From: Dag-Erling Smørgrav
To: Konstantin Belousov
Cc: freebsd-security@freebsd.org
Subject: Re: [FreeBSD-Announce] FreeBSD Security Advisory FreeBSD-SA-18:12.elf
Date: Mon, 08 Oct 2018 00:31:26 +0200
Message-ID: <86sh1hs81t.fsf@next.des.no>
List-Id: "Security issues \[members-only posting\]"

Konstantin Belousov writes:
> writes:
>> Program Headers:
>>   Type    Offset   VirtAddr   PhysAddr   FileSiz MemSiz  Flg Align
>>   PHDR    0x000034 0x08048034 0x08048034 0x00100 0x00100 R E 0x4
>>   INTERP  0x000134 0x08048134 0x08048134 0x00011 0x00011 R   0x1
>>       [Requesting program interpreter: /lib/ld-linux.so.2]
> As you see, the file declares that file/memory length of the interpreter
> name' segment is 0x11 == 16 decimal. But the string does not end on
> byte 16, which is not NUL. We tighten the checks and do require that
> PT_INTERP string is valid by checking that it is NUL-terminated at the
> offset declared by the size.

The string isn't just unterminated, though. It's actually longer than
the section. To be precise, "/lib/ld-linux.so.2" is 18 characters long,
plus NUL makes 19. The section is supposed to be 17 bytes long. I
don't mind forgiving a missing NUL, but I'm not comfortable with reading
past the end of the section, and it worries me that Linux doesn't care.

DES
-- 
Dag-Erling Smørgrav - des@des.no

Date: Mon, 8 Oct 2018 01:46:11 +0300
From: Konstantin Belousov
To: Dag-Erling Smørgrav
Cc: freebsd-security@freebsd.org
Subject: Re: [FreeBSD-Announce] FreeBSD Security Advisory FreeBSD-SA-18:12.elf
Message-ID: <20181007224611.GI5335@kib.kiev.ua>

On Mon, Oct 08, 2018 at 12:31:26AM +0200, Dag-Erling Smørgrav wrote:
> Konstantin Belousov writes:
> > writes:
> >> Program Headers:
> >>   Type    Offset   VirtAddr   PhysAddr   FileSiz MemSiz  Flg Align
> >>   PHDR    0x000034 0x08048034 0x08048034 0x00100 0x00100 R E 0x4
> >>   INTERP  0x000134 0x08048134 0x08048134 0x00011 0x00011 R   0x1
> >>       [Requesting program interpreter: /lib/ld-linux.so.2]
> > As you see, the file declares that file/memory length of the interpreter
> > name' segment is 0x11 == 16 decimal. But the string does not end on
> > byte 16, which is not NUL. We tighten the checks and do require that
> > PT_INTERP string is valid by checking that it is NUL-terminated at the
> > offset declared by the size.
>
> The string isn't just unterminated, though. It's actually longer than
> the section. To be precise, "/lib/ld-linux.so.2" is 18 characters long,
> plus NUL makes 19. The section is supposed to be 17 bytes long. I
> don't mind forgiving a missing NUL, but I'm not comfortable with reading
> past the end of the section, and it worries me that Linux doesn't care.

Apparently it was not Linux. Look at the astro/google-earth/Makefile
before r425359.

Message-Id: <1538990471.3423409.1534301664.7759970E@webmail.messagingengine.com>
From: Dave Cottlehuber
To: freebsd-security@freebsd.org
Subject: Re: [FreeBSD-Announce] FreeBSD Errata Notice FreeBSD-EN-18:08.lazyfpu
Date: Mon, 08 Oct 2018 11:21:11 +0200

On Fri, 14 Sep 2018, at 09:39, Dave Cottlehuber wrote:
> On Wed, 12 Sep 2018, at 07:43, FreeBSD Errata Notices wrote:
> > -----BEGIN PGP SIGNED MESSAGE-----
> > Hash: SHA512
> >
> > =============================================================================
> > FreeBSD-EN-18:08.lazyfpu Errata Notice
> > The FreeBSD Project
> >
> > Topic: LazyFPU remediation causes potential data corruption
>
> Data Corruption reads a bit like "Imminent SuperNova in Your Area".. I'm
> not really sure what it means for users & sysadmins. Given we've had the
> original lazyfpu patches out for 11.x for a few months[1]:
>
> - what might data corruption entail?
> - has this been observed in the wild?
>
> Many thanks for the efforts into making these patches available.
> Dave
>
> [1]: https://www.freebsd.org/security/advisories/FreeBSD-SA-18:07.lazyfpu.asc

Hi secteam, can you shed any light on the above?

Thanks
Dave

From: Dag-Erling Smørgrav
To: Konstantin Belousov
Cc: freebsd-security@freebsd.org
Subject: Re: [FreeBSD-Announce] FreeBSD Security Advisory FreeBSD-SA-18:12.elf
Date: Mon, 08 Oct 2018 12:04:29 +0200
Message-ID: <86pnwkhhzm.fsf@next.des.no>

Konstantin Belousov writes:
> Dag-Erling Smørgrav writes:
> > The string isn't just unterminated, though. It's actually longer than
> > the section. To be precise, "/lib/ld-linux.so.2" is 18 characters long,
> > plus NUL makes 19. The section is supposed to be 17 bytes long. I
> > don't mind forgiving a missing NUL, but I'm not comfortable with reading
> > past the end of the section, and it worries me that Linux doesn't care.
> Apparently it was not Linux. Look at the astro/google-earth/Makefile
> before r425359.

Ah, I see. The port used sed to edit the file in-place instead of using
a tool that understands Elf and would have adjusted the section length.
But it doesn't any more, probably because the linux_base ports install
ld-lsb.so.3, so what's the issue? And regardless, your patch wouldn't
have helped in this case, since it would only have copied the first 17
characters ("/lib/ld-linux.so.", missing the final 2) to the new buffer.
So what is the rationale for the patch?

DES
-- 
Dag-Erling Smørgrav - des@des.no

Date: Mon, 8 Oct 2018 14:20:32 +0300
From: Konstantin Belousov
To: Dag-Erling Smørgrav
Cc: freebsd-security@freebsd.org
Subject: Re: [FreeBSD-Announce] FreeBSD Security Advisory FreeBSD-SA-18:12.elf
Message-ID: <20181008112032.GJ5335@kib.kiev.ua>

On Mon, Oct 08, 2018 at 12:04:29PM +0200, Dag-Erling Smørgrav wrote:
> Konstantin Belousov writes:
> > Dag-Erling Smørgrav writes:
> > > The string isn't just unterminated, though. It's actually longer than
> > > the section. To be precise, "/lib/ld-linux.so.2" is 18 characters long,
> > > plus NUL makes 19. The section is supposed to be 17 bytes long. I
> > > don't mind forgiving a missing NUL, but I'm not comfortable with reading
> > > past the end of the section, and it worries me that Linux doesn't care.
> > Apparently it was not Linux. Look at the astro/google-earth/Makefile
> > before r425359.
>
> Ah, I see. The port used sed to edit the file in-place instead of using
> a tool that understands Elf and would have adjusted the section length.

Really this cannot be done, as well as overriding the interpreter name
with the longer string, since other segments are not movable.

> But it doesn't any more, probably because the linux_base ports install
> ld-lsb.so.3, so what's the issue? And regardless, your patch wouldn't
> have helped in this case, since it would only have copied the first 17
> characters ("/lib/ld-linux.so.", missing the final 2) to the new buffer.
> So what is the rationale for the patch?

The mailed patch was based on some mis-calculations on my part, I did
off-by-one twice apparently. Below is the latest version which I
did before I discovered the ports' Makefile hack. After I did, I abandoned
the intent to commit it.

diff --git a/sys/kern/imgact_elf.c b/sys/kern/imgact_elf.c index f4302d46665..1ef6028005e 100644 --- a/sys/kern/imgact_elf.c +++ b/sys/kern/imgact_elf.c
@@ -872,9 +872,26 @@ __CONCAT(exec_, __elfN(imgact))(struct image_params *imgp) interp = __DECONST(char *, imgp->image_header) + phdr[i].p_offset; if (interp[interp_name_len - 1] != '\0') { - uprintf("Invalid PT_INTERP\n"); - error = ENOEXEC; - goto ret; + /* + * ELF specification requires + * that PT_INTERP contained + * NUL-terminated string. If + * it is not, try to find the + * end of line and still + * execute the binary. + */ + for (; interp_name_len <= + PAGE_SIZE - phdr[i].p_offset && + interp[interp_name_len - 1] != '\0'; + interp_name_len++) + ; + if (interp[interp_name_len - 1] != + '\0') { + uprintf("Invalid PT_INTERP: " + "no NUL termination\n"); + error = ENOEXEC; + goto ret; + } } } break;
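
Review bot: The re-check after the added scan loop reads one byte past the bound the loop enforces. When no NUL is found, the loop exits with interp_name_len equal to PAGE_SIZE - phdr[i].p_offset + 1, so the following "if (interp[interp_name_len - 1] != '\0')" dereferences image_header + PAGE_SIZE, assuming image_header covers PAGE_SIZE bytes as the bound implies. Decide on the length instead of re-reading the buffer, for example "if (interp_name_len > PAGE_SIZE - phdr[i].p_offset)" in front of the ENOEXEC path. The scan also walks past the p_filesz the file declared, so interp_name_len no longer matches the program header afterwards; the comment should say that, "end of line" should read "end of the string", and the subtraction relies on p_offset <= PAGE_SIZE having been checked above the visible context.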

From: Dag-Erling Smørgrav
To: Konstantin Belousov
Cc: freebsd-security@freebsd.org
Subject: Re: [FreeBSD-Announce] FreeBSD Security Advisory FreeBSD-SA-18:12.elf
Date: Mon, 08 Oct 2018 15:58:10 +0200
Message-ID: <86lg78h765.fsf@next.des.no>

Konstantin Belousov writes:
> Dag-Erling Smørgrav writes:
> > Ah, I see. The port used sed to edit the file in-place instead of using
> > a tool that understands Elf and would have adjusted the section length.
> Really this cannot be done, as well as overriding the interpreter name
> with the longer string, since other segments are not movable.

If there is sufficient padding, it could use some of that, and adjust
the length so the binary is still valid. But none of this matters,
since the linux_base ports provide ld-lsb.so.3 and the sed hack has been
removed...

DES
-- 
Dag-Erling Smørgrav - des@des.no

Date: Tue, 9 Oct 2018 23:36:41 +0300
From: Konstantin Belousov
To: Dave Cottlehuber
Cc: freebsd-security@freebsd.org
Subject: Re: [FreeBSD-Announce] FreeBSD Errata Notice FreeBSD-EN-18:08.lazyfpu
Message-ID: <20181009203641.GB5335@kib.kiev.ua>

On Mon, Oct 08, 2018 at 11:21:11AM +0200, Dave Cottlehuber wrote:
> On Fri, 14 Sep 2018, at 09:39, Dave Cottlehuber wrote:
> > On Wed, 12 Sep 2018, at 07:43, FreeBSD Errata Notices wrote:
> > > -----BEGIN PGP SIGNED MESSAGE-----
> > > Hash: SHA512
> > >
> > > =============================================================================
> > > FreeBSD-EN-18:08.lazyfpu Errata Notice
> > > The FreeBSD Project
> > >
> > > Topic: LazyFPU remediation causes potential data corruption
> >
> > Data Corruption reads a bit like "Imminent SuperNova in Your Area".. I'm
> > not really sure what it means for users & sysadmins. Given we've had the
> > original lazyfpu patches out for 11.x for a few months[1]:
> >
> > - what might data corruption entail?

The FPU registers can be corrupted. This was observed so far only on the
in-kernel FPU consumer, i.e. aesni.ko.

> > - has this been observed in the wild?

Yes, see above.

> >
> > Many thanks for the efforts into making these patches available.
> > Dave
> >
> > [1]: https://www.freebsd.org/security/advisories/FreeBSD-SA-18:07.lazyfpu.asc
>
> Hi secteam, can you shed any light on the above?
>
> Thanks
> Dave