Date: Fri, 07 Jan 2005 15:24:36 -0800
From: Colin Percival
To: Sean Whalen
cc: freebsd-hackers@freebsd.org
Subject: Re: Potential user/kernel pointer bugs in FreeBSD 5.3
Message-id: <41DF1A34.9060704@wadham.ox.ac.uk>
In-reply-to: <41DF17C2.9060801@node99.org>
List-Id: Technical Discussions relating to FreeBSD

Sean Whalen wrote:
> We recently did work with the Cqual type inference tool to identify
> potential user/kernel pointer bugs in FreeBSD 5.3. Our paper is
> available here: http://www.node99.org/projects/bsduk/
>
> We identified 5 potential bugs which we are looking to confirm with the
> community. Page 10 contains an example of one such candidate. More
> true positives may be identified by using a machine with 10 or more gigs
> of RAM for inter-file analysis of the entire kernel. If interested,
> please email me.

Sean,

Coverity got to that particular bug first -- it was fixed as part of the
FreeBSD-SA-04:17.procfs security advisory.

Could you send the rest of these to secteam@freebsd.org? We'd like to look
at them and fix any security issues before they are publicly disclosed.

Thanks,
Colin Percival