From owner-freebsd-security@freebsd.org Fri Jan 5 15:26:04 2018 Return-Path: Delivered-To: freebsd-security@mailman.ysv.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:1900:2254:206a::19:1]) by mailman.ysv.freebsd.org (Postfix) with ESMTP id 2CA18EAF1FC for ; Fri, 5 Jan 2018 15:26:04 +0000 (UTC) (envelope-from repeatable_compression@yahoo.com) Received: from sonic306-21.consmr.mail.ne1.yahoo.com (sonic306-21.consmr.mail.ne1.yahoo.com [66.163.189.83]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (Client did not present a certificate) by mx1.freebsd.org (Postfix) with ESMTPS id DB2F56DB0E for ; Fri, 5 Jan 2018 15:26:03 +0000 (UTC) (envelope-from repeatable_compression@yahoo.com) X-YMail-OSG: _SddRmcVM1nJxZCtrZgFURVxnQKAGb2iASLhSLJnIiLQbCS6oOI8qaV3dM1hi4w SuR4XEcrNnbotGWzz2cB1RcWpSB1xsID_7tekZTsYHGjwmwhBZUX3Uxfer74oK8ZZpq8DHeO5LEY eeuAb2eFA0_m8B3xyJ0U9s7AytItHsCZ2yzBpQ0SVkTfx.35GjTd0xjGnxD7fy5Qy78qAvRFRsfQ ZNhBUrCcDhnNBIutlsAj5myteoKJ6ntp2NWJeF_A2g2fE84MDuDpIkG3d2Jc_3QRHuWg2.avm5ZM 4da9fZS0GqBoVA8_ekbGtdIOen3sOKRQsarEddWTozNERLkluYwivu3wNG1Gra.4Dbh7zxMjNU5H Ygk40Y9ORP7d7EB11heasRrxS71RutuocaLB4dtCiPv.moiQvwyFRwC8SHS2NcWahwFfIvURAPJt hplC7FHgei1GlSYZHPAvV6Zp7zHb5Rzw8XdNxdkRVR85EoNzCwHRicSwc4O9q4oRvn7_tNhaVrNR FFCBnZyqu3qz5DNmNLgU9Hw-- Received: from sonic.gate.mail.ne1.yahoo.com by sonic306.consmr.mail.ne1.yahoo.com with HTTP; Fri, 5 Jan 2018 15:25:57 +0000 Date: Fri, 5 Jan 2018 15:25:34 +0000 (UTC) From: Jules Gilbert To: =?UTF-8?Q?Dag-Erling_Sm=C3=B8rgrav?= Cc: "Ronald F. Guilmette" , Eric McCorkle , Freebsd Security , Poul-Henning Kamp , "freebsd-arch@freebsd.org" , FreeBSD Hackers , Shawn Webb , Nathan Whitehorn Message-ID: <302406914.1010662.1515165934929@mail.yahoo.com> In-Reply-To: <861sj4tlak.fsf@desk.des.no> References: <736a2b77-d4a0-b03f-8a6b-6a717f5744d4@metricspace.net> <2594.1515141192@segfault.tristatelogic.com> <809675000.867372.1515146821354@mail.yahoo.com> <861sj4tlak.fsf@desk.des.no> Subject: Re: Intel hardware bug MIME-Version: 1.0 X-Mailer: WebService/1.1.11150 YMailNorrin Mozilla/5.0 (X11; Ubuntu; Linux i686; rv:57.0) Gecko/20100101 Firefox/57.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: quoted-printable X-Content-Filtered-By: Mailman/MimeDel 2.1.25 X-BeenThere: freebsd-security@freebsd.org X-Mailman-Version: 2.1.25 Precedence: list List-Id: "Security issues \[members-only posting\]" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Fri, 05 Jan 2018 15:26:04 -0000 Ah, sorry I'm wrong.=C2=A0 I apologize.=C2=A0 I won't intrude further.=C2= =A0 I spoke up because selectively choosing to read sections of kernel memo= ry is one thing, obtaining useful information from an arbitrary block of ke= rnel memory you don't get to choose is quite another. But their are several people here I respect very much and if they say I'm w= rong about an area they focus on,... me bad. On Friday, January 5, 2018, 9:48:50 AM EST, Dag-Erling Sm=C3=B8rgrav wrote: =20 =20 Jules Gilbert writes: > Sorry guys, you just convinced me that no one, not the NSA, not the > FSB, no one!, has in the past, or will in the future be able to > exploit this to actually do something not nice. The technique has already been proven by multiple independent parties to work quite well, allowing an attacker to read kernel memory at speeds of up to 500 kB/s.=C2=A0 But I guess you know better... DES --=20 Dag-Erling Sm=C3=B8rgrav - des@des.no =20 From owner-freebsd-security@freebsd.org Fri Jan 5 13:30:32 2018 Return-Path: Delivered-To: freebsd-security@mailman.ysv.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:1900:2254:206a::19:1]) by mailman.ysv.freebsd.org (Postfix) with ESMTP id 370F1EA923D; Fri, 5 Jan 2018 13:30:32 +0000 (UTC) (envelope-from aduane@juniper.net) Received: from mx0a-00273201.pphosted.com (mx0a-00273201.pphosted.com [208.84.65.16]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (Client CN "*.pphosted.com", Issuer "thawte SHA256 SSL CA" (verified OK)) by mx1.freebsd.org (Postfix) with ESMTPS id E414668C62; Fri, 5 Jan 2018 13:30:31 +0000 (UTC) (envelope-from aduane@juniper.net) Received: from pps.filterd (m0108156.ppops.net [127.0.0.1]) by mx0a-00273201.pphosted.com (8.16.0.21/8.16.0.21) with SMTP id w05DTiQ3014492; Fri, 5 Jan 2018 05:30:28 -0800 DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=juniper.net; h=from : to : subject : date : message-id : references : in-reply-to : content-type : content-transfer-encoding : mime-version; s=PPS1017; bh=Rq10H2AKnhJa6OQt+JES3iPtcqyMMxVpJ8rjOFIiCR0=; b=nA2Jv9BZbdDRqYZr9CEPdyO298kV445+NaO05/NX7bi6/PeaDmNFl0EehV6xiLVSikff sC3fZdfLmVURWW3wg7TMvLD4uxmOq/iGYHBfrpbOtAmH1GsNGTXmTyYC4iRXoKBzcGTc iU2m2GslE3owIGc7XhMfOAhJdusb6LEYjvd+o5kfPYYL7Foqp7zTUSD1+0S52S0KD+cU Ek5cUnBVym/SOL5l68st5elNoylP+PLqU58dCuSltZJYXpdegI8GUO/yAUb9QdSMg4jE owJv7vz269JIY6iGmL3rUXMzMj5nppzORhwBBjnxWHhw0ZHZhDLOoCZdm/jXsdQjjH7X oA== Received: from nam02-sn1-obe.outbound.protection.outlook.com (mail-sn1nam02lp0022.outbound.protection.outlook.com [216.32.180.22]) by mx0a-00273201.pphosted.com with ESMTP id 2fa9ymr13j-1 (version=TLSv1.2 cipher=ECDHE-RSA-AES256-SHA384 bits=256 verify=NOT); Fri, 05 Jan 2018 05:30:27 -0800 Received: from SN1PR0501MB2125.namprd05.prod.outlook.com (10.163.228.152) by SN1PR0501MB1693.namprd05.prod.outlook.com (10.163.130.151) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384_P256) id 15.20.407.1; Fri, 5 Jan 2018 13:30:26 +0000 Received: from SN1PR0501MB2125.namprd05.prod.outlook.com ([10.163.228.152]) by SN1PR0501MB2125.namprd05.prod.outlook.com ([10.163.228.152]) with mapi id 15.20.0407.000; Fri, 5 Jan 2018 13:30:26 +0000 From: Andrew Duane To: Eric McCorkle , Jules Gilbert , "Ronald F. Guilmette" , Freebsd Security , Brett Glass , =?iso-8859-1?Q?Dag-Erling_Sm=F8rgrav?= , Poul-Henning Kamp , "freebsd-arch@freebsd.org" , FreeBSD Hackers , Shawn Webb , Nathan Whitehorn Subject: RE: Intel hardware bug Thread-Topic: Intel hardware bug Thread-Index: AQHThhm6gtRbndOyekeN4M7Qcuy2NqNlOTSAgAAMhiA= Date: Fri, 5 Jan 2018 13:30:26 +0000 Message-ID: References: <736a2b77-d4a0-b03f-8a6b-6a717f5744d4@metricspace.net> <2594.1515141192@segfault.tristatelogic.com> <809675000.867372.1515146821354@mail.yahoo.com> <250f3a77-822b-fba5-dcd7-758dfec94554@metricspace.net> In-Reply-To: <250f3a77-822b-fba5-dcd7-758dfec94554@metricspace.net> Accept-Language: en-US Content-Language: en-US X-MS-Has-Attach: X-MS-TNEF-Correlator: x-originating-ip: [66.129.241.11] x-ms-publictraffictype: Email x-microsoft-exchange-diagnostics: 1; SN1PR0501MB1693; 7:5aYxUZZcdWX6ZDNcffZq8FqMPnCx+mx3MXNLc2/udTNDnhkzQzmumE+DdiNTjTR1BtKeMihQNc15xux2UI0tTjMTONlkHptUb77yHz7uV9DfHPnI7jhfP/C/qZWFuK2aGIWzrBcBrxPI6IO/Y0n79rb1d4L0bk5yqD2P3uv3jyTtd6NxBhe1P2eXDjQZFBmFFiv8sQsPcVC0c1AjVVOUjlfkSxsO6xUheIX4e1FrUWVVZH7KxIlUPyXSdzVR9yrl x-ms-exchange-antispam-srfa-diagnostics: SSOS; x-ms-office365-filtering-ht: Tenant x-ms-office365-filtering-correlation-id: 54d83e8a-b5b8-4844-b342-08d554407afc x-microsoft-antispam: UriScan:; BCL:0; PCL:0; RULEID:(7020020)(48565401081)(5600026)(4604075)(3008032)(4534040)(4602075)(4627136)(201703031133081)(201702281549075)(2017052603307)(7153060); SRVR:SN1PR0501MB1693; x-ms-traffictypediagnostic: SN1PR0501MB1693: x-microsoft-antispam-prvs: x-exchange-antispam-report-test: UriScan:(20558992708506)(192374486261705)(138986009662008)(201166117486090); x-exchange-antispam-report-cfa-test: BCL:0; PCL:0; RULEID:(6040470)(2401047)(8121501046)(5005006)(3231023)(944501075)(3002001)(10201501046)(93006095)(93001095)(6055026)(6041268)(20161123564045)(20161123558120)(201703131423095)(201702281528075)(20161123555045)(201703061421075)(201703061406153)(20161123562045)(20161123560045)(6072148)(201708071742011); SRVR:SN1PR0501MB1693; BCL:0; PCL:0; RULEID:(100000803101)(100110400095); SRVR:SN1PR0501MB1693; x-forefront-prvs: 05437568AA x-forefront-antispam-report: SFV:NSPM; SFS:(10019020)(346002)(39860400002)(376002)(396003)(39380400002)(366004)(199004)(189003)(13464003)(24454002)(551544002)(86362001)(68736007)(6246003)(7116003)(229853002)(77096006)(5660300001)(7736002)(3660700001)(33656002)(106356001)(6436002)(6116002)(7416002)(8936002)(3846002)(97736004)(55016002)(2501003)(39060400002)(305945005)(110136005)(316002)(2950100002)(53936002)(81166006)(81156014)(2906002)(53546011)(2900100001)(3280700002)(9686003)(93886005)(8676002)(6506007)(105586002)(99286004)(3480700004)(2521001)(478600001)(74316002)(14454004)(102836004)(59450400001)(25786009)(76176011)(7696005)(66066001)(921003)(1121003); DIR:OUT; SFP:1102; SCL:1; SRVR:SN1PR0501MB1693; H:SN1PR0501MB2125.namprd05.prod.outlook.com; FPR:; SPF:None; PTR:InfoNoRecords; A:1; MX:1; LANG:en; received-spf: None (protection.outlook.com: juniper.net does not designate permitted sender hosts) x-microsoft-antispam-message-info: crjRIwDX+1fBxiiPleRIx7Ldfgx6Ycl8CntGyXBX33M43E4qXDlbW9Z1yDgZ4Nh2iTbqKC68AG8ZwWePouqWyA== spamdiagnosticoutput: 1:99 spamdiagnosticmetadata: NSPM Content-Type: text/plain; charset="iso-8859-1" Content-Transfer-Encoding: quoted-printable MIME-Version: 1.0 X-OriginatorOrg: juniper.net X-MS-Exchange-CrossTenant-Network-Message-Id: 54d83e8a-b5b8-4844-b342-08d554407afc X-MS-Exchange-CrossTenant-originalarrivaltime: 05 Jan 2018 13:30:26.0345 (UTC) X-MS-Exchange-CrossTenant-fromentityheader: Hosted X-MS-Exchange-CrossTenant-id: bea78b3c-4cdb-4130-854a-1d193232e5f4 X-MS-Exchange-Transport-CrossTenantHeadersStamped: SN1PR0501MB1693 X-Proofpoint-Virus-Version: vendor=fsecure engine=2.50.10432:, , definitions=2018-01-05_06:, , signatures=0 X-Proofpoint-Spam-Details: rule=outbound_spam_notspam policy=outbound_spam score=0 priorityscore=1501 malwarescore=0 suspectscore=0 phishscore=0 bulkscore=0 spamscore=0 clxscore=1011 lowpriorityscore=0 mlxscore=0 impostorscore=0 mlxlogscore=999 adultscore=0 classifier=spam adjust=0 reason=mlx scancount=1 engine=8.0.1-1711220000 definitions=main-1801050191 X-Mailman-Approved-At: Fri, 05 Jan 2018 15:40:23 +0000 X-BeenThere: freebsd-security@freebsd.org X-Mailman-Version: 2.1.25 Precedence: list List-Id: "Security issues \[members-only posting\]" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Fri, 05 Jan 2018 13:30:32 -0000 I wouldn't think Javascript would have the accurate timing required to leve= rage this attack, but I don't really know enough about the language. Regardless, is there someone within FreeBSD that is working on patches for = this set of problems, at least for Intel? Linux already has at least some, = and I believe NetBSD does too. Of course Windows has already pushed out a W= indows10 fix, 7 and 8 are coming. .................................... Andrew L. Duane - Principal Resident Engineer AT&T Advanced Services Technical Lead Juniper Quality Ambassador m=A0=A0=A0+1 603.770.7088 o +1 408.933.6944 (2-6944) skype: andrewlduane aduane@juniper.net -----Original Message----- From: owner-freebsd-hackers@freebsd.org [mailto:owner-freebsd-hackers@freeb= sd.org] On Behalf Of Eric McCorkle Sent: Friday, January 5, 2018 7:43 AM To: Jules Gilbert ; Ronald F. Guilmette <= rfg@tristatelogic.com>; Freebsd Security ; Br= ett Glass ; Dag-Erling Sm=F8rgrav ; Poul-Henn= ing Kamp ; freebsd-arch@freebsd.org; FreeBSD Hackers ; Shawn Webb ; Natha= n Whitehorn Subject: Re: Intel hardware bug On 01/05/2018 05:07, Jules Gilbert wrote: > Sorry guys, you just convinced me that no one, not the NSA, not the=20 > FSB, no one!, has in the past, or will in the future be able to=20 > exploit this to actually do something not nice. Attacks have already been demonstrated, pulling secrets out of kernel space= with meltdown and http headers/passwords out of a browser with spectre. J= avascript PoCs are already in existence, and we can expect them to find the= ir way into adware-based malware within a week or two. Also, I'd be willing to bet you a year's rent that certain three-letter org= anizations have known about and used this for some time. > So what is this, really?, it's a market exploit opportunity for AMD. Don't bet on it. There's reports of AMD vulnerabilities, also for ARM. I doubt any major architecture is going to make it out unscathed. (But if = one does, my money's on Power)