Date: Tue, 4 Jul 2017 21:56:21 -0400
From: Shawn Webb
To: Ed Maste
Cc: Michelle Sullivan, "freebsd-security@freebsd.org"
Subject: Re: The Stack Clash vulnerability
Message-ID: <20170705015621.6bvp75vwdjeyo4vo@mutt-hbsd>
References: <3bca2dbd-dc2f-ca7a-e0ce-eb7d6cf0b3e5@sorbs.net>

On Tue, Jul 04, 2017 at 09:32:37PM -0400, Ed Maste wrote:
> On 3 July 2017 at 12:29, Michelle Sullivan wrote:
> >
> > Been watching for it in 10-STABLE... didn't see it go in... did I miss it?
>
> It hasn't yet been merged -- there were a couple of issues with the
> initial commit which were fixed shortly after in HEAD. We are now
> waiting on the MFC timer for the followup fixes (to provide time to
> find any other potential issue).
>
> > Know of any other tests...
>
> I'm not aware of any.

I've publicly reported at least one issue:

https://lists.freebsd.org/pipermail/freebsd-current/2017-July/066468.html

It also seems that setting stack_guard_page to any positive integer value
greater than 1 causes issues. For example, lang/rust will fail to build
and some GUI applications will fail to start. I've also noticed a
regression with mysql56-server when stack_guard_page is set to a positive
integer value greater than 1.

All my testing so far has only been on amd64. I have arm64 devices running
the same code, but they don't do nearly as intensive work as my amd64
systems.

It seems the MAP_GUARD work needs more exhaustive testing on 12-CURRENT.

Thanks,

-- 
Shawn Webb
Cofounder and Security Engineer
HardenedBSD

GPG Key ID:          0x6A84658F52456EEE
GPG Key Fingerprint: 2ABA B6BD EF6A F486 BE89  3D9E 6A84 658F 5245 6EEE