all messages for Guix-related lists mirrored at yhetil.org
 help / color / mirror / code / Atom feed
* [VULN 0/4] Hurd vulnerability details
@ 2021-11-02 16:31 Sergey Bugaev
  2021-11-02 16:31 ` [VULN 1/4] Fake notifications Sergey Bugaev
                   ` (5 more replies)
  0 siblings, 6 replies; 11+ messages in thread
From: Sergey Bugaev @ 2021-11-02 16:31 UTC (permalink / raw)
  To: bug-hurd
  Cc: squid3, Sergey Bugaev, debian-hurd, samuel.thibault, jlledom,
	guix-devel, rbraun

Hello!

As promised [0], here are the details of the Hurd vulnerabilities I have found
earlier this year [1] [2].

[0]: https://lists.gnu.org/archive/html/bug-hurd/2021-10/msg00006.html
[1]: https://lists.gnu.org/archive/html/bug-hurd/2021-05/msg00079.html
[2]: https://lists.gnu.org/archive/html/bug-hurd/2021-08/msg00008.html

(You'll notice that I'm formatting this just like a patch series. I'll even try
to send it out with git send-email; if you're reading this, it has worked!)

These texts are partly based on the mails and write-ups I sent to Samuel at the
time, but most of the text is new, rewritten to incorporate the better
understanding that I now have as the result of exploring the issues and working
with Samuel on fixing them.

I've grouped the information by the four "major" vulnerabilities -- ones that I
have actually written an exploit for. Other related vulnerabilities are briefly
mentioned in the notes sections.

Each text contains a short and a detailed description of the relevant issue,
source code of the exploit I have written for the issue, commentary on how the
exploit works, and a description of how we fixed the issue. While this should
hopefully be an interesting read for everyone, understanding some of the details
requires some familiarity with the Mach and Hurd mechanisms involved. I've tried
to briefly describe the necessary bits (as I understand them myself) in the
"Background" sections throughout the texts -- hopefully this will make it easier
to understand. Please don't hesitate to ask me questions (while I can still
answer them)!

I also hope that all this info should be enough to finally allocate official
CVEs for these vulnerabilities, if anyone is willing to go forward with that in
my absence.

While all of the vulnerabilities described have been fixed, most of the fixes
are not yet in the main Hurd tree for legal reasons: namely, my FSF copyright
assignment process is still unfinished. All the out-of-tree patches with the
fixes can be found in the Debian repo [3].

[3]: https://salsa.debian.org/hurd-team/hurd/-/tree/master/debian/patches

Our work on fixing these vulnerabilities required some large changes and touches
most of the major Hurd components (now I can actually name them: glibc, GNU
Mach, libports, libpager, libfshelp, libshouldbeinlibc, lib*fs, proc server,
exec server, *fs, ...) -- and this was even more true of the previous designs
that we have considered (the final design ended up being the most compact one).
Still, it's kind of amazing _how little_ has changed: we managed to keep most
things working just as they were (with the notable exception of mremap ()). The
Hurd still looks and behaves like the Hurd, despite all the changes.

Finally, I should note that there still are unfixed vulnerabilities in the Hurd.
There's another "major" vulnerability that I have already written an exploit
for, but I can't publish the details since it's still unfixed. I won't be there
to see it fixed (assuming it will take less than a year to fix it -- which I
hope it will), but Samuel should have all the details.

Let me know what you think!

Sergey


^ permalink raw reply	[flat|nested] 11+ messages in thread

end of thread, other threads:[~2021-11-17 10:46 UTC | newest]

Thread overview: 11+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2021-11-02 16:31 [VULN 0/4] Hurd vulnerability details Sergey Bugaev
2021-11-02 16:31 ` [VULN 1/4] Fake notifications Sergey Bugaev
2021-11-02 16:31 ` [VULN 2/4] No read-only mappings Sergey Bugaev
2021-11-02 16:31 ` [VULN 3/4] setuid exec race Sergey Bugaev
2021-11-02 16:31 ` [VULN 4/4] Process auth man-in-the-middle Sergey Bugaev
2021-11-02 16:35 ` [VULN 0/4] Hurd vulnerability details Samuel Thibault
2021-11-02 20:32   ` Vasileios Karaklioumis
2021-11-09 17:19   ` Ludovic Courtès
2021-11-09 17:28     ` Samuel Thibault
2021-11-17 10:45       ` Ludovic Courtès
2021-11-02 21:56 ` Guy-Fleury Iteriteka

Code repositories for project(s) associated with this external index

	https://git.savannah.gnu.org/cgit/guix.git

This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.