OpenBSD Journal

OpenBSD Journal

clang -fret-clean: cleaning return addresses off stack (by deraadt@)

Contributed by Peter N. M. Hansteen on from the Puffy cleans your stack dept.

Future versions of OpenBSD may include core system libraries and binaries built with logic to remove return addresses off the stack. With this in place, whole classes of bugs would be harder to exploit.

In a message to the tech@ mailing list titled clang -fret-clean: cleaning return addresses off stack, Theo de Raadt (deraadt@) explains how this would work and includes code to implement the feature for the X86 architecture only:

List:       openbsd-tech
Subject:    clang -fret-clean: cleaning return addresses off stack
From:       "Theo de Raadt" <deraadt () openbsd ! org>
Date:       2024-05-25 6:18:59

There are many address space mitigations in play now which make standard
control-flow methods and ROP-style methods more difficult than ever before.
None of them are a silver bullet; added up they are a big deal, but noone
is saying they are a comprehensive solution,

One thing I've worried about for a while is that program bugs being
exercised tend to happen in the main program, or in some large library.
But many types of attack methodology require reaching system calls via
libc, in as direct and simple fashion as possible.  ASLR location of
libc has made that a bit harder, boot-time random relinking of libc
makes it even more difficult.  But there's a few things which do hint at
where libc is mapped.

Read more…

Important message for Apple Silicon OpenBSD/arm64 users

Contributed by Peter N. M. Hansteen on from the well armed pufffies dept.

As you may be aware, OpenBSD runs on Apple Silicon M series processors, thanks to the efforts of the OpenBSD/arm64 developers.

For those running our favorite operating system alongside the Apple product, sometimes special measures are needed, though.

Mark Kettenis (kettenis@) sent a message titled Important message for Apple Silicon OpenBSD/arm64 users to the misc@ and arm@ mailing lists, warning about possible firmware issues:

Subject:    Important message for Apple Silicon OpenBSD/arm64 users
From:       Mark Kettenis <mark.kettenis () xs4all ! nl>
Date:       2024-05-21 20:54:21

As indicated here:

  https://social.treehouse.systems/@AsahiLinux/112449204541186432

The system firmware that comes with macOS Sonoma 14.5 triggers a bug
in the m1n1 bootloader that is used to boot OpenBSD on these machines.
The bug will prevent OpenBSD from booting on some machines after the
macOS update has been installed.  The recommended fix is to update the
"stage1" m1n1 by booting into macOS and running:

Read more…

KDE 6 landed in OpenBSD-current

Contributed by Peter N. M. Hansteen on from the plasmatic puffy dept.

YES! KDE6 landed in OpenBSD -current

Rafael Sadowski (rsadowski@) writes in his most recent blog entry on KDE6 on OpenBSD, and goes on to say

We are currently in an excellent phase ahead of the upcoming OpenBSD release 7.6, which gives us plenty time to thoroughly test KDE Plasma 6. My goal is to make sure it works well and is stable for everyone.

Also worth noting is some still in progress work,

Stay tuned for more updates as we progress towards the integration of KDE Plasma 6 into OpenBSD 7.6.

But don't just take our word for it, read the whole thing, KDE6 on OpenBSD over at Rafael's blog. There you will find detailed descriptions of how to perform the upgrade, and a video of the important points.

sshd(8) split into multiple binaries

Contributed by rueda on from the puffy-does-the-splits dept.

With the following commit, Damien Miller (djm@) commenced the process of splitting sshd(8) into multiple binaries:

CVSROOT:	/cvs
Module name:	src
Changes by:	djm@cvs.openbsd.org	2024/05/16 18:30:24

Modified files:
	usr.bin/ssh    : Makefile Makefile.inc auth-rhosts.c auth.c 
	                 auth.h auth2-gss.c auth2-hostbased.c 
	                 auth2-kbdint.c auth2-none.c auth2-passwd.c 
	                 auth2-pubkey.c auth2.c channels.c kex.c kex.h 
	                 kexgexs.c misc.c misc.h monitor.c monitor.h 
	                 monitor_wrap.c monitor_wrap.h msg.c packet.c 
	                 packet.h pathnames.h servconf.c servconf.h 
	                 serverloop.c session.c ssh_api.c sshd.c 
	usr.bin/ssh/sshd: Makefile 
Added files:
	usr.bin/ssh    : sshd-session.c 
	usr.bin/ssh/sshd-session: Makefile 

Log message:
Start the process of splitting sshd into separate binaries. This step
splits sshd into a listener and a session binary. More splits are
planned.

Read more…

Demise of Nagle's algorithm (RFC 896 - Congestion Control) predicted via sysctl

Contributed by Peter N. M. Hansteen on from the hammering the Nagle dept.

Is the classical TCP congestion control mechanism known as Nagle's algorithm (RFC 896 - Congestion Control) headed for the scrap heap of history?

A recent post on tech@ titled Add sysctl to disable Nagle's algorithm (RFC 896 - Congestion Control) from Job Snijders (job@) with a patch to implement the disabling sysctl indicates that some at least think that deprecation is in order.

The message leads in,

List:       openbsd-tech
Subject:    Add sysctl to disable Nagle's algorithm (RFC 896 - Congestion Control)
From:       Job Snijders <job () openbsd ! org>
Date:       2024-05-13 18:41:55

Dear all,

Back in the early 1980s, a suggestion was put forward how to improve TCP
congestion control, also known as "Nagle's algorithm". See RFC 896.

Nagle's algorithm can cause consecutive small packets from userland
applications to be coalesced into a single TCP packet. This happens at
the cost of an increase in latency: the sender is locally queuing up
data until it either receives an acknowledgement from the remote side or
sufficient additional data piled up to send a full-sized segment.

Read more…

LibreSSL version 3.9.2 released

Contributed by rueda on from the splat dept.

The LibreSSL project has announced the release of [bugfix] version 3.9.2 of the software:

We have released LibreSSL 3.9.2, which will be arriving in the
LibreSSL directory of your local OpenBSD mirror soon.

It includes the following change from LibreSSL 3.9.1:

 * Bugfixes
   - OpenBSD 7.5 errata 003. A missing bounds check could lead to a crash
     due to dereferencing a zero-sized allocation.

The LibreSSL project continues improvement of the codebase to reflect modern,
safe programming practices. We welcome feedback and improvements from the
broader community. Thanks to all of the contributors who helped make this
release possible.

Game of Trees 0.99 released

Contributed by rueda on from the again-and-again-and dept.

Version 0.99 of Game of Trees has been released (and the port updated).

* got 0.99; 2024-05-05
  see git repository history for per-change authorship information
- make 'got fetch' work with URLs which refer to $HOME via a tilde: ~user
- replace strftime %G-%m-%d with %F to prevent 2024-12-30 -> 2025-12-30
- fix spurious errors from got-fetch-http when server has no more data to send
- prevent gotd notification process from exiting due to EPIPE
- fix I/O hangs with TLS in got-notify-http
- document http and https protocol support in got.conf(5), too
- fix an fd leak in gotd's notify process causing endless CPU spin
- back out got stage -R option addition; deemed too inconvenient in practice
- fix got-fetch-http GET request URL; add leading slash and avoid double slashes
- allow custom GOT_TEST_HTTP_PORT when running regression tests
- gotwebd: add magic ".git" handling; try foo.git if repository foo is not found
- expose authenticated gotd user account in HTTP notifications
- gotd.conf(5) HTTP/JSON documentation fixes
- fix endless loop upon Ctrl-D (EOF) input during got stage/unstage/revert -p
- make gotd notifications work when 'git push' is used instead of 'got send'
- make got stage -p behave the same way in interactive and -F modes for 'q'
- fix lingering gotd processes from clients closing connections early
- regress: prevent spurious failure of gotd test_clone_basic_access_denied
- fix an issue where 'git fetch' would error or hang against gotd
- use polling read in got_pkt_readn() to avoid endless hangs in gotsh

And we, too, are curious what the next version number will be :)

OpenSMTPD table protocol changes, now with the backstory

Contributed by Peter N. M. Hansteen on from the tables, we deliver dept.

Regular readers will be aware that OpenBSD ships with its own mail server implementation, OpenSMTPD, in its base system.

In a recent message to the tech@ mailing list, Omar Polo (op@) asked for comments or oks for a patches implementing a change of table protocols. A little later, Gilles Chehade (gilles@) posted to the misc@opensmtpd.org mailing list with the backstory for this change.

The message follows in full below (apparently the otherwise fine marc.info archive site no longer archives the list):

Date: Fri, 03 May 2024 08:22:03 +0000
From: gilles@poolp.org
To: misc@opensmtpd.org
Subject: smtpd: change the table protocol

Hello,

This is a copy of a mail I sent to OpenBSD hackers a few days ago so you are aware of work
being done on OpenSMTPD by Omar Polo.

~~~

TL;DR: proposal to change table backends wire protocol to one that's closer to filters, it
       has proven to work for years now, comes with many benefits and it is a very trivial
       change that we can pull in a handful of hours:
       https://tmp.omarpolo.com/smtpd-tables.7.html

Read more…

Passphrase timeout for disk decryption at boot added (potential battery lifesaver)

Contributed by Peter N. M. Hansteen on from the bag heater no more dept.

Have you had your laptop accidentally un-hibernate while you weren't looking, leaving you with a totally drained battery?

Now OpenBSD-current has a fix for that, thanks to this commit by Klemens Nanni (kn@). The commit message reads,

List:       openbsd-cvs
Subject:    CVS: cvs.openbsd.org: src
From:       Klemens Nanni <kn () cvs ! openbsd ! org>
Date:       2024-04-25 18:31:49

CVSROOT:	/cvs
Module name:	src
Changes by:	kn@cvs.openbsd.org	2024/04/25 12:31:49

Modified files:
	sys/lib/libsa  : softraid.c 
	sys/arch/amd64/stand/boot: boot.8 
	sys/arch/amd64/stand/efiboot: Makefile.common cmd_i386.c conf.c 
	                              efiboot.c efiboot.h 

Log message:
Add boot.conf(8) 'mach idle [secs]' to halt at idle passphrase prompts

Read more…

Donate!

Donate to OpenBSD

Features

We are constantly on the lookout for stories of how you put OpenBSD to work. Please submit any informative articles on how OpenBSD is helping your company.

OpenBSD Errata

OpenBSD 7.5

0032024-05-10 RELIABILITY A missing bounds check could lead to a crash in libcrypto.
0022024-04-11 RELIABILITY Install media for alpha architecture was broken due to strip(1) bug.
0012024-04-08 SECURITY Fix multiple heap buffer overread and data leakage in the X11 server Xi extension and use after free in the Render extension. CVE-2024-31080 CVE-2024-31081 CVE-2024-31083

Unofficial RSS feed of OpenBSD errata

OpenBSD 7.4

0162024-04-08 SECURITY Fix multiple heap buffer overread and data leakage in the X11 server Xi extension and use after free in the Render extension. CVE-2024-31080 CVE-2024-31081 CVE-2024-31083
0152024-03-18 SECURITY In libexpat fix billion laughs attack vulnerability CVE-2024-28757.
0142024-02-29 SECURITY vmm(4) did not restore GDTR limits properly on Intel (VMX) CPUs.
0132024-02-13 SECURITY DNSSEC protocol vulnerabilities have been discovered that render various DNSSEC validators victims of Denial Of Service while trying to validate specially crafted DNSSEC responses. Fix CVE-2023-50387 and CVE-2023-50868 in unwind(8) and unbound(8).
0122024-01-16 SECURITY Fix multiple xserver heap buffer overflows, out of bounds memory accesses and memory corruption. CVE-2023-6816 CVE-2024-0229 CVE-2024-21885 CVE-2024-21886 CVE-2024-0408 CVE-2024-0409
0112023-12-18 SECURITY An SSH protocol weakness (the Terrapin Attack) exists that allows an on-path adversary to disable keystroke timing obfuscation.

Unofficial RSS feed of OpenBSD errata

XML/RSS/RDF

Users wishing RSS/RDF summary files of OpenBSD Journal can retrieve: RSS feed

Options are available.

Credits

Copyright © - Daniel Hartmeier. All rights reserved. Articles and comments are copyright their respective authors, submission implies license to publish on this web site. Contents of the archive prior to as well as images and HTML templates were copied from the fabulous original deadly.org with Jose's and Jim's kind permission. This journal runs as CGI with httpd(8) on OpenBSD, the source code is BSD licensed. undeadly \Un*dead"ly\, a. Not subject to death; immortal. [Obs.]