Ed Maste wrote:
> On 21 June 2017 at 20:22, Ed Maste <emaste at freebsd.org> wrote:
>> These changes are expected to be
>> committed to FreeBSD soon, and from there they will be merged to
>> stable branches and into updates for supported releases.
> The changes have now been merged to HEAD in r320317.
> https://svnweb.freebsd.org/changeset/base/320317
Been watching for it in 10-STABLE... didn't see it go in... did I miss it?
Regards,
Michelle
FWIW, I've been testing on various versions... it seems that the Qualys test
code comes as 3 examples. 'fgpe' and 'fgpu' seem to work on pre-11 under the
following scenario: ulimit -v is set to unlimited. 'CVE-2017-1085'
appears not to work; setting ulimit -v to anything but unlimited seems
to break both 'fgpe' and 'fgpu' (at the reasonable values I have tested so
far).... it also seemed only to work when all virtual memory was
exhausted (which made for sizable processes and considerable allocation/run
times.) What follows is with around a 32G limit on the VM size, which (unless it's
one of my DB servers) is about 16 times more than any process should need.
[michelle at 10amd64 /usr/home/michelle]$ ulimit -Hv 34896609280
[michelle at 10amd64 /usr/home/michelle]$ ulimit -a
socket buffer size (bytes, -b) unlimited
core file size (blocks, -c) unlimited
data seg size (kbytes, -d) 33554432
file size (blocks, -f) unlimited
max locked memory (kbytes, -l) 64
max memory size (kbytes, -m) unlimited
open files (-n) 294246
pipe size (512 bytes, -p) 1
stack size (kbytes, -s) 524288
cpu time (seconds, -t) unlimited
max user processes (-u) 14043
virtual memory (kbytes, -v) 34896609280
swap size (kbytes, -w) unlimited
[michelle at 10amd64 /usr/home/michelle]$ time ./CVE-2017-1085
died in main: 49
real 45m3.659s
user 3m45.577s
sys 41m14.028s
[michelle at 10amd64 /usr/home/michelle]$ time ./fgpu
Segmentation fault: 11
real 49m1.494s
user 2m38.926s
sys 46m17.542s
[michelle at 10amd64 /usr/home/michelle]$ time ./fgpe
died in alloc: 38
real 46m9.318s
user 2m25.527s
sys 43m38.170s
[michelle at 10amd64 /usr/home/michelle]$
Same system only 'exploited' when 'unlimited' as follows:
[michelle at 10amd64 /usr/home/michelle]$ ./fgpe
char at 0x7ffff4297000: 41; final dist 34998 (198609078)
[michelle at 10amd64 /usr/home/michelle]$ ./fgpu
char at 0x7ffffffde000: 41
Though the 'CVE-2017-1085' one only segfaulted...
[michelle at 10amd64 /usr/home/michelle]$ ./CVE-2017-1085
Segmentation fault: 11
All amd64 (haven't gotten around to testing i386 yet)
Know of any other tests... or are these pretty typical/comprehensive?
(being that setting a system wide hard limit of say 32G would seem to
work around the issue...)
Thanks in advance..
--
Michelle Sullivan
http://www.mhix.org/