Date: Tue, 20 Aug 2019 18:30:08 -0400
From: Mark Johnston
To: Ian Lepore
Cc: Eugene Grosbein, freebsd-security@freebsd.org, Freebsd hackers list
Subject: Re: FreeBSD Security Advisory FreeBSD-SA-19:23.midi

On Tue, Aug 20, 2019 at 04:01:39PM -0600, Ian Lepore wrote:
> On Wed, 2019-08-21 at 04:55 +0700, Eugene Grosbein wrote:
> > 21.08.2019 3:12, FreeBSD Security Advisories wrote:
> >
> > [skip]
> >
> > > IV. Workaround
> > >
> > > No workaround is available. Custom kernels without "device sound"
> > > are not vulnerable.
> >
> > Is it true that there is no way to disable vulnerable and unneeded
> > device driver built in GENERIC other than through rebuilding the
> > kernel?
> >
> > I remember that pre-4.x versions of FreeBSD had visual VGA-based
> > pre-boot configurator allowing to disable any compiled-in device
> > driver. Don't device.hints(5) or loader(8) have means to do so?
> >
> > These days GENERIC has LOTS of drivers and it's convenient but
> > unsafe.
>
> "No workaround" just seems to be wrong. Aside from setting the
> disabled hint to turn off the driver (or using devctl to turn it off on
> a live system), the exploit also requires opening /dev/midistat, so a
> viable workaround is to change its permissions so that users can't open
> it.

Yeah, this was an oversight. The SA text will be amended.
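
One way to check that the permissions workaround described in the quoted reply is in place, as an added example that is not part of the original thread or of the advisory. The function names, the choice of mode 0600, and the rule that any group or other read/write bit counts as exposed are assumptions made for this example.

```shell
#!/bin/sh
# Added example: audit whether /dev/midistat can be opened by non-owner users.
# midistat_exposed returns:
#   0 = group or other has a read/write bit (node is openable by users)
#   1 = node is restricted to its owner
#   2 = node is absent (e.g. a kernel built without "device sound")
midistat_exposed() {
    node=$1
    [ -e "$node" ] || return 2
    # GNU stat takes -c, FreeBSD stat takes -f; try both so the check is portable.
    mode=$(stat -c %a "$node" 2>/dev/null) ||
        mode=$(stat -f %Lp "$node" 2>/dev/null) || return 2
    # Assumed policy: mask 066 selects the group/other read and write bits.
    [ $(( 0$mode & 066 )) -ne 0 ]
}

# Print a one-line verdict for a device node path.
report() {
    rc=0
    midistat_exposed "$1" || rc=$?
    case $rc in
        0) echo "$1: EXPOSED (mode $mode); restrict with: chmod 600 $1" ;;
        1) echo "$1: restricted (mode $mode)" ;;
        *) echo "$1: not present" ;;
    esac
    return 0
}

report /dev/midistat

# devfs nodes are recreated at boot, so a chmod alone does not persist.
# devfs.conf(5) accepts a line of this form to reapply the mode (0600 is
# this example's choice, not a value from the advisory):
#   perm    midistat    0600
```
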