From: Sergey Bugaev
To: bug-hurd@gnu.org
Cc: squid3@treenet.co.nz, Sergey Bugaev, debian-hurd@lists.debian.org, samuel.thibault@gnu.org, jlledom@mailfence.com, guix-devel@gnu.org, rbraun@sceen.net
Subject: [VULN 0/4] Hurd vulnerability details
Date: Tue, 2 Nov 2021 19:31:17 +0300
Message-Id: <20211102163121.415934-1-bugaevc@gmail.com>

Hello!

As promised [0], here are the details of the Hurd vulnerabilities I found earlier this year [1] [2].

[0]: https://lists.gnu.org/archive/html/bug-hurd/2021-10/msg00006.html
[1]: https://lists.gnu.org/archive/html/bug-hurd/2021-05/msg00079.html
[2]: https://lists.gnu.org/archive/html/bug-hurd/2021-08/msg00008.html

(You'll notice that I'm formatting this just like a patch series. I'll even try to send it out with git send-email; if you're reading this, it has worked!)

These texts are partly based on the mails and write-ups I sent to Samuel at the time, but most of the text is new, rewritten to incorporate the better understanding that I now have as the result of exploring the issues and working with Samuel on fixing them.

I've grouped the information by the four "major" vulnerabilities -- ones that I have actually written an exploit for. Other related vulnerabilities are briefly mentioned in the notes sections. Each text contains a short and a detailed description of the relevant issue, source code of the exploit I have written for the issue, commentary on how the exploit works, and a description of how we fixed the issue.

While this should hopefully be an interesting read for everyone, understanding some of the details requires some familiarity with the Mach and Hurd mechanisms involved. I've tried to briefly describe the necessary bits (as I understand them myself) in the "Background" sections throughout the texts -- hopefully this will make it easier to understand.
Please don't hesitate to ask me questions (while I can still answer them)!

I also hope that all this info should be enough to finally allocate official CVEs for these vulnerabilities, if anyone is willing to go forward with that in my absence.

While all of the vulnerabilities described have been fixed, most of the fixes are not yet in the main Hurd tree for legal reasons: namely, my FSF copyright assignment process is still unfinished. All the out-of-tree patches with the fixes can be found in the Debian repo [3].

[3]: https://salsa.debian.org/hurd-team/hurd/-/tree/master/debian/patches

Our work on fixing these vulnerabilities required some large changes and touched most of the major Hurd components (now I can actually name them: glibc, GNU Mach, libports, libpager, libfshelp, libshouldbeinlibc, lib*fs, proc server, exec server, *fs, ...) -- and this was even more true of the previous designs that we have considered (the final design ended up being the most compact one). Still, it's kind of amazing _how little_ has changed: we managed to keep most things working just as they were (with the notable exception of mremap ()). The Hurd still looks and behaves like the Hurd, despite all the changes.

Finally, I should note that there still are unfixed vulnerabilities in the Hurd. There's another "major" vulnerability that I have already written an exploit for, but I can't publish the details since it's still unfixed. I won't be there to see it fixed (assuming it will take less than a year to fix it -- which I hope it will), but Samuel should have all the details.

Let me know what you think!

Sergey