OpenBSD Journal

OpenBSD Journal

OpenBSD added initial support for Qualcomm Snapdragon Elite X after 1 day

Contributed by Peter N. M. Hansteen on from the Puffy snaps at dragons dept.

When a new processor is released, how long would you expect it to take before your favorite operating system adds support for it?

In the case of OpenBSD/arm64, the time lag can occasionally be measured in days if not hours.

In a recent message to tech@, Patrick Wildt (patrick@) premiered the patch to add support for the Qualcomm Snapdragon Elite X processor the day after it was officially released.

Patrick's message reads,

List:       openbsd-tech
Subject:    Qualcomm Snapdragon X Elite minimal support
From:       Patrick Wildt <patrick () blueri ! se>
Date:       2024-06-19 20:28:08

Hi there,

the Qualcomm Snapdragon Elite X machines were released yesterday, I got
a Lenovo Yoga Slim 7 today, and it's already booting up with working
NVMe, USB and keyboard.  Wonder if I beat my last record.

Read more…

OpenSSH introduces options to penalize undesirable behavior

Contributed by Peter N. M. Hansteen on from the sshd to carry a big stick dept.

In a recent commit, Damien Miller (djm@) introduced the new sshd(8) configurations options, PerSourcePenalties and PerSourcePenaltyExemptList, to provide a built in facility in sshd(8) itself to penalize undesirable behavior, and to shield specific clients from penalty, respectively.

The commit message reads,

List:       openbsd-cvs
Subject:    CVS: cvs.openbsd.org: src
From:       Damien Miller <djm () cvs ! openbsd ! org>
Date:       2024-06-06 17:15:26

CVSROOT:	/cvs
Module name:	src
Changes by:	djm@cvs.openbsd.org	2024/06/06 11:15:26

Modified files:
	usr.bin/ssh    : misc.c misc.h monitor.c monitor_wrap.c 
	                 servconf.c servconf.h srclimit.c srclimit.h 
	                 sshd-session.c sshd.c sshd_config.5 

Log message:
Add a facility to sshd(8) to penalise particular problematic client
behaviours, controlled by two new sshd_config(5) options:
PerSourcePenalties and PerSourcePenaltyExemptList.

Read more…

DHCPv6-PD - First steps by florian@

Contributed by Peter N. M. Hansteen on from the fix the prefix dept.

As noted earlier, OpenBSD-current now has IPv6 prefix delegation available via the new dhcp6leased(8) deamon.

Now before he committed the code, Florian Obser (florian@) wrote a blog post on the process of developing the new program in a piece called DHCPv6-PD - First steps.

The prologue leads in,

The single most requested feature missing in OpenBSD base directed at me is DHCPv6-PD. Recently I got a working setup at home using dhcpcd from ports and a donated Fritz!Box 6660 Cable1, 2. Time to hack on this.

He follows up with details on how the ideas and the code developed. Read the whole thing at DHCPv6-PD - First steps.

dhcp6leased(8) imported to -current

Contributed by rueda on from the the-missing-link6 dept.

Florian Obser (florian@) has committed (to -current) dhcp6leased(8), a DHCPv6 client for handling Prefix Delegation (PD):

CVSROOT:	/cvs
Module name:	src
Changes by:	florian@cvs.openbsd.org	2024/06/02 06:28:05

Added files:
	sbin/dhcp6leased: Makefile control.c control.h dhcp6leased.8 
	                  dhcp6leased.c dhcp6leased.conf.5 dhcp6leased.h 
	                  engine.c engine.h frontend.c frontend.h log.c 
	                  log.h parse.y printconf.c 

Log message:
Import dhcp6leased(8)

dhcp6leased is a daemon to manage IPv6 prefix delegations. It requests
a prefix from an upstream DHCPv6 server and configures downstream
network interfaces. rad(8) can be used to advertise available prefixes
to clients.

Read more…

clang option -fret-clean committed

Contributed by rueda on from the well-cleaned-stacks dept.

Theo de Raadt (deraadt@) has committed -fret-clean for clang:

CVSROOT:	/cvs
Module name:	src
Changes by:	deraadt@cvs.openbsd.org	2024/06/02 09:40:43

Modified files:
	gnu/llvm/clang/include/clang/Driver: Options.td 
	gnu/llvm/clang/lib/Driver/ToolChains: Clang.cpp 
	gnu/llvm/llvm/lib/Target/X86: X86.h X86TargetMachine.cpp 
	gnu/usr.bin/clang/libLLVMX86CodeGen: Makefile 
	share/man/man1 : clang-local.1 

Log message:
add -fret-clean option (amd64 and i386 only at first), defaulting to off.
This causes the caller to cleans the return address off the stack after
a callq completes.  The option is best used in low-level libraries (such as
libc), because libc contains low-level system call stubs.  The option
reduces hints (found on the stale parts of the stack) about libc.so's mapping
location, and together with random-relinking, relro got/pic, and xonly
makes some exploit methods more difficult.
ok mortimer, mlarkin, much discussion with kettenis, in snaps for 2 weeks.

See our earlier article for more discussion.

For now, this is only for amd64 and i386.

clang -fret-clean: cleaning return addresses off stack (by deraadt@)

Contributed by Peter N. M. Hansteen on from the Puffy cleans your stack dept.

Future versions of OpenBSD may include core system libraries and binaries built with logic to remove return addresses off the stack. With this in place, whole classes of bugs would be harder to exploit.

In a message to the tech@ mailing list titled clang -fret-clean: cleaning return addresses off stack, Theo de Raadt (deraadt@) explains how this would work and includes code to implement the feature for the X86 architecture only:

List:       openbsd-tech
Subject:    clang -fret-clean: cleaning return addresses off stack
From:       "Theo de Raadt" <deraadt () openbsd ! org>
Date:       2024-05-25 6:18:59

There are many address space mitigations in play now which make standard
control-flow methods and ROP-style methods more difficult than ever before.
None of them are a silver bullet; added up they are a big deal, but noone
is saying they are a comprehensive solution,

One thing I've worried about for a while is that program bugs being
exercised tend to happen in the main program, or in some large library.
But many types of attack methodology require reaching system calls via
libc, in as direct and simple fashion as possible.  ASLR location of
libc has made that a bit harder, boot-time random relinking of libc
makes it even more difficult.  But there's a few things which do hint at
where libc is mapped.

Read more…

Important message for Apple Silicon OpenBSD/arm64 users

Contributed by Peter N. M. Hansteen on from the well armed pufffies dept.

As you may be aware, OpenBSD runs on Apple Silicon M series processors, thanks to the efforts of the OpenBSD/arm64 developers.

For those running our favorite operating system alongside the Apple product, sometimes special measures are needed, though.

Mark Kettenis (kettenis@) sent a message titled Important message for Apple Silicon OpenBSD/arm64 users to the misc@ and arm@ mailing lists, warning about possible firmware issues:

Subject:    Important message for Apple Silicon OpenBSD/arm64 users
From:       Mark Kettenis <mark.kettenis () xs4all ! nl>
Date:       2024-05-21 20:54:21

As indicated here:

  https://social.treehouse.systems/@AsahiLinux/112449204541186432

The system firmware that comes with macOS Sonoma 14.5 triggers a bug
in the m1n1 bootloader that is used to boot OpenBSD on these machines.
The bug will prevent OpenBSD from booting on some machines after the
macOS update has been installed.  The recommended fix is to update the
"stage1" m1n1 by booting into macOS and running:

Read more…

Donate!

Donate to OpenBSD

Features

We are constantly on the lookout for stories of how you put OpenBSD to work. Please submit any informative articles on how OpenBSD is helping your company.

OpenBSD Errata

OpenBSD 7.5

0032024-05-10 RELIABILITY A missing bounds check could lead to a crash in libcrypto.
0022024-04-11 RELIABILITY Install media for alpha architecture was broken due to strip(1) bug.
0012024-04-08 SECURITY Fix multiple heap buffer overread and data leakage in the X11 server Xi extension and use after free in the Render extension. CVE-2024-31080 CVE-2024-31081 CVE-2024-31083

Unofficial RSS feed of OpenBSD errata

OpenBSD 7.4

0162024-04-08 SECURITY Fix multiple heap buffer overread and data leakage in the X11 server Xi extension and use after free in the Render extension. CVE-2024-31080 CVE-2024-31081 CVE-2024-31083
0152024-03-18 SECURITY In libexpat fix billion laughs attack vulnerability CVE-2024-28757.
0142024-02-29 SECURITY vmm(4) did not restore GDTR limits properly on Intel (VMX) CPUs.
0132024-02-13 SECURITY DNSSEC protocol vulnerabilities have been discovered that render various DNSSEC validators victims of Denial Of Service while trying to validate specially crafted DNSSEC responses. Fix CVE-2023-50387 and CVE-2023-50868 in unwind(8) and unbound(8).
0122024-01-16 SECURITY Fix multiple xserver heap buffer overflows, out of bounds memory accesses and memory corruption. CVE-2023-6816 CVE-2024-0229 CVE-2024-21885 CVE-2024-21886 CVE-2024-0408 CVE-2024-0409
0112023-12-18 SECURITY An SSH protocol weakness (the Terrapin Attack) exists that allows an on-path adversary to disable keystroke timing obfuscation.

Unofficial RSS feed of OpenBSD errata

XML/RSS/RDF

Users wishing RSS/RDF summary files of OpenBSD Journal can retrieve: RSS feed

Options are available.

Credits

Copyright © - Daniel Hartmeier. All rights reserved. Articles and comments are copyright their respective authors, submission implies license to publish on this web site. Contents of the archive prior to as well as images and HTML templates were copied from the fabulous original deadly.org with Jose's and Jim's kind permission. This journal runs as CGI with httpd(8) on OpenBSD, the source code is BSD licensed. undeadly \Un*dead"ly\, a. Not subject to death; immortal. [Obs.]