From owner-freebsd-security@FreeBSD.ORG Mon Oct 1 10:31:20 2012
From: Erik Cederstrand
To: freebsd-security@freebsd.org
Date: Mon, 1 Oct 2012 12:31:21 +0200
Subject: Opinion on checking return value of setuid(getuid())?
Message-Id: <9DD86238-51C8-4F38-B7EB-BD773039888B@cederstrand.dk>

I'm looking through the clang analyzer reports and found this one: http://scan.freebsd.your.org/freebsd-head/sbin.ping/2012-09-30-amd64/report-R9ZgC6.html#EndPath

It's complaining that, if setuid() fails for some reason, the process will continue with root privileges because the process is suid root.

At first glance, it seems unnecessary to check the return value of "setuid(getuid())" since the user should always be able to drop privileges to itself. So I filed this bug with LLVM: http://llvm.org/bugs/show_bug.cgi?id=13979

It turns out that setuid() *may* fail if the user hits its process limit. Apparently FreeBSD doesn't check the limit in the specific setuid(getuid()) case (I can't find the code anywhere right now) so this is not an issue, but Linux does. However, if FreeBSD decides to change the setuid() implementation at some point, the issue may surface again.

A simple fix would be something like:

Index: /freebsd/repos/head_scratch/src/sbin/ping/ping.c
===================================================================
--- /freebsd/repos/head_scratch/src/sbin/ping/ping.c	(revision 240960)
+++ /freebsd/repos/head_scratch/src/sbin/ping/ping.c	(working copy)
@@ -255,7 +255,8 @@
 	s = socket(AF_INET, SOCK_RAW, IPPROTO_ICMP);
 	sockerrno = errno;
 
-	setuid(getuid());
+	if (setuid(getuid()) != 0)
+		err(EX_NOPERM, "setuid() failed");
 	uid = getuid();
 
 	alarmtimeout = df = preload = tos = 0;

There's an alternative approach for NetBSD with a patch to kern_exec.c here: http://mail-index.netbsd.org/tech-security/2008/01/12/msg000026.html but I have no idea if this applies to FreeBSD.

I'd like an opinion on which way to go before filing PRs because we have around 200 of these warnings in the FreeBSD repo.

Thanks,
Erik

From owner-freebsd-security@FreeBSD.ORG Mon Oct 1 10:49:17 2012
Date: Mon, 1 Oct 2012 13:49:01 +0300
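Review bot: the added check in the ping.c hunk above is a sound fail-closed guard: err() is reached with errno still holding the value setuid() set, since nothing runs between the two calls, and the saved sockerrno is untouched. The one thing to confirm before committing is that EX_NOPERM is in scope, because the hunk does not show a <sysexits.h> include. Exiting rather than continuing is the right choice here: the next context line, `uid = getuid();`, would otherwise record the real uid while the effective uid stayed 0, which is exactly the "continue with root privileges" state the analyzer warned about.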
From: Konstantin Belousov
To: Erik Cederstrand
Cc: freebsd-security@freebsd.org
Subject: Re: Opinion on checking return value of setuid(getuid())?
Message-ID: <20121001104901.GJ35915@deviant.kiev.zoral.com.ua>
In-Reply-To: <9DD86238-51C8-4F38-B7EB-BD773039888B@cederstrand.dk>

On Mon, Oct 01, 2012 at 12:31:21PM +0200, Erik Cederstrand wrote:
> I'm looking through the clang analyzer reports and found this one: http://scan.freebsd.your.org/freebsd-head/sbin.ping/2012-09-30-amd64/report-R9ZgC6.html#EndPath
> 
> It's complaining that, if setuid() fails for some reason, the process will continue with root privileges because the process is suid root.
> 
> At first glance, it seems unnecessary to check the return value of "setuid(getuid())" since the user should always be able to drop privileges to itself. So I filed this bug with LLVM: http://llvm.org/bugs/show_bug.cgi?id=13979
> 
> It turns out that setuid() *may* fail if the user hits its process limit. Apparently FreeBSD doesn't check the limit in the specific setuid(getuid()) case (I can't find the code anywhere right now) so this is not an issue, but Linux does. However, if FreeBSD decides to change the setuid() implementation at some point, the issue may surface again.
> 
> A simple fix would be something like:
> 
> Index: /freebsd/repos/head_scratch/src/sbin/ping/ping.c
> ===================================================================
> --- /freebsd/repos/head_scratch/src/sbin/ping/ping.c	(revision 240960)
> +++ /freebsd/repos/head_scratch/src/sbin/ping/ping.c	(working copy)
> @@ -255,7 +255,8 @@
>  	s = socket(AF_INET, SOCK_RAW, IPPROTO_ICMP);
>  	sockerrno = errno;
>  
> -	setuid(getuid());
> +	if (setuid(getuid()) != 0)
> +		err(EX_NOPERM, "setuid() failed");
>  	uid = getuid();
>  
>  	alarmtimeout = df = preload = tos = 0;
> 
> 
> There's an alternative approach for NetBSD with a patch to kern_exec.c here: http://mail-index.netbsd.org/tech-security/2008/01/12/msg000026.html but I have no idea if this applies to FreeBSD.
> 
> I'd like an opinion on which way to go before filing PRs because we have around 200 of these warnings in the FreeBSD repo.
> 
> Thanks,
> Erik

setuid() might also fail for other reasons, e.g. due to a custom MAC module.

In case of ping, is the failure to drop the suid bit important?

From owner-freebsd-security@FreeBSD.ORG Mon Oct 1 10:58:40 2012
From: Erik Cederstrand
To: Konstantin Belousov
Cc: freebsd-security@freebsd.org
Date: Mon, 1 Oct 2012 12:58:41 +0200
Subject: Re: Opinion on checking return value of setuid(getuid())?
In-Reply-To: <20121001104901.GJ35915@deviant.kiev.zoral.com.ua>

On 01/10/2012 at 12.49, Konstantin Belousov wrote:
> setuid() might also fail for other reasons, e.g. due to a custom MAC module.
> 
> In case of ping, is the failure to drop the suid bit important?

I believe it is. If 'setuid()' fails then 'uid' becomes 0 and it's possible e.g. to do a "Flood ping".

Erik

From owner-freebsd-security@FreeBSD.ORG Mon Oct 1 11:07:40 2012
Message-ID: <50697975.4070609@delphij.net>
Date: Mon, 01 Oct 2012 04:07:33 -0700
From: Xin Li
Organization: The FreeBSD Project
To: Erik Cederstrand
Cc: freebsd-security@freebsd.org
Reply-To: d@delphij.net
Subject: Re: Opinion on checking return value of setuid(getuid())?
In-Reply-To: <9DD86238-51C8-4F38-B7EB-BD773039888B@cederstrand.dk>

On 10/1/12 3:31 AM, Erik Cederstrand wrote:
> I'm looking through the clang analyzer reports and found this one:
> http://scan.freebsd.your.org/freebsd-head/sbin.ping/2012-09-30-amd64/report-R9ZgC6.html#EndPath
>
> It's complaining that, if setuid() fails for some reason, the
> process will continue with root privileges because the process is
> suid root.
>
> At first glance, it seems unnecessary to check the return value of
> "setuid(getuid())" since the user should always be able to drop
> privileges to itself. So I filed this bug with LLVM:
> http://llvm.org/bugs/show_bug.cgi?id=13979
>
> It turns out that setuid() *may* fail if the user hits its process
> limit. Apparently FreeBSD doesn't check the limit in the specific
> setuid(getuid()) case (I can't find the code anywhere right now)
> so this is not an issue, but Linux does. However, if FreeBSD
> decides to change the setuid() implementation at some point, the
> issue may surface again.

I didn't follow the idea -- In Linux's kernel/sys.c:

    SYSCALL_DEFINE1(setuid, uid_t, uid)
    {
    (...)
            kuid = make_kuid(ns, uid);
    (...)
            if (nsown_capable(CAP_SETUID)) {
                    new->suid = new->uid = kuid;
                    if (!uid_eq(kuid, old->uid)) {          // <-- 1
                            retval = set_user(new);         // <-- check done here
                            if (retval < 0)
                                    goto error;
                    }

How can the check even be reached in the setuid(getuid()) case? It also conflicts with intuition, by the way -- we are not changing ownership of the process, thus the process number should not change...

Cheers,

From owner-freebsd-security@FreeBSD.ORG Mon Oct 1 11:08:13 2012
Date: Mon, 1 Oct 2012 14:08:05 +0300
From: Konstantin Belousov
To: Erik Cederstrand
Cc: freebsd-security@freebsd.org
Subject: Re: Opinion on checking return value of setuid(getuid())?
Message-ID: <20121001110805.GL35915@deviant.kiev.zoral.com.ua>

On Mon, Oct 01, 2012 at 12:58:41PM +0200, Erik Cederstrand wrote:
> On 01/10/2012 at 12.49, Konstantin Belousov wrote:
> 
> > setuid() might also fail for other reasons, e.g. due to a custom MAC module.
> > 
> > In case of ping, is the failure to drop the suid bit important?
> 
> I believe it is. If 'setuid()' fails then 'uid' becomes 0 and it's possible e.g. to do a "Flood ping".

I do not believe in the dreadful 'flood ping' security breach. Is a local escalation possible with non-dropped root?

From owner-freebsd-security@FreeBSD.ORG Mon Oct 1 11:39:27 2012
From: Erik Cederstrand
To: Konstantin Belousov
Cc: freebsd-security@freebsd.org
Date: Mon, 1 Oct 2012 13:39:33 +0200
Subject: Re: Opinion on checking return value of setuid(getuid())?
Message-Id: <2E17A82C-16D8-4DCD-86F0-93C28C5C4257@cederstrand.dk>
In-Reply-To: <20121001110805.GL35915@deviant.kiev.zoral.com.ua>

On 01/10/2012 at 13.08, Konstantin Belousov wrote:
> 
> I do not believe in the dreadful 'flood ping' security breach. Is a
> local escalation possible with non-dropped root?

No idea. Reading the code, I see some functionality the author decided should only be accessible to root users. There's 600 lines of code left in main() and I'm not skilled enough to see if there are any potential exploits left.

If it's not a security breach then I'm on the wrong list, but I guess it still leads to unintended behavior if setuid() fails?

Erik

From owner-freebsd-security@FreeBSD.ORG Mon Oct 1 11:56:00 2012
From: Eitan Adler
To: Konstantin Belousov
Cc: freebsd-security@freebsd.org, Erik Cederstrand
Date: Mon, 1 Oct 2012 07:55:29 -0400
Subject: Re: Opinion on checking return value of setuid(getuid())?
In-Reply-To: <20121001110805.GL35915@deviant.kiev.zoral.com.ua>

On 1 October 2012 07:08, Konstantin Belousov wrote:
> I do not believe in the dreadful 'flood ping' security breach. Is a
> local escalation possible with non-dropped root?

It is clearly a local escalation: a non-root user can do something which was intended only for root. It is a different question how serious the breach is.

-- 
Eitan Adler

From owner-freebsd-security@FreeBSD.ORG Tue Oct 2 12:38:22 2012
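The fail-closed privilege drop the thread above converges on, as an added example that is not FreeBSD's ping.c nor code from anyone in the thread: it mirrors ping's sequence (raw socket opened while still root, errno saved, then setuid(getuid())), checks the return value as the patch does, and additionally re-reads the real and effective uid so a drop that reported success but did not take effect is also caught. The names setup_privileged_socket and may_use_root_only_features are hypothetical; opening the raw socket is expected to fail when the example is not run as root, and that failure is handled the way ping handles it.

```c
/* Added example (not FreeBSD's ping.c): a fail-closed privilege drop for a
 * setuid-root program. The raw socket is opened first, exactly as ping does,
 * and privileges are dropped immediately afterwards; the process refuses to
 * continue if the drop did not happen. */
#include <err.h>
#include <errno.h>
#include <netinet/in.h>
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>
#include <sysexits.h>
#include <unistd.h>

/* Drop to the real uid and confirm the kernel really applied it.
 * Returns 0 on success; -1 with errno set if setuid() failed (e.g. EAGAIN on
 * Linux when the target user is at its process limit, EPERM when a policy
 * module refuses) or if the effective uid still differs afterwards. */
int drop_privileges(void)
{
	uid_t ruid = getuid();

	if (setuid(ruid) != 0)
		return -1;              /* errno already set by setuid() */
	/* Defence in depth: do not trust the return value alone, re-read the ids. */
	if (geteuid() != ruid || getuid() != ruid) {
		errno = EPERM;
		return -1;
	}
	return 0;
}

/* Hypothetical helper mirroring ping's startup: the raw socket needs root, so
 * it is created first and its errno preserved in *sockerrno (0 on success);
 * the privilege drop follows at once. *sockfd receives the descriptor or -1.
 * Returns 0 if privileges were dropped, -1 (errno set) if they were not. */
int setup_privileged_socket(int *sockfd, int *sockerrno)
{
	*sockfd = socket(AF_INET, SOCK_RAW, IPPROTO_ICMP);
	*sockerrno = (*sockfd < 0) ? errno : 0;
	return drop_privileges();
}

/* Hypothetical gate for a root-only feature. After a correct drop this is
 * true only when the invoking user is root; with an unchecked
 * setuid(getuid()) it would silently stay true for anyone whenever the drop
 * failed, which is the state the analyzer report complains about. */
int may_use_root_only_features(void)
{
	return geteuid() == 0;
}

int main(void)
{
	int s, sockerrno;

	if (setup_privileged_socket(&s, &sockerrno) != 0)
		err(EX_NOPERM, "setuid() failed");  /* fail closed, as in the patch */
	if (s < 0)
		fprintf(stderr, "socket: %s (continuing without raw socket)\n",
		    strerror(sockerrno));
	printf("running as uid %u, root-only features %s\n",
	    (unsigned)getuid(), may_use_root_only_features() ? "on" : "off");
	if (s >= 0)
		close(s);
	return 0;
}
```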
From: Erik Cederstrand
To: Eitan Adler
Cc: Konstantin Belousov, freebsd-security@freebsd.org
Date: Tue, 2 Oct 2012 14:38:17 +0200
Subject: Re: Opinion on checking return value of setuid(getuid())?

On 01/10/2012 at 13.55, Eitan Adler wrote:
> On 1 October 2012 07:08, Konstantin Belousov wrote:
>> I do not believe in the dreadful 'flood ping' security breach. Is a
>> local escalation possible with non-dropped root?
> 
> It is clearly a local escalation: a non-root user can do something
> which was intended only for root. It is a different question how
> serious the breach is.

Are there any objections to the patch I attached in my first post? To the approach in general? If not, I'll send a PR so it doesn't get lost.

Thanks,
Erik

From owner-freebsd-security@FreeBSD.ORG Tue Oct 2 13:14:18 2012
From: Dag-Erling Smørgrav
To: Ben Laurie
Cc: Jonathan Anderson, Pawel Jakub Dawidek, John Baldwin, freebsd-security@freebsd.org, RW, Mariusz Gromada
Date: Tue, 02 Oct 2012 15:07:03 +0200
Subject: Re: Collecting entropy from device_attach() times.
Message-ID: <86ipat6n0o.fsf@ds4.des.no>
In-Reply-To: <86r4pqqwnm.fsf@ds4.des.no>

Dag-Erling Smørgrav writes:
> If you give me a couple of days, I'll try to come up with a patch that
> collects and stores attach times during boot so we can gather and
> analyse real data.

Here's the data: http://people.freebsd.org/~des/attachtimes-text.txz

The tarball contains one directory for each machine I collected data from. Inside each directory is a separate text file for each device in the system. Each text file contains the attachtime deltas for that device, one sample per line. I also included the kernel patch and the source code of the program used to extract the data.

The total number of experiments is

   6250 elitebook
   7228 epia1
   6803 epia2
   4034 thinkpad
  13261 virtualbox
  37576 total

with a total of 2485193 samples.

Please ignore atkbd0 and atkbdc0, at least for epia1 and epia2, as they only appear when a keyboard is connected.

I also uploaded a tarball with the raw data: http://people.freebsd.org/~des/attachtimes-bin.txz

DES
-- 
Dag-Erling Smørgrav - des@des.no

From owner-freebsd-security@FreeBSD.ORG Tue Oct 2 14:46:06 2012
From: Eitan Adler
To: Erik Cederstrand
Cc: Konstantin Belousov, freebsd-security@freebsd.org
Date: Tue, 2 Oct 2012 10:45:34 -0400
Subject: Re: Opinion on checking return value of setuid(getuid())?

On 2 October 2012 08:38, Erik Cederstrand wrote:
> On 01/10/2012 at 13.55, Eitan Adler wrote:
>
>> On 1 October 2012 07:08, Konstantin Belousov wrote:
>>> I do not believe in the dreadful 'flood ping' security breach. Is a
>>> local escalation possible with non-dropped root?
>>
>> It is clearly a local escalation: a non-root user can do something
>> which was intended only for root. It is a different question how
>> serious the breach is.
>
> Are there any objections to the patch I attached in my first post? To the approach in general? If not, I'll send a PR so it doesn't get lost.

Not by me. Please cc me on the PR as I'll commit if no one else objects.

-- 
Eitan Adler

From owner-freebsd-security@FreeBSD.ORG Tue Oct 2 17:22:43 2012
From: Dag-Erling Smørgrav
To: Ben Laurie
Cc: Jonathan Anderson, Pawel Jakub Dawidek, John Baldwin, freebsd-security@freebsd.org, RW, Mariusz Gromada
Date: Tue, 02 Oct 2012 19:22:40 +0200
Subject: Re: Collecting entropy from device_attach() times.
Message-ID: <86y5joiyan.fsf@ds4.des.no>
In-Reply-To: <86ipat6n0o.fsf@ds4.des.no>

Dag-Erling Smørgrav writes:
> http://people.freebsd.org/~des/attachtimes-text.txz

1) There is a bug in the program - I made a couple of changes which I didn't like but didn't fully revert. The (argc != 0) in main() should actually be (argc == 0).

2) I modified the program to create a histogram of the lower bits and looked at that in gnuplot. It was immediately obvious that the distribution is extremely non-uniform. I suspect that this is - at least in part - due to the weird way get_cyclecount() computes the value it returns. We should either rewrite it to return something sensible or nuke it and use binuptime() instead.

I uploaded a new tarball with the improved program and the histogram: http://people.freebsd.org/~des/attachtimes-total.txz

DES
-- 
Dag-Erling Smørgrav - des@des.no

From owner-freebsd-security@FreeBSD.ORG Tue Oct 2 17:31:50 2012
From: =?utf-8?Q?Dag-Erling_Sm=C3=B8rgrav?= To: d@delphij.net References: <9DD86238-51C8-4F38-B7EB-BD773039888B@cederstrand.dk> <50697975.4070609@delphij.net> Date: Tue, 02 Oct 2012 19:31:48 +0200 In-Reply-To: <50697975.4070609@delphij.net> (Xin Li's message of "Mon, 01 Oct 2012 04:07:33 -0700") Message-ID: <86obkkixvf.fsf@ds4.des.no> User-Agent: Gnus/5.13 (Gnus v5.13) Emacs/23.4 (berkeley-unix) MIME-Version: 1.0 Content-Type: text/plain; charset=utf-8 Content-Transfer-Encoding: quoted-printable Cc: "freebsd-security@freebsd.org" , Erik Cederstrand Subject: Re: Opinion on checking return value of setuid(getuid())? X-BeenThere: freebsd-security@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: "Security issues \[members-only posting\]" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Tue, 02 Oct 2012 17:31:50 -0000 Xin Li writes: > How can the check be even reached in setuid(getuid()) case? It's also > conflict with intuition by the way -- we are not changing ownership of > the process, thus the process number should not change... 
See http://lxr.linux.no/linux+v3.6/kernel/sys.c#L646 DES --=20 Dag-Erling Sm=C3=B8rgrav - des@des.no From owner-freebsd-security@FreeBSD.ORG Tue Oct 2 21:44:05 2012 Return-Path: Delivered-To: freebsd-security@freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34]) by hub.freebsd.org (Postfix) with ESMTP id 021A01065673 for ; Tue, 2 Oct 2012 21:44:05 +0000 (UTC) (envelope-from delphij@delphij.net) Received: from anubis.delphij.net (anubis.delphij.net [IPv6:2001:470:1:117::25]) by mx1.freebsd.org (Postfix) with ESMTP id D0BF38FC15 for ; Tue, 2 Oct 2012 21:44:04 +0000 (UTC) Received: from epsilon.delphij.net (drawbridge.ixsystems.com [206.40.55.65]) (using TLSv1 with cipher ECDHE-RSA-AES256-SHA (256/256 bits)) (No client certificate requested) by anubis.delphij.net (Postfix) with ESMTPSA id 96B75C72A; Tue, 2 Oct 2012 14:44:04 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=simple/simple; d=delphij.net; s=anubis; t=1349214244; bh=fslg2GiaCbts2ygcpsmMkrR9O0kBM9DKbn0klr4YUKw=; h=Date:From:Reply-To:To:CC:Subject:References:In-Reply-To; b=N+M2GQGqy3WLGNFZQ7wvI/rV+zSWf1s+WIkX3haoIXYTEBRzW1oyZvaH9iQpSDWYp YQn4itvTn4v95c5Qa3zaRgWZ936ng3TPGEayJGPbjks+ldNHbT1Pq5oilsd8U7g6/P Mehg0PL0c42vaDMgDwMoxC+wXXJlEchGZt+7M0fg= Message-ID: <506B6024.8050908@delphij.net> Date: Tue, 02 Oct 2012 14:44:04 -0700 
From: Xin Li Organization: The freeBSD Project User-Agent: Mozilla/5.0 (X11; FreeBSD amd64; rv:10.0.7) Gecko/20120830 Thunderbird/10.0.7 MIME-Version: 1.0 To: Eitan Adler References: <9DD86238-51C8-4F38-B7EB-BD773039888B@cederstrand.dk> <20121001104901.GJ35915@deviant.kiev.zoral.com.ua> <20121001110805.GL35915@deviant.kiev.zoral.com.ua> In-Reply-To: X-Enigmail-Version: 1.4.3 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 7bit Cc: Konstantin Belousov , "freebsd-security@freebsd.org" , Erik Cederstrand Subject: Re: Opinion on checking return value of setuid(getuid())? X-BeenThere: freebsd-security@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list Reply-To: d@delphij.net List-Id: "Security issues \[members-only posting\]" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Tue, 02 Oct 2012 21:44:05 -0000 -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256 On 10/02/12 07:45, Eitan Adler wrote: > On 2 October 2012 08:38, Erik Cederstrand > wrote: >> Den 01/10/2012 kl. 13.55 skrev Eitan Adler >> : >> >>> On 1 October 2012 07:08, Konstantin Belousov >>> wrote: >>>> I do not believe in the dreadful 'flood ping' security >>>> breach. Is a local escalation possible with non-dropped root >>>> ? >>> >>> It is clearly a local escalation: a non-root user can do >>> something which was intended only for root. It is a different >>> question how serious the breach is. >> >> Are there any objections to the path I attached in my first post? >> To the approach in general? If not, I'll send a PR so it doesn't >> get lost. > Not by me. Please cc me on the PR as I'll commit if no one else > objects. It doesn't seem hurt in general but if you are going to commit it please also change the other instances in the base system. I personally don't think this is useful either -- the case does not apply to FreeBSD and it seems that the Linux implementation is actually a POSIX violation as setuid() is not permitted to return ENOMEM. 
Cheers, - -- Xin LI https://www.delphij.net/ FreeBSD - The Power to Serve! Live free or die -----BEGIN PGP SIGNATURE----- Version: GnuPG v2.0.19 (FreeBSD) Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/ iQEcBAEBCAAGBQJQa2AkAAoJEG80Jeu8UPuzgYEIAJ3C6ktqB/Pbc7oMiKv0+WJQ NJ5RHWqXp98mDDWrkVhwiCoYjACgvnrRmHujk4Rc/uo5+fVNAGGsagvuBn04ZXOk ANDG+dpsYN1uuQQtabheoO/EoZRVd+0q84mM9gNC6qcHPzXgqJLc+pRQpfG2tTxk wqYqG4d4FTSGveOiGqJV8jvvAyLIxhEXvaoLNEPYyKKC7tKVEOZDH355Zi0C0KIh otZrlKna7WECSd3vCZArnd/qTO+s9WorgUGXPJdN57a1r4QIZM1/Hrja5R2wMtvU dLeo+MVnDjmP6Lpp22dQFg/sj3LQnnVTTC/uZSYanfqf6f6xFjm8hp+EkhJJdjA= =12ki -----END PGP SIGNATURE----- From owner-freebsd-security@FreeBSD.ORG Tue Oct 2 21:46:08 2012 Return-Path: Delivered-To: freebsd-security@freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [69.147.83.52]) by hub.freebsd.org (Postfix) with ESMTP id 493321065670 for ; Tue, 2 Oct 2012 21:46:08 +0000 (UTC) (envelope-from erik@cederstrand.dk) Received: from csmtp2.one.com (csmtp2.one.com [91.198.169.22]) by mx1.freebsd.org (Postfix) with ESMTP id F3A708FC1A for ; Tue, 2 Oct 2012 21:46:07 +0000 (UTC) Received: from [192.168.1.47] (unknown [176.222.238.90]) by csmtp2.one.com (Postfix) with ESMTPA id 3739D3017619; Tue, 2 Oct 2012 21:46:07 +0000 (UTC) Content-Type: text/plain; charset=us-ascii Mime-Version: 1.0 (Mac OS X Mail 6.0 \(1486\)) 
From: Erik Cederstrand In-Reply-To: Date: Tue, 2 Oct 2012 23:46:11 +0200 Content-Transfer-Encoding: quoted-printable Message-Id: References: <9DD86238-51C8-4F38-B7EB-BD773039888B@cederstrand.dk> <20121001104901.GJ35915@deviant.kiev.zoral.com.ua> <20121001110805.GL35915@deviant.kiev.zoral.com.ua> To: Eitan Adler X-Mailer: Apple Mail (2.1486) Cc: freebsd-security@freebsd.org Subject: Re: Opinion on checking return value of setuid(getuid())? X-BeenThere: freebsd-security@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: "Security issues \[members-only posting\]" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Tue, 02 Oct 2012 21:46:08 -0000 Den 02/10/2012 kl. 16.45 skrev Eitan Adler : >> Are there any objections to the path I attached in my first post? To = the approach in general? If not, I'll send a PR so it doesn't get lost. > Not by me. Please cc me on the PR as I'll commit if no one else = objects. I submitted by web, but here it is: = http://www.freebsd.org/cgi/query-pr.cgi?pr=3D172289 Erik= From owner-freebsd-security@FreeBSD.ORG Tue Oct 2 21:56:43 2012 Return-Path: Delivered-To: freebsd-security@freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [69.147.83.52]) by hub.freebsd.org (Postfix) with ESMTP id C18B2106566B for ; Tue, 2 Oct 2012 21:56:43 +0000 (UTC) (envelope-from erik@cederstrand.dk) Received: from csmtp2.one.com (csmtp2.one.com [91.198.169.22]) by mx1.freebsd.org (Postfix) with ESMTP id 79EFC8FC16 for ; Tue, 2 Oct 2012 21:56:43 +0000 (UTC) Received: from [192.168.1.47] (unknown [176.222.238.90]) by csmtp2.one.com (Postfix) with ESMTPA id 8884A307C016; Tue, 2 Oct 2012 21:56:42 +0000 (UTC) Content-Type: text/plain; charset=us-ascii Mime-Version: 1.0 (Mac OS X Mail 6.0 \(1486\)) 
From: Erik Cederstrand In-Reply-To: <506B6024.8050908@delphij.net> Date: Tue, 2 Oct 2012 23:56:46 +0200 Content-Transfer-Encoding: quoted-printable Message-Id: <87FA4CBA-001F-4C92-8B92-D650A9678864@cederstrand.dk> References: <9DD86238-51C8-4F38-B7EB-BD773039888B@cederstrand.dk> <20121001104901.GJ35915@deviant.kiev.zoral.com.ua> <20121001110805.GL35915@deviant.kiev.zoral.com.ua> <506B6024.8050908@delphij.net> To: d@delphij.net X-Mailer: Apple Mail (2.1486) Cc: Konstantin Belousov , Eitan Adler , "freebsd-security@freebsd.org" Subject: Re: Opinion on checking return value of setuid(getuid())? X-BeenThere: freebsd-security@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: "Security issues \[members-only posting\]" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Tue, 02 Oct 2012 21:56:43 -0000 Den 02/10/2012 kl. 23.44 skrev Xin Li : > On 10/02/12 07:45, Eitan Adler wrote: >> On 2 October 2012 08:38, Erik Cederstrand >> wrote: >>> Den 01/10/2012 kl. 13.55 skrev Eitan Adler >>> : >>>=20 >>>> On 1 October 2012 07:08, Konstantin Belousov >>>> wrote: >>>>> I do not believe in the dreadful 'flood ping' security >>>>> breach. Is a local escalation possible with non-dropped root >>>>> ? >>>>=20 >>>> It is clearly a local escalation: a non-root user can do >>>> something which was intended only for root. It is a different >>>> question how serious the breach is. >>>=20 >>> Are there any objections to the path I attached in my first post? >>> To the approach in general? If not, I'll send a PR so it doesn't >>> get lost. >> Not by me. Please cc me on the PR as I'll commit if no one else >> objects. >=20 > It doesn't seem hurt in general but if you are going to commit it > please also change the other instances in the base system. I'll do my best. There are around 200 of these in base, but some are the = result of macro expansion so it may not be too bad. 
Erik= From owner-freebsd-security@FreeBSD.ORG Tue Oct 2 22:00:59 2012 Return-Path: Delivered-To: freebsd-security@freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34]) by hub.freebsd.org (Postfix) with ESMTP id 92DF2106566B for ; Tue, 2 Oct 2012 22:00:59 +0000 (UTC) (envelope-from lists@eitanadler.com) Received: from mail-pb0-f54.google.com (mail-pb0-f54.google.com [209.85.160.54]) by mx1.freebsd.org (Postfix) with ESMTP id 571768FC16 for ; Tue, 2 Oct 2012 22:00:58 +0000 (UTC) Received: by pbbrp8 with SMTP id rp8so10631615pbb.13 for ; Tue, 02 Oct 2012 15:00:58 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=eitanadler.com; s=0xdeadbeef; h=mime-version:in-reply-to:references:from:date:message-id:subject:to :cc:content-type; bh=GLjOWKPJZYsTSNVLikkt2y4cXpyKj5/Ydlw1SXMNivU=; b=V87kTcSoPZf2mK2+rox9rpx1NKMUENm5R7EdqVnuUH39M+wr2fz3wtjTz4ZSRwzc79 loQPXpTHv0ahmLgf2GWBoAVzRo8pWfKRGalGBsKxdRHOSVeiMShd/NqPesSJpR3+jW0P SokC/tbCyU9xk0TYn9MrTd9QBZVxkmc/qtfbY= X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=20120113; h=mime-version:in-reply-to:references:from:date:message-id:subject:to :cc:content-type:x-gm-message-state; bh=GLjOWKPJZYsTSNVLikkt2y4cXpyKj5/Ydlw1SXMNivU=; b=jehL+aARcAe+ERlUx1drmtmEhf80z6lMicKQh7iPUh6Gm52lp5ROHoovd9C13MTsus 0sQ1Qav3SLBPVq7W2pPBDnhmv681z1CYIWXLb0OoAWYJHbD12bK6YM819JrhikmReuL0 1EkJAURltuI+zhPjNnnBtvPub+5TstYlAFB3fJO3utptKZg9TokXmqDF7E9DwqxF8VZu rAhgeKLNHwBTt9nl08SnimvybyLoLLGpC2iyatrRNC9CrcRB10glvnpz3I7XexfkE1Sb L9helRpus3QlhYeWe4XSWzM3dFP82CAqRHBO7oYtfMqo6UaSFjr30W1ZYNJYTARmmPQ5 xq3g== Received: by 10.68.242.231 with SMTP id wt7mr7667517pbc.99.1349215258735; Tue, 02 Oct 2012 15:00:58 -0700 (PDT) MIME-Version: 1.0 Received: by 10.66.190.164 with HTTP; Tue, 2 Oct 2012 15:00:28 -0700 (PDT) In-Reply-To: <87FA4CBA-001F-4C92-8B92-D650A9678864@cederstrand.dk> References: <9DD86238-51C8-4F38-B7EB-BD773039888B@cederstrand.dk> <20121001104901.GJ35915@deviant.kiev.zoral.com.ua> 
<20121001110805.GL35915@deviant.kiev.zoral.com.ua> <506B6024.8050908@delphij.net> <87FA4CBA-001F-4C92-8B92-D650A9678864@cederstrand.dk> 
From: Eitan Adler Date: Tue, 2 Oct 2012 18:00:28 -0400 Message-ID: To: Erik Cederstrand Content-Type: text/plain; charset=UTF-8 X-Gm-Message-State: ALoCoQlM8cxcQFkmnNYr0onJyKLEudDbh9q/zDEuoAFTa8GKu2KMtr9gSlbKYiUYc8ydlR6Ey1PD Cc: Konstantin Belousov , "freebsd-security@freebsd.org" , d@delphij.net Subject: Re: Opinion on checking return value of setuid(getuid())? X-BeenThere: freebsd-security@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: "Security issues \[members-only posting\]" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Tue, 02 Oct 2012 22:00:59 -0000 On 2 October 2012 17:56, Erik Cederstrand wrote: >> It doesn't seem hurt in general but if you are going to commit it >> please also change the other instances in the base system. I shall do so. I will probably do them in spurts > I'll do my best. There are around 200 of these in base, but some are the result of macro expansion so it may not be too bad. Please cc me on the PRs you send. I will take them all and commit them in bunches. Thanks! 
-- Eitan Adler From owner-freebsd-security@FreeBSD.ORG Wed Oct 3 00:17:24 2012 Return-Path: Delivered-To: freebsd-security@freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [69.147.83.52]) by hub.freebsd.org (Postfix) with ESMTP id E4093106566B; Wed, 3 Oct 2012 00:17:24 +0000 (UTC) (envelope-from rwmaillists@googlemail.com) Received: from mail-wi0-f178.google.com (mail-wi0-f178.google.com [209.85.212.178]) by mx1.freebsd.org (Postfix) with ESMTP id DB8DE8FC0A; Wed, 3 Oct 2012 00:17:23 +0000 (UTC) Received: by wibhr7 with SMTP id hr7so1297626wib.13 for ; Tue, 02 Oct 2012 17:17:22 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=googlemail.com; s=20120113; h=date:from:to:cc:subject:message-id:in-reply-to:references:x-mailer :mime-version:content-type:content-transfer-encoding; bh=E0e9RIjzYVogtSL3L+3nMFaINKpfZdIryw7xj/lhi24=; b=v5ysyOEbd3zhFVDxjJWaVVjHT/dOR+u+uRv3q2Vo7RlWXso7SMZmwCgt9UqOD/pnYM R7cYYUUaU+E7q2hff+ZMeVSzO1tMQndql0wu/Fmh2FYsFCLdxzFgxnDjCwLvPk0E6JnG MqShgkP+VA5ZuyYCBH8rxAdqK+k5QlviQErxz+eRDXUDXg5alcSL9AkrNDANrPYwKs2x RV+z/8yeIxrDqRcPRbp8YMO76XquVWEoDjJ7nYWF6tb11U6jUk1qdSWxW0S+Zu2UqPz8 EmpPfqtGP+euYHDcmelhnZXUreV7tCTOI5Z2lq/t2rk2cCZWX4cV/zuVtHOYXcvGs5Zc Rf6w== Received: by 10.180.89.7 with SMTP id bk7mr956146wib.0.1349223442667; Tue, 02 Oct 2012 17:17:22 -0700 (PDT) Received: from gumby.homeunix.com (87-194-105-247.bethere.co.uk. [87.194.105.247]) by mx.google.com with ESMTPS id cl8sm24064236wib.10.2012.10.02.17.17.20 (version=SSLv3 cipher=OTHER); Tue, 02 Oct 2012 17:17:21 -0700 (PDT) Date: Wed, 3 Oct 2012 01:16:07 +0100 
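The check the thread converges on, written out as an added example. This is my own code, not the ping.c patch Erik filed as PR 172289 and not anything from the FreeBSD tree: it is plain POSIX, assumes nothing about which uid the program starts with, checks the return value of setuid(getuid()), verifies afterwards that the drop took effect, and exits rather than continuing with root privileges when it did not.

```c
/*
 * Added example, not the ping.c patch from the thread nor any code from
 * the FreeBSD tree: drop setuid-root privileges with the return value of
 * setuid(getuid()) checked and the result verified, instead of the
 * unchecked call the clang analyzer flagged. Plain POSIX; no assumptions
 * about which uid the program starts with.
 */
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/types.h>
#include <unistd.h>

/*
 * What the analyzer complained about: if setuid() fails (the thread's
 * example is a kernel refusing because of a per-user process limit),
 * execution simply continues with effective uid 0.
 *
 *     setuid(getuid());
 *     do_unprivileged_work();
 */

/*
 * Replace the effective (and, given appropriate privilege, saved) uid
 * with the real uid. Returns 0 on success, -1 with errno set otherwise;
 * never assume the call cannot fail.
 */
int drop_privileges(void)
{
    uid_t real_uid = getuid();

    if (setuid(real_uid) != 0)
        return -1;               /* errno from the kernel: EAGAIN, EPERM... */

    /* Belt and braces: confirm the kernel really switched us. */
    if (geteuid() != real_uid) {
        errno = EPERM;
        return -1;
    }
    return 0;
}

/* 1 when the effective uid equals the real uid, i.e. no elevated uid is left. */
int privileges_dropped(void)
{
    return geteuid() == getuid();
}

/*
 * Fail closed: a setuid program that cannot drop privileges must not fall
 * through into code written on the assumption that it is unprivileged.
 */
void drop_privileges_or_exit(const char *progname)
{
    if (drop_privileges() != 0) {
        fprintf(stderr, "%s: setuid(%lu): %s\n", progname,
                (unsigned long)getuid(), strerror(errno));
        exit(EXIT_FAILURE);
    }
}

int main(int argc, char **argv)
{
    (void)argc;
    drop_privileges_or_exit(argv[0] ? argv[0] : "drop_privileges");
    printf("uid %lu, euid %lu, privileges dropped: %s\n",
           (unsigned long)getuid(), (unsigned long)geteuid(),
           privileges_dropped() ? "yes" : "no");
    return 0;
}
```

Run as an ordinary user the program is a no-op that succeeds; installed setuid root it either ends up as the invoking user or refuses to run at all, which is the whole point of the check. The geteuid() comparison after the call is cheap insurance against a kernel that returns success without doing what was asked.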
From: RW To: Dag-Erling =?ISO-8859-1?Q?Sm=F8rgrav?= Message-ID: <20121003011607.5553fe48@gumby.homeunix.com> In-Reply-To: <86y5joiyan.fsf@ds4.des.no> References: <20120918211422.GA1400@garage.freebsd.pl> <20120919231051.4bc5335b@gumby.homeunix.com> <20120920102104.GA1397@garage.freebsd.pl> <201209200758.51924.jhb@freebsd.org> <20120922080323.GA1454@garage.freebsd.pl> <20120922195325.GH1454@garage.freebsd.pl> <505E59DC.7090505@gmail.com> <20120923151706.GN1454@garage.freebsd.pl> <5060D723.6020305@gmail.com> <86r4pqqwnm.fsf@ds4.des.no> <86ipat6n0o.fsf@ds4.des.no> <86y5joiyan.fsf@ds4.des.no> X-Mailer: Claws Mail 3.8.1 (GTK+ 2.24.6; amd64-portbld-freebsd8.3) Mime-Version: 1.0 Content-Type: text/plain; charset=ISO-8859-1 Content-Transfer-Encoding: quoted-printable Cc: Anderson , Pawel Jakub Dawidek , John Baldwin , Ben Laurie , freebsd-security@freebsd.org, Mariusz Gromada , Jonathan Subject: Re: Collecting entropy from device_attach() times. X-BeenThere: freebsd-security@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: "Security issues \[members-only posting\]" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Wed, 03 Oct 2012 00:17:25 -0000 On Tue, 02 Oct 2012 19:22:40 +0200 Dag-Erling Sm=F8rgrav wrote: > 2) I modified the program to create a histogram of the lower bits and > looked at that in gnuplot. It was immediately obvious that the > distribution is extremely non-uniform. I suspect that this is - at > least in part - due to the weird way get_cyclecount() computes the > value it returns. =20 It doesn't compute it in a weird way for amd64 and most i386 systems. Where possible, get_cyclecount is just a wrapper for rdtsc, which I think it will be for all the systems you quoted (with the possible exception of virtualbox). I don't think one should necessarily expect the bits to get progressively more random going from high to low order. 
If you think in terms of simple variable analogue delays it seems reasonable, but a physical device may have its own internal timing granulation.=20 > We should either rewrite it to return something > sensible or nuke it and use binuptime() instead. As I pointed-out before if you use binuptime() you cant use entropy estimation based on bit-shifting time differences. From owner-freebsd-security@FreeBSD.ORG Wed Oct 3 09:32:47 2012 Return-Path: Delivered-To: freebsd-security@freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [69.147.83.52]) by hub.freebsd.org (Postfix) with ESMTP id 0DC07106564A; Wed, 3 Oct 2012 09:32:47 +0000 (UTC) (envelope-from des@des.no) Received: from smtp.des.no (smtp.des.no [194.63.250.102]) by mx1.freebsd.org (Postfix) with ESMTP id B86748FC0C; Wed, 3 Oct 2012 09:32:46 +0000 (UTC) Received: from ds4.des.no (smtp.des.no [194.63.250.102]) by smtp.des.no (Postfix) with ESMTP id C554D6E3E; Wed, 3 Oct 2012 11:32:45 +0200 (CEST) Received: by ds4.des.no (Postfix, from userid 1001) id 8784B8127; Wed, 3 Oct 2012 11:32:45 +0200 (CEST) 
From: =?utf-8?Q?Dag-Erling_Sm=C3=B8rgrav?= To: RW References: <20120918211422.GA1400@garage.freebsd.pl> <20120919231051.4bc5335b@gumby.homeunix.com> <20120920102104.GA1397@garage.freebsd.pl> <201209200758.51924.jhb@freebsd.org> <20120922080323.GA1454@garage.freebsd.pl> <20120922195325.GH1454@garage.freebsd.pl> <505E59DC.7090505@gmail.com> <20120923151706.GN1454@garage.freebsd.pl> <5060D723.6020305@gmail.com> <86r4pqqwnm.fsf@ds4.des.no> <86ipat6n0o.fsf@ds4.des.no> <86y5joiyan.fsf@ds4.des.no> <20121003011607.5553fe48@gumby.homeunix.com> Date: Wed, 03 Oct 2012 11:32:45 +0200 In-Reply-To: <20121003011607.5553fe48@gumby.homeunix.com> (RW's message of "Wed, 3 Oct 2012 01:16:07 +0100") Message-ID: <86626raojm.fsf@ds4.des.no> User-Agent: Gnus/5.13 (Gnus v5.13) Emacs/23.4 (berkeley-unix) MIME-Version: 1.0 Content-Type: text/plain; charset=utf-8 Content-Transfer-Encoding: quoted-printable Cc: Jonathan Anderson , Pawel Jakub Dawidek , John Baldwin , Ben Laurie , freebsd-security@freebsd.org, Mariusz Gromada Subject: Re: Collecting entropy from device_attach() times. X-BeenThere: freebsd-security@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: "Security issues \[members-only posting\]" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Wed, 03 Oct 2012 09:32:47 -0000 RW writes: > It doesn't compute it in a weird way for amd64 and most i386 systems. > Where possible, get_cyclecount is just a wrapper for rdtsc, which I > think it will be for all the systems you quoted (with the possible > exception of virtualbox). No. All the machines I tested it on had TSCs, but not all i386 machines we support do, so get_cyclecount() is always a function call on i386. Look at the code, or heck, disassemble my kernel if you don't believe me. (did you even look at my numbers?) 
DES --=20 Dag-Erling Sm=C3=B8rgrav - des@des.no From owner-freebsd-security@FreeBSD.ORG Wed Oct 3 11:42:09 2012 Return-Path: Delivered-To: freebsd-security@freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [69.147.83.52]) by hub.freebsd.org (Postfix) with ESMTP id 0F002106566B; Wed, 3 Oct 2012 11:42:09 +0000 (UTC) (envelope-from des@des.no) Received: from smtp.des.no (smtp.des.no [194.63.250.102]) by mx1.freebsd.org (Postfix) with ESMTP id B86488FC08; Wed, 3 Oct 2012 11:42:05 +0000 (UTC) Received: from ds4.des.no (smtp.des.no [194.63.250.102]) by smtp.des.no (Postfix) with ESMTP id C3CD16E82; Wed, 3 Oct 2012 13:42:04 +0200 (CEST) Received: by ds4.des.no (Postfix, from userid 1001) id 76C8D8140; Wed, 3 Oct 2012 13:42:04 +0200 (CEST) 
From: =?utf-8?Q?Dag-Erling_Sm=C3=B8rgrav?= To: RW References: <20120918211422.GA1400@garage.freebsd.pl> <20120919231051.4bc5335b@gumby.homeunix.com> <20120920102104.GA1397@garage.freebsd.pl> <201209200758.51924.jhb@freebsd.org> <20120922080323.GA1454@garage.freebsd.pl> <20120922195325.GH1454@garage.freebsd.pl> <505E59DC.7090505@gmail.com> <20120923151706.GN1454@garage.freebsd.pl> <5060D723.6020305@gmail.com> <86r4pqqwnm.fsf@ds4.des.no> <86ipat6n0o.fsf@ds4.des.no> <86y5joiyan.fsf@ds4.des.no> <20121003011607.5553fe48@gumby.homeunix.com> Date: Wed, 03 Oct 2012 13:42:03 +0200 In-Reply-To: <20121003011607.5553fe48@gumby.homeunix.com> (RW's message of "Wed, 3 Oct 2012 01:16:07 +0100") Message-ID: <86txub93zo.fsf@ds4.des.no> User-Agent: Gnus/5.13 (Gnus v5.13) Emacs/23.4 (berkeley-unix) MIME-Version: 1.0 Content-Type: text/plain; charset=utf-8 Content-Transfer-Encoding: quoted-printable Cc: Anderson , Pawel Jakub Dawidek , John Baldwin , Ben Laurie , freebsd-security@freebsd.org, Mariusz Gromada , Jonathan@FreeBSD.ORG Subject: Re: Collecting entropy from device_attach() times. X-BeenThere: freebsd-security@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: "Security issues \[members-only posting\]" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Wed, 03 Oct 2012 11:42:09 -0000 RW writes: > As I pointed-out before if you use binuptime() you cant use entropy > estimation based on bit-shifting time differences. Forgot to answer this: yes you can. The last time I raised the issue, I also provided sample code for reimplementing get_cyclecount() in terms of binuptime(). Basically, you discard the top N bits of the integer portion and the bottom 64 - N bits of the fractional portion, and you're left with a monotonically increasing 64-bit value that will wrap around at a point that depends on N. BTW, get_cyclecount() is documented to work the way I suggest that it should, not the way it actually does. 
Also, the man page is incomplete. For instance, it suggests, but does not state outright, that the value may wrap around. It also states categorically that TSCs are per-CPU in SMP systems, whereas in fact all modern amd64 systems (and many P4-era systems, contingent on motherboard support) have synchronized TSCs. DES --=20 Dag-Erling Sm=C3=B8rgrav - des@des.no From owner-freebsd-security@FreeBSD.ORG Wed Oct 3 13:51:23 2012 Return-Path: Delivered-To: freebsd-security@freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34]) by hub.freebsd.org (Postfix) with ESMTP id E1680106564A; Wed, 3 Oct 2012 13:51:23 +0000 (UTC) (envelope-from rwmaillists@googlemail.com) Received: from mail-bk0-f54.google.com (mail-bk0-f54.google.com [209.85.214.54]) by mx1.freebsd.org (Postfix) with ESMTP id 8DB468FC14; Wed, 3 Oct 2012 13:51:19 +0000 (UTC) Received: by bkcjf20 with SMTP id jf20so5193472bkc.13 for ; Wed, 03 Oct 2012 06:51:13 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=googlemail.com; s=20120113; h=date:from:to:cc:subject:message-id:in-reply-to:references:x-mailer :mime-version:content-type:content-transfer-encoding; bh=vc/set44TbujU5+4tt2GD67U+LzMnAW2yEb0Sz0bbXc=; b=tMmknU3D191Z6fYqpemVQo6uQcxv9Y+7QeBSaWoADPve9d92E4NQAhE2CYACNedQEp WWNU8S8T1YqEfeq4WCl+JGBp78CVtG4oo5NnpVmb4WDsehGCCw/gpsb7nrcvVWxFTtXs GBIvBIXgfJ/8D83YoZCAThX8lkwu5ezsav9IGutq4zUT2e1LvRqc5rawMD0zADjyWXQo l76fFqvpt0vxgcNioMgiD4lYEivopIZnc7HFI2P8cSUk+u/eV4pB2Lj+Pxn0VIdromsb WRHaasiA/YH9N6YcjHBCWMcodYldSkkLYWYPsyhuzfo7/9gXzWFdt0jJQvOfLL/1kak9 Nocg== Received: by 10.204.3.214 with SMTP id 22mr512002bko.108.1349272273330; Wed, 03 Oct 2012 06:51:13 -0700 (PDT) Received: from gumby.homeunix.com (87-194-105-247.bethere.co.uk. [87.194.105.247]) by mx.google.com with ESMTPS id e3sm3613392bks.7.2012.10.03.06.51.09 (version=SSLv3 cipher=OTHER); Wed, 03 Oct 2012 06:51:11 -0700 (PDT) Date: Wed, 3 Oct 2012 14:51:07 +0100 
From: RW To: Dag-Erling =?ISO-8859-1?Q?Sm=F8rgrav?= Message-ID: <20121003145107.264e3174@gumby.homeunix.com> In-Reply-To: <86txub93zo.fsf@ds4.des.no> References: <20120918211422.GA1400@garage.freebsd.pl> <20120919231051.4bc5335b@gumby.homeunix.com> <20120920102104.GA1397@garage.freebsd.pl> <201209200758.51924.jhb@freebsd.org> <20120922080323.GA1454@garage.freebsd.pl> <20120922195325.GH1454@garage.freebsd.pl> <505E59DC.7090505@gmail.com> <20120923151706.GN1454@garage.freebsd.pl> <5060D723.6020305@gmail.com> <86r4pqqwnm.fsf@ds4.des.no> <86ipat6n0o.fsf@ds4.des.no> <86y5joiyan.fsf@ds4.des.no> <20121003011607.5553fe48@gumby.homeunix.com> <86txub93zo.fsf@ds4.des.no> X-Mailer: Claws Mail 3.8.1 (GTK+ 2.24.6; amd64-portbld-freebsd8.3) Mime-Version: 1.0 Content-Type: text/plain; charset=ISO-8859-1 Content-Transfer-Encoding: quoted-printable Cc: Anderson , Ben, John Baldwin , Laurie , freebsd-security@freebsd.org, Mariusz Gromada , Pawel Jakub Dawidek , Jonathan@FreeBSD.ORG Subject: Re: Collecting entropy from device_attach() times. X-BeenThere: freebsd-security@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: "Security issues \[members-only posting\]" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Wed, 03 Oct 2012 13:51:24 -0000 On Wed, 03 Oct 2012 13:42:03 +0200 Dag-Erling Sm=F8rgrav wrote: > RW writes: > > As I pointed-out before if you use binuptime() you cant use entropy > > estimation based on bit-shifting time differences. >=20 > Forgot to answer this: yes you can. The last time I raised the > issue, I also provided sample code for reimplementing > get_cyclecount() in terms of binuptime(). Basically, you discard the > top N bits of the integer portion and the bottom 64 - N bits of the > fractional portion, and you're left with a monotonically increasing > 64-bit value that will wrap around at a point that depends on N. 
>=20 Yes, getting a monotonically increasing value from binuptime() is simple, but the xor issue is secondary to the problem I was referring to when I quoted the arm code for get_cyclecount(). When the time difference comes from the TSC, Pavels code computes an amount of entropy that scales reasonably well with TSC frequency. When when you use binuptime() you've thrown away all counter frequency information. The entropy calculation will produce a completely bogus figure. From owner-freebsd-security@FreeBSD.ORG Wed Oct 3 15:34:34 2012 Return-Path: Delivered-To: freebsd-security@freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34]) by hub.freebsd.org (Postfix) with ESMTP id EBCF0106566B for ; Wed, 3 Oct 2012 15:34:33 +0000 (UTC) (envelope-from rwmaillists@googlemail.com) Received: from mail-ee0-f54.google.com (mail-ee0-f54.google.com [74.125.83.54]) by mx1.freebsd.org (Postfix) with ESMTP id 6A0B98FC08 for ; Wed, 3 Oct 2012 15:34:33 +0000 (UTC) Received: by eekc50 with SMTP id c50so4435234eek.13 for ; Wed, 03 Oct 2012 08:34:32 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=googlemail.com; s=20120113; h=date:from:to:cc:subject:message-id:in-reply-to:references:x-mailer :mime-version:content-type:content-transfer-encoding; bh=bD63GbDbHuui9hBvGT+2Gl8Buz94lznIdxbF9dT3ysQ=; b=y23Q7n05+sxcP6Znqn8EsxeslaL1Iakra/dIaBvZk+cV5JK4pEP4aoZDdnG3yJpt0C wwRdMZCmUtSFgCuP/vMye7pqfZ4psGHANQGqJlBUb8wdfAhfIW5ISKyvXpccatk8yiqG vomb8z9QK6AIW2PNinVY/i0qWjZHVadi7G1wWGInsZfcLXt/En0VZ291pwWUj86rKR2G BUVGMxt+AIqYxEpZhehh5M41u7wNaCQmo7VEHnc/6xcBfJuv/naj7EyoJ9vPNd8V7uPP vPdyD8mRteFs9gx6krOqqaWla8fXrhnzuLyRxIT1XwePGmC6Ab8qnJZvm8awuugzVlmh yeOQ== Received: by 10.14.203.73 with SMTP id e49mr3264962eeo.27.1349278472259; Wed, 03 Oct 2012 08:34:32 -0700 (PDT) Received: from gumby.homeunix.com (87-194-105-247.bethere.co.uk. 
[87.194.105.247]) by mx.google.com with ESMTPS id n45sm10313771eeo.14.2012.10.03.08.34.29 (version=SSLv3 cipher=OTHER); Wed, 03 Oct 2012 08:34:31 -0700 (PDT) Date: Wed, 3 Oct 2012 16:34:27 +0100 
From: RW To: Dag-Erling =?ISO-8859-1?Q?Sm=F8rgrav?= Message-ID: <20121003163427.2acff4e6@gumby.homeunix.com> In-Reply-To: <86626raojm.fsf@ds4.des.no> References: <20120918211422.GA1400@garage.freebsd.pl> <20120919231051.4bc5335b@gumby.homeunix.com> <20120920102104.GA1397@garage.freebsd.pl> <201209200758.51924.jhb@freebsd.org> <20120922080323.GA1454@garage.freebsd.pl> <20120922195325.GH1454@garage.freebsd.pl> <505E59DC.7090505@gmail.com> <20120923151706.GN1454@garage.freebsd.pl> <5060D723.6020305@gmail.com> <86r4pqqwnm.fsf@ds4.des.no> <86ipat6n0o.fsf@ds4.des.no> <86y5joiyan.fsf@ds4.des.no> <20121003011607.5553fe48@gumby.homeunix.com> <86626raojm.fsf@ds4.des.no> X-Mailer: Claws Mail 3.8.1 (GTK+ 2.24.6; amd64-portbld-freebsd8.3) Mime-Version: 1.0 Content-Type: text/plain; charset=ISO-8859-1 Content-Transfer-Encoding: quoted-printable Cc: freebsd-security@freebsd.org Subject: Re: Collecting entropy from device_attach() times. X-BeenThere: freebsd-security@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: "Security issues \[members-only posting\]" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Wed, 03 Oct 2012 15:34:34 -0000 On Wed, 03 Oct 2012 11:32:45 +0200 Dag-Erling Sm=F8rgrav wrote: > RW writes: > > It doesn't compute it in a weird way for amd64 and most i386 > > systems. Where possible, get_cyclecount is just a wrapper for > > rdtsc, which I think it will be for all the systems you quoted > > (with the possible exception of virtualbox). >=20 > No. All the machines I tested it on had TSCs, but not all i386 > machines we support do, so get_cyclecount() is always a function call > on i386. Look at the code, or heck, disassemble my kernel if you > don't believe me. It appears that it changed in April (Revision 220347), so if they were all running 9.1, 9-stable or head then you're quite right.=20 I was looking at my local source where it's still conditional on "tsc_present". 
From owner-freebsd-security@FreeBSD.ORG Wed Oct 3 17:11:15 2012 Return-Path: Delivered-To: freebsd-security@freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [69.147.83.52]) by hub.freebsd.org (Postfix) with ESMTP id 61A7F106566C; Wed, 3 Oct 2012 17:11:15 +0000 (UTC) (envelope-from des@des.no) Received: from smtp.des.no (smtp.des.no [194.63.250.102]) by mx1.freebsd.org (Postfix) with ESMTP id 14AC78FC17; Wed, 3 Oct 2012 17:11:11 +0000 (UTC) Received: from ds4.des.no (smtp.des.no [194.63.250.102]) by smtp.des.no (Postfix) with ESMTP id 4419B6073; Wed, 3 Oct 2012 19:11:11 +0200 (CEST) Received: by ds4.des.no (Postfix, from userid 1001) id E26D0818A; Wed, 3 Oct 2012 19:11:10 +0200 (CEST) 
From: =?utf-8?Q?Dag-Erling_Sm=C3=B8rgrav?= To: RW References: <20120918211422.GA1400@garage.freebsd.pl> <20120919231051.4bc5335b@gumby.homeunix.com> <20120920102104.GA1397@garage.freebsd.pl> <201209200758.51924.jhb@freebsd.org> <20120922080323.GA1454@garage.freebsd.pl> <20120922195325.GH1454@garage.freebsd.pl> <505E59DC.7090505@gmail.com> <20120923151706.GN1454@garage.freebsd.pl> <5060D723.6020305@gmail.com> <86r4pqqwnm.fsf@ds4.des.no> <86ipat6n0o.fsf@ds4.des.no> <86y5joiyan.fsf@ds4.des.no> <20121003011607.5553fe48@gumby.homeunix.com> <86txub93zo.fsf@ds4.des.no> <20121003145107.264e3174@gumby.homeunix.com> Date: Wed, 03 Oct 2012 19:11:10 +0200 In-Reply-To: <20121003145107.264e3174@gumby.homeunix.com> (RW's message of "Wed, 3 Oct 2012 14:51:07 +0100") Message-ID: <86iparmqfl.fsf@ds4.des.no> User-Agent: Gnus/5.13 (Gnus v5.13) Emacs/23.4 (berkeley-unix) MIME-Version: 1.0 Content-Type: text/plain; charset=utf-8 Content-Transfer-Encoding: quoted-printable Cc: Anderson , Pawel Jakub Dawidek , John Baldwin , Laurie , Ben@FreeBSD.ORG, freebsd-security@freebsd.org, Mariusz Gromada , Jonathan@FreeBSD.ORG Subject: Re: Collecting entropy from device_attach() times. X-BeenThere: freebsd-security@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: "Security issues \[members-only posting\]" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Wed, 03 Oct 2012 17:11:15 -0000 RW writes: > Yes, getting a monotonically increasing value from binuptime() is > simple, but the xor issue is secondary to the problem I was referring > to when I quoted the arm code for get_cyclecount(). BTW, I just checked - the code you quoted does not exist / no longer exists anywhere in the tree. The arm implementation of get_cyclecount() uses the algorithm I suggested, with N =3D 56. 
DES
-- 
Dag-Erling Smørgrav - des@des.no

From owner-freebsd-security@FreeBSD.ORG Thu Oct 4 11:01:50 2012
Message-ID: <506D6C96.7050408@FreeBSD.org>
Date: Thu, 04 Oct 2012 15:01:42 +0400
From: Andrey Zonov
To: "Simon L. B. Nielsen"
Cc: freebsd-security@freebsd.org
Subject: Re: [patch] unprivileged mlock(2)
In-Reply-To: <5065A51B.6010905@FreeBSD.org>
References: <50619E5D.3010503@FreeBSD.org> <5065A51B.6010905@FreeBSD.org>

On 9/28/12 5:24 PM, Andrey Zonov wrote:
> On 9/27/12 7:25 PM, Simon L. B. Nielsen wrote:
>> On Tue, Sep 25, 2012 at 1:06 PM, Andrey Zonov wrote:
>>> Hi,
>>>
>>> Please review this patch [1] which allows unprivileged users to call
>>> mlock()/munlock() and mlockall()/munlockall().
>>>
>>> AFAIK, these calls were not allowed for everyone because accounting for
>>> mlockall(MCL_FUTURE) was not implemented.
>>
>> I can't comment on the implementation details (don't know much about
>> VM system), but do you have tests to show that the new code actually
>> works in preventing users from mlocking more than 8MB by default?
>>
>
> Sure, test is attached.
>

Hi Simon,

Have you got a chance to look at that?
-- 
Andrey Zonov