From owner-freebsd-security Sun May 5 06:56:30 1996
Return-Path: owner-security
Received: (from root@localhost) by freefall.freebsd.org (8.7.3/8.7.3) id GAA17577 for security-outgoing; Sun, 5 May 1996 06:56:30 -0700 (PDT)
Received: from gw0.telebase.com (root@gw0.telebase.com [192.132.57.100]) by freefall.freebsd.org (8.7.3/8.7.3) with ESMTP id GAA17568 for ; Sun, 5 May 1996 06:56:27 -0700 (PDT)
Received: from wormhole.telebase.com by gw0.telebase.com id JAA01792; Sun, 5 May 1996 09:56:16 -0400 (EDT)
Received: from hovercraft.willscreek.com (root@hovercraft.willscreek.com [172.16.11.101]) by wormhole.telebase.com (8.7.1/8.6.9.1) with ESMTP id JAA15349; Sun, 5 May 1996 09:56:12 -0400 (EDT)
Received: (from bmc@localhost) by hovercraft.willscreek.com (8.7.5/8.6.9) id JAA00355; Sun, 5 May 1996 09:55:45 -0400 (EDT)
Date: Sun, 5 May 1996 09:55:45 -0400 (EDT)
Message-Id: <199605051355.JAA00355@hovercraft.willscreek.com>
From: Brian Clapper
To: "John S. Dyson"
Cc: freebsd-security@FreeBSD.ORG
Subject: Re: Weird system security output
In-Reply-To: <107643434@toto.iv>
Sender: owner-security@FreeBSD.ORG
X-Loop: FreeBSD.org
Precedence: bulk

>>>>> "John" == John S Dyson writes:

>> I have had this happen and have rationalized it, but I'm not sure if it
>> is a cause. I always thought that it was because of the sup process
>> adding new files and updating current ones. If I'm dead wrong please
>> correct me.
>>

John> There IS a bug in -stable (might have been fixed recently) that modified
John> dates on executables can get modified during paging. We just found a
John> very subtle bug in pmap.c (it might be in the asm statements or in the
John> register allocation associated with them), that appears to have been
John> fixed when we rewrote the code. The bug that appears to have been
John> fixed also could have been manifested by changed modify dates. This
John> is a very very tough one.

FYI, we noticed the same problem on our firewall. After a small bit of panic, we tracked it down. It corresponded exactly to when our system's time was re-synchronized via NTP. We were able to reproduce the problem manually on both FreeBSD (2.1) and BSDI (2.0.1) systems. John's explanation is consistent with our experimental observations.

-----
Brian Clapper ....................... bmc@WillsCreek.COM -or- bmc@telebase.com
http://www.netaxs.com/~bmc/ ......... PGP public key available on request
Barth's Distinction: There are two types of people: those who divide people into two types, and those who don't.