From: Ian Lepore
To: Eugene Grosbein, freebsd-security@freebsd.org
Cc: Freebsd hackers list
Subject: Re: FreeBSD Security Advisory FreeBSD-SA-19:23.midi
Date: Tue, 20 Aug 2019 22:01:45 -0000
Message-ID: <1909279dfc6002f6c21ff8e92ca2925511dca322.camel@freebsd.org>
References: <20190820201257.7A9D41F8B7@freefall.freebsd.org>

On Wed, 2019-08-21 at 04:55 +0700, Eugene Grosbein wrote:
> 21.08.2019 3:12, FreeBSD Security Advisories wrote:
>
> [skip]
>
> > IV. Workaround
> >
> > No workaround is available. Custom kernels without "device sound"
> > are not vulnerable.
>
> Is it true that there is no way to disable vulnerable and unneeded
> device driver built in GENERIC other than through rebuilding the kernel?
>
> I remember that pre-4.x versions of FreeBSD had visual VGA-based
> pre-boot configurator allowing to disable any compiled-in device driver.
> Don't device.hints(5) or loader(8) have means to do so?
>
> These days GENERIC have LOTS of drivers and it's convenient but
> unsafe.
> "No workaround" just seems to be wrong.

Aside from setting the disabled hint to turn off the driver (or using
devctl to turn it off on a live system), the exploit also requires
opening /dev/midistat, so a viable workaround is to change its
permissions so that users can't open it.

-- Ian
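
A check for the /dev/midistat permission workaround described in the reply above, as an added example that is not part of the original message or of the FreeBSD project's tooling. It assumes "users can't open it" means no group or other permission bits; the mode 600 and the devfs.conf(5) `perm` line it prints are assumptions about how a site would apply and persist the change.

```shell
#!/bin/sh
# Added example: audit the /dev/midistat workaround from the message above.
# Assumption: "locked down" means no group/other permission bits are set.

# node_locked_down PATH
# Returns 0 if PATH is absent or has no group/other access, 1 otherwise.
node_locked_down() {
    node=$1
    # A missing node (e.g. a kernel built without "device sound")
    # cannot be opened at all.
    [ -e "$node" ] || return 0
    # ls -ld works on both FreeBSD and GNU userlands; field 1 is the
    # mode string, e.g. "crw-rw-rw-".
    mode=$(ls -ld "$node" | awk '{print $1}')
    # Characters 5-10 are the group and other rwx triplets.
    go_bits=$(printf '%s' "$mode" | cut -c5-10)
    [ "$go_bits" = "------" ]
}

# audit_midistat [PATH]
# Prints a verdict for PATH (default /dev/midistat); returns 1 if exposed.
audit_midistat() {
    node=${1:-/dev/midistat}
    if node_locked_down "$node"; then
        echo "OK: $node is absent or not accessible to group/other"
    else
        echo "EXPOSED: $node can be opened by non-root users"
        # Assumed remediation: root-only mode, applied live and at boot.
        echo "  live:       chmod 600 $node"
        echo "  persistent: add 'perm midistat 0600' to /etc/devfs.conf"
        return 1
    fi
}

audit_midistat /dev/midistat || true
```
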