From: syed khalid <0xsyed@gmail.com>
To: freebsd-security@freebsd.org
Date: Wed, 31 Oct 2018 16:17:36 +0530
Subject: Regarding CVE-2018-4407

Hello All,

There is a kernel RCE caused by a buffer overflow in Apple's ICMP packet-handling code. The PoC is not available, but the bug details are described here: https://lgtm.com/blog/apple_xnu_icmp_error_CVE-2018-4407. Will this vulnerability affect FreeBSD?
Please let me know your thoughts.

-- 
Thanks & Regards
Syed Khalid M

From: Gordon Tetlow
To: syed khalid <0xsyed@gmail.com>
Cc: freebsd-security@freebsd.org
Date: Thu, 1 Nov 2018 11:03:44 -0700
Subject: Re: Regarding CVE-2018-4407

On Wed, Oct 31, 2018 at 04:17:36PM +0530, syed khalid wrote:
> Hello All,
> 
> There is a kernel RCE caused by a buffer overflow in Apple's ICMP
> packet-handling code. The PoC is not available, but the bug details are
> described here: https://lgtm.com/blog/apple_xnu_icmp_error_CVE-2018-4407.
> Will this vulnerability affect FreeBSD? Please let me know your thoughts.

I've exchanged a couple of emails with the researchers and they have confirmed the PoC they wrote for MacOS doesn't work on FreeBSD.
From further code analysis, it looks like we have some bounds checking in place that probably didn't exist in the MacOS code. All that said, I've asked a couple of networking stack folks to take a look at it further. I'll report if anything changes with that assessment.

Regards,
Gordon Tetlow
FreeBSD Security Officer

Subject: Re: cryptodev / softcrypto — are here any plans to cleanup it?
To: lev@FreeBSD.org,
    freebsd-hackers@FreeBSD.org, freebsd-security@freebsd.org
From: John Baldwin <jhb@FreeBSD.org>
Date: Thu, 1 Nov 2018 12:00:16 -0700

On 10/16/18 11:59 AM, Lev Serebryakov wrote:
> 
> To be honest, I'm surprised by the inconsistency of our kernel crypto
> infrastructure.
> 
> "struct enc_xform" contains context size, but "struct auth_hash" doesn't.
> 
> Memory management is different for auth algorithms and encryption
> algorithms.
> 
> There is Setkey for auth algorithms, but it is mostly unused.
> 
> There is no way to re-key encryption without re-allocating context
> ("key" or "schedule", even naming is not consistent). Ouch.
> 
> As I could see from the commits, there were some simplifications, but
> maybe there is a project to clean up this subsystem?

I have some WIP to rework the interface between OCF and backend drivers, including cryptosoft. However, it doesn't really address any of the issues you raised. I would actually prefer it if we removed rekeying from OCF sessions (requiring new sessions for new keys). geli(4) is the only OCF consumer that changes keys on existing sessions.
It would make some of the framework simpler (and would make the code that tries to migrate existing ops to a new session less fragile) if we bound keys to sessions and required keys during session creation.

You can see my WIP here:

https://github.com/freebsd/freebsd/compare/master...bsdjhb:ocf_rework

-- 
John Baldwin
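The session model John argues for above (the key is required at session creation, a new key means a new session, and an operation already in flight finishes on the session it was dispatched with) is shown here as an added illustration in C. This is not FreeBSD's OCF code or part of the linked WIP: every `kc_*` name, the reference-counting scheme, the sample keys and the toy "key schedule" are assumptions made for the example.

```c
/*
 * Added example (hypothetical kc_* API, not FreeBSD OCF): a session whose key
 * is bound at creation. "Rekeying" creates a fresh session; the old session is
 * freed only when the last in-flight op that pinned it completes.
 */
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define KC_MAXKEY 32

struct kc_session {
    int     refs;                 /* owner's ref + one per in-flight op */
    size_t  keylen;
    uint8_t key[KC_MAXKEY];
    uint8_t schedule[KC_MAXKEY];  /* derived once, never mutated afterwards */
};

static int kc_live;               /* sessions currently allocated */

/* Create a session. A key is mandatory: there is no empty session waiting
 * for a later setkey(), so no caller can ever run an op on a keyless session. */
struct kc_session *kc_newsession(const uint8_t *key, size_t keylen)
{
    if (key == NULL || keylen == 0 || keylen > KC_MAXKEY)
        return NULL;
    struct kc_session *s = calloc(1, sizeof *s);
    if (s == NULL)
        return NULL;
    s->refs = 1;
    s->keylen = keylen;
    memcpy(s->key, key, keylen);
    for (size_t i = 0; i < keylen; i++)   /* toy schedule: stands in for real expansion */
        s->schedule[i] = (uint8_t)(key[i] ^ 0x5a);
    kc_live++;
    return s;
}

void kc_hold(struct kc_session *s) { s->refs++; }

/* Drop a reference; wipe and free when the last holder lets go. */
void kc_release(struct kc_session *s)
{
    if (--s->refs == 0) {
        memset(s, 0, sizeof *s);          /* key material does not outlive the session */
        free(s);
        kc_live--;
    }
}

/* "Rekey" = new session. The caller's pointer is swapped and the old session
 * released; it stays valid for any op still holding it. On error the current
 * session is left untouched and NULL is returned. */
struct kc_session *kc_rekey(struct kc_session **cur, const uint8_t *key, size_t keylen)
{
    struct kc_session *n = kc_newsession(key, keylen);
    if (n == NULL)
        return NULL;
    struct kc_session *old = *cur;
    *cur = n;
    kc_release(old);
    return n;
}

/* A toy in-flight operation pins the session it was dispatched with. */
struct kc_op { struct kc_session *sess; };

void kc_op_start(struct kc_op *op, struct kc_session *s) { op->sess = s; kc_hold(s); }

/* Finish using the schedule of the session the op started with; returns its
 * first schedule byte so the caller can see which key was actually used. */
int kc_op_finish(struct kc_op *op)
{
    int first = op->sess->schedule[0];
    kc_release(op->sess);
    op->sess = NULL;
    return first;
}

/* Walk the scenario: op in flight, rekey, op completes. Returns 1 if every
 * intermediate state is as expected, 0 otherwise. Keys are constructed. */
int kc_demo(void)
{
    const uint8_t k1[16] = { 0x11 }, k2[16] = { 0x22 };
    struct kc_session *cur = kc_newsession(k1, sizeof k1);
    if (cur == NULL || kc_live != 1) return 0;
    struct kc_op op;
    kc_op_start(&op, cur);                              /* dispatched under k1 */
    if (kc_rekey(&cur, k2, sizeof k2) == NULL) return 0;
    if (kc_live != 2) return 0;                         /* old session pinned by op */
    if (cur->schedule[0] != (0x22 ^ 0x5a)) return 0;    /* new dispatches see k2 */
    if (kc_op_finish(&op) != (0x11 ^ 0x5a)) return 0;   /* old op still used k1 */
    if (kc_live != 1) return 0;                         /* old session gone once drained */
    kc_release(cur);
    return kc_live == 0;                                /* nothing leaked */
}

int main(void)
{
    printf("rekey-by-new-session: %s\n", kc_demo() ? "ok" : "FAILED");
    printf("keyless session rejected: %s\n", kc_newsession(NULL, 0) == NULL ? "ok" : "FAILED");
    return 0;
}
```

In this model nothing ever mutates the key or schedule of a live session, so there is no "migrate existing ops to the new key" path to get wrong: a rekey is a pointer swap plus a reference drop, and an op that raced with the rekey simply completes on the session it holds. A consumer like the geli(4) case John mentions would create the new session first and only then retire the old one.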