From: Guy-Fleury Iteriteka
To: bug-hurd@gnu.org, Sergey Bugaev
CC: squid3@treenet.co.nz, debian-hurd@lists.debian.org, ludo@gnu.org, samuel.thibault@gnu.org, jlledom@mailfence.com, guix-devel@gnu.org, jbranso@dismail.de, rbraun@sceen.net
Subject: Re: [VULN 0/4] Hurd vulnerability details
Date: Tue, 02 Nov 2021 23:56:04 +0200
Message-ID: <4BEDD82C-9A37-4EA4-9B9A-B498AFE1F2A7@disroot.org>
In-Reply-To: <20211102163121.415934-1-bugaevc@gmail.com>
List-Id: Development of GNU Guix and the GNU System distribution.
Thank you very much! I now understand things that I desperately want to know about Hurd internals.

On November 2, 2021 6:31:17 PM GMT+02:00, Sergey Bugaev <bugaevc@gmail.com> wrote:
>Hello!
>
>As promised [0], here are the details of the Hurd vulnerabilities I have found
>earlier this year [1] [2].
>
>[0]: https://lists.gnu.org/archive/html/bug-hurd/2021-10/msg00006.html
>[1]: https://lists.gnu.org/archive/html/bug-hurd/2021-05/msg00079.html
>[2]: https://lists.gnu.org/archive/html/bug-hurd/2021-08/msg00008.html
>
>(You'll notice that I'm formatting this just like a patch series. I'll even try
>to send it out with git send-email; if you're reading this, it has worked!)
>
>These texts are partly based on the mails and write-ups I sent to Samuel at the
>time, but most of the text is new, rewritten to incorporate the better
>understanding that I now have as the result of exploring the issues and working
>with Samuel on fixing them.
>
>I've grouped the information by the four "major" vulnerabilities -- ones that I
>have actually written an exploit for. Other related vulnerabilities are briefly
>mentioned in the notes sections.
>
>Each text contains a short and a detailed description of the relevant issue,
>source code of the exploit I have written for the issue, commentary on how the
>exploit works, and a description of how we fixed the issue. While this should
>hopefully be an interesting read for everyone, understanding some of the details
>requires some familiarity with the Mach and Hurd mechanisms involved. I've tried
>to briefly describe the necessary bits (as I understand them myself) in the
>"Background" sections throughout the texts -- hopefully this will make it easier
>to understand. Please don't hesitate to ask me questions (while I can still
>answer them)!
>
>I also hope that all this info should be enough to finally allocate official
>CVEs for these vulnerabilities, if anyone is willing to go forward with that in
>my absence.
>
>While all of the vulnerabilities described have been fixed, most of the fixes
>are not yet in the main Hurd tree for legal reasons: namely, my FSF copyright
>assignment process is still unfinished. All the out-of-tree patches with the
>fixes can be found in the Debian repo [3].
>
>[3]: https://salsa.debian.org/hurd-team/hurd/-/tree/master/debian/patches
>
>Our work on fixing these vulnerabilities required some large changes and touches
>most of the major Hurd components (now I can actually name them: glibc, GNU
>Mach, libports, libpager, libfshelp, libshouldbeinlibc, lib*fs, proc server,
>exec server, *fs, ...) -- and this was even more true of the previous designs
>that we have considered (the final design ended up being the most compact one).
>Still, it's kind of amazing _how little_ has changed: we managed to keep most
>things working just as they were (with the notable exception of mremap ()). The
>Hurd still looks and behaves like the Hurd, despite all the changes.
>
>Finally, I should note that there still are unfixed vulnerabilities in the Hurd.
>There's another "major" vulnerability that I have already written an exploit
>for, but I can't publish the details since it's still unfixed. I won't be there
>to see it fixed (assuming it will take less than a year to fix it -- which I
>hope it will), but Samuel should have all the details.
>
>Let me know what you think!
>
>Sergey