unofficial mirror of guix-devel@gnu.org 
From: Guy-Fleury Iteriteka <gfleury@disroot.org>
To: bug-hurd@gnu.org, Sergey Bugaev <bugaevc@gmail.com>
Cc: squid3@treenet.co.nz, debian-hurd@lists.debian.org, ludo@gnu.org,
	samuel.thibault@gnu.org, jlledom@mailfence.com,
	guix-devel@gnu.org, jbranso@dismail.de, rbraun@sceen.net
Subject: Re: [VULN 0/4] Hurd vulnerability details
Date: Tue, 02 Nov 2021 23:56:04 +0200
Message-ID: <4BEDD82C-9A37-4EA4-9B9A-B498AFE1F2A7@disroot.org>
In-Reply-To: <20211102163121.415934-1-bugaevc@gmail.com>


Thank you very much!
I now understand things that I desperately want to know about Hurd internals.

On November 2, 2021 6:31:17 PM GMT+02:00, Sergey Bugaev <bugaevc@gmail.com> wrote:
>Hello!
>
>As promised [0], here are the details of the Hurd vulnerabilities I found
>earlier this year [1] [2].
>
>[0]: https://lists.gnu.org/archive/html/bug-hurd/2021-10/msg00006.html
>[1]: https://lists.gnu.org/archive/html/bug-hurd/2021-05/msg00079.html
>[2]: https://lists.gnu.org/archive/html/bug-hurd/2021-08/msg00008.html
>
>(You'll notice that I'm formatting this just like a patch series. I'll even try
>to send it out with git send-email; if you're reading this, it has worked!)
>
>These texts are partly based on the mails and write-ups I sent to Samuel at the
>time, but most of the text is new, rewritten to incorporate the better
>understanding that I now have as the result of exploring the issues and working
>with Samuel on fixing them.
>
>I've grouped the information by the four "major" vulnerabilities -- ones that I
>have actually written an exploit for. Other related vulnerabilities are briefly
>mentioned in the notes sections.
>
>Each text contains a short and a detailed description of the relevant issue,
>source code of the exploit I have written for the issue, commentary on how the
>exploit works, and a description of how we fixed the issue. While this should
>hopefully be an interesting read for everyone, understanding some of the details
>requires some familiarity with the Mach and Hurd mechanisms involved. I've tried
>to briefly describe the necessary bits (as I understand them myself) in the
>"Background" sections throughout the texts -- hopefully this will make it easier
>to understand. Please don't hesitate to ask me questions (while I can still
>answer them)!
>
>I also hope that all this info should be enough to finally allocate official
>CVEs for these vulnerabilities, if anyone is willing to go forward with that in
>my absence.
>
>While all of the vulnerabilities described have been fixed, most of the fixes
>are not yet in the main Hurd tree for legal reasons: namely, my FSF copyright
>assignment process is still unfinished. All the out-of-tree patches with the
>fixes can be found in the Debian repo [3].
>
>[3]: https://salsa.debian.org/hurd-team/hurd/-/tree/master/debian/patches
>
>Our work on fixing these vulnerabilities required some large changes and touched
>most of the major Hurd components (now I can actually name them: glibc, GNU
>Mach, libports, libpager, libfshelp, libshouldbeinlibc, lib*fs, proc server,
>exec server, *fs, ...) -- and this was even more true of the previous designs
>that we have considered (the final design ended up being the most compact one).
>Still, it's kind of amazing _how little_ has changed: we managed to keep most
>things working just as they were (with the notable exception of mremap ()). The
>Hurd still looks and behaves like the Hurd, despite all the changes.
>
>Finally, I should note that there still are unfixed vulnerabilities in the Hurd.
>There's another "major" vulnerability that I have already written an exploit
>for, but I can't publish the details since it's still unfixed. I won't be there
>to see it fixed (assuming it will take less than a year to fix it -- which I
>hope it will), but Samuel should have all the details.
>
>Let me know what you think!
>
>Sergey
>


Thread overview: 11+ messages
2021-11-02 16:31 [VULN 0/4] Hurd vulnerability details Sergey Bugaev
2021-11-02 16:31 ` [VULN 1/4] Fake notifications Sergey Bugaev
2021-11-02 16:31 ` [VULN 2/4] No read-only mappings Sergey Bugaev
2021-11-02 16:31 ` [VULN 3/4] setuid exec race Sergey Bugaev
2021-11-02 16:31 ` [VULN 4/4] Process auth man-in-the-middle Sergey Bugaev
2021-11-02 16:35 ` [VULN 0/4] Hurd vulnerability details Samuel Thibault
2021-11-02 20:32   ` Vasileios Karaklioumis
2021-11-09 17:19   ` Ludovic Courtès
2021-11-09 17:28     ` Samuel Thibault
2021-11-17 10:45       ` Ludovic Courtès
2021-11-02 21:56 ` Guy-Fleury Iteriteka [this message]
