double-free vulnerability in OpenSSH server 9.1 (CVE-2023-25136)
https://marc.info/?l=oss-security&m=167628974320957&w=2 [marc.info]
2023-02-16 20:18
tags:
exploit
malloc
openbsd
programming
security
Exploiting this vulnerability will not be easy: modern memory allocators provide protections against double frees, and the impacted sshd process is unprivileged and heavily sandboxed.
Quick update: we were able to gain arbitrary control of the “rip” register through this bug (i.e., we can jump wherever we want in sshd’s address space) on an unpatched installation of OpenBSD 7.2 (which runs OpenSSH 9.1 by default). This is by no means the end of the story: this was only step 1, bypass the malloc and double-free protections.
source: L
Local Privilege Escalation in OpenBSD's dynamic loader (CVE-2019-19726)
https://marc.info/?l=oss-security&m=157609898721656&w=2 [marc.info]
2019-12-11 23:22
tags:
auth
exploit
malloc
openbsd
programming
security
1a/ we set the LD_LIBRARY_PATH environment variable to one single dot (the current working directory) and approximately ARG_MAX colons (the maximum number of bytes for the argument and environment list); as described in man ld.so:
1b/ we set the RLIMIT_DATA resource limit to ARG_MAX * sizeof(char *) (2MB on amd64, 1MB on i386); as described in man setrlimit:
[CVE-2019-14899] Inferring and hijacking VPN-tunneled TCP connections.
https://marc.info/?l=oss-security&m=157551346420739&w=2 [marc.info]
2019-12-06 20:17
tags:
exploit
networking
security
I am reporting a vulnerability that exists on most Linux distros, and other *nix operating systems which allows a network adjacent attacker to determine if another user is connected to a VPN, the virtual IP address they have been assigned by the VPN server, and whether or not there is an active connection to a given website. Additionally, we are able to determine the exact seq and ack numbers by counting encrypted packets and/or examining their size. This allows us to inject data into the TCP stream and hijack connections.
Some more info in replies, such as https://marc.info/?l=oss-security&m=157554332429760&w=2.
U2F support in OpenSSH
https://marc.info/?l=openssh-unix-dev&m=157259802529972&w=2 [marc.info]
2019-11-03 20:26
tags:
admin
auth
hardware
networking
openbsd
security
update
OpenBSD 6.5 released
https://marc.info/?l=openbsd-announce&m=155611207805565&w=2 [marc.info]
2019-04-24 15:15
tags:
openbsd
release
We are pleased to announce the official release of OpenBSD 6.5. This is our 46th release.
source: L
XSA-294 - x86 shadow: Insufficient TLB flushing when using PCID
https://marc.info/?l=oss-security&m=155178973728914&w=2 [marc.info]
2019-04-04 04:51
tags:
bugfix
cpu
security
systems
virtualization
Use of Process Context Identifiers (PCID) was introduced into Xen in order to improve performance after XSA-254 (and in particular its Meltdown sub-issue). This enablement implied changes to the TLB flushing logic. One aspect which was overlooked is the safety of switching between shadow pagetables, which previously relied on the unconditional flushing of a write to CR3.
With PCID enabled, a switch of shadow pagetable for a 64bit PV guest fails to invalidate the linear mappings of the previous shadow pagetable. As a result, subsequent accesses to the shadow pagetables may be deemed to be safe by the shadow logic (based on the old shadow pagetable) but fault when made in practice.
default to OXTABS off
https://marc.info/?l=openbsd-cvs&m=155238850020246&w=2 [marc.info]
2019-03-13 22:05
tags:
bugfix
openbsd
retro
tty
Almost all terminals now support hardware tabs so default to OXTABS off.
The future is here!
wump: incorrect wumpus movement probability
https://marc.info/?l=openbsd-bugs&m=154529364730319&w=2 [marc.info]
2018-12-20 16:06
tags:
bugfix
c
gaming
openbsd
random
The computation of wumpus movement probability in games/wump/wump.c has a parenthesis problem that causes it not to work the way it evidently is meant to.
Multiple telnet.c overflows
https://marc.info/?l=oss-security&m=154455449517302&w=2 [marc.info]
2018-12-11 22:17
tags:
c
networking
retro
security
When a telnet server requests environment options the sprintf on line 1002 will not perform bounds checking and causes an overflow of stack buffer temp[50] defined at line 990. This issue can be trivially fixed using a patch to add bounds checking to sprintf such as with a call to snprintf();
What is dead may never die.
Better handle automatic column width assignments
https://marc.info/?l=openbsd-cvs&m=154345651029561&w=2 [marc.info]
2018-11-29 15:34
tags:
bugfix
docs
openbsd
text
Modified files:
usr.bin/mandoc : out.c
Log message:
Better handle automatic column width assignments in the presence of horizontal spans, by implementing a moderately difficult iterative algorithm. The benefit is that spans containing long text no longer cause an excessive width of their starting column.
Also, use unicode for drawing: https://marc.info/?l=openbsd-cvs&m=154338047707592&w=2
And some other assorted commits that are fun.
WireGuard: Secure Network Tunnel
https://marc.info/?l=linux-netdev&m=153306429108040&w=2 [marc.info]
2018-08-02 17:23
tags:
linux
networking
security
WireGuard is a secure network tunnel written especially for Linux, which has faced around three years of serious development, deployment, and scrutiny. It delivers excellent performance and is extremely easy to use and configure. It has been designed with the primary goal of being both easy to audit by virtue of being small and highly secure from a cryptography and systems security perspective. WireGuard is used by some massive companies pushing enormous amounts of traffic, and likely already today you’ve consumed bytes that at some point transited through a WireGuard tunnel. Even as an out-of-tree module, WireGuard has been integrated into various userspace tools, Linux distributions, mobile phones, and data centers. There are ports in several languages to several operating systems, and even commercial hardware and services sold integrating WireGuard. It is time, therefore, for WireGuard to be properly integrated into Linux.
stack-register checking
https://marc.info/?l=openbsd-tech&m=152035796722258&w=2 [marc.info]
2018-03-06 23:35
tags:
defense
malloc
openbsd
security
update
How about we add another new permission! This is not a hardware permission, but a software permission. It is opportunistically enforced by the kernel.
The permission is MAP_STACK. If you want to use memory as a stack, you must mmap it with that flag bit.
Standards state a contract or implication
https://marc.info/?l=openbsd-tech&m=151233832624797&w=2 [marc.info]
2017-12-04 22:05
tags:
c
development
openbsd
programming
standard
unix
In reference to the inquiry, gettimeofday(2) does not conform to POSIX.1-2008?
Standards state a contract or implication: *if* you, the developer follow _these_ rules, *then* the standardized item will follow _these_other_ rules (if compliant). If you violate the implication, then the standard no longer applies and you have lost the guarantees of the standard.
Nice summary of the standards situation. If you color inside the lines, you get a pretty picture. If you don’t, you don’t.
OpenBSD syspatches for one release in the future.
https://marc.info/?l=openbsd-tech&m=150793229700628 [marc.info]
2017-10-15 20:46
tags:
openbsd
update
Errata patches will continue to be generated for 2 releases.
RETGUARD
https://marc.info/?l=openbsd-tech&m=150317547021396&w=2 [marc.info]
2017-08-19 21:29
tags:
beta
compiler
cpu
defense
openbsd
security
systems
The mechanism is like a userland ‘stackghost’ in the function prologue and epilogue. The preamble XOR’s the return address at top of stack with the stack pointer value itself.
Lower VM_MAX_USER_ADDRESS to finalize work-around for Ryzen bug
http://marc.info/?l=dragonfly-commits&m=150234443814532&w=2 [marc.info]
2017-08-12 18:07
tags:
bugfix
cpu
dragonfly
hardware
systems
A good summary of the bug affecting Ryzen CPUs.
Add deprecation notices for all rcmd tools
http://marc.info/?l=freebsd-commits-all&m=149918307723723&w=2 [marc.info]
2017-07-04 19:59
tags:
admin
freebsd
update
If you’re still using rcp, you should not be. At all.
KARL - kernel address randomized link
https://marc.info/?l=openbsd-tech&m=149732026405941&w=2 [marc.info]
2017-06-13 15:45
tags:
defense
openbsd
random
security
Over the last three weeks I’ve been working on a new randomization feature which will protect the kernel.
randomize the link order of .o files in the kernel
http://marc.info/?l=openbsd-cvs&m=149625830525338&w=2 [marc.info]
2017-05-31 19:59
tags:
compiler
openbsd
random
security
As a result, the internal layout of every newly built bsd kernel is different from past kernels.
vmm(4)/vmd(8) support for seabios and linux guests
https://marc.info/?l=openbsd-tech&m=149048271705188 [marc.info]
2017-04-02 17:55
tags:
openbsd
swtools
update
virtualization
This should be enough for people to create images and help find and fix bugs.