From: Mike Silbersack <silby@silby.com>
To: arch@freebsd.org
Date: Sat, 22 Jun 2002 00:29:49 -0500 (CDT)
Subject: Possible change to bcopy.S to thwart (a very few) future exploits?

Important Note: I have not actually tested this code on my machine; I'm too much of a wuss to risk messing up libc until someone else has double-checked the code, or I can figure out how to statically link a binary with a non-default libc.

That being said, the above is a quick change so that memcpy doesn't reload the length field from the stack during the middle of a copy.
In theory, this should stop the OpenBSD exploit (which I'm sure will appear in a FreeBSD version shortly) from working. Granted, there's probably some other vector which could be used to exploit the bug, but this might make it just a bit harder.

Can anyone see any downsides to this change? It appears that performance should be unchanged, as we're removing one mem->reg copy and replacing it with two reg->reg copies.

Any thoughts? If this were some complex workaround, I wouldn't mention it. However, it's so simple that it seems worth the effort.

Mike "Silby" Silbersack

[Attachment: bcopy.S.patch (base64-encoded)]
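The register-caching idea the message describes, as an added illustration that is neither the attached patch nor FreeBSD's actual bcopy.S: the forward-copy path of an i386 bcopy(src, dst, len) in the style of the libc routine, once with the remainder count reloaded from the stack slot between the word and byte phases, and once with the length parked in %eax so the copy cannot alter it. The stack layout (arguments at 12/16/20(%esp) after two pushes), the omitted overlap check and the choice of %eax are assumptions.

```asm
/* Constructed illustration (i386, AT&T syntax), not the attached patch.
 * Assumed layout: after pushing %esi and %edi, the arguments sit at
 * 12(%esp) = src, 16(%esp) = dst, 20(%esp) = len.  Forward path only;
 * the overlap check that precedes it in the real routine is omitted. */

/* Before: the byte-remainder count is re-read from the stack slot. */
bcopy_reload:
	pushl	%esi
	pushl	%edi
	movl	12(%esp),%esi		/* src */
	movl	16(%esp),%edi		/* dst */
	movl	20(%esp),%ecx		/* len */
	cld
	shrl	$2,%ecx			/* copy by words */
	rep
	movsl
	movl	20(%esp),%ecx		/* mem->reg reload: if the word copy wrote
					   over this slot, the remainder count is
					   now whatever landed there */
	andl	$3,%ecx			/* any bytes left? */
	rep
	movsb
	popl	%edi
	popl	%esi
	ret

/* After: len is kept in %eax, a register the copy itself cannot clobber,
 * so the one mem->reg load becomes two reg->reg moves. */
bcopy_reg:
	pushl	%esi
	pushl	%edi
	movl	12(%esp),%esi		/* src */
	movl	16(%esp),%edi		/* dst */
	movl	20(%esp),%ecx		/* len, read from the stack exactly once */
	cld
	movl	%ecx,%eax		/* reg->reg: save len */
	shrl	$2,%ecx			/* copy by words */
	rep
	movsl
	movl	%eax,%ecx		/* reg->reg: restore len from the register */
	andl	$3,%ecx			/* any bytes left? */
	rep
	movsb
	popl	%edi
	popl	%esi
	ret
```

The backward-copy path gets the same treatment: save %ecx to %eax before the `andl $3` byte phase and restore it from %eax before the `shrl $2` word phase, instead of reading 20(%esp) a second time.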