OpenBSD Journal

Patch 008: semctl and semop

Contributed by jose from the more-invalid-arguments dept.

Patch 008 has been released for OpenBSD 3.4 which addresses a local denial of service issue. As described on the OpenBSD website, "An improper bounds check makes it possible for a local user to cause a crash by passing the semctl(2) and semop(2) functions certain arguments." This source code patch should be applied and your kernel rebuilt.

For OpenBSD 3.3, Patch 013 addresses this issue.

UPDATE: Read on for the security-announce mail.


Date: Sat, 22 Nov 2003 15:36:16 -0700
From: Todd C. Miller

To: security-announce@OpenBSD.org
Subject: two localhost panics

Two localhost panics were recently fixed in the OpenBSD source tree.
We do not believe these can be used to escalate privileges but they
can be used to crash a machine given local access.

The first bug involves an unsigned integer wraparound in uvm_vslock()
and uvm_vsunlock() that can be triggered by passing the sysctl()
function certain arguments.

Fixes have been committed to the 3.3 and 3.4 -stable cvs branches,
and patches are also available at:
    ftp://ftp.OpenBSD.org/pub/OpenBSD/patches/3.4/common/007_uvm.patch
and
    ftp://ftp.OpenBSD.org/pub/OpenBSD/patches/3.3/common/012_uvm.patch

The second bug was due to an incorrect bounds check in the semop()
and semctl() functions that can be triggered by passing certain
arguments to these functions when the kern.seminfo.semmni sysctl
value is less than the value of kern.seminfo.semmsl (this is the
case for the default settings).

Fixes have been committed to the 3.3 and 3.4 -stable cvs branches,
and patches are also available at:
    ftp://ftp.OpenBSD.org/pub/OpenBSD/patches/3.4/common/008_sem.patch
and
    ftp://ftp.OpenBSD.org/pub/OpenBSD/patches/3.3/common/013_sem.patch

Alternately, a workaround is to set kern.seminfo.semmni equal to
kern.seminfo.semmsl, e.g.
    sysctl -w kern.seminfo.semmni=`sysctl -n kern.seminfo.semmsl`
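
The sysctl workaround above changes only the running kernel, so it is lost at the next reboot; the persistent form is a kern.seminfo.semmni=... line in /etc/sysctl.conf, and the source patch remains the real fix. The following POSIX sh audit script is an added example, not OpenBSD code and not part of the advisory: it parses the name=value lines that `sysctl kern.seminfo` prints, tests the semmni < semmsl condition the mail names, and prints both the immediate and the persistent remediation. The sample output embedded in it is constructed for the demo; its numbers are not a claim about any release's defaults.

```shell
#!/bin/sh
# Audit for the semop/semctl panic workaround described in the mail above.
# Added example; not OpenBSD project code. Expects the name=value lines that
# `sysctl kern.seminfo` prints on OpenBSD.

# Constructed sample of `sysctl kern.seminfo` output. The numbers are made up
# for the demo and are not a claim about any release's default values.
SAMPLE_SEMINFO='kern.seminfo.semmni=10
kern.seminfo.semmns=60
kern.seminfo.semmsl=60
kern.seminfo.semopm=100'

# seminfo_value KEY TEXT: print the integer value of kern.seminfo.KEY in TEXT.
seminfo_value() {
    printf '%s\n' "$2" |
        sed -n "s/^kern\.seminfo\.$1=\([0-9][0-9]*\)\$/\1/p" | head -n 1
}

# sem_workaround_needed SEMMNI SEMMSL: true (exit 0) when an unpatched kernel
# is exposed, i.e. semmni is smaller than semmsl.
sem_workaround_needed() {
    [ "$1" -lt "$2" ]
}

# sem_audit TEXT: print the remediation for the given sysctl output.
# Exit 0 = workaround printed, 1 = condition not present, 2 = unparseable.
# The source patch is the real fix; the sysctl change only removes the
# condition the bug needs and must also go in /etc/sysctl.conf to survive
# a reboot.
sem_audit() {
    semmni=$(seminfo_value semmni "$1")
    semmsl=$(seminfo_value semmsl "$1")
    if [ -z "$semmni" ] || [ -z "$semmsl" ]; then
        echo 'error: kern.seminfo.semmni/semmsl not found in input' >&2
        return 2
    fi
    if sem_workaround_needed "$semmni" "$semmsl"; then
        printf 'sysctl -w kern.seminfo.semmni=%s\n' "$semmsl"
        printf 'echo kern.seminfo.semmni=%s >> /etc/sysctl.conf\n' "$semmsl"
        return 0
    fi
    echo "semmni=$semmni >= semmsl=$semmsl: workaround condition not present"
    return 1
}

# Live use on the host being audited:  sem_audit "$(sysctl kern.seminfo)"
# Offline demo against the constructed sample:
sem_audit "$SAMPLE_SEMINFO"
```

Run it as root on the host in question with the live `sysctl kern.seminfo` output; once the kernel is rebuilt with the patch the sysctl relation no longer matters, but the audit is still a cheap way to confirm which boxes were relying on the workaround.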



Comments
  1. By Dunceor () on

    ok, who is first in line to claim they have owned thousands of OpenBSD boxes with this?

    Comments
    1. By Anonymous Coward () on

      That's nothing. I rooted thousands of Micro BSD boxes with this five years ago :)

      Comments
      1. By Anonymous Coward () on

        Darn! You beat me to the de rigueur uBSD posting!

  2. By Wouter () on

    Hmm, It's going extremely fast this time with patches :(

    Comments
    1. By SH () on

      Better fast than slow.

    2. By Anonymous Coward () on

      A lot of patches can just mean there's a lot of developer activity, that they're going over the code again, hunting bugs.

      There's no relationship between the number of bugs found in a period of time, and the quality of the code. Or at least not always ;)

      Comments
      1. By Anonymous Coward () on

        hah, but in this case, it just means developer stupidity. they were just fixing code in this function a couple weeks ago...they didn't fix it right. you assume the code is clean and secure...on what do you base this opinion? what you're told? this constant flow of patches is a counter-proof. These bugs were not found by your genius developers. Your genius developers are the ones running like ants trying to fix the bugs!

        Comments
        1. By SH () on

          And they would be very pleased if you actually managed to find some new bugs for them as well.

          Comments
          1. By Anonymous Coward () on

            yes, I'm sure Theo is so thrilled. So thrilled, maybe he'll tell us:

            AND YOU WANT ME TO TREAT YOU SPECIAL??????


            hahaha he's dying right now

            MORE BUGS FOR THEO

            Comments
            1. By rankor_industries () on

              Funny how a large majority of the troll posts come from probably one person.

              OrgName: GST Telecom, Inc
              OrgID: GSTD
              Address: 10475 Park Meadows Drive
              City: Littleton
              StateProv: CO
              PostalCode: 80124
              Country: US

              NetRange: 209.234.128.0 - 209.234.223.255
              CIDR: 209.234.128.0/18, 209.234.192.0/19

              Funny thing is how the troll in that netblock will point to another one of his own posts and say "see everyone agrees with me".

              Look at the google results to see what I mean:

              http://www.google.com/search?q=site:www.deadly.org+209.234&hl=en&lr=&ie=UTF-8&oe=UTF-8&start=10&sa=N

              Comments
              1. By Anonymous Coward () on

                funny that you don't know about anonymizer, retard.

                Comments
                1. By Anonymous Coward () on

                  Funny that you don't know how anonymizer works. Ummmm, what goes next... oh yeah... retard.

                  Comments
                  1. By bumby () on

                    unfunny that you all call each other names, the next not better than the first.

                    just leave the trolls alone, they are not worth the time anyways...

                    Comments
                    1. By Anonymous Coward () on

                      Speaking of namecalling because you have nothing to offer...

                      Comments
                      1. By bumby () on

                        I rest my case...

                        Comments
                        1. By Anonymous Coward () on

                          be useful. tell me what happens in OpenBSD when you mprotect a page of the stack RWX! Since you claim to be intellectually and morally "better" than the "trolls" here, surely you can answer this simple question.

                          Comments
                          1. By Anonymous Coward () on

                            I haven't tried it, but I would have thought it would cause the application to crash.

                            Comments
                            1. By Anonymous Coward () on

                              nope, it doesn't crash...try again.

                          2. By bumby () on

                            I can't really see how you connect answering your question about mprotect() (which you most likely already know the answer to) to being "morally better" than any troll here.

                            What I wanted to have said, was that I thought it was, and is, rather useless to be calling people retards back and forth, even though the poster has a point in his/her comment.

                            Of course, posting a comment about it, with no further "usefulness" for the parent posts obviously didn't do any good.

                            So I guess I was hoisted by my own petard.

                            And to answer your question, even though you surely know the answer for it:

                            Assuming the page you want to mprotect is first mmapped, you'll get yourself an rwx'ed stack page, which I guess would later be used to execute code from, probably placed there from an overflowed buffer.

                            But what do I know, I'm not as 1337 as you are.

                            Your point was?

                            Comments
                            1. By Anonymous Coward () on

                              You are right about one thing. You're certainly not as 1337. Your answer was incorrect. First, your comment regarding mmap is stupid, since I said "mprotect a page in the stack". This has nothing to do with mmap. Then your following answer to the question is wrong. You do not get an rwx'd stackpage.
                              Taking a look at this might help:
                              http://www.openbsd.org/papers/pacsec03/e/mgp00010.html

                              You get an rwx'd stackpage, and everything else becomes rwx as well (data, bss, heap..etc). And when it happens, you'll never know. Sleep soundly my OpenBSD friends!

                              Ask your OpenBSD developers why they never told you about this. Ask them why they failed to mention when they said that W^X doesn't break anything, why XFree86 modules do not work.

                              Comments
                              1. By Anonymous Coward () on

                                BTW, this happens on nested functions, so don't say it will never happen in real life. Thank you.

                                Comments
                                1. By krh () on

                                  You included some extra words in your previous post. Let me help you:

                                  > nested functions

                                  > never happen in real life.

                                  There you go! Much better now.

                                  > Thank you.

                                  You're welcome.

                                  Comments
                                  1. By Anonymous Coward () on

                                    Care to give proof of this? I have proof to counter your claims. You have your blissful stupidity.

                              2. By bumby () on

                                So, as I said, you already knew the answer, to the question which had no connection whatsoever to my point. (except for making me look less 1337, which was the point of your question, but otherwise totally irrelevant)

                                "Ask your OpenBSD developers why they never told you about this."

                                Why should I even try to accuse them of anything? They are spending their time to create a product which they give away for free, and they even give me the source for it, for me to do whatever I want with. I think they are doing a great job, and I love their product. Of course it has bugs, most code has. And I'm sure they do what is in their power to fix these bugs.

                                Now, if you are so much better, why don't you help fixing it?

                                You see, the beauty in it is that I don't need to know the answer to your question to use openbsd. Of course, I wouldn't mind having the knowledge you have since I could then fix such stuff myself. We all spend our time on different things, and we all enjoy different things. I'm grateful that there are people like you, who enjoy spending their time fixing these bugs, so people like me, who enjoy other things can spend time on those.

                                Have a nice day.

                                Comments
                                1. By Anonymous Coward () on

                                  If your developers had their way, you'd never know about things like these. You are telling me you APPRECIATE having a false sense of security on your mission-critical machines? Simply because they give away the software for free (and let's not construe this to mean that they don't benefit monetarily from doing such a thing) is no excuse for their deliberate distortion and suppression of facts that paint their image of security any differently than what they want people to see. Reputation is number one, security comes next.

                                2. By Anonymous Coward () on

                                  Sorry, I forgot. People who know about such things and understand security are using something else. The remainder use OpenBSD.

                                  Comments
                                  1. By Anonymous Coward () on

                                    Yes, they use something else - but it isn't linux. Do you really think an environment which requires *real* security (as in: no break-in allowed or else 'shit there goes the country/financial holding group/industrial consortium') uses unices or even vms?? There are far better proprietary operating systems aimed at security which would, in the old orange book classifications, rate similar to B1. No linux comes close to this (openbsd either). Grow up and learn how to put things into the right perspective.

                                    Do you think that openbsd with its limited developer base and almost non-contributing users has the same resources as the linux-scene? Openbsd does quite well at the moment, and if they weren't around for the last 7 years or so, security in general unices would still be in its infancy...

                                    Comments
                                    1. By Anonymous Coward () on

                                      Openbsd does quite well at the moment, and if they weren't around for the last 7 years or so, security in general unices would still be in its infancy...

                                      you have got to be kidding me...

                                      like to provide some proof of how without openbsd for the last 7 years, linux would be in security infancy?

                                      the only thing openbsd has come up with themselves is strlcpy, and no one in linux gives a shit about it (as well they shouldn't)
                                      i'd like to hear your reasons, really. excuse my laughter.

                                      Comments
                                      1. By krh () on

                                        OpenSSH

                                        Comments
                                        1. By Anonymous Coward () on

                                          haha, as if the world couldn't survive if it weren't for OpenSSH. Like no one else would have done something.. SSH did not come from OpenBSD.

                              3. By Anonymous Coward () on

                                You get an rwx'd stackpage, and everything else becomes rwx as well (data, bss, heap..etc). And when it happens, you'll never know.

                                I assume this happens on x86 because of the code segment limit. Changing the protection permissions on a page in the stack from not-x to x will force the whole stack out of the non-x space and back into x space. If this is correct then it will not affect sparc and alpha users. Perhaps a change to the man page would make it clearer for programmers, but as for crackers .....

                                when they said that W^X doesn't break anything, why XFree86 modules do not work

                                Wasn't it that they don't break POSIX?

                                I have a question: why do the PaX lot hang out on deadly? Why do they not produce PaX for BSD if they can do better? Do they benefit from OpenBSD's potential demise? oh well ....

                          3. By Anonymous Coward () on

                            be useful. tell me what happens in OpenBSD when you mprotect a page of the stack RWX!

                            Dear god. Must every one of your 4 IP based alter-egos _always_ have to come back to a PAX related vendetta? Have you _really_ nothing better to do with your time?

                2. By Dunceor () on

                  funny that you can't even stand behind your opinions, loser.

                  Comments
                  1. By Anonymous Coward () on

                    Do you read any of the OpenBSD mailing lists? They're proof enough. Seriously, think for your self. The level of groupthink on this site is ridiculous.

              2. By Anonymous Coward () on

                That doesn't change the fact that his comments are all true.

                Comments
                1. By Sam () on

                  Most people would expect that the owner of clue4all.net would have, well, some clue.

                  You clearly don't.

                  Comments
                  1. By Anonymous Coward () on

                    Coming from someone running Windows XP, I think I'll be less than insulted. It also doesn't change that the original poster is correct, but because he doesn't subscribe to your groupthink, he must be a "troll." Quick, someone say he's spreading FUD, that's always a good way to disagree with someone without providing any supporting evidence!

                    Comments
                    1. By SH () on


                      Coming from someone running Windows XP, I think I'll be less than insulted. It also doesn't change that the original poster is correct, but because he doesn't subscribe to your groupthink, he must be a "troll." Quick, someone say he's spreading FUD, that's always a good way to disagree with someone without providing any supporting evidence!


                      You and the original poster beeing one and the same? Your contribution here is just immature pissing in other peoples forum.

                      Comments
                      1. By Anonymous Coward () on

                        I'm sorry you see quoting Theo on the mailing list as a personal insult. That's pretty sad.

                        Comments
                        1. By SH () on


                          I'm sorry you see quoting Theo on the mailing list as a personal insult. That's pretty sad.


                          You apparently have a tenuous grip on reality. I've made a similar comment to another post on this forum, and I suppose it was you?

              3. By sigh () on

    3. By Anonymous Coward () on

      Correlation does not imply causation. Certainly not without some discussion and research.

  3. By theo the rat () on

    I have been spending the last 10 days making openbsd releases for
    about 14-15 hours a day for people to use
    We've been spending hours and hours making openssh release
    We are dealing with an, as far as we know, unexploitable hole
    (affects some systems, but not openbsd it is pretty clear) issue
    for all of you who run other system
    we've been dealing with this frantically
    to make something that the internet relies on as good
    as good as it possibly can be
    no sleep for 30 hours
    and you expect me to treat you special?

    AND YOU EXPECT ME TO TREAT YOU SPECIAL?

    AND YOU THINK THAT PASTING THAT TO SOME IRC CHANNEL MAKES YOU LOOK
    RIGHT?

    and you think that you pasting it to some icb channel makes me feel
    worth less, when every single hp and cisco switch containing this code
    is likely vulnerable, and i don't like that, and want to make the
    world a better place even if it kills me due to stress and lack of
    sleep because i think that a better world is a better place to live
    my life?


    Comments
    1. By Anonymous Coward () on

      Dude, Get a life. You picked OpenBSD cause it was the most secure. Not only that but it sounds like you have great job. Were they make sure to have the ARE secure instead of just saying they are secure.

    2. By Anonymous Coward () on

      Security through obscurity is no security at all.

    3. By () on

      It's because of that attitude that I won't use OpenBSD. It's a shame, they have a great product, but without professional developers standing behind their work, I will have no part of it. So sad...

      Comments
      1. By SH () on

        You really have an unbalanced mind, don't you?

        Comments
        1. By Anonymous Coward () on

          Unbalanced? Are you kidding? How could you, in good conscience, use a product developed and managed by people like this? Or have I been in the real world for too long and I'm just being trolled by a dorm jockey?

          Comments
          1. By Anonymous Coward () on

            "How could you, in good conscience, use a product developed and managed by people like this?"

            So you vet each and every product you buy with regards to the engineers' personality? I'm amazed.

            What car do you drive? What hardware do you use? What brand of toothpaste is pure enough to pass your lips?

            Comments
            1. By Anonymous Coward () on

                I think you're missing the point. The OpenBSD team (Theo) have continually ousted themselves. Usually in a very public manner. My car company hasn't done that. Neither has my toothpaste company.

              I just wish he could keep his mouth shut and roll with a punch or two. It's part of the gig man.

              All that said I still like OpenBSD as a product.

              Comments
              1. By Anonymous Coward () on

                I understood his point; I just thought that it was rather idiotic to refuse to use a product (especially one where your money doesn't go to those who make it if you don't want it to) based entirely on the social skills of those who engineer it.

  4. By Anonymous Coward () on

    THEO-

    Please release to the community a picture of you and your boyfriend from Argentina who works at CORE. We will then continue with sending you useful bugs to fix!!

    Comments
    1. By Anonymous Coward () on

        What the hell? What's wrong with you?

  5. By name protected () on

    cut it out

    we're all well aware that, as always, the developers are doing everything they can to improve security all the time.

    baiting the developers will not work: why do you think there have been next to no posts from developers here about this? clearly they are not interested in silly flame-wars. replying to bait from idiots won't help either - but i'm sure the rest of us share your sentiment and intentions :-)

    as a professional software developer i have seen shocking code and i have seen good code. generally the good code is from the bigger open source projects (no, i'm not listing any because i'd just start another flame war), and the shocking code tends to be part of systems labelled "carrier grade" and sold for a million pounds upwards... go figure.

    openbsd lives on side of "good code", along with a few other os projects that people get zealous about.

    here's a challenge to those who want to sit and talk about openbsd code and security: get off your butt and get involved. buy "The Design and Implementation of the 4.4BSD Operating System" and get your hands dirty. but be careful, you won't be allowed to commit the same junk code you write at your day job.

    if you're not a coder there are still many, many things you can do to help. if you can run autoconf and follow basic guidelines you have a headstart on helping the porters. if you can read or write any language (and i'm hoping that most people who post here can) you can help with the FAQ, miniFAQ's, man pages or other documentation.

    come _on_ people! get involved. we're all busy, but even 20 minutes a day from each user will make a massive difference - put your skills to use and give a little back instead of just waiting for someone else to do it.

    and no, i don't use capitalisation on weekends.

    Comments
    1. By Anonymous Coward () on

      Bravo.

      And a nice job on spoofing the IP field (just wish I had thought of doing it first :)

      Comments
      1. By Anonymous Coward () on

        typical of openbsd users. this vulnerability in their website was reported months ago. it has yet to be corrected.

      2. By Anonymous Coward () on

        actually, that was done quite by mistake :-)

    2. By Anonymous Coward () on


      I hope you're not an openbsd developer because there's some really bad advice in that post not to mention support for really bad code.

      In general, I would disagree with your comments about free software vs proprietary. In the end it all comes down to the maturity of the developers and the process(es) involved in the engineering side. There is a lot of really bad open source code, maybe not more (in quantity) than commercial stuff simply because there are less people producing output. Then again, there is Linux.

  6. By Dino () on

    I've been a user of OpenBSD for many years, I regularly submit detailed bug reports, and on more than one occasion have contributed code to the project. However, Theo's behavior in the recent past has led me to reconsider my involvement in the project, and I will now be taking my leave of it. I consider his behavior disgraceful, and not in line with an operating system that has such worthy potential, and I will no longer be supporting it. Goodbye. It was nice while it lasted.

  7. By Anonymous Coward () on

    security or reliability? make up your mind please, or maybe do what EVERY OTHER OS THAT CARES ABOUT SECURITY does, and forget the whole reliability classification crap that is nothing but a marketing ploy.

    Comments
    1. By squid () on

      you really don't know the difference, do you?

      Comments
      1. By Anonymous Coward () on

        Oh, so since you know the difference tell me:
        Is the recent OpenSSH bug a reliability or security issue on Linux?

          I know your answer will be "reliability", and that shows exactly what the problem is with this stupid classification. It's a marketing ploy so that OpenBSD doesn't have to call things security issues if their small minds think it's unexploitable. History shows they've been proved wrong.

        Comments
        1. By squid () on

          i'm unaware of how the bug manifested on linux platforms, but on OpenBSD (>=3.3) it was definitely a reliability issue.

            the distinction should be obvious to anyone with even the slightest sysadmin/development background. a security issue is one where a user can escalate their system privileges or otherwise attain access to data they would normally not be able to access. a reliability issue is one where no such compromise of access-rights takes place, but rather results in the crashing of an application or an entire system.

            don't get me wrong, they're both serious issues that need to be dealt with asap, but they are distinctly different. some admins may choose to treat a reliability issue with less importance than a security issue on small, low-traffic, less-critical systems. for example, i admin a number of small local networks for various local businesses (cvs repos, internal-business apps, etc.). some of them can't even be accessed (physically) from the net, and are relatively low traffic. so, if a reliability issue is found in one of those systems, i'm really in no hurry to fix it. it's not as important. the possibility of some non-technically-inclined individual crashing an application/system on such a network is fairly remote. and even if they do, no big deal. it's a low traffic network that can stand to be down for 1/2 a day.

          however, if that same reliability issue occurs in one of the networks attached to the internet, or a system with much higher volume of traffic, i will definitely give the issue top priority.

            the term "reliability issue" was simply introduced as another means of categorizing issues. if you wish to treat them as severe as security issues in all cases, then do so. but not everybody does.

          and besides...we all know that most OpenBSD developers could care less what mainstream users think of their OS (and it shows...from the relatively unfriendly and unattainable tech support for newbies). so if OpenBSD was trying to launch a marketing campaign against mainstream users...they'd have to try a bit harder.

          Comments
          1. By Anonymous Coward () on

              You ignored my entire point. My point was that OpenBSD is choosing to use the term "reliability" in cases where they simply don't think a bug is exploitable. The problem is when they use this classification for bugs that actually are exploitable. They just did this recently with the first ibcs2 bug from Guninski. They were quick to label it a "reliability" issue, before Guninski said he didn't think it was just a crash and Noir claimed to have an exploitation method for the bug. This bug still has not been given "security" status, which it should have been from the start. Just because the developers don't know what they're talking about when it comes to exploitation methods (have the developers ever even written an exploit?) doesn't mean it should be accepted in the OpenBSD community to allow them to downplay important bugs just to save face.

            Comments
            1. By Anonymous Coward () on

                The last thing obsd developers want to spend time on is probably 'saving their face'. They're, compared to any linux distro or other operating system, a small group of coders with limited time and resources who actually try to make a change.

                These developers know their system by heart, and yes, it's possible that a 'reliability' is exploitable and, yes, that they don't know how, but at least they try (instead of cramming a lousy operating system down their user's throat like most popular linux-distros do).

                If you know better, then please cooperate a little and show them examples, proof of concept, real exploits or simply better code.

                Don't argue semantics. 'Reliability' and 'security' have overlapping areas. If obsd developers find it not exploitable, and no-one proves the contrary - what do you expect.

                Final note: PAX on linux may be technically better against exploits in general (compared to the different techniques in obsd), but that shouldn't be a reason for the linux security freaks to start a holy war against obsd. What do most companies run if they do run linux? They run redhat with an almost default install... go figure what's more secure. Obsd is more secure by default, anyone can deduce that. Ask yourself: how many companies do make use of grsecurity/pax/selinux/rsbac/whatever ? Not many, because it's far from mainstream.

              Comments
              1. By Anonymous Coward () on

                PAX on linux may be technically better against exploits in general

                on x86 possibly, stack pages are marked as supervisor.
                on the sparc and alpha non-execution is handled in hardware, and so no little hacks are needed.

                I guess the edge comes from a greater randomisation of mmaped pages.

                Comments
                1. By Anonymous Coward () on

                  uhh, no. sorry, you don't know how PaX works. Please read first, then comment. It's also better on powerpc, and supports more architectures than W^X. Plus PaX is for a useful OS.

                  Comments
                  1. By ulysses () on

                    oh, now we're getting somewhere.

                  2. By Anonymous Coward () on

                    uhh, no. sorry, you don't know how PaX works.
                    would you like to explain it then ?
                    it appears as if all protected page table entries are set to supervisor. Each time we access one of these pages, the page fault handler is executed because the supervisor bit has been detected during the linear-to-physical address translation. That appears to be how pages are handled, segmexec works a bit like W^X, according to a grsecurity presentation.

                    The information on pages was derived from pageexec.txt, so if I am wrong, please correct me.

                    Plus PaX is for a useful OS. now you are just trolling

                    Comments
                      1. By PaX Team (pageexec at freemail.hu) on

                      what you describe is PAGEEXEC and is correct, except it's applied on all non-executable pages not only the stack (not sure why you exempted it in your original post, if it was just an example, then forget this sidenote ;-). on the other hand SEGMEXEC has very little to do with W^X, about the only similarity i can think of is the fact that both make use of the segmentation logic in IA-32, but they do that differently. W^X uses overlapping code/data segments (code is a true subset of data) and plays with the code segment limit to carve out the executable range within the address space whereas SEGMEXEC creates non-overlapping code/data segments and uses normal file mappings instead (well, with a bit of a trickery) to make something executable. since you were speculating about the technical edge, it's the fact that both non-exec approaches in PaX give you a per-page non-exec bit which is not true for W^X and can be nicely abused in exploits.
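
The question that runs through this subthread (what a process can execute after mprotect(2) turns one stack page RWX) and the PAGEEXEC/SEGMEXEC description just above come down to the same property: whether non-executability is tracked per page or carved out of the address space by a segment limit. The probe below is an added example written for this page; it is not OpenBSD, PaX or any poster's code. It writes a single `ret` into a page and calls it under a SIGSEGV/SIGBUS handler, so is_executable() reports whether that page runs code straight from the hardware's verdict; stack_rwx_leaks_to_other_pages() then makes one page of the stack RWX and re-checks an unrelated RW mapping. It assumes x86-64 or aarch64 on a POSIX system with a working no-execute bit, and its return values describe whatever host it runs on, so the i386 W^X claim made in the thread can only be confirmed by running it there.

```c
/*
 * Per-page executability probe (added example; not OpenBSD, PaX or any
 * poster's code). Assumes x86-64 or aarch64 on a POSIX system; the answers
 * describe the host it runs on, so run it on the system in question.
 */
#ifndef _GNU_SOURCE
#define _GNU_SOURCE                /* MAP_ANONYMOUS, sigsetjmp under -std=c99 */
#endif
#include <setjmp.h>
#include <signal.h>
#include <stdint.h>
#include <string.h>
#include <sys/mman.h>
#include <unistd.h>

static sigjmp_buf probe_env;
static void probe_fault(int sig)
{
    (void)sig;
    siglongjmp(probe_env, 1);      /* unwind back into is_executable() */
}

/* Copy a "return to caller" instruction to the start of a writable page. */
static void write_ret_stub(unsigned char *p)
{
#if defined(__x86_64__)
    static const unsigned char stub[] = { 0xf3, 0x0f, 0x1e, 0xfa, 0xc3 }; /* endbr64; ret */
#elif defined(__aarch64__)
    static const unsigned char stub[] = { 0xc0, 0x03, 0x5f, 0xd6 };       /* ret */
#else
#error "add the 'ret' encoding for this architecture"
#endif
    memcpy(p, stub, sizeof stub);
    __builtin___clear_cache((char *)p, (char *)p + sizeof stub);
}

/*
 * 1 if code placed in `page` runs, 0 if instruction fetch from it faults.
 * The page must be writable (the stub is written into it); whether it is
 * also executable is exactly what is being tested.
 */
static int is_executable(unsigned char *page)
{
    struct sigaction sa, old_segv, old_bus;
    union { void *obj; void (*fn)(void); } stub;
    volatile int ran = 0;
    write_ret_stub(page);
    stub.obj = page;
    memset(&sa, 0, sizeof sa);
    sa.sa_handler = probe_fault;
    sigemptyset(&sa.sa_mask);
    sigaction(SIGSEGV, &sa, &old_segv);
    sigaction(SIGBUS, &sa, &old_bus);
    if (sigsetjmp(probe_env, 1) == 0) {
        stub.fn();                 /* faults here if the page is non-executable */
        ran = 1;
    }
    sigaction(SIGSEGV, &old_segv, NULL);
    sigaction(SIGBUS, &old_bus, NULL);
    return ran;
}

/* Anonymous private page with the given protection, or NULL on failure. */
static unsigned char *map_page(int prot)
{
    void *p = mmap(NULL, (size_t)sysconf(_SC_PAGESIZE), prot,
                   MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
    return p == MAP_FAILED ? NULL : p;
}

/*
 * The thread's question: after mprotect()ing one page of the stack RWX, is an
 * unrelated RW mapping executable too? 0 = protection stays per-page,
 * 1 = it leaks into other pages (the whole-address-space effect the comments
 * describe for a segment-limit scheme), -1 = a syscall failed.
 */
static int stack_rwx_leaks_to_other_pages(void)
{
    long page = sysconf(_SC_PAGESIZE);
    unsigned char buf[2 * page];   /* VLA: holds one whole page-aligned page */
    unsigned char *stack_page = (unsigned char *)
        (((uintptr_t)buf + page - 1) & ~(uintptr_t)(page - 1));
    unsigned char *other = map_page(PROT_READ | PROT_WRITE);
    int leaked;
    if (other == NULL)
        return -1;
    if (mprotect(stack_page, page, PROT_READ | PROT_WRITE | PROT_EXEC) != 0 ||
        !is_executable(stack_page)) {  /* the RWX page itself must run */
        munmap(other, page);
        return -1;
    }
    leaked = is_executable(other);
    mprotect(stack_page, page, PROT_READ | PROT_WRITE);
    munmap(other, page);
    return leaked;
}
```

On a system with per-page protection (any x86-64 kernel with NX enabled, for instance) is_executable(map_page(PROT_READ | PROT_WRITE)) returns 0, the RWX mapping returns 1, and stack_rwx_leaks_to_other_pages() returns 0; a 1 from the last call is what the whole-address-space behaviour described in this thread would look like, and a -1 means the host refused the RWX mprotect, which is itself a policy worth knowing about.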

            2. By squid

              ahhh..yes... i forgot...
              everybody "thinks" they have exploits for these bugs. i forgot that all it takes for somebody to create an exploit is for them to think it into existence.

              once some actual exploit code is made public (that actually escalates the privileges of the user executing the code, rather than just crashing the app/machine), i'll believe it's a security issue. and yes, i've tried the recent code from noir and guninski, and it successfully crashed my machines. nothing more. thus, it's a reliability issue (at least on the versions i run, which are 3.3 and 3.4)

              OpenBSD uses the term "security issue" when they believe there is even the slightest chance of a privilege-escalation taking place. check the errata page for 3.3, specifically issue 004. it's labelled "SECURITY" because they are unsure if the bug is exploitable. they recognize the fact that it could happen, even though no proof has been presented. the rest of the issues aren't exploitable because of the measures taken in the kernel to prevent various things such as this from happening. they're not downplaying the issues...they just know they're nothing more than reliability issues.

              further, note that roughly half (7/13) of the issues on the 3.3 errata page are listed as "SECURITY" issues. they aren't afraid to address serious security issues.

  8. By Anonymous Coward

    I would like to know how W^X protects applications that use nested functions. Can you show me an example of W^X doing such a thing? I don't remember Theo mentioning anything about it in his presentation slides....he must have forgot I'm sure.

    Comments
    1. By SH

      For the vast majority of SuSE, Redhat and Mandrake users, the grsecurity patches are unusable to them.

      Even when distros do support it, it is still unusable: http://forums.grsecurity.net/viewtopic.php?t=443&highlight=mandrake

      However, even a newbie OpenBSD user can take advantage of W^X right out of the box.

      So the question is really : What are the grsecurity developers doing to make useful technology usable to ordinary Linux users? Run Gentoo?

      Comments
      1. By Anonymous Coward

        troll!

        Comments
        1. By SH


          > troll!

          I had a good laugh when I read that comment. This is not Slashdot where claiming parent post is a troll gives you mod points.

          But still, in what way is grsecurity useable to the ordinary SuSE, Redhat and Mandrake user?

          In the case of Mandrake that does support grsecurity, what has PaX Team to say about it (grsecurity forum):

          > espicom wrote:
          > > And the near total lack of anyone willing to answer how to fix it made it maddening!
          >
          > maybe the following will sound a bit disappointing to you, but the fact is that grsecurity is supported on exactly one kernel version: vanilla from kernel.org. every other combination is the responsibility of the respective party who makes it (well, more or less, we do try to support some other patches as well, but only when they use the latest version which is not true for Mandrake). Mandrake's case is particularly painful as spender did try to tell them a while ago to keep using the latest versions, all in vain as you had to find it out the hard way. if the vanilla kernel is ok for you, please use it by all means, then we can actually support you, should you still run into problems.

          Even a Mandrake user putting a lot of effort into making grsecurity work can't make it work.

          In contrast to OpenBSD, anybody not using the standard Linux kernel is left on their own. That pretty much leaves the vast majority of Linux users on their own.

          Comments
          1. By PaX Team (pageexec at freemail.hu)

            i reflected on most of the stuff here, let's just see this one:

            > In contrast to OpenBSD, anybody not using the standard Linux kernel is left on their own.

            care to explain this poor guy's experience then (from http://marc.theaimsgroup.com/?l=openbsd-misc&m=106920547431350&w=2 ):

            ------------------------------------------------------------------------
            I ask some guys here which Kernel-Options I need. They told me USE GENERIC.
            Even I wont use GENERIC, I use it. Because I wont be able to analyse problems
            (if there are problems..).
            The problem in my point of view is not the work of the developers, they do a
            very well job(!), and it's not this guy with his exploit and not the hole
            itself too. I think the problem is the meaning about GENERIC and which
            things are "enabled" as default.
            GENERIC isn't the answer at all and so we shouldn't damn people who ask for
            options which are not enabled/deactivated as default.
            GENERIC is the first step. It's the base.
            But maybe afterstep should told me in the next oBSD-Version that I've to
            disable kerneloptions I never need.
            Some weeks I asked what's happen if there's a hole into the kernel (and I
            asked and used these compat-options as example) and some guys told me that's
            "not possible". We see now it's possible so let change the mind about
            GENERIC.
            Patches are well but without this kernel-option I'm not affected and this is
            fact and not a riddle.
            So don't tell users again and again that they have to use GENERIC because they
            wont be supported if they've problems with a non GENERIC-Kernel.
            I think it's senseless that nobody wont support me because I enabled the
            speed-hack...
            ------------------------------------------------------------------------

            to paraphrase you, it sounds like as if 'anybody not using the standard OpenBSD kernel is left on their own'.

            Comments
            1. By SH

              If I compile my own kernel with my own kernel patches on my SuSE machine and things break, what do you think SuSE support will tell me if I call them? This, however, is precisely the case for someone wanting to use grsecurity, since just about no distro is using the standard kernel. Contrast this with OpenBSD, where use of Propolice and W^X is part of the OS. No need to use kernel patches here.

              Comments
                1. By PaX Team (pageexec at freemail.hu)

                putting it this way clears things up, your original statements came through to me as if you were faulting grsecurity for not being useful for all possible end users whereas it is clear now that you're blaming the distros instead. feel free to let them know, you'll get our full support ;-).

      2. By Anonymous Coward

        Probably when it doesn't break things. Apparently that seems to be too much to ask for some developers.

      3. By PaX Team (pageexec at freemail.hu)

        you're comparing apples to oranges. the thread you posted is about the ACL system not PaX or the other hardening features. unless you want to tell me that OpenBSD comes with properly set up (and enabled) systrace policies by default and makes it easy even for a newbie to take advantage of it. as for how a newbie can take advantage of W^X: http://marc.theaimsgroup.com/?t=106883183700002&r=1&w=2 . as for Gentoo, you made a lucky guess, grsecurity has been in the main gentoo kernel for 1.5 years at least (the changelog doesn't go back for longer, http://www.gentoo.org/cgi-bin/viewcvs.cgi/sys-kernel/gentoo-sources/ ) and is fully supported throughout userland: http://www.gentoo.org/proj/en/hardened/grsecurity.xml .

        Comments
        1. By SH

          I'm well aware that Gentoo supports grsecurity, and that was also the point of my remark : If you want better support for grsecurity than SuSE, Redhat or Mandrake gives, you go to Gentoo. That will leave ordinary Linux users without the protection of grsecurity.

          Grsecurity is _clearly useful_, but for most it is also _unusable_. Even kernel patches are not enough; userland should also be supported, as your post indicates: Grsecurity is fully supported in Gentoo throughout userland. You yourself want to use Propolice in combination with your own ideas to prevent some types of exploits. Do you think the above distros are going to use Propolice anytime soon?

          The crux of it is this: OpenBSD developers made useful technology usable. Unless you run Gentoo, grsecurity is not there yet.

          Comments
          1. By PaX Team (pageexec at freemail.hu)

            you're expecting something from 'mainstream' Linux distros that you don't expect from OpenBSD and then hold that against grsecurity. you either assume a userbase of technically competent people who can install OpenBSD/Linux themselves or you don't. in the former case i see no point in arguing about what some Linux distros do or don't do, the competent user should have enough clue to choose the right tool for the job, in this case use grsecurity and/or a distro built on it (vs. those 'mainstream' ones). in the latter case OpenBSD has no business either, technically incompetent people (for whom the Linux distros you mentioned are also aimed at) cannot *ever* make use of your technology.

          2. By Chris Humphries (chris@unixfu.net, http://unixfu.net/)

            It runs fine on Debian.

            You act like you are bound and can't do anything. You can change anything on the system to meet your needs, admin the box. If you are messing with grsecurity and other trusted-OS-ish OSes then admining the box and getting it set up how you like it should take a lot of your time initially.

            The whole distro thing is kinda pointless if you can not even setup the box to how you like. I would also suggest you read the documentation on grsecurity that is available on their website.

            educating yourself could have saved you some energy.

Credits

Copyright © - Daniel Hartmeier. All rights reserved. Articles and comments are copyright their respective authors, submission implies license to publish on this web site. Contents of the archive prior to as well as images and HTML templates were copied from the fabulous original deadly.org with Jose's and Jim's kind permission. This journal runs as CGI with httpd(8) on OpenBSD, the source code is BSD licensed. undeadly \Un*dead"ly\, a. Not subject to death; immortal. [Obs.]