Date: Sat, 1 Jul 2017 13:28:47 -0400
From: Shawn Webb <shawn.webb@hardenedbsd.org>
To: freebsd-current@freebsd.org
Cc: kib@freebsd.org
Subject: Reproducible panic with MAP_GUARD and security.bsd.stack_guard_page > 1
Message-ID: <20170701172847.v5hwzn6vhbrbiz2i@mutt-hbsd>
X-Operating-System: FreeBSD mutt-hbsd 12.0-CURRENT FreeBSD 12.0-CURRENT

When running my Stack Clash PoC on a vanilla FreeBSD 12-CURRENT/amd64 VM and security.bsd.stack_guard_page is > 1:

https://goo.gl/photos/vZQY4B9jKJRLrNwP7

The PoC doesn't need to be run as root on vanilla FreeBSD with a default configuration.
Thanks,

-- 
Shawn Webb
Cofounder and Security Engineer
HardenedBSD

GPG Key ID: 0x6A84658F52456EEE
GPG Key Fingerprint: 2ABA B6BD EF6A F486 BE89 3D9E 6A84 658F 5245 6EEE