From owner-freebsd-security@FreeBSD.ORG Fri Feb 27 23:32:48 2015
Date: Fri, 27 Feb 2015 15:32:45 -0800
From: Shawn Hoffman
To: freebsd-security@freebsd.org
Subject: Requesting clarification for FreeBSD-SA-15:04.igmp
List-Id: "Security issues [members-only posting]"
Hi,

I would like more clarification to be provided about who/what is affected by this patch. As we can see, amd64 is not affected:

( 9.3-RELEASE, md5 c4605d83b454c7633149a4eb3baa8b83 )

.text:FFFFFFFF80A04AA6 mov     r14, [rbp+var_88]
.text:FFFFFFFF80A04AAD add     cs:igmpstat_0.igps_rcv_v3_queries, 1
.text:FFFFFFFF80A04AB5 movzx   ecx, word ptr [r14+0Ah]
.text:FFFFFFFF80A04ABA rol     cx, 8
.text:FFFFFFFF80A04ABE movzx   ebx, cx
; rbx = ((u64)(u16)ntohs(igmp_numsrc)) << 2
.text:FFFFFFFF80A04AC1 shl     rbx, 2
; rdi = (u16)(((u64)(u16)ntohs(igmp_numsrc)) << 2)
.text:FFFFFFFF80A04AC5 movzx   edi, bx
.text:FFFFFFFF80A04AC8 mov     ecx, ebx
.text:FFFFFFFF80A04ACA cmp     rbx, rdi
; u64 compare
.text:FFFFFFFF80A04ACD ja      fail_igps_rcv_tooshort

This is because the result type of ntohs is the same as uint16_t, and the result of sizeof() is size_t. Because of this, 32-bit x86 should not be vulnerable either. I can only assume platforms where the int type is <= 16 bits may actually be vulnerable. I have no idea if FreeBSD actually uses such configurations.

I think this information should be clarified in the security advisories (which in this case only give explicit details on how to patch "a RELEASE version of FreeBSD on the i386 or amd64 platforms" - which are not affected afaict).

-Shawn
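The integer-width argument in the message above can be checked directly in C. The following is an added illustration, not code from the e-mail and not FreeBSD's igmp.c (the advisory's exact expression is not quoted on the page); it only mirrors the shape of the check visible in the disassembly: a 16-bit source count scaled by a 4-byte entry size, evaluated in size_t, and compared unsigned against its own 16-bit truncation. The helper names, the SRC_ENTRY_SIZE stand-in for sizeof(in_addr_t), and the sample counts are assumptions made for the example.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Constructed example: stand-in for sizeof(in_addr_t) (4 bytes).
 * The count is assumed to arrive as a uint16_t already converted with
 * ntohs(), which is the return type the e-mail relies on. */
#define SRC_ENTRY_SIZE sizeof(uint32_t)

/* Width, in bytes, of the type C gives to (uint16_t) * sizeof(...).
 * The usual arithmetic conversions widen the uint16_t operand to size_t,
 * so the product is a size_t: 8 bytes on amd64, 4 on i386, never 2. */
size_t product_width(void)
{
    uint16_t nsrc = 1;            /* value irrelevant; only the type matters */
    return sizeof(nsrc * SRC_ENTRY_SIZE);
}

/* Full-width byte count of the source list: size_t arithmetic, so it
 * cannot wrap at 16 bits on any platform where size_t is wider than that. */
size_t source_list_bytes(uint16_t nsrc)
{
    return nsrc * SRC_ENTRY_SIZE;
}

/* The comparison seen in the disassembly: the full product (rbx) is
 * compared unsigned against its 16-bit truncation (rdi, the movzx of bx).
 * Returns 1 when the product does not fit in 16 bits, i.e. when the
 * branch to the igps_rcv_tooshort path would be taken. */
int exceeds_u16(uint16_t nsrc)
{
    size_t full = source_list_bytes(nsrc);
    uint16_t truncated = (uint16_t)full;
    return full > truncated;
}

/* The same product forced into a 16-bit total, the narrow-int situation
 * the e-mail speculates about: the high bits are simply discarded, so a
 * length check done in this width would see a far smaller number. */
uint16_t source_list_bytes_u16(uint16_t nsrc)
{
    return (uint16_t)(nsrc * SRC_ENTRY_SIZE);
}

int main(void)
{
    /* Constructed sample counts; 16384 is the first value whose 4-byte
     * scaled length no longer fits in 16 bits. */
    const uint16_t samples[] = { 1, 16383, 16384, 65535 };

    printf("nsrc   full_bytes  u16_bytes  exceeds_u16\n");
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        uint16_t n = samples[i];
        printf("%5u  %10zu  %9u  %d\n", (unsigned)n, source_list_bytes(n),
               (unsigned)source_list_bytes_u16(n), exceeds_u16(n));
    }
    printf("product width: %zu bytes (sizeof(size_t) == %zu)\n",
           product_width(), sizeof(size_t));
    return 0;
}
```

On amd64 and i386 the table shows product_width() equal to sizeof(size_t) and exceeds_u16() turning on exactly at nsrc = 16384, which is the comparison the disassembly performs; only the 16-bit column loses information, and that column is what a build with a 16-bit int would be working from.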