered for a short while, at least better than
it is now:

https://www.mail-archive.com/svn-src-all@freebsd.org/msg141063.html

On Tue, Jun 20, 2017 at 9:13 AM, Vladimir Terziev wrote:
> Hi,
>
> I assume the FreeBSD security team is already aware of the Stack Clash
> vulnerability, which is stated to affect FreeBSD among other Unix-like OSes.
>
> Just in case, here is the analysis document from Qualys:
>
> https://www.qualys.com/2017/06/19/stack-clash/stack-clash.txt
>
> Regards,
> Vladimir

From owner-freebsd-security@freebsd.org Tue Jun 20 13:15:17 2017
From: Shawn Webb
To: Vladimir Terziev
Cc: freebsd-security@freebsd.org
Subject: Re: The Stack Clash vulnerability
Date: Tue, 20 Jun 2017 09:15:14 -0400
Message-ID: <20170620131514.vdynljgemuz4fp3c@mutt-hbsd>

On Tue, Jun 20, 2017 at 08:13:46AM +0000, Vladimir Terziev wrote:
> Hi,
>
> I assume the FreeBSD security team is already aware of the Stack Clash
> vulnerability, which is stated to affect FreeBSD among other Unix-like OSes.
>
> Just in case, here is the analysis document from Qualys:
>
> https://www.qualys.com/2017/06/19/stack-clash/stack-clash.txt

FreeBSD is indeed affected. I've written a PoC, which works even with
the stack guard enabled:

https://github.com/lattera/exploits/blob/master/FreeBSD/StackClash/001-stackclash.c

Thanks,

-- 
Shawn Webb
Cofounder and Security Engineer
HardenedBSD

GPG Key ID: 0x6A84658F52456EEE
GPG Key Fingerprint: 2ABA B6BD EF6A F486 BE89 3D9E 6A84 658F 5245 6EEE

From owner-freebsd-security@freebsd.org Tue Jun 20 13:32:20 2017
From: Pawel Biernacki
To: Shawn Webb
Cc: Vladimir Terziev, freebsd-security@freebsd.org
Subject: Re: The Stack Clash vulnerability
Date: Tue, 20 Jun 2017 14:32:17 +0100
In-Reply-To: <20170620131514.vdynljgemuz4fp3c@mutt-hbsd>

Hi Shawn,

Nice PoC, but it doesn't work with security.bsd.unprivileged_proc_debug=0,
which was initially enabled in the menu with hardening options.

Pawel.

On 20 June 2017 at 14:15, Shawn Webb wrote:
> FreeBSD is indeed affected. I've written a PoC, which works even with
> the stack guard enabled:
>
> https://github.com/lattera/exploits/blob/master/FreeBSD/StackClash/001-stackclash.c

-- 
One of God's own prototypes. A high-powered mutant of some kind never
even considered for mass production. Too weird to live, and too rare to die.
From owner-freebsd-security@freebsd.org Tue Jun 20 13:34:28 2017
From: Shawn Webb
To: Pawel Biernacki
Cc: Vladimir Terziev, freebsd-security@freebsd.org
Subject: Re: The Stack Clash vulnerability
Date: Tue, 20 Jun 2017 09:34:26 -0400
Message-ID: <20170620133426.ysq47lyb7y666qrq@mutt-hbsd>
In-Reply-To: <20170620131514.vdynljgemuz4fp3c@mutt-hbsd>

Right, because I use libprocstat. Instead of using libprocstat to
dynamically figure out the start of the stack, you can do other tricks
to find out where the stack lies. Feel free to modify the code to better
suit your environment.

On Tue, Jun 20, 2017 at 02:32:17PM +0100, Pawel Biernacki wrote:
> Hi Shawn,
>
> Nice PoC, but it doesn't work with security.bsd.unprivileged_proc_debug=0,
> which was initially enabled in the menu with hardening options.
>
> Pawel.
-- 
Shawn Webb
Cofounder and Security Engineer
HardenedBSD

From owner-freebsd-security@freebsd.org Tue Jun 20 19:41:20 2017
From: Shawn Webb
To: Vladimir Terziev
Cc: freebsd-security@freebsd.org
Subject: Re: The Stack Clash vulnerability
Date: Tue, 20 Jun 2017 15:41:17 -0400
Message-ID: <20170620194117.45yggu3qvfidtybo@mutt-hbsd>

On Tue, Jun 20, 2017 at 08:13:46AM +0000, Vladimir Terziev wrote:
> I assume the FreeBSD security team is already aware of the Stack Clash
> vulnerability, which is stated to affect FreeBSD among other Unix-like OSes.
>
> Just in case, here is the analysis document from Qualys:
>
> https://www.qualys.com/2017/06/19/stack-clash/stack-clash.txt

As a follow-up, Stack Clash should now be mitigated in HardenedBSD:

https://github.com/HardenedBSD/hardenedBSD/compare/de8124d3bf83d774b66f62d11aee0162d0cd1031...91104ed152d57cde0292b2dc09489fd1f69ea77c

Thanks,

-- 
Shawn Webb
Cofounder and Security Engineer
HardenedBSD
From owner-freebsd-security@freebsd.org Tue Jun 20 20:22:48 2017
From: Ed Maste
To: Vladimir Terziev
Cc: freebsd-security@freebsd.org
Subject: Re: The Stack Clash vulnerability
Date: Tue, 20 Jun 2017 16:22:27 -0400

On 20 June 2017 at 04:13, Vladimir Terziev wrote:
> Hi,
>
> I assume the FreeBSD security team is already aware of the Stack Clash
> vulnerability, which is stated to affect FreeBSD among other Unix-like OSes.

Yes, the security team is aware of this. Improvements in stack
handling are in progress (currently in review).
From owner-freebsd-security@freebsd.org Thu Jun 22 00:22:58 2017
From: Ed Maste
To: freebsd-security@freebsd.org
Subject: Re: The Stack Clash vulnerability
Date: Wed, 21 Jun 2017 20:22:36 -0400

On 20 June 2017 at 16:22, Ed Maste wrote:
> On 20 June 2017 at 04:13, Vladimir Terziev wrote:
>> I assume the FreeBSD security team is already aware of the Stack Clash
>> vulnerability, which is stated to affect FreeBSD among other Unix-like OSes.
>
> Yes, the security team is aware of this. Improvements in stack
> handling are in progress (currently in review).

I would like to provide some additional background on this issue.
First I'd like to thank Qualys for their detailed and thorough
investigation, which is contributing directly to improving FreeBSD.

The FreeBSD security team is aware of and is monitoring this issue,
but is not directly developing the changes that are in progress.
The issue under discussion is a limitation in a vulnerability
mitigation technique. Changes to improve the way FreeBSD manages stack
growth, and mitigate the issue demonstrated by Qualys' proof-of-concept
code, are in progress by FreeBSD developers knowledgeable in the VM
subsystem.
These changes are expected to be
committed to FreeBSD soon, and from there they will be merged to
stable branches and into updates for supported releases.

-Ed

From owner-freebsd-security@freebsd.org Thu Jun 22 01:10:49 2017
From: Michelle Sullivan
Date: Thu, 22 Jun 2017 03:10:40 +0200
Subject: Re: The Stack Clash vulnerability
To: Ed Maste, freebsd-security@freebsd.org

Ed Maste wrote:
> On 20 June 2017 at 16:22, Ed Maste wrote:
>> On 20 June 2017 at 04:13, Vladimir Terziev wrote:
>>> Hi,
>>>
>>> I assume FreeBSD security team is already aware about the Stack Clash vulnerability, that is stated to affect FreeBSD amongst other Unix-like OS.
>> Yes, the security team is aware of this.
>> Improvements in stack
>> handling are in progress (currently in review).
> I would like to provide some additional background on this issue.
> First I'd like to thank Qualys for their detailed and thorough
> investigation, which is contributing directly to improving FreeBSD.
>
> The FreeBSD security team is aware of and is monitoring this issue,
> but is not directly developing in the changes that are in progress.
> The issue under discussion is a limitation in a vulnerability
> mitigation technique. Changes to improve the way FreeBSD manages stack
> growth, and mitigate the issue demonstrated by Qualys'
> proof-of-concept code, are in progress by FreeBSD developers
> knowledgeable in the VM subsystem. These changes are expected to be
> committed to FreeBSD soon, and from there they will be merged to
> stable branches and into updates for supported releases.

One would hope considering the nature and potential threat this would be one of those fixes back ported to previous -STABLE trees as well.
--
Michelle Sullivan
http://www.mhix.org/

From owner-freebsd-security@freebsd.org Thu Jun 22 10:00:21 2017
From: Remko Lodder
Date: Thu, 22 Jun 2017 12:00:33 +0200
Subject: Re: The Stack Clash vulnerability
To: Michelle Sullivan
Cc: Ed Maste, freebsd-security@freebsd.org
> On 22 Jun 2017, at 03:10, Michelle Sullivan wrote:
>
> Ed Maste wrote:
>> On 20 June 2017 at 16:22, Ed Maste wrote:
>>> On 20 June 2017 at 04:13, Vladimir Terziev wrote:
>>>> Hi,
>>>>
>>>> I assume FreeBSD security team is already aware about the Stack Clash vulnerability, that is stated to affect FreeBSD amongst other Unix-like OS.
>>> Yes, the security team is aware of this. Improvements in stack
>>> handling are in progress (currently in review).
>> I would like to provide some additional background on this issue.
>> First I'd like to thank Qualys for their detailed and thorough
>> investigation, which is contributing directly to improving FreeBSD.
>>
>> The FreeBSD security team is aware of and is monitoring this issue,
>> but is not directly developing in the changes that are in progress.
>> The issue under discussion is a limitation in a vulnerability
>> mitigation technique. Changes to improve the way FreeBSD manages stack
>> growth, and mitigate the issue demonstrated by Qualys'
>> proof-of-concept code, are in progress by FreeBSD developers
>> knowledgeable in the VM subsystem. These changes are expected to be
>> committed to FreeBSD soon, and from there they will be merged to
>> stable branches and into updates for supported releases.
>
> One would hope considering the nature and potential threat this would be one of those fixes back ported to previous -STABLE trees as well.
>

Hi Michelle,

On a general note:

When we fix issues, they go to the supported branches / releases. 7.x for example is no longer supported and is not likely to receive this care and attention unless someone is willing to support such a change to that branch. For supported branches, such a change is likely to be merged to those branches and also to supported releases depending on the determination. E.g. a Security Advisory (SA) or Errata Notice (EN) will be merged to affected -RELEASES as well. If an issue does not get one of those two markers, the issue will not be merged to -RELEASES but can be merged to -STABLE branches.
The above is a general note and not specifically pointed towards “The Stack Clash” documents, so this can support potential future questions in the same area as well :-)

Cheers
Remko

From owner-freebsd-security@freebsd.org Thu Jun 22 11:14:39 2017
From: Michelle Sullivan
Date: Thu, 22 Jun 2017 13:14:33 +0200
Subject: Re: The Stack Clash vulnerability
To: Remko Lodder
Cc: Ed Maste, freebsd-security@freebsd.org

Remko Lodder wrote:
>
>> On 22 Jun 2017, at 03:10, Michelle Sullivan wrote:
>>
>> Ed Maste wrote:
>>> On 20 June 2017 at 16:22, Ed Maste wrote:
>>>> On 20 June 2017 at 04:13, Vladimir Terziev wrote:
>>>>> Hi,
>>>>>
>>>>> I assume FreeBSD security team is already aware about the Stack
>>>>> Clash vulnerability, that is stated to affect FreeBSD amongst
>>>>> other Unix-like OS.
>>>> Yes, the security team is aware of this. Improvements in stack
>>>> handling are in progress (currently in review).
>>> I would like to provide some additional background on this issue.
>>> First I'd like to thank Qualys for their detailed and thorough
>>> investigation, which is contributing directly to improving FreeBSD.
>>>
>>> The FreeBSD security team is aware of and is monitoring this issue,
>>> but is not directly developing in the changes that are in progress.
>>> The issue under discussion is a limitation in a vulnerability
>>> mitigation technique. Changes to improve the way FreeBSD manages stack
>>> growth, and mitigate the issue demonstrated by Qualys'
>>> proof-of-concept code, are in progress by FreeBSD developers
>>> knowledgeable in the VM subsystem. These changes are expected to be
>>> committed to FreeBSD soon, and from there they will be merged to
>>> stable branches and into updates for supported releases.
>>
>> One would hope considering the nature and potential threat this would
>> be one of those fixes back ported to previous -STABLE trees as well.
>>
>
> Hi Michelle,
>
> On a general note:
>
> When we fix issues, they go to the supported branches / releases. 7.x
> for example is no longer supported and is not likely to receive this
> care and attention unless someone is willing to support such a change
> to that branch. For supported branches, such a change is likely to be
> merged to those branches and also to supported releases depending on
> the determination. E.g. A Security Advisory (SA) or Errata Notice (EN)
> will be merged to affected -RELEASES as well. If an issue does not get
> one of those two markers, the issue will not be merged to -RELEASES
> but can be merged to -STABLE branches.
>
> The above is a general note and not specifically pointed towards “The
> Stack Clash” documents, so this can support potential future questions
> in the same area as well :-)
>

I know, but with potentially serious issues even M$ issues patches for older releases... I think given the time the code has been broken this is a serious issue (and my employer has set this to a 'high risk'... should a remote PoC be released it will be upgraded to the next and top level 'critical').
This issue has been around in the source for some time (years) and is potentially remote rootable... there are many machines out there that are not running 'supported releases' that you would want patched. Some are not running supported releases because it is not possible to put the supported releases on the hardware (one recent (this week) case in the ports list had a user asking how they could go from 9.x -> 11.x directly because all the 10.x are unbootable on their hardware.... I have 9.x servers that 10.x/11.x and even 12.x are unbootable on (and given the nature of the hardware I expect people to say 'too old, you should replace the hardware' - not my call, and currently not possible.)

Not asking for new versions or new releases.. just patches applied for previous -STABLE trees....

For example I have 9.3 on half my servers, 9.2 on 2 servers that 9.3 doesn't run on, and 4 servers running 6.x - because until I physically get my hands on the blades they can't be upgraded - the other 16 blades were upgraded when the drives were changed to new SSDs 6 months ago ... we ran out of time in the location for the last 4 being that they are production servers and reloading the OS and applications is not something trivial.... I won't be back in Australia until October so can't upgrade the remainder until then.
Regards,
--
Michelle Sullivan
http://www.mhix.org/

From owner-freebsd-security@freebsd.org Thu Jun 22 11:31:20 2017
From: Lars Engels
Date: Thu, 22 Jun 2017 13:31:16 +0200
Subject: Re: The Stack Clash vulnerability
To: Michelle Sullivan
Cc: Remko Lodder, freebsd-security@freebsd.org, Ed Maste
On Thu, Jun 22, 2017 at 01:14:33PM +0200, Michelle Sullivan wrote:
> I know, but with potentially serious issues even M$ issue patches for
> older release...

Microsoft even has 114,000 employees [1]. There are billions of paying customers, so Microsoft has staff and money to test and backport patches to unsupported releases.

[1] https://en.wikipedia.org/wiki/Microsoft

From owner-freebsd-security@freebsd.org Thu Jun 22 22:30:34 2017
From: Peter Jeremy
Date: Fri, 23 Jun 2017 08:29:30 +1000
Subject: Re: The Stack Clash vulnerability
To: Michelle Sullivan
Cc: freebsd-security@freebsd.org

On 2017-Jun-22 13:14:33 +0200, Michelle Sullivan wrote:
>I know, but with potentially serious issues even M$ issue patches for
>older release...

To my knowledge, Microsoft has issued a patch on one occasion for an especially critical vulnerability on an unsupported release. I've seen no indication that the Stack Clash vulnerability can be compared in severity to WannaCry.

>hardware.... I have 9.x servers that 10.x/11.x and even 12.x are
>unbootable (and given the nature of the hardware I expect people to say
>'too old, you should replace the hardware' - not my call, and currently
>not possible.)

FreeBSD is a volunteer project.
Supporting old releases requires effort that increases as the release gets older. The Project as a whole has published a support policy that is intended to strike a balance between requiring customers to upgrade (we realise that upgrading incurs a cost) and spending volunteer effort on maintaining old releases. Note that I am referring to _free_ support here. Unlike Microsoft, FreeBSD is open source. If the level of free support provided by the Project is insufficient for your needs, you always have the option of paying someone to provide whatever level of support you want. With respect to your 9.x servers, no-one is saying you must replace the hardware, just that the FreeBSD Project will not continue to provide you with free support whilst you choose to run 9.x on them. Note that 10.0 was released in January 2014, so you have had 3½ years to resolve the problem that your servers aren't compatible with 10.x.

>Not asking for new versions or new releases.. just patches applied for
>previous -STABLE trees....

As has been stated, the FreeBSD project will patch the supported -STABLE trees.
--
Peter Jeremy

From owner-freebsd-security@freebsd.org Thu Jun 22 23:19:08 2017
From: Michelle Sullivan
Date: Fri, 23 Jun 2017 01:19:05 +0200
Subject: Re: The Stack Clash vulnerability
To: Peter Jeremy
Cc: freebsd-security@freebsd.org

Peter,

Peter Jeremy wrote:
>
> paying someone to provide whatever level of support you want. With
> respect to your 9.x servers, no-one is saying you must replace the
> hardware, just that the FreeBSD Project will not continue to provide
> you with free support whilst you choose to run 9.x on them. Note that
>

You mistake me for someone who needs or is asking for support.

I already have the proposed patch available to me on my servers. I'm not convinced it solves the issue, merely making it a *lot* more difficult to exploit; however, that was my 'first look'. I have a lot more to understand and think about, and there are many more people of higher intelligence looking at it than me.

That said, I'm suggesting that given the amount of time this issue has been around and that it was supposedly fixed many years ago, that one should consider a special case backport for those that are not capable of creating their own patches... and before throwing accusations around you should consider how many times I have ever suggested that a particular bug gets backported... If you can't be bothered to check, this is the first since I started using FreeBSD in 2003.
--
Michelle Sullivan
http://www.mhix.org/

From owner-freebsd-security@freebsd.org Fri Jun 23 09:00:25 2017
From: Remko Lodder
Date: Fri, 23 Jun 2017 11:00:31 +0200
Subject: Re: The Stack Clash vulnerability
To: Michelle Sullivan
Cc: Peter Jeremy, freebsd-security@freebsd.org
> On 23 Jun 2017, at 01:19, Michelle Sullivan wrote:
>
> Peter,
>
> Peter Jeremy wrote:
>>
>> paying someone to provide whatever level of support you want. With
>> respect to your 9.x servers, no-one is saying you must replace the
>> hardware, just that the FreeBSD Project will not continue to provide
>> you with free support whilst you choose to run 9.x on them. Note that
>>
> You mistake me for someone who needs or is asking for support.
>
> I already have the proposed patch available to me on my servers, I'm not convinced it solves the issue, merely making it a *lot* more difficult to exploit, however that was my 'first look' I have a lot more to understand and think about and there are many more people of higher intelligence looking at it than me.
>
> That said, I'm suggesting that given the amount of time this issue has been around and that it was supposedly fixed many years ago, that one should consider a special case backport for those that are not capable of creating their own patches... and before throwing accusations around you should consider how many times I have ever suggested that a particular bug gets backported... If you can't be bothered to check, this is the first since I started using FreeBSD in 2003.

Okay, let's cool this thread down. There are no accusations in this thread, and they are not needed nor welcome either.

I am going to make a general note below; this is not something that is aimed at _you_ personally.

My general note is about the policy we maintain to update supported systems. Once we are ready with the currently supported branches, it might be “simple” for “someone” (not the FreeBSD Security Team) to back port those changes into older -STABLE branches. I am stating that we will not per se do that. But if someone has time and effort to support such a change, it will be done. People like hps@ merge periodically to older branches that are officially no longer supported. That does not mean that they cannot do that, but that they have an interest in doing so, which is perfectly fine (of course).

So; if the patch is applicable for older branches as well (stable I mean), someone needs to find a committer that can vouch for it and also import it into the stable branches. He or she has to understand that it might cause problems and they need to be investigated by that person in that case.

If someone, who is commercially using our Operating System, has an urgent need to have this in a -STABLE branch, I am sure that a few bucks here and there can make it worth someone’s (free) time to support that.
That=E2=80=99s the way it works, we volunteer for this project, and we = do understand that people are using our product and even in a commercial = sense where people make a -lot- of money with =E2=80=9Cour=E2=80=9D = work. That is perfectly fine. But we have to draw a line in what we can = and will support. We also have families, hobby=E2=80=99s, other work = that obviously also costs time and generate our income(s). Even with = that we are happy to work on the project, and thus the =E2=80=9Cproduct=E2= =80=9D that we ship. But there is a line. There is no more hours in a = day then 24. We have to devide that in all those regions we are active = in. That is where the support policy comes in, we accept the fact that = we maintain and support releases and stable branches after we created = them. We do that for a limited amount of time, so that we can have a = good division between new products, and our other activities. So if = someone wants to keep a committer/programmer active while he could have = been playing with his kids, it should be worth his/her while (in = addition to the work he/she already does for the project) and it=E2=80=99s= for the committer to decide whether that is indeed worth the while. = Perhaps a committer is already being payed by someone to do this and he = or she will just do it =E2=80=9Cfor free=E2=80=9D, then everyone = benefits and we have to thank the sponsor for that. So given the above, and now I am responding to your request, I do not = think we should break our tradition. There are many things that are not = fixed in older branches, OpenSSL comes to mind, we simply have to make a = choice in what we can and cannot do, and be open about that. Branches = that are no longer supported, will not get official fixes anymore. A = committer is free to do so, with the note that it -might- cost a few = bucks to get that going. 
I hope the above is making it a bit more clear on why we have to draw a line somewhere, and what it might take to get it in the STABLE branches. It can be done, but you need to find someone who can do that, with potential consequences.

Thanks,

Remko

>
> --
> Michelle Sullivan
> http://www.mhix.org/
>
> _______________________________________________
> freebsd-security@freebsd.org mailing list
> https://lists.freebsd.org/mailman/listinfo/freebsd-security
> To unsubscribe, send any mail to "freebsd-security-unsubscribe@freebsd.org"

From owner-freebsd-security@freebsd.org Sat Jun 24 18:48:05 2017
From: Ed Maste
Date: Sat, 24 Jun 2017 14:47:43 -0400
Subject: Re: The Stack Clash vulnerability
To: "freebsd-security@freebsd.org"

On 21 June 2017 at 20:22, Ed Maste wrote:
> These changes are expected to be
> committed to FreeBSD soon, and from there they will be merged to
> stable branches and into updates for supported releases.

The changes have now been merged to HEAD in r320317.

https://svnweb.freebsd.org/changeset/base/320317