From owner-freebsd-security@freebsd.org Sat Jan 6 21:37:21 2018
From: Freddie Cash
Date: Sat, 6 Jan 2018 13:37:17 -0800
Subject: Re: Intel hardware bug
To: Freebsd Security, FreeBSD Hackers, freebsd-arch@freebsd.org
In-Reply-To: <20180106195510.GH75576@funkthat.com>
References: <20180105191145.404BC335@spqr.komquats.com> <20180106195510.GH75576@funkthat.com>

On Jan 6, 2018 11:55 AM, "John-Mark Gurney" wrote:
> Freddie Cash wrote this message on Fri, Jan 05, 2018 at 11:53 -0800:
>> Spectre (aka CVE-2017-5715 and CVE-2017-5753) is the issue that affects all
>> CPUs (Intel, AMD, ARM, IBM, Oracle, etc) and allows userland processes to
>> read memory assigned to other userland processes (but does NOT give access
>> to kernel memory).
>
> No, Spectre does not allow one userland process to read another userland
> process's memory. It allows an attacker to read any memory within the same
> process.

That's variant 1 of Spectre. Variant 2 crosses process boundaries. It's the
one that has VM hosting systems worried, as a process running in VM1 can read
memory assigned to VM2.
Cheers,
Freddie

From owner-freebsd-security@freebsd.org Mon Jan 8 01:43:57 2018
From: "Ronald F. Guilmette"
To: freebsd-security@freebsd.org
Subject: Re: Re "Intel responds to security research findings"
In-Reply-To: <8ad62a54-cfc4-6d97-4045-303e6ee7806d@erdgeist.org>
Date: Sun, 07 Jan 2018 17:43:50 -0800
Message-ID: <11633.1515375830@segfault.tristatelogic.com>

In message <8ad62a54-cfc4-6d97-4045-303e6ee7806d@erdgeist.org>,
Dirk Engling wrote:

>On 03.01.18 22:14, Ed Maste wrote:
>
>> The FreeBSD Security Team recently learned of the details of these
>> issues that affect certain CPUs.
>
>Can you say, at what day you were informed?

Yes. What did the team know and when did it know it?

  "There is a cancer growing on the Translation Lookaside Buffer."
    -- John Dean -- March 21, 1973

But seriously folks, although I have nothing but admiration for, and
complete faith in the FreeBSD security team, specifically, and although
I am completely sure that THEY have done, and will do, the Right Thing,
I do wonder about a whole helluva lot of the other actors in this drama.

Public reports indicate that various parties have known about either
Meltdown or Spectre or both for something on the order of six months.
Is it at all likely that any of the researchers who discovered these
things would have waited months before informing Intel, Microsoft, or
both? That seems highly unlikely.

All this adds up to yet another marvelous opportunity for me to vent
spleen about the peculiar foibles of our civil (in)justice system here
in the U.S. (My apologies to anyone who thinks this is off-topic for
this list. Under the present circumstances, I am not persuaded that it
is.)

What's going to happen now is as predictable as it is inevitable, at
least here in the U.S. The various individual and class action lawsuits
will proceed apace, at the usual snail's pace of civil litigation, over
the coming months and years, and all of the various Plaintiff counsels
will be granted pre-trial discovery, a great deal of which will seek to
determine when Intel, ARM, and AMD knew about these flaws, and how many
billions of dollars of known buggy chips they all knowingly shipped and
sold (to all of us unsuspecting fools) thereafter.

The responses to all of these discovery requests and motions will,
alas, all be shrouded in the greatest of secrecy measures, or, as they
are known in the legal profession, "protective orders". As a result,
us poor sods who are not parties to any of the litigation (and even
many or most of the actual plaintiffs) will never even find out just
how much garbage these companies continued to ship out after they had
been fully and fairly informed of these problems.

Worse yet, the various attorneys for the Plaintiffs will most certainly
use these embargoed bits of (potential liability) information as
leverage to extract bigger settlements, even though they'll all be more
than happy to carry these secrets to their graves... for the right
price. Their "got you over a barrel" offer to the defendants in these
cases will be simple: "Pay up, and pay us through the nose, or we will
go to trial and in open court the whole world will learn that you just
kept on dumping this buggy crap into your distributor pipeline,
literally for months, after you knew about the problem(s)."

And the defendants *will* pay up. The result being that none of us, the
great unwashed masses, will ever find out the true depths of what went
on here, and how the production lines were ordered, by top brass, to
just keep on humming along, 24/7, in three shifts, even well after the
same top brass should have stopped them and waited for new (corrected)
photomasks.

One doesn't have to look far, even in very recent history, to find
examples of this exact legal scenario playing out. Just google for
"Harvey Weinstein secret settlements" and start reading. Bottom line:
If you are willing to pay up, you can get almost anything swept under
the carpet, with the aid and assistance of corporate-defendant-friendly
judges who are only too happy to give out protective orders like candy.

It can be argued, and indeed, I personally WOULD argue, that these
kinds of outcomes of our civil (in)justice system do not serve the
public good, and rather, in fact, that they are counter to the public
good, even though they clearly enrich a small set of lucky Plaintiffs
and even more so, their attorneys.

But to bring this back on point, I would ask "What did Intel know and
when did it know it?" It would appear that, as of now, the company is
still attempting to make light of the situation, at least in their
press statements, a fact from which I infer that their production lines
are most probably *still* up and running, 24/7 in three shifts,
cranking out even MORE buggy chips, even as we speak. (And likewise for
ARM and AMD.)

Indeed, all three companies are sort-of between a rock and a hard place
at the moment. If they move to curtail production in even the slightest
way, that action alone would provide yet more ammunition to the various
Plaintiff's attorneys. The plaintiff attorneys would certainly jump on
any production halt or slowdown as evidence that the companies do, at
long last, grasp the seriousness of these issues, even if they've only
elected to do so a good six months after they reasonably should have.

And this is the only other point/question I wanted to raise herein:
When does "responsible disclosure" cross the line into irresponsible
suppression of information which, by all rights, consumers should be
informed of?

Who has been helped and who has been harmed by the embargoing of the
information about these issues (Meltdown & Spectre) for a full six
months?

I can and do well and truly understand the argument that says that a
reasonable period should be allowed for vendors to develop, test, and
release patches, prior to public disclosure, most specifically when it
comes to issues involving demonstrable security compromises, but...
ah... SIX EFFING MONTHS?? Am I the only one who thinks that this is
more than a bit generous (i.e. with respect to the vendors) and/or that
the public interest would have been better served by NOT keeping all
this stuff a secret for quite that long?

How many people and companies have bought chips over the past six
months with no idea that these problems/issues were barreling down the
tracks on a collision course towards them?

Did it really require the best minds within both Intel and Microsoft,
working feverishly for a full six months, to develop the mitigations
that have only just been released? How much of that time was spent by
the respective engineering teams enjoying languid liquid lunches on the
terrace followed by their obligatory afternoon naps?

I understand that the exact parameters of what most people would agree
constitutes "responsible disclosure" are still matters of ongoing and
often (appropriately) heated debates within both the industry and,
increasingly, within government and legal circles also. But although
knowledgeable and well-intentioned people may reasonably disagree about
appropriate time frames... particularly when it comes to an issue, or
set of issues with ramifications as huge as Meltdown and Spectre... I,
for one, would like to know if there is anybody on this list, or
elsewhere, who thinks that a full six months delay before general
public disclosure in a case such as this was in any way reasonable. I,
for one, do not feel that it was. And I, for one, see no reasonable
justification for such a huge delay before general disclosure, even in
this very unusual and special case.

Keep this in mind: In this case, it isn't just that (purely
theoretical, as far as we know) attackers were given an additional six
months to exploit the holes, there is/was also the additional issue,
noted above, that during these past six months the relevant
semiconductor manufacturers have undoubtedly produced and distributed
an untold number of additional buggy chips, which could, very easily,
number into the hundreds of millions. And lots of somebodys bought all
of those buggy chips. As of now, I'm sure that a lot of them wish they
hadn't, or that, at the very least, they had been permitted to make a
fully informed choice. (They weren't.)

One thing, at least, seems clear -- Each of the researchers who found
these issues, some six months ago, from that day onwards carried a
heavy ethical burden, no matter how or when they ultimately elected to
disclose what they had found. For this reason, I do not envy any of
them.

Regards,
rfg

From owner-freebsd-security@freebsd.org Mon Jan 8 17:57:56 2018
From: Gordon Tetlow
To: freebsd-security@freebsd.org
Subject: Response to Meltdown and Spectre
Date: Mon, 8 Jan 2018 09:57:51 -0800
Message-ID: <20180108175751.GH9701@gmail.com>

By now, we're sure most everyone has heard of the Meltdown and Spectre
attacks. If not, head over to https://meltdownattack.com/ and get an
overview. Additional technical details are available from Google
Project Zero.
https://googleprojectzero.blogspot.com/2018/01/reading-privileged-memory-with-side.html

The FreeBSD Security Team was notified of the issue in late December
and received a briefing under NDA with the original embargo date of
January 9th. Since we received relatively late notice of the issue, our
ability to provide fixes is delayed.

Meltdown (CVE-2017-5754)
~~~~~~~~~~~~~~~~~~~~~~~~
In terms of priority, the first step is to mitigate against the Meltdown
attack (CVE-2017-5754, cited as variant 3 by Project Zero). Work for
this is ongoing, but due to the relatively large changes needed, this is
going to take a little while. We are currently targeting patches for
amd64 being dev complete this week with testing probably running into
next week. From there, we hope to give it a short bake time before
pushing it into the 11.1-RELEASE branch. Additional work will be
required to bring the mitigation to 10.3-RELEASE and 10.4-RELEASE.

The code will be selectable via a tunable which will automatically turn
on for modern Intel processors and off for AMD processors (since they
are reportedly not vulnerable). Since the fix for Meltdown does incur a
performance hit for any transition between user space and kernel space,
this could be rather impactful depending on the workload. As such, the
tunable can also be overridden by the end-user if they are willing to
accept the risk.

Initial work can be tracked at https://reviews.freebsd.org/D13797.
Please note this is a work in progress and some stuff is likely to be
broken.

Spectre (CVE-2017-5753 and CVE-2017-5715)
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
When it comes to the Spectre vulnerabilities, it is much harder to sort
these out. Variant 1 (CVE-2017-5753) is going to require some static
analysis to determine vulnerable use cases that will require barriers to
stop speculation from disclosing information it shouldn't. While we
haven't done the analysis to determine where we are vulnerable, the
number of cases here is supposed to be pretty small. Apparently there
have been some Coverity rules developed to help look for these, but we
are still evaluating what can be done here.

The other half of Spectre, variant 2 (CVE-2017-5715), is a bit trickier
as it affects both normal processes and bhyve. There is a proposed patch
for LLVM (https://reviews.llvm.org/D41723) that introduces a concept
called 'retpoline' which mitigates this issue. We are likely to pull
this into HEAD and 11-STABLE once it hits the LLVM tree. Unfortunately,
the currently supported FreeBSD releases are using older versions of
LLVM for which we are not sure the LLVM project will produce patches. We
will be looking at the feasibility of backporting these patches to these
earlier versions.

There are CPU microcode fixes coming out which, in concert with OS
changes, would also help, but that's a bit down the road at the moment.

If anything significantly changes I will make additional posts to
clarify as the information becomes available.

Best regards,
Gordon Tetlow
with security-officer hat on

From owner-freebsd-security@freebsd.org Mon Jan 8 18:15:03 2018
From: Mike Tancsa
Organization: Sentex Communications
To: Gordon Tetlow, freebsd-security@freebsd.org
Subject: Re: Response to Meltdown and Spectre
Date: Mon, 8 Jan 2018 13:15:00 -0500
Message-ID: <35bd5450-5a7e-afc2-4b80-5b03ae891f53@sentex.net>
In-Reply-To: <20180108175751.GH9701@gmail.com>
References: <20180108175751.GH9701@gmail.com>

Thanks very much for the updates!

	---Mike

On 1/8/2018 12:57 PM, Gordon Tetlow wrote:
> By now, we're sure most everyone has heard of the Meltdown and Spectre

-- 
-------------------
Mike Tancsa, tel +1 519 651 3400
Sentex Communications, mike@sentex.net
Providing Internet services since 1994 www.sentex.net
Cambridge, Ontario Canada http://www.tancsa.com/

From owner-freebsd-security@freebsd.org Mon Jan 8 23:02:54 2018
In-Reply-To: <20180108175751.GH9701@gmail.com>
References: <20180108175751.GH9701@gmail.com>
From: Oliver Pinter
Date: Tue, 9 Jan 2018 00:02:52 +0100
Subject: Re: Response to Meltdown and Spectre
To: Gordon Tetlow
Cc: freebsd-security@freebsd.org

On 1/8/18, Gordon Tetlow wrote:
> By now, we're sure most everyone has heard of the Meltdown and Spectre
> attacks. If not, head over to https://meltdownattack.com/ and get an
> overview. Additional technical details are available from Google
> Project Zero.
> https://googleprojectzero.blogspot.com/2018/01/reading-privileged-memory-with-side.html
>
> The FreeBSD Security Team was notified of the issue in late December
> and received a briefing under NDA with the original embargo date of
> January 9th. Since we received relatively late notice of the issue, our
> ability to provide fixes is delayed.
>
> [...]
>
> If anything significantly changes I will make additional posts to
> clarify as the information becomes available.
>
> Best regards,
> Gordon Tetlow
> with security-officer hat on

Thanks for the information and for the hard work too!

From owner-freebsd-security@freebsd.org Wed Jan 10 11:16:03 2018
In-Reply-To: <20180108175751.GH9701@gmail.com>
References: <20180108175751.GH9701@gmail.com>
From: Sujit K M
Date: Wed, 10 Jan 2018 16:46:01 +0530
Subject: Re: Response to Meltdown and Spectre
To: freebsd-security@freebsd.org

> Meltdown (CVE-2017-5754)
> ~~~~~~~~~~~~~~~~~~~~~~~~
> In terms of priority, the first step is to mitigate against the Meltdown
> attack (CVE-2017-5754, cited as variant 3 by Project Zero). Work for
> this is ongoing, but due to the relatively large changes needed, this is
> going to take a little while. We are currently targeting patches for
> amd64 being dev complete this week with testing probably running into
> next week. From there, we hope to give it a short bake time before
> pushing it into the 11.1-RELEASE branch. Additional work will be
> required to bring the mitigation to 10.3-RELEASE and 10.4-RELEASE.
>
> The code will be selectable via a tunable which will automatically turn
> on for modern Intel processors and off for AMD processors (since they
> are reportedly not vulnerable). Since the fix for Meltdown does incur a
> performance hit for any transition between user space and kernel space,
> this could be rather impactful depending on the workload. As such, the
> tunable can also be overridden by the end-user if they are willing to
> accept the risk.
>
> Initial work can be tracked at https://reviews.freebsd.org/D13797.
> Please note this is a work in progress and some stuff is likely to be
> broken.
>
> Spectre (CVE-2017-5753 and CVE-2017-5715)
> ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
> When it comes to the Spectre vulnerabilities, it is much harder to sort
> these out. Variant 1 (CVE-2017-5753) is going to require some static
> analysis to determine vulnerable use cases that will require barriers to
> stop speculation from disclosing information it shouldn't. While we
> haven't done the analysis to determine where we are vulnerable, the
> number of cases here is supposed to be pretty small. Apparently there
> have been some Coverity rules developed to help look for these, but we
> are still evaluating what can be done here.
>
> The other half of Spectre, variant 2 (CVE-2017-5715), is a bit trickier
> as it affects both normal processes and bhyve. There is a proposed patch
> for LLVM (https://reviews.llvm.org/D41723) that introduces a concept
> called 'retpoline' which mitigates this issue. We are likely to pull
> this into HEAD and 11-STABLE once it hits the LLVM tree. Unfortunately,
> the currently supported FreeBSD releases are using older versions of
> LLVM for which we are not sure the LLVM project will produce patches. We
> will be looking at the feasibility to backport these patches to these
> earlier versions.
>
> There are CPU microcode fixes coming out which, in concert with OS changes,
> would also help, but that's a bit down the road at the moment.
>
>
> If anything significantly changes I will make additional posts to
> clarify as the information becomes available.
>
> Best regards,
> Gordon Tetlow
> with security-officer hat on

From my understanding what is happening is that an array overflow is happening. Can't it be handled more generically?
--
Sujit K M
blog(http://kmsujit.blogspot.com/)


From: Peter Jeremy
To: Sujit K M
Cc: freebsd-security@freebsd.org
Subject: Re: Response to Meltdown and Spectre
Date: Thu, 11 Jan 2018 19:11:38 +1100
Message-ID: <20180111081138.GA10072@server.rulingia.com>
References: <20180108175751.GH9701@gmail.com>

On 2018-Jan-10 16:46:01 +0530, Sujit K M wrote:
> From my understanding what is happening is that an array overflow is happening.
> Can't it be handled more generically?

The array overflow in the example code is solely a convenient mechanism to make C reference an arbitrary virtual address. An attacker could import code from another system so it's not possible to mitigate the vulnerability by (eg) implementing bounds checking in a compiler.
--
Peter Jeremy
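Gordon's note quoted above says variant 1 will need "barriers" placed in the kernel's own vulnerable use cases, and Peter's reply explains why a bounds check compiled into the attacker's program is beside the point: the mitigation has to live where the kernel consumes an untrusted index. The block below is an added example, not code from this thread or from the FreeBSD tree, of the arithmetic index mask used for that purpose. It is the same construction as Linux's array_index_mask_nospec(), written here in plain unsigned arithmetic; the function names and the 4-entry table are this example's own.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Added example: a branchless bounds mask of the kind a kernel applies in
 * its own code wherever an untrusted index selects an array element.
 * Names are this example's own, not FreeBSD's. */

/* Returns SIZE_MAX when index < size and 0 otherwise, using no conditional
 * branch, so the result is also correct while the CPU speculates past a
 * mispredicted "if (index >= size)". Assumes size <= SIZE_MAX / 2, so that
 * size - 1 - index sets the top bit exactly when index is out of range. */
static inline size_t index_mask_nospec(size_t index, size_t size)
{
#if defined(__GNUC__)
    /* Stop the optimiser from replacing the mask with a branch it considers
     * equivalent: the branch is what gets mispredicted in the first place. */
    __asm__ __volatile__("" : "+r"(index));
#endif
    size_t top_bit = (index | (size - 1 - index)) >> (sizeof(size_t) * 8 - 1);
    return top_bit - 1;   /* 0 -> SIZE_MAX (in range), 1 -> 0 (out of range) */
}

/* Lookup with an untrusted index: the if decides the architectural result,
 * the mask bounds the speculative one, so a mispredicted out-of-range index
 * reads table[0] rather than an attacker-chosen address. */
uint8_t lookup_nospec(const uint8_t *table, size_t len, size_t index)
{
    if (index >= len)
        return 0;
    index &= index_mask_nospec(index, len);
    return table[index];
}

/* Constructed 4-entry table used by main() and the checks below. */
static const uint8_t demo_table[4] = { 10, 20, 30, 40 };

uint8_t demo_lookup(size_t index)
{
    return lookup_nospec(demo_table, sizeof demo_table, index);
}

int main(void)
{
    printf("mask(3,4)=%zx mask(4,4)=%zx\n",
           index_mask_nospec(3, 4), index_mask_nospec(4, 4));
    printf("lookup(2)=%u lookup(9)=%u\n", demo_lookup(2), demo_lookup(9));
    return 0;
}
```

The mask is applied after the bounds check, not instead of it: the check still decides what the program does, the mask only guarantees that whatever address the speculative path computes stays inside the array. That is also why the fix cannot come from the attacker's compiler, as Peter notes: the speculative read happens in the kernel's code, on the kernel's data.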
From: Brahmanand Reddy
Date: Thu, 11 Jan 2018 22:13:48 +0530
Subject: Re: Need FreeBSD-SA-00:52(TCP uses weak initial sequence numbers) latest patch
To: freebsd-security-owner@freebsd.org, freebsd-security@freebsd.org

>
> Dear Team,
>
> Thanks for responding.
>
> Please share the corresponding FreeBSD-SA-00:52(*TCP uses weak initial
> sequence numbers*) latest patch.
>
> The original problem was reported at:
> https://www.freebsd.org/security/advisories/FreeBSD-SA-00%3A52.tcp-iss.asc
>
> Below is a list of similar CVEs:
>
> CVE-2001-0328
> CVE-1999-0077
> CVE-2000-0916
>
>
> Thanks and regards,
> Brahma
>
> On Thu, Jan 11, 2018 at 7:37 PM,
> wrote:
>
>> Your request to the freebsd-security mailing list
>>
>> Posting of your message titled "Need FreeBSD-SA-00:52 patch on
>> FreeBSd 10.2 Kernel"
>>
>> has been rejected by the list moderator. The moderator gave the
>> following reason for rejecting your request:
>>
>> "As noted in the rejection message for the attempt to post to
>> freebsd-security-notifications, that list is only for messages from
>> the FreeBSD Security Officer. Accordingly, it should never be Cc:ed
>> on a message from anyone else.
>>
>> You may re-submit your message without the Cc:, but you should be
>> aware that FreeBSD-10.2 reached end-of-life 31 December, 2016 -- just
>> over a year ago (Please refer to
>> https://www.freebsd.org/security/unsupported.html).
>>
>> -- postmaster@freebsd.org"
>>
>> Any questions or comments should be directed to the list administrator
>> at:
>>
>> freebsd-security-owner@freebsd.org
>>
>
>
From: Brahmanand Reddy
Date: Fri, 12 Jan 2018 06:50:45 +0530
Subject: Re: Need FreeBSD-SA-00:52(TCP uses weak initial sequence numbers) latest patch
To: Postmaster Team, freebsd-security-owner@freebsd.org, FreeBSD-security@freebsd.org
In-Reply-To: <20180111171545.GC68137@fc.opsec.eu>

Hi Kurt,

Thanks a lot for responding to my mail.

Please explain why you think this should be an issue for FreeBSD 10.2 ?

Currently I am using 10.2 and 10.4, and I found this problem/vulnerability still exists using the below script:

#!/usr/local/bin/python
# Probe: connect twice from the same source port, with a RST in between,
# and compare the ISN the peer chooses each time.
import random
from scapy.all import *

try:
    input = raw_input   # Python 2: raw_input() returns the typed text unevaluated
except NameError:
    pass                # Python 3: input() already does

# VARIABLES
src = str(input('IP SRC: '))
dst = str(input('IP DST: '))
sport = random.randint(1024, 65535)
dport = int(input("DST PORT: "))

# SYN
ip = IP(src=src, dst=dst)
SYN = TCP(sport=sport, dport=dport, flags='S', seq=random.randint(1024, 1048576), ack=0)
SYNACK = sr1(ip/SYN)
print('Seq1 Number is :', SYNACK[TCP].seq)     # ==> Seq1

# RST
RST = TCP(sport=sport, dport=dport, flags='R', seq=SYNACK.ack, ack=0)
send(ip/RST)

# SYN
SYN2 = TCP(sport=sport, dport=dport, flags='S', seq=random.randint(1024, 1048576), ack=0)
SYNACK2 = sr1(ip/SYN2)
print('Seq2 Number is :', SYNACK2[TCP].seq)    # ==> same ISN number I observed/received

I mean seq1 = seq2: the TCP ISN is being reused. I think the patch is available from 10.4 onwards, but I didn't find an exact/similar patch at https://www.freebsd.org/security/patches/. It would be great to confirm which is the corresponding latest patch by which this problem would be solved. Kindly correct me if I am missing anything.

Sincerely,
Brahma

On Thu, Jan 11, 2018 at 10:45 PM, Kurt Jaeger wrote:
> Hi!
>
> > Please share the corresponding FreeBSD-SA-00:52(*TCP uses weak initial
> > sequence numbers*) latest patch.
> >
> > the original problem reported on :
> > https://www.freebsd.org/security/advisories/FreeBSD-SA-00%3A52.tcp-iss.asc
>
> That's a security announcement for FreeBSD 3.x to 5.x.
>
> Please explain why you think this should be an issue for FreeBSD 10.2 ?
>
> And, by the way: FreeBSD 10.2 is an old, no-longer supported version.
>
> https://www.freebsd.org/releases/
>
> lists which versions are still supported.
>
> --
> pi@FreeBSD.org +49 171 3101372 2 years to go !
From: Lowell Gilbert
To: Brahmanand Reddy
Cc: freebsd-security@freebsd.org
Subject: Re: Need FreeBSD-SA-00:52(TCP uses weak initial sequence numbers) latest patch
Reply-To: freebsd-security@freebsd.org
Date: Thu, 11 Jan 2018 21:20:43 -0500
In-Reply-To: (Brahmanand Reddy's message of "Thu, 11 Jan 2018 22:13:48 +0530")
Message-ID: <44k1wnes1w.fsf@be-well.ilk.org>

Brahmanand Reddy writes:

>>
>> Dear Team,
>>
>> Thanks for responding.
>>
>> Please share the corresponding FreeBSD-SA-00:52(*TCP uses weak initial
>> sequence numbers*) latest patch.
>>
>> The original problem was reported at:
>> https://www.freebsd.org/security/advisories/FreeBSD-SA-00%3A52.tcp-iss.asc
>>
>> Below is a list of similar CVEs:
>>
>> CVE-2001-0328
>> CVE-1999-0077
>> CVE-2000-0916
>>
>>
>> Thanks and regards,
>> Brahma

Those reports were fixed in FreeBSD almost 20 years ago, so you already have the fixes.

Moreover, it seems silly to worry about minor security patches when you're running a FreeBSD release that has been out of support for over a year.
From: Brahmanand Reddy
Date: Fri, 12 Jan 2018 08:16:38 +0530
Subject: Re: Need FreeBSD-SA-00:52(TCP uses weak initial sequence numbers) latest patch
To: freebsd-security@freebsd.org
In-Reply-To: <44k1wnes1w.fsf@be-well.ilk.org>

Hi Lowell,

Yes, it has been fixed 20 years back, but this patch is not available in the 10.2/10.4 source code, and the problem still exists on 10.4 too. Please find below a snip of the patch:

Index: tcp_seq.h
===================================================================
RCS file: /usr2/ncvs/src/sys/netinet/tcp_seq.h,v
retrieving revision 1.11
retrieving revision 1.12
diff -u -r1.11 -r1.12
--- tcp_seq.h   1999/12/29 04:41:02   1.11
+++ tcp_seq.h   2000/09/29 01:37:19   1.12
@@ -31,7 +31,7 @@
  * SUCH DAMAGE.
  *
  *      @(#)tcp_seq.h   8.3 (Berkeley) 6/21/95
- * $FreeBSD: src/sys/netinet/tcp_seq.h,v 1.11 1999/12/29 04:41:02 peter Exp $
+ * $FreeBSD: src/sys/netinet/tcp_seq.h,v 1.12 2000/09/29 01:37:19 kris Exp $
  */
 
 #ifndef _NETINET_TCP_SEQ_H_
@@ -91,7 +91,7 @@
  * number in the range [0-0x3ffff] that is hard to predict.
  */
 #ifndef tcp_random18
-#define tcp_random18()  ((random() >> 14) & 0x3ffff)
+#define tcp_random18()  (arc4random() & 0x3ffff)
 #endif
 
 #define TCP_ISSINCR     (122*1024 + tcp_random18())
Index: tcp_subr.c
===================================================================
RCS file: /usr2/ncvs/src/sys/netinet/tcp_subr.c,v
retrieving revision 1.80
retrieving revision 1.81
diff -u -r1.80 -r1.81
--- tcp_subr.c  2000/09/25 23:40:22   1.80
+++ tcp_subr.c  2000/09/29 01:37:19   1.81
@@ -31,7 +31,7 @@
  * SUCH DAMAGE.
  *
  *      @(#)tcp_subr.c  8.2 (Berkeley) 5/24/95
- * $FreeBSD: src/sys/netinet/tcp_subr.c,v 1.80 2000/09/25 23:40:22 bmilekic Exp $
+ * $FreeBSD: src/sys/netinet/tcp_subr.c,v 1.81 2000/09/29 01:37:19 kris Exp $
  */
 
 #include "opt_compat.h"
@@ -178,7 +178,7 @@
 {
         int hashsize;
 
-        tcp_iss = random();     /* wrong, but better than a constant */
+        tcp_iss = arc4random(); /* wrong, but better than a constant */
         tcp_ccgen = 1;
         tcp_cleartaocache();

I suspect that for 10.4 and above the patch is released, but I didn't find the exact/corresponding one at https://www.freebsd.org/security/patches/. I would expect .. confirmation of the relevant patch for this problem. Kindly correct me if anything is missing.

Regards,
Brahma

On Fri, Jan 12, 2018 at 7:50 AM, Lowell Gilbert <freebsd-security-local@be-well.ilk.org> wrote:
> Brahmanand Reddy writes:
>
> >>
> >> Dear Team,
> >>
> >> Thanks for responding.
> >>
> >> Please share the corresponding FreeBSD-SA-00:52(*TCP uses weak initial
> >> sequence numbers*) latest patch.
> >>
> >> The original problem was reported at:
> >> https://www.freebsd.org/security/advisories/FreeBSD-SA-00%3A52.tcp-iss.asc
> >>
> >> Below is a list of similar CVEs:
> >>
> >> CVE-2001-0328
> >> CVE-1999-0077
> >> CVE-2000-0916
> >>
> >>
> >> Thanks and regards,
> >> Brahma
>
> Those reports were fixed in FreeBSD almost 20 years ago,
> so you already have the fixes.
>
> Moreover, it seems silly to worry about minor security
> patches when you're running a FreeBSD release that has
> been out of support for over a year.
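Review bot: In the tcp_seq.h hunk at @@ -91,7 +91,7 @@, swapping `((random() >> 14) & 0x3ffff)` for `(arc4random() & 0x3ffff)` changes only where the 18 random bits come from, while the unchanged context line `#define TCP_ISSINCR (122*1024 + tcp_random18())` keeps a fixed 122*1024 term in every increment, so each new ISN still lands within a 2^18 window above a base that anyone who saw the previous ISN can compute; the increment scheme, not just the random source, is what a reviewer would ask to see replaced, which is consistent with Peter Jeremy's remark later in the thread that this code was completely superseded by r82122. The retained comment "that is hard to predict" should also be narrowed to say it covers the 18 bits only.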
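Review bot: In the tcp_subr.c hunk at @@ -178,7 +178,7 @@, the trailing comment `/* wrong, but better than a constant */` is carried over verbatim from the `random()` line, so after the change it no longer says what is still wrong; either drop it or state the remaining limitation, namely that `tcp_iss` is a single global value seeded once here in the initialisation path (next to `tcp_ccgen = 1;` and `tcp_cleartaocache();`) rather than derived per connection, for example `tcp_iss = arc4random(); /* one global seed, not per-connection */`.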
From: Peter Jeremy
To: Brahmanand Reddy
Cc: freebsd-security@freebsd.org
Subject: Re: Need FreeBSD-SA-00:52(TCP uses weak initial sequence numbers) latest patch
Date: Fri, 12 Jan 2018 17:14:25 +1100
Message-ID: <20180112061425.GA75633@server.rulingia.com>
References: <44k1wnes1w.fsf@be-well.ilk.org>

On 2018-Jan-12 08:16:38 +0530, Brahmanand Reddy wrote:
>Yes, it has been fixed 20 years back, but this patch is not available in the
>10.2/10.4 source code, and the problem still exists on 10.4 too. Please find
>below a snip of the patch

That code (now r66433) has been completely superseded by r82122 so the code no longer exists in that form. Please advise what problem you believe still exists in FreeBSD 10.4.
--
Peter Jeremy


From: Peter Jeremy
To: Brahmanand Reddy
Cc: freebsd-security@FreeBSD.org
Subject: Re: Need FreeBSD-SA-00:52(TCP uses weak initial sequence numbers) latest patch
Date: Fri, 12 Jan 2018 18:41:15 +1100
Message-ID: <20180112074115.GB75633@server.rulingia.com>
References: <44k1wnes1w.fsf@be-well.ilk.org> <20180112061425.GA75633@server.rulingia.com>

On 2018-Jan-12 12:33:21 +0530, Brahmanand Reddy wrote:
>TCP uses weak initial sequence numbers
>https://www.freebsd.org/security/advisories/FreeBSD-SA-00%3A52.tcp-iss.asc

As has been pointed out to you several times in this thread, that SA is nearly 20 years old and there is no evidence that TCP on any recent FreeBSD uses weak ISNs.

>actually "arc4random()" will take care on
>https://github.com/freebsd/freebsd/blob/master/sys/netinet/tcp_subr.c#L2374

Without studying the code in detail, that code appears to correctly use arc4random() to initialise the ISN - which is as expected.

> I suspect 10.4 already has the fix... but I didn't find exactly
>which patch addresses this problem at https://www.freebsd.org/security/patches/

Well, the original patch is https://www.freebsd.org/security/patches/SA-00%3A52/ and was committed as what is now https://svnweb.freebsd.org/base?view=revision&revision=66433

Since that patch is integrated into the FreeBSD codebase, there's no need to update the contents of https://www.freebsd.org/security/patches/SA-00%3A52/ and it is not relevant to the current codebase.

> I would like to know where the fix is in the 10.4 kernel.

That code was re-written in r82122, retaining the use of arc4random() for ISN initialisation. As a result, it's no longer possible to point at specific code and say "that code fixes weak TCP ISNs".

--
Peter Jeremy
(mx1.freebsd.org [IPv6:2001:1900:2254:206a::19:1]) by mailman.ysv.freebsd.org (Postfix) with ESMTP id 08206EA5E50 for ; Fri, 12 Jan 2018 11:03:56 +0000 (UTC) (envelope-from Abderrahmane.Zahrir@ca.com) Received: from mx0a-001c7801.pphosted.com (mx0a-001c7801.pphosted.com [148.163.156.175]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (Client CN "*.pphosted.com", Issuer "thawte SHA256 SSL CA" (verified OK)) by mx1.freebsd.org (Postfix) with ESMTPS id B60348380B for ; Fri, 12 Jan 2018 11:03:55 +0000 (UTC) (envelope-from Abderrahmane.Zahrir@ca.com) Received: from pps.filterd (m0082004.ppops.net [127.0.0.1]) by mx0a-001c7801.pphosted.com (8.16.0.22/8.16.0.22) with SMTP id w0CAXIfU000778 for ; Fri, 12 Jan 2018 05:36:15 -0500 DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=ca.com; h=from : to : subject : date : message-id : content-type : mime-version; s=20151012; bh=p8DsLbtudWRsBLEckDvJzZTNJMIwL76LrbQKwTSt2Ic=; b=AUxN3cAyMZz9vfCyyEP/HgHtP5Mx/rg0LKn594LgGot1kW4HGIpDr+gmJipYSNbYLVpD aFfUfM6rQIGbJWrdBl6gCeL4A8NaJPrWIZee3fqyF4osAqqfMpr/7x8iUfPcBgAdtMrM t7+vbXfpcE6wchVDZ9P3cAepeZi8AOL4/wbDCyrTGiPNuqpOjA1fd3X5cQGKR1P1ArE8 jTCoapNsPfZYV2aAGML1OCq5fzFXGVRvTaotyRwCBXFJgAatGWy9aT6u+xLubr0ZPRb+ DHKFgEWpP4xu9cCHWDU24mAx9uqyDRoBMCdTd4RhK8UxYR5hyAOdOwQs0YmluAJAGNvI YQ== Received: from usilms290.ca.com (usilms290.ca.com [141.202.246.44]) by mx0a-001c7801.pphosted.com with ESMTP id 2fec771xxd-1 (version=TLSv1.2 cipher=AES128-SHA bits=128 verify=FAIL) for ; Fri, 12 Jan 2018 05:36:15 -0500 Received: from usilms213.ca.com (141.202.6.103) by usilms290.ca.com (141.202.246.44) with Microsoft SMTP Server (TLS) id 15.0.1347.2; Fri, 12 Jan 2018 05:36:14 -0500 Received: from usilms215.ca.com (141.202.6.105) by usilms213.ca.com (141.202.6.103) with Microsoft SMTP Server (TLS) id 15.0.1347.2; Fri, 12 Jan 2018 05:36:13 -0500 Received: from usilms290.ca.com (141.202.246.44) by usilms215.ca.com (141.202.6.105) with Microsoft SMTP Server (TLS) id 15.0.1347.2 via 
Frontend Transport; Fri, 12 Jan 2018 05:36:13 -0500 Received: from NAM02-SN1-obe.outbound.protection.outlook.com (216.32.180.16) by o365smtp.ca.com (141.202.246.44) with Microsoft SMTP Server (TLS) id 15.0.1347.2; Fri, 12 Jan 2018 05:36:12 -0500 DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=ca.com; s=selector1; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version; bh=p8DsLbtudWRsBLEckDvJzZTNJMIwL76LrbQKwTSt2Ic=; b=F9WgaN8fwApH8dHpPb350D1YCpHOS5tJaYoO+mxJcL/Y6C2lbRSao25oyB4fG3i2oftgUoWErsuC97d5D6GD1n3+IJIGcoJUx1hRAoGjr5gRsnVknzl7JjjNFFpkF7pGM+txoVlR2CQcPVLw+LVY7E0Tfv6Zu/p6/Bzm6eAVWd0= Received: from CY1PR01MB1247.prod.exchangelabs.com (10.163.17.29) by CY1PR01MB1248.prod.exchangelabs.com (10.163.17.30) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384_P256) id 15.20.386.5; Fri, 12 Jan 2018 10:36:11 +0000 Received: from CY1PR01MB1247.prod.exchangelabs.com ([10.163.17.29]) by CY1PR01MB1247.prod.exchangelabs.com ([10.163.17.29]) with mapi id 15.20.0386.009; Fri, 12 Jan 2018 10:36:11 +0000 
From: "Zahrir, Abderrahmane" To: "freebsd-security@freebsd.org" Subject: Re: Response to Meltdown and Spectre Thread-Topic: Re: Response to Meltdown and Spectre Thread-Index: AdOLkQI0JmSCRlohTrWavodA9QvhKw== Date: Fri, 12 Jan 2018 10:36:10 +0000 Message-ID: Accept-Language: en-GB, en-US Content-Language: en-US X-MS-Has-Attach: X-MS-TNEF-Correlator: x-originating-ip: [194.75.229.113] x-ms-publictraffictype: Email x-microsoft-exchange-diagnostics: 1; CY1PR01MB1248; 20:L9co3zYFYQ894Ux0Th1Y1ecuf0r3w0hOPa+yK7CxOVu9Dtyq0AKgk3C9pp2KndbqupJUy7kiNjOf5MJhM9+debqis6/JVa+NXVWcYL/tQgjHExV5r56DPLi4u1O3I6vy+9iiBvEK/PERGO3woyuwbpd7ib6acix9fYhTKC8aPTKczUcHpp3DDLj2UUcGQHQcjRc1wK0w9cDFcKg6UZuTnyBKAoG3dEdyjLq6bzueYExEIC1HDX2xwhwmLinPnLnY x-ms-exchange-antispam-srfa-diagnostics: SSOS; x-ms-office365-filtering-correlation-id: a0b4228f-bd6e-49da-f779-08d559a84c43 x-microsoft-antispam: UriScan:; BCL:0; PCL:0; RULEID:(5600026)(4604075)(3008032)(4534020)(4602075)(4627115)(201703031133081)(201702281549075)(2017052603307)(7153060)(7193020); SRVR:CY1PR01MB1248; x-ms-traffictypediagnostic: CY1PR01MB1248: x-microsoft-antispam-prvs: x-exchange-antispam-report-test: UriScan:(28532068793085)(21748063052155); x-exchange-antispam-report-cfa-test: BCL:0; PCL:0; RULEID:(6040470)(2401047)(5005006)(8121501046)(3231023)(944501075)(93006095)(93001095)(10201501046)(3002001)(6041268)(20161123560045)(201703131423095)(201702281528075)(20161123555045)(201703061421075)(201703061406153)(20161123564045)(20161123562045)(20161123558120)(6072148)(201708071742011); SRVR:CY1PR01MB1248; BCL:0; PCL:0; RULEID:(100000803101)(100110400095); SRVR:CY1PR01MB1248; x-forefront-prvs: 0550778858 x-forefront-antispam-report: SFV:NSPM; 
SFS:(10009020)(396003)(366004)(39380400002)(346002)(376002)(39860400002)(189003)(199004)(3846002)(55016002)(9326002)(6306002)(53936002)(8936002)(68736007)(81156014)(9686003)(3660700001)(97736004)(8676002)(558084003)(33656002)(229853002)(6436002)(81166006)(3280700002)(77096006)(106356001)(790700001)(6116002)(5640700003)(105586002)(2501003)(54896002)(2900100001)(2906002)(5630700001)(2351001)(6246003)(14454004)(6916009)(7736002)(5660300001)(10090500001)(6506007)(7696005)(86362001)(99286004)(74316002)(478600001)(25786009)(66066001)(102836004)(72206003)(316002); DIR:OUT; SFP:1101; SCL:1; SRVR:CY1PR01MB1248; H:CY1PR01MB1247.prod.exchangelabs.com; FPR:; SPF:None; PTR:InfoNoRecords; MX:1; A:1; LANG:en; received-spf: None (protection.outlook.com: ca.com does not designate permitted sender hosts) x-microsoft-antispam-message-info: NkoC4DDmwY5U5JLWlAnUpFCiYjL/ZTrIwRCRD4T7kHtxerZICS5/Bv+JRQDDfwAfQe0K5zrMbcAWvc4cDI7ejw== spamdiagnosticoutput: 1:99 spamdiagnosticmetadata: NSPM MIME-Version: 1.0 X-MS-Exchange-CrossTenant-Network-Message-Id: a0b4228f-bd6e-49da-f779-08d559a84c43 X-MS-Exchange-CrossTenant-originalarrivaltime: 12 Jan 2018 10:36:11.0131 (UTC) X-MS-Exchange-CrossTenant-fromentityheader: Hosted X-MS-Exchange-CrossTenant-id: 1194df16-3ae0-49aa-b48b-5c4da6e13689 X-MS-Exchange-Transport-CrossTenantHeadersStamped: CY1PR01MB1248 X-WgnSS: 01000000010010usilms290.ca.com ID004C X-OriginatorOrg: ca.com X-Proofpoint-Virus-Version: vendor=fsecure engine=2.50.10432:, , definitions=2018-01-12_05:, , signatures=0 X-Proofpoint-Outbound-Spam-Details: rule=outbound_notspam policy=outbound score=0 priorityscore=1501 malwarescore=0 suspectscore=0 phishscore=0 bulkscore=0 spamscore=0 clxscore=1011 lowpriorityscore=0 mlxscore=0 impostorscore=0 mlxlogscore=274 adultscore=0 classifier=spam adjust=0 reason=mlx scancount=1 engine=8.0.1-1711220000 definitions=main-1801120143 X-Mailman-Approved-At: Fri, 12 Jan 2018 12:12:00 +0000 Content-Type: text/plain; charset="us-ascii" 
Content-Transfer-Encoding: quoted-printable X-Content-Filtered-By: Mailman/MimeDel 2.1.25 X-BeenThere: freebsd-security@freebsd.org X-Mailman-Version: 2.1.25 Precedence: list List-Id: "Security issues \[members-only posting\]" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Fri, 12 Jan 2018 11:03:56 -0000

Hi Gordon,

Is it possible to include me in your distribution list so that I can get notified when the FreeBSD patch is available.

Regards, Dahman

From owner-freebsd-security@freebsd.org Fri Jan 12 12:14:39 2018
Return-Path: Delivered-To: freebsd-security@mailman.ysv.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:1900:2254:206a::19:1]) by mailman.ysv.freebsd.org (Postfix) with ESMTP id 5FEFFE60DDF for ; Fri, 12 Jan 2018 12:14:39 +0000 (UTC) (envelope-from oliver.pinter@hardenedbsd.org) Received: from mail-wm0-x22d.google.com (mail-wm0-x22d.google.com [IPv6:2a00:1450:400c:c09::22d]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (Client CN "smtp.gmail.com", Issuer "Google Internet Authority G2" (verified OK)) by mx1.freebsd.org (Postfix) with ESMTPS id 78ED23943 for ; Fri, 12 Jan 2018 12:14:36 +0000 (UTC) (envelope-from oliver.pinter@hardenedbsd.org) Received: by mail-wm0-x22d.google.com with SMTP id 143so11602029wma.5 for ; Fri, 12 Jan 2018 04:14:36 -0800 (PST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=hardenedbsd-org.20150623.gappssmtp.com; s=20150623; h=mime-version:in-reply-to:references:from:date:message-id:subject:to :cc; bh=sUQ0a0MV/DIL/lrfAcOzKgmF1ertjrNbB96WyaUCJL0=; b=C6/2T1ETY8k0R6K2qvRwVKY9PW/FWSdY2oq1KJIWTnXaBQkm6TjkI0hxWKVrFieIoi jgaonsBfst9HcIrvBN2VS4Kxl+X4nw4F8ddUrfoEmePjMHx17EhIW2S4rCZ00moihgKJ N6YFB3DKyKYOOh+DLHL9ncrDs2Uj5M6VZVg1VKhWTWlm4nBblQ3A5A6gcfUAoUBDVK9A I/vdsHIxCYSZ/8ne8mibgt94rwMr/d+v+ssot5L/0r1dnIxVBBS6U1p2SyMO6KafhHGK WiLT/dHkje/9Yo6nde8fcGibqENHM1+/ejUgDyDD19t7f7WBe+x3rJu5sxK75doRrR58 fpOQ== X-Google-DKIM-Signature: v=1;
a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:in-reply-to:references:from:date :message-id:subject:to:cc; bh=sUQ0a0MV/DIL/lrfAcOzKgmF1ertjrNbB96WyaUCJL0=; b=Jr/4NjBLCP8clGnmdWRNX6uEWtpEpBtPIhLVroHLCRYil9SinSNScXI3S2qiAxm1Qp 7GV8U83Dqh5MlWP6UzCRBAW53hZ49Be/OifZ9nc8wKE0UWr49J7/NpbyqR8OxeJnT5xd UQrtOmCOW7KCf6FoPbdWU8BAY4Dy1Nm696djC87mtmVm+grEi3plT/m46FyPPwmQP8a8 GjAffgXLA8jCoA6QklqaMWQThieNGqY4N1cVhH65iKGZ88r0FBe7wiCgCdi806F/IdOk /dihNXY3pkz17yX/xCscEIbyuTYz0fxStSv6DMTp0qmpv7tQ8i0qxvpnCXkk9lNr4xwj zu8Q== X-Gm-Message-State: AKwxytcDxDERbqxcJMPQy8sCNOdKtfBqLjEcmp/4tyfiRR2tD9qmvD2F JTsAgd5+l4Gy9hbRL8JtM4/zSZ1IKtKNDH2FoUFtuA== X-Google-Smtp-Source: ACJfBou4n9xMpTZd0QEeMjhnKUg+hMRfWySNvn6H1lzosudM0jISx6gzuhD1IqQMCEr5g+WEr9y/SOtMwUk6V0YwaXM= X-Received: by 10.80.165.243 with SMTP id b48mr16074076edc.201.1515759275063; Fri, 12 Jan 2018 04:14:35 -0800 (PST) MIME-Version: 1.0 Received: by 10.80.149.174 with HTTP; Fri, 12 Jan 2018 04:14:34 -0800 (PST) In-Reply-To: References: 
From: Oliver Pinter Date: Fri, 12 Jan 2018 13:14:34 +0100 Message-ID: Subject: Re: Response to Meltdown and Spectre To: "Zahrir, Abderrahmane" Cc: "freebsd-security@freebsd.org" Content-Type: text/plain; charset="UTF-8" X-Content-Filtered-By: Mailman/MimeDel 2.1.25 X-BeenThere: freebsd-security@freebsd.org X-Mailman-Version: 2.1.25 Precedence: list List-Id: "Security issues \[members-only posting\]" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Fri, 12 Jan 2018 12:14:39 -0000

The test patch is here: https://reviews.freebsd.org/D13797

On Friday, January 12, 2018, Zahrir, Abderrahmane <Abderrahmane.Zahrir@ca.com> wrote:
> Hi Gordon,
>
> Is it possible to include me in your distribution list so that I can get
> notified when the FreeBSD patch is available.
>
> Regards, Dahman
> _______________________________________________
> freebsd-security@freebsd.org mailing list
> https://lists.freebsd.org/mailman/listinfo/freebsd-security
> To unsubscribe, send any mail to "freebsd-security-unsubscribe@freebsd.org"
>

From owner-freebsd-security@freebsd.org Fri Jan 12 18:18:14 2018
Return-Path: Delivered-To: freebsd-security@mailman.ysv.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:1900:2254:206a::19:1]) by mailman.ysv.freebsd.org (Postfix) with ESMTP id C21BDE74113 for ; Fri, 12 Jan 2018 18:18:14 +0000 (UTC) (envelope-from brett@lariat.org) Received: from mail.lariat.net (mail.lariat.net [66.62.230.51]) by mx1.freebsd.org (Postfix) with ESMTP id 8178278430 for ; Fri, 12 Jan 2018 18:18:14 +0000 (UTC) (envelope-from brett@lariat.org) Received: from Toshi.lariat.org (IDENT:ppp1000.lariat.net@localhost [127.0.0.1]) by mail.lariat.net (8.9.3/8.9.3) with ESMTP id LAA16736; Fri, 12 Jan 2018 11:07:48 -0700 (MST) Message-Id: <201801121807.LAA16736@mail.lariat.net> X-Mailer: QUALCOMM Windows Eudora Version 7.1.0.9 Date: Fri, 12 Jan 2018 11:07:06 -0700 To: Oliver Pinter , "Zahrir, Abderrahmane"
From: Brett Glass Subject: Re: Response to Meltdown and Spectre Cc: "freebsd-security@freebsd.org" In-Reply-To: References: Mime-Version: 1.0 Content-Type: text/plain; charset="us-ascii"; format=flowed X-BeenThere: freebsd-security@freebsd.org X-Mailman-Version: 2.1.25 Precedence: list List-Id: "Security issues \[members-only posting\]" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Fri, 12 Jan 2018 18:18:14 -0000

All:

The fix in this patch appears to be unconditional. I do a lot of work with embedded Intel Atom processors, which do not implement speculative execution. (Only one of them even implements limited out-of-order execution.) These systems aren't terribly powerful by today's standards, and would suffer serious performance impacts should the fix be turned on unnecessarily.

Will there be automatic detection of 32-bit Atoms (all of which are definitely not susceptible) and 64-bit Atoms (all of which, except for Avoton, are definitely not susceptible; Avoton might have some very limited exposure due to out-of-order execution, but may also not be vulnerable because the OOE is not speculative) to avoid unnecessary performance impacts?
--Brett Glass

At 05:14 AM 1/12/2018, Oliver Pinter wrote:
>The test patch is here: https://reviews.freebsd.org/D13797

From owner-freebsd-security@freebsd.org Fri Jan 12 18:26:33 2018
Return-Path: Delivered-To: freebsd-security@mailman.ysv.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:1900:2254:206a::19:1]) by mailman.ysv.freebsd.org (Postfix) with ESMTP id 986E1E74917 for ; Fri, 12 Jan 2018 18:26:33 +0000 (UTC) (envelope-from mike@sentex.net) Received: from smarthost2.sentex.ca (smarthost2.sentex.ca [IPv6:2607:f3e0:80:80::2]) (using TLSv1 with cipher DHE-RSA-CAMELLIA256-SHA (256/256 bits)) (Client CN "smarthost.sentex.ca", Issuer "smarthost.sentex.ca" (not verified)) by mx1.freebsd.org (Postfix) with ESMTPS id 3885D78D03 for ; Fri, 12 Jan 2018 18:26:33 +0000 (UTC) (envelope-from mike@sentex.net) Received: from lava.sentex.ca (lava.sentex.ca [IPv6:2607:f3e0:0:5::11]) by smarthost2.sentex.ca (8.15.2/8.15.2) with ESMTPS id w0CIQWbI026897 (version=TLSv1 cipher=DHE-RSA-CAMELLIA256-SHA bits=256 verify=NO) for ; Fri, 12 Jan 2018 13:26:32 -0500 (EST) (envelope-from mike@sentex.net) Received: from [192.168.43.26] (saphire3.sentex.net [192.168.43.26]) by lava.sentex.ca (8.15.2/8.15.2) with ESMTP id w0CIQT3K087601; Fri, 12 Jan 2018 13:26:29 -0500 (EST) (envelope-from mike@sentex.net) Subject: Re: Response to Meltdown and Spectre To: Brett Glass , Oliver Pinter , "Zahrir, Abderrahmane" Cc: "freebsd-security@freebsd.org" References: <201801121807.LAA16736@mail.lariat.net>
From: Mike Tancsa Organization: Sentex Communications Message-ID: Date: Fri, 12 Jan 2018 13:26:29 -0500 User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:52.0) Gecko/20100101 Thunderbird/52.5.2 MIME-Version: 1.0 In-Reply-To: <201801121807.LAA16736@mail.lariat.net> Content-Type: text/plain; charset=utf-8 Content-Language: en-US Content-Transfer-Encoding: 7bit X-Scanned-By: MIMEDefang 2.78 X-BeenThere: freebsd-security@freebsd.org X-Mailman-Version: 2.1.25 Precedence: list List-Id: "Security issues \[members-only posting\]" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Fri, 12 Jan 2018 18:26:33 -0000

On 1/12/2018 1:07 PM, Brett Glass wrote:
> All:
>
> The fix in this patch appears to be unconditional.

The original email said "The code will be selectable via a tunable which ..." Perhaps wait for the final product.

---Mike

-- 
-------------------
Mike Tancsa, tel +1 519 651 3400
Sentex Communications, mike@sentex.net
Providing Internet services since 1994 www.sentex.net
Cambridge, Ontario Canada http://www.tancsa.com/

From owner-freebsd-security@freebsd.org Fri Jan 12 18:52:09 2018
Return-Path: Delivered-To: freebsd-security@mailman.ysv.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:1900:2254:206a::19:1]) by mailman.ysv.freebsd.org (Postfix) with ESMTP id A610EE75D0B for ; Fri, 12 Jan 2018 18:52:09 +0000 (UTC) (envelope-from brett@lariat.org) Received: from mail.lariat.net (mail.lariat.net [66.62.230.51]) by mx1.freebsd.org (Postfix) with ESMTP id 7258D79D05 for ; Fri, 12 Jan 2018 18:52:09 +0000 (UTC) (envelope-from brett@lariat.org) Received: from Toshi.lariat.org (IDENT:ppp1000.lariat.net@localhost [127.0.0.1]) by mail.lariat.net (8.9.3/8.9.3) with ESMTP id LAA17145; Fri, 12 Jan 2018 11:51:59 -0700 (MST) Message-Id: <201801121851.LAA17145@mail.lariat.net> X-Mailer: QUALCOMM Windows Eudora Version 7.1.0.9 Date: Fri, 12 Jan 2018 11:51:36 -0700 To: Mike Tancsa , Brett Glass , Oliver Pinter ,
"Zahrir, Abderrahmane" 
From: Brett Glass Subject: Re: Response to Meltdown and Spectre Cc: "freebsd-security@freebsd.org" In-Reply-To: References: <201801121807.LAA16736@mail.lariat.net> Mime-Version: 1.0 Content-Type: text/plain; charset="us-ascii"; format=flowed X-BeenThere: freebsd-security@freebsd.org X-Mailman-Version: 2.1.25 Precedence: list List-Id: "Security issues \[members-only posting\]" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Fri, 12 Jan 2018 18:52:09 -0000

At 11:26 AM 1/12/2018, Mike Tancsa wrote:
>"The code will be selectable via a tunable which ..." Perhaps wait for
>the final product.
>
> ---Mike

Yes, I will be eagerly awaiting the final patch!

In the meantime, I have located some architectural information about the latest Intel Atoms which indicates that they are not vulnerable even without the patch. As the article at https://www.anandtech.com/show/6936/intels-silvermont-architecture-revealed-getting-serious-about-mobile/2 from AnandTech (among other sources) explains, even the Atoms that do OOE only do it on wholly register-based operations. This means that operations which are accelerated and then conditionally committed later cannot affect the cache. So, no processor from the Atom family should be susceptible to Meltdown or Spectre, and the extra security measures can safely be turned off automatically on all of them. This would be a big help to those of us who would otherwise have to recompile the kernel and/or set a special tunable.
--Brett Glass

From owner-freebsd-security@freebsd.org Sat Jan 13 02:59:32 2018
Return-Path: Delivered-To: freebsd-security@mailman.ysv.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:1900:2254:206a::19:1]) by mailman.ysv.freebsd.org (Postfix) with ESMTP id 60E8DE6C34A for ; Sat, 13 Jan 2018 02:59:32 +0000 (UTC) (envelope-from carpeddiem@gmail.com) Received: from mail-io0-x22b.google.com (mail-io0-x22b.google.com [IPv6:2607:f8b0:4001:c06::22b]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (Client CN "smtp.gmail.com", Issuer "Google Internet Authority G2" (verified OK)) by mx1.freebsd.org (Postfix) with ESMTPS id 2E5656E94F for ; Sat, 13 Jan 2018 02:59:32 +0000 (UTC) (envelope-from carpeddiem@gmail.com) Received: by mail-io0-x22b.google.com with SMTP id k18so7871299ioc.11 for ; Fri, 12 Jan 2018 18:59:32 -0800 (PST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=mime-version:sender:in-reply-to:references:from:date:message-id :subject:to:cc; bh=7g3K2d2NcNJagWoVSeN4bHUQ08qDUNgLNKwLxa99jDc=; b=W57aDZGvRF42WSRQ4DB4VC97JiITtKZdLfMWQQC5XwcoXClYgIpnz5y2h4f03hqdUc TZkJ0OikA4ZhtQZNy8teP76UBoEYN7IqY4L8vLK2F3VPfOPwZ6APw4ymuGwpU10v1QbL 3jyGp66HfPC2bohKROtESMWec38GN1V5yNEHbVpxFAWMXWf7KRu25eD/35rtpriIvoya 3LWeRn5H/wl65n3V+gQmFvyuqt86jaoKk/hszgENPPXlxmjJKrwDTJsR7eBcL9FPnDRX RFqemFSOQqlyG+V0hPGL/JqfMKAR2Vu9f9Tyrz1FS/dUMBOpkb+9AGenFdiMRPZJAGlH 0jaw== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:sender:in-reply-to:references:from :date:message-id:subject:to:cc; bh=7g3K2d2NcNJagWoVSeN4bHUQ08qDUNgLNKwLxa99jDc=; b=d/HR9RSg1XPpXAjNdUQWVRHT7eLCO7TKJztws0VnJfUf2qEbCxewJeBEqBSxGk1V1Z dPjIq9kdKx3hq/wkUBE9SZN+y+v7QgDqK/DBfioiNS6HyRzWw52Lpq7KzZNdydImS+9z 31m3YSbJPDn/+Pvmc9pxbLmB9zf+Deb7koTYSPCgrxy8MQTaofacIBwexDgYx9WBN3Ge OSzSc5PU1kIAKWDXbZxzukx9Jasif5RCBYmkgU2+PlK23rAbw8Ksu0m5DWJOTa3JQfZ9
uT0KiqzByXeXDA3D3JXTiTJQSIQEVAKbCTgaP4boBEbNt3GDw1tGazmhHO50Uc8HaKTa Z9Lw== X-Gm-Message-State: AKwxytc2ShEUIgIvS9QDSdoknmfhzKMqYyjrVwK5BfbKB9TOC1RU/4QE PCQrOB3kYplB7h1Xj2QoMl2O140ZKmUBAn+AfI95KR72 X-Google-Smtp-Source: ACJfBotyYnqDCwpu1OyuTdb7iVJvjFHaJkbLV4h08FBYzBFBaVTnabts3qRTb/RmCTOecULmtMxW8jX4FhqumXTwmB8= X-Received: by 10.107.169.94 with SMTP id s91mr3205259ioe.83.1515812371465; Fri, 12 Jan 2018 18:59:31 -0800 (PST) MIME-Version: 1.0 Sender: carpeddiem@gmail.com Received: by 10.107.131.163 with HTTP; Fri, 12 Jan 2018 18:59:10 -0800 (PST) In-Reply-To: References: 
From: Ed Maste Date: Fri, 12 Jan 2018 21:59:10 -0500 X-Google-Sender-Auth: CcVjtb_RxEK4jygDFlF3db0ybr4 Message-ID: Subject: Re: Response to Meltdown and Spectre To: "Zahrir, Abderrahmane" Cc: "freebsd-security@freebsd.org" Content-Type: text/plain; charset="UTF-8" X-BeenThere: freebsd-security@freebsd.org X-Mailman-Version: 2.1.25 Precedence: list List-Id: "Security issues \[members-only posting\]" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Sat, 13 Jan 2018 02:59:32 -0000

On 12 January 2018 at 05:36, Zahrir, Abderrahmane wrote:
> Hi Gordon,
>
> Is it possible to include me in your distribution list so that I can get notified when the FreeBSD patch is available.

The best way to ensure you'll be notified when the changes are available as a patch or SA for releases is by subscribing to freebsd-security-notifications, which you can do at https://lists.freebsd.org/mailman/listinfo/freebsd-security-notifications

From owner-freebsd-security@freebsd.org Sat Jan 13 16:10:37 2018
Return-Path: Delivered-To: freebsd-security@mailman.ysv.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:1900:2254:206a::19:1]) by mailman.ysv.freebsd.org (Postfix) with ESMTP id 28F21E709D0 for ; Sat, 13 Jan 2018 16:10:37 +0000 (UTC) (envelope-from kostikbel@gmail.com) Received: from kib.kiev.ua (kib.kiev.ua [IPv6:2001:470:d5e7:1::1]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (Client did not present a certificate) by mx1.freebsd.org (Postfix) with ESMTPS id AD28A6B039 for ; Sat, 13 Jan 2018 16:10:36 +0000 (UTC) (envelope-from kostikbel@gmail.com) Received: from tom.home (kib@localhost [127.0.0.1]) by kib.kiev.ua (8.15.2/8.15.2) with ESMTPS id w0DGARhb003196 (version=TLSv1.2 cipher=DHE-RSA-AES256-GCM-SHA384 bits=256 verify=NO); Sat, 13 Jan 2018 18:10:30 +0200 (EET) (envelope-from kostikbel@gmail.com) DKIM-Filter: OpenDKIM Filter v2.10.3 kib.kiev.ua w0DGARhb003196 Received: (from kostik@localhost) by
tom.home (8.15.2/8.15.2/Submit) id w0DGAQW6003192; Sat, 13 Jan 2018 18:10:26 +0200 (EET) (envelope-from kostikbel@gmail.com) X-Authentication-Warning: tom.home: kostik set sender to kostikbel@gmail.com using -f Date: Sat, 13 Jan 2018 18:10:26 +0200 From: Konstantin Belousov To: Gordon Tetlow Cc: freebsd-security@freebsd.org Subject: Re: Response to Meltdown and Spectre Message-ID: <20180113161026.GR1684@kib.kiev.ua> References: <20180108175751.GH9701@gmail.com> MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline In-Reply-To: <20180108175751.GH9701@gmail.com> User-Agent: Mutt/1.9.2 (2017-12-15) X-Spam-Status: No, score=-2.0 required=5.0 tests=ALL_TRUSTED,BAYES_00, DKIM_ADSP_CUSTOM_MED,FREEMAIL_FROM,NML_ADSP_CUSTOM_MED autolearn=no autolearn_force=no version=3.4.1 X-Spam-Checker-Version: SpamAssassin 3.4.1 (2015-04-28) on tom.home X-BeenThere: freebsd-security@freebsd.org X-Mailman-Version: 2.1.25 Precedence: list List-Id: "Security issues \[members-only posting\]" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Sat, 13 Jan 2018 16:10:37 -0000

On Mon, Jan 08, 2018 at 09:57:51AM -0800, Gordon Tetlow wrote:
> Meltdown (CVE-2017-5754)
> ~~~~~~~~~~~~~~~~~~~~~~~~
> Initial work can be tracked at https://reviews.freebsd.org/D13797.
> Please note this is a work in progress and some stuff is likely to be
> broken.

I consider this patch as ready for review now.
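Editor's note on the automatic CPU detection Brett Glass asks about earlier in this thread: any such policy has to start by identifying the microarchitecture, and on x86 that means decoding the CPUID signature. The C program below is an added illustration, not code from the thread, from D13797 or from the FreeBSD kernel. It applies the DisplayFamily/DisplayModel rule from Intel's manual to CPUID leaf 1 EAX and looks the result up in a small table of Atom model numbers. That table is an assumption drawn from public CPU model lists, not from the thread, and the program only names the microarchitecture; which parts are actually affected by Meltdown or Spectre, and therefore whether a tunable such as the one Mike Tancsa mentions should default on or off for them, is not something this thread settles. The CPUID values used for the checks are constructed.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#if defined(__i386__) || defined(__x86_64__)
#include <cpuid.h>
#endif

/* Decoded fields of CPUID leaf 1, register EAX. */
struct cpu_sig {
    unsigned family;   /* DisplayFamily: base family, plus extended family when base is 0xF */
    unsigned model;    /* DisplayModel: extended model prepended when base family is 0x6 or 0xF */
    unsigned stepping;
};

/* DisplayFamily/DisplayModel rule from the Intel SDM (AMD documents the same rule). */
struct cpu_sig decode_cpuid_eax(uint32_t eax)
{
    struct cpu_sig s;
    unsigned base_family = (eax >> 8) & 0xF;
    unsigned base_model  = (eax >> 4) & 0xF;
    unsigned ext_family  = (eax >> 20) & 0xFF;
    unsigned ext_model   = (eax >> 16) & 0xF;

    s.stepping = eax & 0xF;
    s.family = base_family;
    if (base_family == 0xF)
        s.family += ext_family;
    s.model = base_model;
    if (base_family == 0x6 || base_family == 0xF)
        s.model |= ext_model << 4;
    return s;
}

/*
 * Map a family-6 model number to an Intel Atom microarchitecture name, or
 * return NULL when it is not a known Atom.  Assumption: this table comes
 * from public CPU model lists, not from the mailing-list thread, and it says
 * nothing about which parts are affected by Meltdown or Spectre.
 */
const char *intel_atom_uarch(struct cpu_sig s)
{
    if (s.family != 0x6)
        return NULL;
    switch (s.model) {
    case 0x1C: case 0x26:                                   return "Bonnell";
    case 0x27: case 0x35: case 0x36:                        return "Saltwell";
    case 0x37: case 0x4A: case 0x4D: case 0x5A: case 0x5D:  return "Silvermont";
    case 0x4C:                                              return "Airmont";
    case 0x5C: case 0x5F:                                   return "Goldmont";
    case 0x7A:                                              return "Goldmont Plus";
    default:                                                return NULL;
    }
}

/* Convenience wrapper: classify straight from a raw leaf-1 EAX value. */
const char *atom_uarch_for_eax(uint32_t eax)
{
    return intel_atom_uarch(decode_cpuid_eax(eax));
}

/*
 * Read the vendor string (leaf 0) and signature (leaf 1) of the running CPU.
 * Returns 0 when not built for x86 or when CPUID is unavailable.
 */
int read_cpu_signature(char vendor[13], uint32_t *eax_out)
{
#if defined(__i386__) || defined(__x86_64__)
    unsigned int eax, ebx, ecx, edx;
    if (!__get_cpuid(0, &eax, &ebx, &ecx, &edx))
        return 0;
    /* Leaf 0 returns the vendor string in EBX, EDX, ECX order. */
    memcpy(vendor, &ebx, 4);
    memcpy(vendor + 4, &edx, 4);
    memcpy(vendor + 8, &ecx, 4);
    vendor[12] = '\0';
    if (!__get_cpuid(1, &eax, &ebx, &ecx, &edx))
        return 0;
    *eax_out = eax;
    return 1;
#else
    (void)vendor;
    (void)eax_out;
    return 0;
#endif
}

int main(void)
{
    char vendor[13];
    uint32_t eax;

    if (!read_cpu_signature(vendor, &eax)) {
        puts("CPUID not available on this host");
        return 1;
    }
    struct cpu_sig s = decode_cpuid_eax(eax);
    /* The model table is Intel-specific, so only consult it for GenuineIntel. */
    const char *uarch = strcmp(vendor, "GenuineIntel") == 0 ? intel_atom_uarch(s) : NULL;
    printf("%s family 0x%x model 0x%x stepping %u: %s\n", vendor, s.family, s.model,
           s.stepping, uarch ? uarch : "not a known Atom");
    return 0;
}
```

Running it on an Avoton C2000 board (signature 0x406D8, a constructed value for this note) reports family 0x6, model 0x4D, Silvermont; a Skylake desktop part (0x506E3) decodes to model 0x5E and is not in the table. The extended-family branch is what keeps the rule correct for family 0xF and later vendors' families, which is why the decoder is kept separate from the Atom lookup.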