From owner-freebsd-security@freebsd.org  Tue Jan 16 05:20:25 2018
Return-Path: <owner-freebsd-security@freebsd.org>
Delivered-To: freebsd-security@mailman.ysv.freebsd.org
Received: from mx1.freebsd.org (mx1.freebsd.org
 [IPv6:2001:1900:2254:206a::19:1])
 by mailman.ysv.freebsd.org (Postfix) with ESMTP id D5E75E76DC6
 for <freebsd-security@mailman.ysv.freebsd.org>;
 Tue, 16 Jan 2018 05:20:25 +0000 (UTC)
 (envelope-from gordon@tetlows.org)
Received: from mail-ua0-x236.google.com (mail-ua0-x236.google.com
 [IPv6:2607:f8b0:400c:c08::236])
 (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits))
 (Client CN "smtp.gmail.com",
 Issuer "Google Internet Authority G2" (verified OK))
 by mx1.freebsd.org (Postfix) with ESMTPS id 9104F21A1
 for <freebsd-security@freebsd.org>; Tue, 16 Jan 2018 05:20:25 +0000 (UTC)
 (envelope-from gordon@tetlows.org)
Received: by mail-ua0-x236.google.com with SMTP id z47so10010650uac.0
 for <freebsd-security@freebsd.org>; Mon, 15 Jan 2018 21:20:25 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=tetlows.org; s=google;
 h=mime-version:in-reply-to:references:from:date:message-id:subject:to
 :cc; bh=yHsZde9DYavHf/jLpvwvNrurxIZ6Uv8WyX+dpWQwbpo=;
 b=CVKdbS6UoFSRdBq1xNrCUvXwSCj1xcrbCuazkKcy2f4NUjviYdjRS8nlCNkquRg0d/
 hzcyep+KEc2rRVS7lA/2bDWksU4yXw5We9TxexUrXyNY4ld1DgXRgZUh1IhiJYtF0bOL
 JCQ88p7XqVEYJkCd8xbJ8ndYcg4PoO50lhpgM=
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
 d=1e100.net; s=20161025;
 h=x-gm-message-state:mime-version:in-reply-to:references:from:date
 :message-id:subject:to:cc;
 bh=yHsZde9DYavHf/jLpvwvNrurxIZ6Uv8WyX+dpWQwbpo=;
 b=gvA2pZSY0TKDf9/3tj3n//YxMerwNPFpij1ltZoCV08ecbv3fopMc61sCpHpetxxS4
 UAHpOUk3gd/MmGzq7cwYZoaX2jAasznXhBCzVCnmr9rbXzHLO+k4QcQKlXI4OHcBLoT2
 nmVWXjFsFcRrt1uwMYNx8Igs3jBdnSb2zw84dN7Uvvo5Ctjyo6kbE2ItE4knY1NAq2Hb
 qa1nfUXLCSTgFax5H3l73JCrjfM4eUt1XxR23f4jr9MnBnETEVoq3pLmtnPlyX+M4uia
 /pjjLFbQsjDtYNb5hUqmVjnO1fKF+S9aqpZBNqaB1hLxkDpfH2wXdSLDigbqUTk6uQx6
 rWxg==
X-Gm-Message-State: AKwxytdXRdvzA9S+vuTJOf/EnHvrqdr2sq3A8+dIfRiDUJZkmOPYYLAe
 shAZuIAa7YvpDlVLqLZZWaNAu/gOJj7HeNPg+Qjjtu4=
X-Google-Smtp-Source: ACJfBot31cGBHPFWMd7oCK+k75xpRXw2em+u43Af0MJDZrteVQSKIePWelmCvO60yOHdXqMyRK74kcJ5oDW1MAI7EQ8=
X-Received: by 10.176.77.230 with SMTP id b38mr27851742uah.113.1516080024593; 
 Mon, 15 Jan 2018 21:20:24 -0800 (PST)
MIME-Version: 1.0
Received: by 10.176.81.102 with HTTP; Mon, 15 Jan 2018 21:20:24 -0800 (PST)
In-Reply-To: <20180113161026.GR1684@kib.kiev.ua>
References: <20180108175751.GH9701@gmail.com>
 <20180113161026.GR1684@kib.kiev.ua>
From: Gordon Tetlow <gordon@tetlows.org>
Date: Mon, 15 Jan 2018 21:20:24 -0800
Message-ID: <CAKghNw0Bnqmb7U8f_94-tLVcvqL26EuUZMtj393uo9eudwgbNQ@mail.gmail.com>
Subject: Re: Response to Meltdown and Spectre
To: Konstantin Belousov <kostikbel@gmail.com>
Cc: freebsd-security <freebsd-security@freebsd.org>
Content-Type: text/plain; charset="UTF-8"
X-BeenThere: freebsd-security@freebsd.org
X-Mailman-Version: 2.1.25
Precedence: list
List-Id: "Security issues \[members-only posting\]"
 <freebsd-security.freebsd.org>
List-Unsubscribe: <https://lists.freebsd.org/mailman/options/freebsd-security>, 
 <mailto:freebsd-security-request@freebsd.org?subject=unsubscribe>
List-Archive: <http://lists.freebsd.org/pipermail/freebsd-security/>
List-Post: <mailto:freebsd-security@freebsd.org>
List-Help: <mailto:freebsd-security-request@freebsd.org?subject=help>
List-Subscribe: <https://lists.freebsd.org/mailman/listinfo/freebsd-security>, 
 <mailto:freebsd-security-request@freebsd.org?subject=subscribe>
X-List-Received-Date: Tue, 16 Jan 2018 05:20:25 -0000

On Sat, Jan 13, 2018 at 8:10 AM, Konstantin Belousov
<kostikbel@gmail.com> wrote:
> On Mon, Jan 08, 2018 at 09:57:51AM -0800, Gordon Tetlow wrote:
>> Meltdown (CVE-2017-5754)
>> ~~~~~~~~~~~~~~~~~~~~~~~~
>> Initial work can be tracked at https://reviews.freebsd.org/D13797.
>> Please note this is a work in progress and some stuff is likely to be
>> broken.
> I consider this patch as ready for review now.

Awesome! So, what's next? Do we have some testers we can solicit to
beat on this? I believe des@ had a test case to try out? Based on
where we are, what needs to be done to get this into the tree?
Secondarily, what's needed to get this in shape for 10.3/10.4/11.1?

Gordon

From owner-freebsd-security@freebsd.org  Tue Jan 16 09:57:40 2018
Return-Path: <owner-freebsd-security@freebsd.org>
Delivered-To: freebsd-security@mailman.ysv.freebsd.org
Received: from mx1.freebsd.org (mx1.freebsd.org
 [IPv6:2001:1900:2254:206a::19:1])
 by mailman.ysv.freebsd.org (Postfix) with ESMTP id A5AEBEB8D6E
 for <freebsd-security@mailman.ysv.freebsd.org>;
 Tue, 16 Jan 2018 09:57:40 +0000 (UTC)
 (envelope-from kostikbel@gmail.com)
Received: from kib.kiev.ua (kib.kiev.ua [IPv6:2001:470:d5e7:1::1])
 (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits))
 (Client did not present a certificate)
 by mx1.freebsd.org (Postfix) with ESMTPS id 231AB710EA
 for <freebsd-security@freebsd.org>; Tue, 16 Jan 2018 09:57:39 +0000 (UTC)
 (envelope-from kostikbel@gmail.com)
Received: from tom.home (kib@localhost [127.0.0.1])
 by kib.kiev.ua (8.15.2/8.15.2) with ESMTPS id w0G9vUDQ095248
 (version=TLSv1.2 cipher=DHE-RSA-AES256-GCM-SHA384 bits=256 verify=NO);
 Tue, 16 Jan 2018 11:57:33 +0200 (EET)
 (envelope-from kostikbel@gmail.com)
DKIM-Filter: OpenDKIM Filter v2.10.3 kib.kiev.ua w0G9vUDQ095248
Received: (from kostik@localhost)
 by tom.home (8.15.2/8.15.2/Submit) id w0G9vUSi095247;
 Tue, 16 Jan 2018 11:57:30 +0200 (EET)
 (envelope-from kostikbel@gmail.com)
X-Authentication-Warning: tom.home: kostik set sender to kostikbel@gmail.com
 using -f
Date: Tue, 16 Jan 2018 11:57:30 +0200
From: Konstantin Belousov <kostikbel@gmail.com>
To: Gordon Tetlow <gordon@tetlows.org>
Cc: freebsd-security <freebsd-security@freebsd.org>
Subject: Re: Response to Meltdown and Spectre
Message-ID: <20180116095730.GP1684@kib.kiev.ua>
References: <20180108175751.GH9701@gmail.com>
 <20180113161026.GR1684@kib.kiev.ua>
 <CAKghNw0Bnqmb7U8f_94-tLVcvqL26EuUZMtj393uo9eudwgbNQ@mail.gmail.com>
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
In-Reply-To: <CAKghNw0Bnqmb7U8f_94-tLVcvqL26EuUZMtj393uo9eudwgbNQ@mail.gmail.com>
User-Agent: Mutt/1.9.2 (2017-12-15)
X-Spam-Status: No, score=-2.0 required=5.0 tests=ALL_TRUSTED,BAYES_00,
 DKIM_ADSP_CUSTOM_MED,FREEMAIL_FROM,NML_ADSP_CUSTOM_MED autolearn=no
 autolearn_force=no version=3.4.1
X-Spam-Checker-Version: SpamAssassin 3.4.1 (2015-04-28) on tom.home
X-BeenThere: freebsd-security@freebsd.org
X-Mailman-Version: 2.1.25
Precedence: list
List-Id: "Security issues \[members-only posting\]"
 <freebsd-security.freebsd.org>
List-Unsubscribe: <https://lists.freebsd.org/mailman/options/freebsd-security>, 
 <mailto:freebsd-security-request@freebsd.org?subject=unsubscribe>
List-Archive: <http://lists.freebsd.org/pipermail/freebsd-security/>
List-Post: <mailto:freebsd-security@freebsd.org>
List-Help: <mailto:freebsd-security-request@freebsd.org?subject=help>
List-Subscribe: <https://lists.freebsd.org/mailman/listinfo/freebsd-security>, 
 <mailto:freebsd-security-request@freebsd.org?subject=subscribe>
X-List-Received-Date: Tue, 16 Jan 2018 09:57:40 -0000

On Mon, Jan 15, 2018 at 09:20:24PM -0800, Gordon Tetlow wrote:
> On Sat, Jan 13, 2018 at 8:10 AM, Konstantin Belousov
> <kostikbel@gmail.com> wrote:
> > On Mon, Jan 08, 2018 at 09:57:51AM -0800, Gordon Tetlow wrote:
> >> Meltdown (CVE-2017-5754)
> >> ~~~~~~~~~~~~~~~~~~~~~~~~
> >> Initial work can be tracked at https://reviews.freebsd.org/D13797.
> >> Please note this is a work in progress and some stuff is likely to be
> >> broken.
> > I consider this patch as ready for review now.
> 
> Awesome! So, what's next? Do we have some testers we can solicit to
> beat on this? I believe des@ had a test case to try out? Based on
> where we are, what needs to be done to get this into the tree?
> Secondarily, what's needed to get this in shape for 10.3/10.4/11.1?

As expected, nothing happens WRT review.

Peter tested the patch, it seems to be fine. I put shims to allow i386
to compile. My idea is to flip the default to non-PTI and commit the
patch as is today.

From owner-freebsd-security@freebsd.org  Tue Jan 16 15:31:45 2018
Return-Path: <owner-freebsd-security@freebsd.org>
Delivered-To: freebsd-security@mailman.ysv.freebsd.org
Received: from mx1.freebsd.org (mx1.freebsd.org
 [IPv6:2001:1900:2254:206a::19:1])
 by mailman.ysv.freebsd.org (Postfix) with ESMTP id AAADBE75FB8
 for <freebsd-security@mailman.ysv.freebsd.org>;
 Tue, 16 Jan 2018 15:31:45 +0000 (UTC)
 (envelope-from gordon@tetlows.org)
Received: from mail-vk0-x22a.google.com (mail-vk0-x22a.google.com
 [IPv6:2607:f8b0:400c:c05::22a])
 (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits))
 (Client CN "smtp.gmail.com",
 Issuer "Google Internet Authority G2" (verified OK))
 by mx1.freebsd.org (Postfix) with ESMTPS id 680EA7E9DE
 for <freebsd-security@freebsd.org>; Tue, 16 Jan 2018 15:31:45 +0000 (UTC)
 (envelope-from gordon@tetlows.org)
Received: by mail-vk0-x22a.google.com with SMTP id w201so3490117vkw.0
 for <freebsd-security@freebsd.org>; Tue, 16 Jan 2018 07:31:45 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=tetlows.org; s=google;
 h=mime-version:in-reply-to:references:from:date:message-id:subject:to
 :cc; bh=lBYidnftZskZsOPC8anJsL044njEVyu2q658sTgc0ZQ=;
 b=gYD2pEBF9oFIuHdLDdkqk+EUo9Kwr0YRxxaxMlZZdVAE7hrHMZl1q0unGf4nTs0+ku
 shnh6xdJO4NtFUVQuIMPmxk6UrgI42BB/IdMwRJ8nVJZaiM0rUj0z2W/JikkdPyEDfej
 yB6xolsFS5ZiTkaaVecrNFOL/TOKx/3KCja+s=
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
 d=1e100.net; s=20161025;
 h=x-gm-message-state:mime-version:in-reply-to:references:from:date
 :message-id:subject:to:cc;
 bh=lBYidnftZskZsOPC8anJsL044njEVyu2q658sTgc0ZQ=;
 b=FAqQPm2XMEKgTQVkNNzMW0Mc/pGlOk5txckOxzcfp0+KYhhF2m/sX8YCES6eh7JE00
 N0xLCwuRXq7TpUOsCtYL76nUEiK4TnGwxKQnoKoLVZTE/zvh1mC4vf38WXDRPah+PStW
 cIqDtdajong67k5kE8M3iL8u0Tw12NKn6ZlMVnedX/ebkkEnqxrhoxC0xGerXN9VGqKg
 cjgNdrM1Y93hyH4C2OtMNhQTGH7b31T6JClmoS3G1ce5vWcDbbwarC1ERtScENHx+/Dl
 qrYM5YJhFSgOihsSP1pICBG837qp/+Y88uszWG7a3a31vn1BKjvbjs/54gf9rvDCCgp4
 2PCA==
X-Gm-Message-State: AKwxytcvtFqNE9Njus2hyPgb6yazqQSA47xRBDEG+iOs7oezIl8ByT0J
 8hHAFFxBd8ok2NWqAMAfuo8KXAraWGhy5JTJo1/Z
X-Google-Smtp-Source: ACJfBov0NzKsEFSC2SOH0OxQFnClhwJ67ic7otZgub8rKdj57kyoACLs+jrRLdnFr+rZ3rpWtlrEyhlJwxQFAvlXD4Y=
X-Received: by 10.31.220.193 with SMTP id t184mr14501719vkg.103.1516116704321; 
 Tue, 16 Jan 2018 07:31:44 -0800 (PST)
MIME-Version: 1.0
Received: by 10.176.81.102 with HTTP; Tue, 16 Jan 2018 07:31:43 -0800 (PST)
In-Reply-To: <20180116095730.GP1684@kib.kiev.ua>
References: <20180108175751.GH9701@gmail.com>
 <20180113161026.GR1684@kib.kiev.ua>
 <CAKghNw0Bnqmb7U8f_94-tLVcvqL26EuUZMtj393uo9eudwgbNQ@mail.gmail.com>
 <20180116095730.GP1684@kib.kiev.ua>
From: Gordon Tetlow <gordon@tetlows.org>
Date: Tue, 16 Jan 2018 07:31:43 -0800
Message-ID: <CAKghNw20ewR6X0Fhk1mQfz=LfDRzY3tfGwMdNb=gnrWP_wXZAw@mail.gmail.com>
Subject: Re: Response to Meltdown and Spectre
To: Konstantin Belousov <kostikbel@gmail.com>
Cc: freebsd-security <freebsd-security@freebsd.org>
Content-Type: text/plain; charset="UTF-8"
X-BeenThere: freebsd-security@freebsd.org
X-Mailman-Version: 2.1.25
Precedence: list
List-Id: "Security issues \[members-only posting\]"
 <freebsd-security.freebsd.org>
List-Unsubscribe: <https://lists.freebsd.org/mailman/options/freebsd-security>, 
 <mailto:freebsd-security-request@freebsd.org?subject=unsubscribe>
List-Archive: <http://lists.freebsd.org/pipermail/freebsd-security/>
List-Post: <mailto:freebsd-security@freebsd.org>
List-Help: <mailto:freebsd-security-request@freebsd.org?subject=help>
List-Subscribe: <https://lists.freebsd.org/mailman/listinfo/freebsd-security>, 
 <mailto:freebsd-security-request@freebsd.org?subject=subscribe>
X-List-Received-Date: Tue, 16 Jan 2018 15:31:45 -0000

On Tue, Jan 16, 2018 at 1:57 AM, Konstantin Belousov
<kostikbel@gmail.com> wrote:
> On Mon, Jan 15, 2018 at 09:20:24PM -0800, Gordon Tetlow wrote:
>> On Sat, Jan 13, 2018 at 8:10 AM, Konstantin Belousov
>> <kostikbel@gmail.com> wrote:
>> > On Mon, Jan 08, 2018 at 09:57:51AM -0800, Gordon Tetlow wrote:
>> >> Meltdown (CVE-2017-5754)
>> >> ~~~~~~~~~~~~~~~~~~~~~~~~
>> >> Initial work can be tracked at https://reviews.freebsd.org/D13797.
>> >> Please note this is a work in progress and some stuff is likely to be
>> >> broken.
>> > I consider this patch as ready for review now.
>>
>> Awesome! So, what's next? Do we have some testers we can solicit to
>> beat on this? I believe des@ had a test case to try out? Based on
>> where we are, what needs to be done to get this into the tree?
>> Secondarily, what's needed to get this in shape for 10.3/10.4/11.1?
>
> As expected, nothing happens WRT review.

Who is a good person to review this? alc? (I can't think of any other
VM people out there).

> Peter tested the patch, it seems to be fine. I put shims to allow i386
> to compile. My idea is to flip the default to non-PTI and commit the
> patch as is today.

Is there a reason to leave the PTI off in CURRENT? I'd rather turn it
on and break some stuff to get the testing coverage than to leave it
off.

Gordon

From owner-freebsd-security@freebsd.org  Tue Jan 16 15:54:24 2018
Return-Path: <owner-freebsd-security@freebsd.org>
Delivered-To: freebsd-security@mailman.ysv.freebsd.org
Received: from mx1.freebsd.org (mx1.freebsd.org
 [IPv6:2001:1900:2254:206a::19:1])
 by mailman.ysv.freebsd.org (Postfix) with ESMTP id 3CFBFE7760E
 for <freebsd-security@mailman.ysv.freebsd.org>;
 Tue, 16 Jan 2018 15:54:24 +0000 (UTC)
 (envelope-from kostikbel@gmail.com)
Received: from kib.kiev.ua (kib.kiev.ua [IPv6:2001:470:d5e7:1::1])
 (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits))
 (Client did not present a certificate)
 by mx1.freebsd.org (Postfix) with ESMTPS id 7A28F7FFD1
 for <freebsd-security@freebsd.org>; Tue, 16 Jan 2018 15:54:23 +0000 (UTC)
 (envelope-from kostikbel@gmail.com)
Received: from tom.home (kib@localhost [127.0.0.1])
 by kib.kiev.ua (8.15.2/8.15.2) with ESMTPS id w0GFsA2a075929
 (version=TLSv1.2 cipher=DHE-RSA-AES256-GCM-SHA384 bits=256 verify=NO);
 Tue, 16 Jan 2018 17:54:13 +0200 (EET)
 (envelope-from kostikbel@gmail.com)
DKIM-Filter: OpenDKIM Filter v2.10.3 kib.kiev.ua w0GFsA2a075929
Received: (from kostik@localhost)
 by tom.home (8.15.2/8.15.2/Submit) id w0GFsA0o075928;
 Tue, 16 Jan 2018 17:54:10 +0200 (EET)
 (envelope-from kostikbel@gmail.com)
X-Authentication-Warning: tom.home: kostik set sender to kostikbel@gmail.com
 using -f
Date: Tue, 16 Jan 2018 17:54:10 +0200
From: Konstantin Belousov <kostikbel@gmail.com>
To: Gordon Tetlow <gordon@tetlows.org>
Cc: freebsd-security <freebsd-security@freebsd.org>
Subject: Re: Response to Meltdown and Spectre
Message-ID: <20180116155410.GC55707@kib.kiev.ua>
References: <20180108175751.GH9701@gmail.com>
 <20180113161026.GR1684@kib.kiev.ua>
 <CAKghNw0Bnqmb7U8f_94-tLVcvqL26EuUZMtj393uo9eudwgbNQ@mail.gmail.com>
 <20180116095730.GP1684@kib.kiev.ua>
 <CAKghNw20ewR6X0Fhk1mQfz=LfDRzY3tfGwMdNb=gnrWP_wXZAw@mail.gmail.com>
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
In-Reply-To: <CAKghNw20ewR6X0Fhk1mQfz=LfDRzY3tfGwMdNb=gnrWP_wXZAw@mail.gmail.com>
User-Agent: Mutt/1.9.2 (2017-12-15)
X-Spam-Status: No, score=-2.0 required=5.0 tests=ALL_TRUSTED,BAYES_00,
 DKIM_ADSP_CUSTOM_MED,FREEMAIL_FROM,NML_ADSP_CUSTOM_MED autolearn=no
 autolearn_force=no version=3.4.1
X-Spam-Checker-Version: SpamAssassin 3.4.1 (2015-04-28) on tom.home
X-BeenThere: freebsd-security@freebsd.org
X-Mailman-Version: 2.1.25
Precedence: list
List-Id: "Security issues \[members-only posting\]"
 <freebsd-security.freebsd.org>
List-Unsubscribe: <https://lists.freebsd.org/mailman/options/freebsd-security>, 
 <mailto:freebsd-security-request@freebsd.org?subject=unsubscribe>
List-Archive: <http://lists.freebsd.org/pipermail/freebsd-security/>
List-Post: <mailto:freebsd-security@freebsd.org>
List-Help: <mailto:freebsd-security-request@freebsd.org?subject=help>
List-Subscribe: <https://lists.freebsd.org/mailman/listinfo/freebsd-security>, 
 <mailto:freebsd-security-request@freebsd.org?subject=subscribe>
X-List-Received-Date: Tue, 16 Jan 2018 15:54:24 -0000

On Tue, Jan 16, 2018 at 07:31:43AM -0800, Gordon Tetlow wrote:
> On Tue, Jan 16, 2018 at 1:57 AM, Konstantin Belousov
> <kostikbel@gmail.com> wrote:
> > On Mon, Jan 15, 2018 at 09:20:24PM -0800, Gordon Tetlow wrote:
> >> On Sat, Jan 13, 2018 at 8:10 AM, Konstantin Belousov
> >> <kostikbel@gmail.com> wrote:
> >> > On Mon, Jan 08, 2018 at 09:57:51AM -0800, Gordon Tetlow wrote:
> >> >> Meltdown (CVE-2017-5754)
> >> >> ~~~~~~~~~~~~~~~~~~~~~~~~
> >> >> Initial work can be tracked at https://reviews.freebsd.org/D13797.
> >> >> Please note this is a work in progress and some stuff is likely to be
> >> >> broken.
> >> > I consider this patch as ready for review now.
> >>
> >> Awesome! So, what's next? Do we have some testers we can solicit to
> >> beat on this? I believe des@ had a test case to try out? Based on
> >> where we are, what needs to be done to get this into the tree?
> >> Secondarily, what's needed to get this in shape for 10.3/10.4/11.1?
> >
> > As expected, nothing happens WRT review.
> 
> Who is a good person to review this? alc? (I can't think of any other
> VM people out there).
amd64 pmap is only smaller part of the patch, the trampoline code is IMO
both more risky and more complicated.

> 
> > Peter tested the patch, it seems to be fine. I put shims to allow i386
> > to compile. My idea is to flip the default to non-PTI and commit the
> > patch as is today.
> 
> Is there a reason to leave the PTI off in CURRENT? I'd rather turn it
> on and break some stuff to get the testing coverage than to leave it
> off.

Because there is a lot of whine about performance, including
uncertainity about several CPU families, because we still do not have
have a test tool, and because there are some bits broken more than in
non-pti kernel.

From owner-freebsd-security@freebsd.org  Tue Jan 16 17:19:53 2018
Return-Path: <owner-freebsd-security@freebsd.org>
Delivered-To: freebsd-security@mailman.ysv.freebsd.org
Received: from mx1.freebsd.org (mx1.freebsd.org
 [IPv6:2001:1900:2254:206a::19:1])
 by mailman.ysv.freebsd.org (Postfix) with ESMTP id 719E7E7BEF2
 for <freebsd-security@mailman.ysv.freebsd.org>;
 Tue, 16 Jan 2018 17:19:53 +0000 (UTC)
 (envelope-from cy.schubert@komquats.com)
Received: from smtp-out-so.shaw.ca (smtp-out-so.shaw.ca [64.59.136.137])
 (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits))
 (Client CN "Client", Issuer "CA" (not verified))
 by mx1.freebsd.org (Postfix) with ESMTPS id 3FDC38399B
 for <freebsd-security@freebsd.org>; Tue, 16 Jan 2018 17:19:52 +0000 (UTC)
 (envelope-from cy.schubert@komquats.com)
Received: from spqr.komquats.com ([96.50.22.10]) by shaw.ca with ESMTPA
 id bUtkeCYeFS7BpbUtme8YbP; Tue, 16 Jan 2018 10:19:46 -0700
X-Authority-Analysis: v=2.2 cv=NKylwwyg c=1 sm=1 tr=0
 a=jvE2nwUzI0ECrNeyr98KWA==:117 a=jvE2nwUzI0ECrNeyr98KWA==:17
 a=RgaUWeydRksA:10 a=PjuYqXk4AAAA:8 a=YxBL1-UpAAAA:8 a=6I5d2MoRAAAA:8
 a=vJce8p9ejQWfq4NfUNsA:9 a=lrjkCZcvI0hc4X9k:21 a=WkpC1dCZMyy1C9iA:21
 a=pILNOxqGKmIA:10 a=M6LpCEiEi-QA:10 a=H3UEXQhoATeSqmIpcaMA:9
 a=caek9dnBwOzLWiHm:21 a=_W_S_7VecoQA:10 a=Ia-lj3WSrqcvXOmTRaiG:22
 a=IjZwj45LgO3ly-622nXo:22
Received: from [10.168.3.140] (S0106d4ca6d8943b0.gv.shawcable.net
 [70.66.132.207])
 by spqr.komquats.com (Postfix) with ESMTPSA id 0BD75181E;
 Tue, 16 Jan 2018 09:17:44 -0800 (PST)
MIME-Version: 1.0
From: Cy Schubert <Cy.Schubert@komquats.com>
Subject: VMware pulling Intel specter patches
Date: Tue, 16 Jan 2018 09:18:47 -0800
To: "freebsd-security@freebsd.org" <freebsd-security@freebsd.org>
Message-Id: <20180116171745.0BD75181E@spqr.komquats.com>
X-CMAE-Envelope: MS4wfGY7lBXFbPI6RcSPK35Cf+dtcs0twPBVwogEXy6D3nR49rf9F2aqN0LyaYI60ZVggYULf1RJZRQmW/CucpCPjKGO2KEpby0e3DO4wHUFxDAYFFYK8lww
 t0t9+8XEUrdZKchK7GgyW3My7xa2e44f5RsHNpUtJBTEDlIL2ZkJMeRcqg2VObfJHd1vF1hvwy8YNw==
X-Mailman-Approved-At: Tue, 16 Jan 2018 17:23:42 +0000
Content-Type: text/plain; charset="Windows-1252"
Content-Transfer-Encoding: quoted-printable
X-Content-Filtered-By: Mailman/MimeDel 2.1.25
X-BeenThere: freebsd-security@freebsd.org
X-Mailman-Version: 2.1.25
Precedence: list
List-Id: "Security issues \[members-only posting\]"
 <freebsd-security.freebsd.org>
List-Unsubscribe: <https://lists.freebsd.org/mailman/options/freebsd-security>, 
 <mailto:freebsd-security-request@freebsd.org?subject=unsubscribe>
List-Archive: <http://lists.freebsd.org/pipermail/freebsd-security/>
List-Post: <mailto:freebsd-security@freebsd.org>
List-Help: <mailto:freebsd-security-request@freebsd.org?subject=help>
List-Subscribe: <https://lists.freebsd.org/mailman/listinfo/freebsd-security>, 
 <mailto:freebsd-security-request@freebsd.org?subject=subscribe>
X-List-Received-Date: Tue, 16 Jan 2018 17:19:53 -0000

Might we be jumping the gun with updated firmware in devcpu-data?

https://www.reddit.com/r/sysadmin/comments/7qjnfx/vmware_pulled_spectre_pat=
ches_on_friday/

---
Sent using a tiny phone keyboard.
Apologies for any typos and autocorrect.
Also, this old phone only supports top post. Apologies.

Cy Schubert
<Cy.Schubert@cschubert.com> or <cy@freebsd.org>
The need of the many outweighs the greed of the few.
---=

From owner-freebsd-security@freebsd.org  Tue Jan 16 17:50:11 2018
Return-Path: <owner-freebsd-security@freebsd.org>
Delivered-To: freebsd-security@mailman.ysv.freebsd.org
Received: from mx1.freebsd.org (mx1.freebsd.org
 [IPv6:2001:1900:2254:206a::19:1])
 by mailman.ysv.freebsd.org (Postfix) with ESMTP id 2F8D6E7DB2F
 for <freebsd-security@mailman.ysv.freebsd.org>;
 Tue, 16 Jan 2018 17:50:11 +0000 (UTC)
 (envelope-from shawn.webb@hardenedbsd.org)
Received: from mail-wr0-x22d.google.com (mail-wr0-x22d.google.com
 [IPv6:2a00:1450:400c:c0c::22d])
 (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits))
 (Client CN "smtp.gmail.com",
 Issuer "Google Internet Authority G2" (verified OK))
 by mx1.freebsd.org (Postfix) with ESMTPS id B3C0512D6
 for <freebsd-security@freebsd.org>; Tue, 16 Jan 2018 17:50:10 +0000 (UTC)
 (envelope-from shawn.webb@hardenedbsd.org)
Received: by mail-wr0-x22d.google.com with SMTP id g38so12928706wrd.2
 for <freebsd-security@freebsd.org>; Tue, 16 Jan 2018 09:50:10 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
 d=hardenedbsd-org.20150623.gappssmtp.com; s=20150623;
 h=date:from:to:cc:subject:message-id:references:mime-version
 :content-disposition:in-reply-to:user-agent;
 bh=yvccgUAtjr5Q2LTA8vrD0ACBYfQWH6wyB64Ah/QEDYE=;
 b=NWTyT4/b1GwSGOVk/1C+pO4nLu/Bv7Pb1lb75tEG4p3t6T8k1YCk35/eqB0nUoYtvJ
 WKcrw+kC/Bf12LYghqNgYEp2PchYQJwdpMQ+2GI0h7ahiYkw/wqG1tQbYTMQl5eh545o
 Ayn6/MEsXLUAdIVqUZflfLaCuGKNgYvMMuP8JgFa+MX/zcLD2GlUuxGqrHRRaLT6/9Tu
 vEzN4GiER4K2eeuiwtXlgzqBChFCEI5ARzhwkFkDOtEeneG7Z7hOImTg3xXcfnoWRMfz
 QCrY7k39Y1dY4F71eO//SVjoz7cp/8R07URyMx39b/YxsRduKqrDa1MEPOMfJ6D1oqAP
 gyig==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
 d=1e100.net; s=20161025;
 h=x-gm-message-state:date:from:to:cc:subject:message-id:references
 :mime-version:content-disposition:in-reply-to:user-agent;
 bh=yvccgUAtjr5Q2LTA8vrD0ACBYfQWH6wyB64Ah/QEDYE=;
 b=jO9MuRgWqbpgvB5cYhuM5m7Zomus44v3HOZO66lbFX1yG9kza5J+fQ3Fxm2IhEbJz/
 Ll303IWML4PRm3UJpqIEtY0rwOHv+12lxxCu7zfo69iiGkEsQ0sN0IHlRCTOaZnz3igs
 gdY+MZafNjs/4Gy3QPr/fNnDbMOyj4s53GBrHz0h+in1GxAL1Xe6rUZjVoIf3xu7E/CI
 83DdPoUt1oCch/mWznpvUssdl1MWxLSZ4NcjlLVzMOhlYu9O2+Uy2GnNRWybWN1q7Hew
 KWrhh0C6A9ZTddyH+Lu3XMVee30QMRTq5+/kZlMoR9eiIVObAUUHniUeRggmTrPt/YjW
 2owg==
X-Gm-Message-State: AKwxytckDrE/lbpxl5ILgtaU/N4mMEt3bZFvHpH7JSvCzXIIC9DUK4QY
 F3n6NIWpRlCL+q9YSpdf3/czfr5TaWM=
X-Google-Smtp-Source: ACJfBouyeAel7dRU9cPKzyb1fAAJlwLerSGLhlbJzkL3kKcQPzu0VI43VkJAppCL79IerSeUmKJWZg==
X-Received: by 10.223.176.79 with SMTP id g15mr28871wra.34.1516125009059;
 Tue, 16 Jan 2018 09:50:09 -0800 (PST)
Received: from mutt-hbsd ([216.218.222.12])
 by smtp.gmail.com with ESMTPSA id k35sm2794432wrc.2.2018.01.16.09.50.05
 (version=TLS1_2 cipher=ECDHE-RSA-CHACHA20-POLY1305 bits=256/256);
 Tue, 16 Jan 2018 09:50:08 -0800 (PST)
Date: Tue, 16 Jan 2018 12:49:52 -0500
From: Shawn Webb <shawn.webb@hardenedbsd.org>
To: Cy Schubert <Cy.Schubert@komquats.com>
Cc: "freebsd-security@freebsd.org" <freebsd-security@freebsd.org>
Subject: Re: VMware pulling Intel specter patches
Message-ID: <20180116174952.n7asjhyw66fnkicu@mutt-hbsd>
References: <20180116171745.0BD75181E@spqr.komquats.com>
MIME-Version: 1.0
Content-Type: multipart/signed; micalg=pgp-sha256;
 protocol="application/pgp-signature"; boundary="uslwilkkwq3qkf6z"
Content-Disposition: inline
In-Reply-To: <20180116171745.0BD75181E@spqr.komquats.com>
X-Operating-System: FreeBSD mutt-hbsd 12.0-CURRENT FreeBSD 12.0-CURRENT 
X-PGP-Key: http://pgp.mit.edu/pks/lookup?op=vindex&search=0x6A84658F52456EEE
User-Agent: NeoMutt/20171208
X-BeenThere: freebsd-security@freebsd.org
X-Mailman-Version: 2.1.25
Precedence: list
List-Id: "Security issues \[members-only posting\]"
 <freebsd-security.freebsd.org>
List-Unsubscribe: <https://lists.freebsd.org/mailman/options/freebsd-security>, 
 <mailto:freebsd-security-request@freebsd.org?subject=unsubscribe>
List-Archive: <http://lists.freebsd.org/pipermail/freebsd-security/>
List-Post: <mailto:freebsd-security@freebsd.org>
List-Help: <mailto:freebsd-security-request@freebsd.org?subject=help>
List-Subscribe: <https://lists.freebsd.org/mailman/listinfo/freebsd-security>, 
 <mailto:freebsd-security-request@freebsd.org?subject=subscribe>
X-List-Received-Date: Tue, 16 Jan 2018 17:50:11 -0000


--uslwilkkwq3qkf6z
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
Content-Transfer-Encoding: quoted-printable

On Tue, Jan 16, 2018 at 09:18:47AM -0800, Cy Schubert wrote:
> Might we be jumping the gun with updated firmware in devcpu-data?
>=20
> https://www.reddit.com/r/sysadmin/comments/7qjnfx/vmware_pulled_spectre_p=
atches_on_friday/

=46rom what I understand, the new Intel microcode only makes sense if
retpoline is used. On Skylake and above, retpoline by itself isn't
100% effective against Spectre. On those systems, retpoline requires
the new Intel microcode update along with enabling the new IBRS
feature that comes with it.

Simply updating the microcode on Intel systems doesn't really do much
on its own.

Granted, I could have misread and be completely wrong. Please let me
know if I am.

Thanks,

--=20
Shawn Webb
Cofounder and Security Engineer
HardenedBSD

Tor-ified Signal:    +1 443-546-8752
GPG Key ID:          0x6A84658F52456EEE
GPG Key Fingerprint: 2ABA B6BD EF6A F486 BE89  3D9E 6A84 658F 5245 6EEE

--uslwilkkwq3qkf6z
Content-Type: application/pgp-signature; name="signature.asc"

-----BEGIN PGP SIGNATURE-----

iQIzBAEBCAAdFiEEKrq2ve9q9Ia+iT2eaoRlj1JFbu4FAlpeOzwACgkQaoRlj1JF
bu78pQ/+JIEQeIEFms2BQZTlt0AeU3noBicJGnIrHB34RxtOXac2A50d1JVcEMKl
MiFVqpMlQwF3PCgHqSlg9CHKax9c4MRKV36oyVhhSS5qA/f4JOTZ8G7zSDh1/8aN
TTs+dMfK7MFw9oQ1mAacC3/tpMuD+6rDnMlYhaP2mxHxzhIuaCU3zspzpfTIvrJ1
fV67YaSAcE3XCOIlXuQAqVIRZbJ1/zMOvr+AYn07ssvYEoEWjeqDHJORFiIrlkyA
NiTSE808tSQctcSgPa57zHR4M+Yb/85naUvG/c27axXOgMBn4An1XL3stXU6Eh7o
41XYPIIoSx83N5+2t48cVAD1u/EKOJP3BCdCaaZaXj6bAHx6s11yBxnBb6M5e4mG
pbyfoHZ6o+UJzO3g3fUYzjbnwRkQgJNybK0L7QxmN3f3KXn8d9TdC1mMVOjJMo7n
4NKElZR6nBTmITY7F1YpA6q5tXMsaYDOVNS3b3Dvm05huimo6pOswa9lULjaL69Q
9hSo5GmxPKBVCrJ5Ij4+kHr0rvlkV8BtNU2WO0mbaWtXNLBx43g2zn7FKnkq3TiL
S3E76xps6FhUmjfN9N0B5MJnn8ecOj24qzQcwhEbMi9m8CpjbtVWvrcmkM/nRv2y
qGcO+/P6L2oxBLmOt7igNkUJxA1PTfFZazcFZL5y9J/dK5gYvhQ=
=3ChP
-----END PGP SIGNATURE-----

--uslwilkkwq3qkf6z--

From owner-freebsd-security@freebsd.org  Wed Jan 17 14:21:00 2018
Return-Path: <owner-freebsd-security@freebsd.org>
Delivered-To: freebsd-security@mailman.ysv.freebsd.org
Received: from mx1.freebsd.org (mx1.freebsd.org
 [IPv6:2001:1900:2254:206a::19:1])
 by mailman.ysv.freebsd.org (Postfix) with ESMTP id DE7B8E73167
 for <freebsd-security@mailman.ysv.freebsd.org>;
 Wed, 17 Jan 2018 14:21:00 +0000 (UTC)
 (envelope-from brahma.gdb@gmail.com)
Received: from mail-io0-x231.google.com (mail-io0-x231.google.com
 [IPv6:2607:f8b0:4001:c06::231])
 (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits))
 (Client CN "smtp.gmail.com",
 Issuer "Google Internet Authority G2" (verified OK))
 by mx1.freebsd.org (Postfix) with ESMTPS id A0A51714CC
 for <freebsd-security@freebsd.org>; Wed, 17 Jan 2018 14:21:00 +0000 (UTC)
 (envelope-from brahma.gdb@gmail.com)
Received: by mail-io0-x231.google.com with SMTP id 25so21005915ioj.9
 for <freebsd-security@freebsd.org>; Wed, 17 Jan 2018 06:21:00 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025;
 h=mime-version:in-reply-to:references:from:date:message-id:subject:to
 :cc; bh=bMjl26Vtb9+0idX714Jm7NY+W2ML04WB/R2XL5a+uyg=;
 b=uZeW0Mak0tQH9nHnge8SRk3Yg6OC7Ixv1XpECwhyTvE0fJQudaJ3FCkv/8Jfc4noeH
 swfx1rAnMkJvC3Uf2KoHdaNuHsW1z2nmDbFG3DNmUiQaIXV8dm+RpBO50/VSE7OR6QiA
 SLC7w7UgIIyLFg8pN1ptacTUKCMsatRmW4y1VdEEA3ggT0btv8IaOZsp4hJNKtkC4AO6
 Bvc/59KzGx/YWbuC6d+rHnZ8KrwYZbkMnklZ+gU1KOA01R0NDwHZAFmYbHRMxc/Kh4Mi
 Y5PzhZY+9gBVTP8z9rk4/SDHTabURx44Qsy3Znan8k5HW/UOivdril1ILDFpzvIGiu+q
 ct5w==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
 d=1e100.net; s=20161025;
 h=x-gm-message-state:mime-version:in-reply-to:references:from:date
 :message-id:subject:to:cc;
 bh=bMjl26Vtb9+0idX714Jm7NY+W2ML04WB/R2XL5a+uyg=;
 b=qbeKjJ3hQoh/BRpHXnDKwHdq0z5tHmeXw3Vd4QmzZ4yiFGpro+MZKvshXVWGpt1gxz
 nDzwPe3ht9IG13VNjqkP1eMyk1QDAPrhI4+//mipB0cf6GhBDv/Dx8M7/ZzaxRIB1ipj
 cx1Qbi56+UehOEg8bb+hm2Dy3jucm0R7Cnxi96ruj9EqdEz1uPS+FcE/f1fYvSw3oFQN
 fAM5WHvSbncK61rNkEzfE7CeLO4g+/yRr/ba25yWEqyqtjA2NxksSOd6iZPsjnkf58mc
 4rz2yKxexMmA+GwONDH74BIzvGO3OqFm9j5b4BTl6rb/aU7gRwK6z0vpfHbzcfuTDZ/Z
 j2gw==
X-Gm-Message-State: AKwxytcsWJa+Gt5J/SFv6pbe/IO0zkGZhx92L11xHTZ1djADHeGUHuuY
 0pFX6Ap6QcUOId5c4HJnGdSRYEHgFnuQybjuJVh/Gw==
X-Google-Smtp-Source: ACJfBovUFIGPJYQBOvgQoaoeLEEt5jEfSR5PMwGw03dRAmZyTNbkXtHpWTcLie4Jf1I8ieD5fGlS1/QsfC6x2RTOjGA=
X-Received: by 10.107.82.15 with SMTP id g15mr11135708iob.157.1516198859935;
 Wed, 17 Jan 2018 06:20:59 -0800 (PST)
MIME-Version: 1.0
Received: by 10.79.46.85 with HTTP; Wed, 17 Jan 2018 06:20:59 -0800 (PST)
In-Reply-To: <20180112074115.GB75633@server.rulingia.com>
References: <CAKsRH7nsVmhSMUT7TNzGfuN55_J9BkLBzO=8dvjLGvOZtri+uQ@mail.gmail.com>
 <CAKsRH7nsUfkkLfoEuJXBcVpH+gnNRpLNb0fjxkJN-xKQnenuQg@mail.gmail.com>
 <44k1wnes1w.fsf@be-well.ilk.org>
 <CAKsRH7=hyRPG6vEUi_tYSUXtSr58WKoegaDhNzG_qSQie=aUpQ@mail.gmail.com>
 <20180112061425.GA75633@server.rulingia.com>
 <CAKsRH7k=daNfKzjVoyqhDeXj5Z1G1C5-Xt4uA2LRs3dUsGZKyw@mail.gmail.com>
 <20180112074115.GB75633@server.rulingia.com>
From: Brahmanand Reddy <brahma.gdb@gmail.com>
Date: Wed, 17 Jan 2018 19:50:59 +0530
Message-ID: <CAKsRH7=QfQkaM-efJraE9vJd0rVNvCtUa+-DLs9eQ8AA7oYTuA@mail.gmail.com>
Subject: Re: Need FreeBSD-SA-00:52(TCP uses weak initial sequence numbers)
 latest patch
To: Peter Jeremy <peter@rulingia.com>
Cc: freebsd-security@freebsd.org
X-Mailman-Approved-At: Wed, 17 Jan 2018 16:16:55 +0000
Content-Type: text/plain; charset="UTF-8"
X-Content-Filtered-By: Mailman/MimeDel 2.1.25
X-BeenThere: freebsd-security@freebsd.org
X-Mailman-Version: 2.1.25
Precedence: list
List-Id: "Security issues \[members-only posting\]"
 <freebsd-security.freebsd.org>
List-Unsubscribe: <https://lists.freebsd.org/mailman/options/freebsd-security>, 
 <mailto:freebsd-security-request@freebsd.org?subject=unsubscribe>
List-Archive: <http://lists.freebsd.org/pipermail/freebsd-security/>
List-Post: <mailto:freebsd-security@freebsd.org>
List-Help: <mailto:freebsd-security-request@freebsd.org?subject=help>
List-Subscribe: <https://lists.freebsd.org/mailman/listinfo/freebsd-security>, 
 <mailto:freebsd-security-request@freebsd.org?subject=subscribe>
X-List-Received-Date: Wed, 17 Jan 2018 14:21:01 -0000

Hi Peter,

My last question on this ,  recently  "Replaced the kernel RC4(arc4random)
with Chacha20" on 11.0 kernel should we apply on 10.4 kernel ??
 please find the corresponding review and fix
https://reviews.freebsd.org/D10048 and  https://reviews.freebsd.org/rS317015


Thanks in advance,
Brahma

On Fri, Jan 12, 2018 at 1:11 PM, Peter Jeremy <peter@rulingia.com> wrote:

> On 2018-Jan-12 12:33:21 +0530, Brahmanand Reddy <brahma.gdb@gmail.com>
> wrote:
> >TCP uses weak initial sequence numbers
> >https://www.freebsd.org/security/advisories/FreeBSD-
> SA-00%3A52.tcp-iss.asc
>
> As has been pointed out to you several times in this thread, that SA is
> nearly 20 years old and there is no evidence that TCP on any recent FreeBSD
> uses weak ISNs.
>
> >actually "arc4random()"  will take care on  https://github.com/freebsd/
> >freebsd/blob/master/sys/netinet/tcp_subr.c#L2374
>
> Without studying the code in detail, that code appears to correctly use
> arc4random() to initialise the ISN - which is as expected.
>
> > I suspecting 10.4 already having fix... but i didn't found on exactly
> >which this problem from  https://www.freebsd.org/security/patches/
>
> Well, the original patch is
> https://www.freebsd.org/security/patches/SA-00%3A52/ and was committed
> as what is now https://svnweb.freebsd.org/base?view=revision&revision=
> 66433
> Since that patch is integrated into the FreeBSD codebase, there's no need
> to update the contents of https://www.freebsd.org/
> security/patches/SA-00%3A52/
> and it is not relevant to the current codebase.
>
> >  i would like expecting where is the fix in 10,4 kernel.
>
> That code was re-written in r82122, retaining the use of arc4random() for
> ISN initialisation.  As a result, it's no longer possible to point at
> specific code and say "that code fixes weak TCP ISNs".
>
> --
> Peter Jeremy
>

From owner-freebsd-security@freebsd.org  Wed Jan 17 17:24:52 2018
Return-Path: <owner-freebsd-security@freebsd.org>
Delivered-To: freebsd-security@mailman.ysv.freebsd.org
Received: from mx1.freebsd.org (mx1.freebsd.org
 [IPv6:2001:1900:2254:206a::19:1])
 by mailman.ysv.freebsd.org (Postfix) with ESMTP id 2F3ADE7C3DC
 for <freebsd-security@mailman.ysv.freebsd.org>;
 Wed, 17 Jan 2018 17:24:52 +0000 (UTC)
 (envelope-from toasty@dragondata.com)
Received: from mail-io0-x22a.google.com (mail-io0-x22a.google.com
 [IPv6:2607:f8b0:4001:c06::22a])
 (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits))
 (Client CN "smtp.gmail.com",
 Issuer "Google Internet Authority G2" (verified OK))
 by mx1.freebsd.org (Postfix) with ESMTPS id F069F78EEC
 for <FreeBSD-security@freebsd.org>; Wed, 17 Jan 2018 17:24:51 +0000 (UTC)
 (envelope-from toasty@dragondata.com)
Received: by mail-io0-x22a.google.com with SMTP id 25so21680231ioj.9
 for <FreeBSD-security@freebsd.org>; Wed, 17 Jan 2018 09:24:51 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
 d=dragondata.com; s=google;
 h=mime-version:subject:from:in-reply-to:date:cc
 :content-transfer-encoding:message-id:references:to;
 bh=pbbKIHH1WFALFy3cEiEzfjtr1/8pYEz+s3nU1MJXTvs=;
 b=PVX3cEQXckBwZ4EIrrfrm9IQu9cX6YyF6/h0KtDy5UKIrQ3t5znuPSSi55zPZOb10G
 bxc6BVxfgcZCU9y3KBe2ast5co9tY7RC2OV/fnDm4dzFN0DA4YU1MeynrEbP4Kip+Rcp
 AFj0GF2wA5QsMBewjeiX5pOnjCD6dLWZtxgJk=
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
 d=1e100.net; s=20161025;
 h=x-gm-message-state:mime-version:subject:from:in-reply-to:date:cc
 :content-transfer-encoding:message-id:references:to;
 bh=pbbKIHH1WFALFy3cEiEzfjtr1/8pYEz+s3nU1MJXTvs=;
 b=b+5PZb1HbIggoTDj1+cxgAvbRU0B0jLRiUj61UYl5v+E0BpHsa3hRmlbr5l7HOHXFZ
 bAobaQtc7A5qLnLigRM8MjroYc4mITBYTPLjJXiT4z7Gv5K8HzkWQ8Owb7nQSjBucSTk
 YXoodQDIWvmJDPCGWtlYB3+5FiMe6+pgfpw6W6l8IuEE5Y1pyearyBCVxT+xY+H3+yB7
 tLJCPUD9XGKDhomJuWkRi2o4ZqaGLI79OZSlzAkKnAkpKUkrgRCutjM5qHiqi/RjZAxH
 Yg/lRex/sbU2pKBnIin2YRs/Xo5ndBgXZY9psNYxm7ZpA+x3DNjoy4OSSPAc6L9e5gy7
 MOFQ==
X-Gm-Message-State: AKwxytedMHjN//HXgd5EAOby06i7DE4ZB+aLQXQryKiFQNQAgBt9Ubiv
 1rHx0kHLiV2kCmM/6c6m6eHz9RMNJyo=
X-Google-Smtp-Source: ACJfBovE0vIf8ey1/rBPZrcYkB1848vgIGZnIJnnrgy1oc4kRXpZX6sjG8iTEyEnv1P+gWxFptqRig==
X-Received: by 10.107.136.68 with SMTP id k65mr20964636iod.145.1516209891145; 
 Wed, 17 Jan 2018 09:24:51 -0800 (PST)
Received: from unassigned.v6.your.org ([2001:4978:1:45:7d12:36f7:8059:da7b])
 by smtp.gmail.com with ESMTPSA id k75sm2711480iod.27.2018.01.17.09.24.50
 (version=TLS1_2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128/128);
 Wed, 17 Jan 2018 09:24:50 -0800 (PST)
Content-Type: text/plain;
	charset=us-ascii
Mime-Version: 1.0 (Mac OS X Mail 11.2 \(3445.5.20\))
Subject: Re: Need FreeBSD-SA-00:52(TCP uses weak initial sequence numbers)
 latest patch
From: Kevin Day <toasty@dragondata.com>
In-Reply-To: <CAKsRH7kX_61MxjK32h0zYc=MejPTYMX6BxAjAfuuRVUxpGhZwg@mail.gmail.com>
Date: Wed, 17 Jan 2018 11:24:48 -0600
Cc: FreeBSD-security@freebsd.org
Content-Transfer-Encoding: quoted-printable
Message-Id: <7E7F9FCF-BA42-4B3C-871E-2DDC1229D14D@dragondata.com>
References: <CAKsRH7nsVmhSMUT7TNzGfuN55_J9BkLBzO=8dvjLGvOZtri+uQ@mail.gmail.com>
 <20180111171545.GC68137@fc.opsec.eu>
 <CAKsRH7kX_61MxjK32h0zYc=MejPTYMX6BxAjAfuuRVUxpGhZwg@mail.gmail.com>
To: Brahmanand Reddy <brahma.gdb@gmail.com>
X-Mailer: Apple Mail (2.3445.5.20)
X-BeenThere: freebsd-security@freebsd.org
X-Mailman-Version: 2.1.25
Precedence: list
List-Id: "Security issues \[members-only posting\]"
 <freebsd-security.freebsd.org>
List-Unsubscribe: <https://lists.freebsd.org/mailman/options/freebsd-security>, 
 <mailto:freebsd-security-request@freebsd.org?subject=unsubscribe>
List-Archive: <http://lists.freebsd.org/pipermail/freebsd-security/>
List-Post: <mailto:freebsd-security@freebsd.org>
List-Help: <mailto:freebsd-security-request@freebsd.org?subject=help>
List-Subscribe: <https://lists.freebsd.org/mailman/listinfo/freebsd-security>, 
 <mailto:freebsd-security-request@freebsd.org?subject=subscribe>
X-List-Received-Date: Wed, 17 Jan 2018 17:24:52 -0000

I think the confusion here is that your test program below has a bug - =
your RST packet is invalid so it's not closing the socket on the other =
side.

If you look at how a normal RST is generated normally:

17:13:42.626365 IP src.26057 > dst.22: Flags [S], seq 472216885, win =
65535, length 0
17:13:42.626504 IP dst.22 > src.26057: Flags [S.], seq 3592434473, ack =
472216886, win 65535, length 0
17:13:42.626512 IP src.26057 > dst.22: Flags [R], seq 472216886, win 0, =
length 0

Notice that the third packet (the RST packet) uses the sequence number =
that the SYN had plus 1. Your program is using the SYNACK packet's =
sequence number in the RST, which would look like this instead:


17:13:42.626365 IP src.26057 > dst.22: Flags [S], seq 472216885, win =
65535, length 0
17:13:42.626504 IP dst.22 > src.26057: Flags [S.], seq 3592434473, ack =
472216886, win 65535, length 0
17:13:42.626512 IP src.26057 > dst.22: Flags [R], seq 3592434473, win 0, =
length 0

The dst system is treating this as an invalid RST packet because the =
sequence number is incorrect and completely ignoring it, leaving the =
socket still half open. When you send the SYN2 packet with the same =
source and destination port, and the dst system still has the socket =
open, it's going to repeat the same SYNACK back to you.

If you change your program to send a RST with a sequence of the initial =
SYN plus 1, you'll actually reset the connection and see the behavior =
you're looking for. You're seeing the same ISN because your RST isn't =
closing the connection on the other side, so the dst system is still =
trying to open the original socket.



> On Jan 11, 2018, at 7:20 PM, Brahmanand Reddy <brahma.gdb@gmail.com> =
wrote:
>=20
> Hi Kurt,
>=20
> Thanks lot responding my mail,
>=20
> Please explain why you think this should be an issue for FreeBSD 10.2 =
?
>=20
> Currently  i am using 10.2 and 10.4,  i found this =
problem/vulnerability
> still exist using below script
>=20
> #!/usr/local/bin/python
> from scapy.all import *
>=20
> # VARIABLES
> src =3D str(input('IP SRC: '))
> dst =3D str(input('IP DST: '))
>=20
> sport =3D random.randint(1024,65535)
> dport =3D int(input("DST PORT: "))
>=20
>=20
> # SYN
> ip=3DIP(src=3Dsrc,dst=3Ddst)
> =
SYN=3DTCP(sport=3Dsport,dport=3Ddport,flags=3D'S',seq=3Drandom.randint(102=
4,1048576),
> ack=3D0)
> SYNACK=3Dsr1(ip/SYN)
> print('Seq1 Number is :',SYNACK[TCP].seq)             =3D=3D> Seq1
>=20
> # RST
> RST=3DTCP(sport=3Dsport, dport=3Ddport, flags=3D'R', seq=3DSYNACK.ack, =
ack=3D0)
> send(ip/RST)
>=20
> #SYN
> =
SYN2=3DTCP(sport=3Dsport,dport=3Ddport,flags=3D'S',seq=3Drandom.randint(10=
24,1048576),
> ack=3D0)
> SYNACK2=3Dsr1(ip/SYN2)
> print('Seq2 Number is :',SYNACK2[TCP].seq)                           =
=3D=3D>
> same ISN  number  i observed/receiving.
>=20
>  I mean seq1=3Dseq2, TCP ISN reusing.
>=20
> i think  the patch is available on 10.4 on wards,   but i dint found
> exactly/similar patch from https://www.freebsd.org/security/patches/
>=20
>  It could be great to confirm what is the corresponding latest patch =
this
> problem would be solved.    Kindly correct me anything i am missing.
>=20
>=20
> Sincerely,
> Brahma
>=20
>=20
>=20
>=20
> On Thu, Jan 11, 2018 at 10:45 PM, Kurt Jaeger <pi@freebsd.org> wrote:
>=20
>> Hi!
>>=20
>>> Please share the corresponding FreeBSD-SA-00:52(*TCP uses weak =
initial
>>> sequence numbers*) latest patch.
>>>=20
>>> the original problem reported on :
>>> https://www.freebsd.org/security/advisories/FreeBSD-
>> SA-00%3A52.tcp-iss.asc
>>=20
>> That's a security annoucement for FreeBSD 3.x to 5.x.
>>=20
>> Please explain why you think this should be an issue for FreeBSD 10.2 =
?
>>=20
>> And, by the way: FreeBSD 10.2 is a old, no-longer supported version.
>>=20
>> https://www.freebsd.org/releases/
>>=20
>> lists which versions are still supported.
>>=20
>> --
>> pi@FreeBSD.org         +49 171 3101372                2 years to go !
>>=20
> _______________________________________________
> freebsd-security@freebsd.org mailing list
> https://lists.freebsd.org/mailman/listinfo/freebsd-security
> To unsubscribe, send any mail to =
"freebsd-security-unsubscribe@freebsd.org"


From owner-freebsd-security@freebsd.org  Thu Jan 18 08:42:43 2018
Return-Path: <owner-freebsd-security@freebsd.org>
Delivered-To: freebsd-security@mailman.ysv.freebsd.org
Received: from mx1.freebsd.org (mx1.freebsd.org
 [IPv6:2001:1900:2254:206a::19:1])
 by mailman.ysv.freebsd.org (Postfix) with ESMTP id 79B39EBD917
 for <freebsd-security@mailman.ysv.freebsd.org>;
 Thu, 18 Jan 2018 08:42:43 +0000 (UTC) (envelope-from des@des.no)
Received: from smtp.des.no (smtp.des.no [194.63.250.102])
 by mx1.freebsd.org (Postfix) with ESMTP id 3F4EE808BF
 for <freebsd-security@freebsd.org>; Thu, 18 Jan 2018 08:42:42 +0000 (UTC)
 (envelope-from des@des.no)
Received: from desk.des.no (smtp.des.no [194.63.250.102])
 by smtp.des.no (Postfix) with ESMTP id 859B510E07;
 Thu, 18 Jan 2018 08:42:40 +0000 (UTC)
Received: by desk.des.no (Postfix, from userid 1001)
 id 5C04060669; Thu, 18 Jan 2018 08:42:40 +0000 (UTC)
From: =?utf-8?Q?Dag-Erling_Sm=C3=B8rgrav?= <des@des.no>
To: Brahmanand Reddy <brahma.gdb@gmail.com>
Cc: Peter Jeremy <peter@rulingia.com>,  freebsd-security@freebsd.org
Subject: Re: Need FreeBSD-SA-00:52(TCP uses weak initial sequence numbers)
 latest patch
References: <CAKsRH7nsVmhSMUT7TNzGfuN55_J9BkLBzO=8dvjLGvOZtri+uQ@mail.gmail.com>
 <CAKsRH7nsUfkkLfoEuJXBcVpH+gnNRpLNb0fjxkJN-xKQnenuQg@mail.gmail.com>
 <44k1wnes1w.fsf@be-well.ilk.org>
 <CAKsRH7=hyRPG6vEUi_tYSUXtSr58WKoegaDhNzG_qSQie=aUpQ@mail.gmail.com>
 <20180112061425.GA75633@server.rulingia.com>
 <CAKsRH7k=daNfKzjVoyqhDeXj5Z1G1C5-Xt4uA2LRs3dUsGZKyw@mail.gmail.com>
 <20180112074115.GB75633@server.rulingia.com>
 <CAKsRH7=QfQkaM-efJraE9vJd0rVNvCtUa+-DLs9eQ8AA7oYTuA@mail.gmail.com>
Date: Thu, 18 Jan 2018 09:42:40 +0100
In-Reply-To: <CAKsRH7=QfQkaM-efJraE9vJd0rVNvCtUa+-DLs9eQ8AA7oYTuA@mail.gmail.com>
 (Brahmanand Reddy's message of "Wed, 17 Jan 2018 19:50:59 +0530")
Message-ID: <86lggvd0cf.fsf@desk.des.no>
User-Agent: Gnus/5.13 (Gnus v5.13) Emacs/25.3 (berkeley-unix)
MIME-Version: 1.0
Content-Type: text/plain; charset=utf-8
Content-Transfer-Encoding: quoted-printable
X-BeenThere: freebsd-security@freebsd.org
X-Mailman-Version: 2.1.25
Precedence: list
List-Id: "Security issues \[members-only posting\]"
 <freebsd-security.freebsd.org>
List-Unsubscribe: <https://lists.freebsd.org/mailman/options/freebsd-security>, 
 <mailto:freebsd-security-request@freebsd.org?subject=unsubscribe>
List-Archive: <http://lists.freebsd.org/pipermail/freebsd-security/>
List-Post: <mailto:freebsd-security@freebsd.org>
List-Help: <mailto:freebsd-security-request@freebsd.org?subject=help>
List-Subscribe: <https://lists.freebsd.org/mailman/listinfo/freebsd-security>, 
 <mailto:freebsd-security-request@freebsd.org?subject=subscribe>
X-List-Received-Date: Thu, 18 Jan 2018 08:42:43 -0000

Brahmanand Reddy <brahma.gdb@gmail.com> writes:
> My last question on this ,  recently  "Replaced the kernel RC4(arc4random)
> with Chacha20" on 11.0 kernel should we apply on 10.4 kernel ??

This has not yet been merged to 11 and will not be merged to 10, which
is now in maintenance mode.

DES
--=20
Dag-Erling Sm=C3=B8rgrav - des@des.no