Thank you very much! I now understand things that I desperately want to know about hurd internal.
On November 2, 2021 6:31:17 PM GMT+02:00, Sergey Bugaev <buga...@gmail.com> wrote: >Hello! > >As promised [0], here are the details of the Hurd vulnerabilities I have found >earlier this year [1] [2]. > >[0]: https://lists.gnu.org/archive/html/bug-hurd/2021-10/msg00006.html >[1]: https://lists.gnu.org/archive/html/bug-hurd/2021-05/msg00079.html >[2]: https://lists.gnu.org/archive/html/bug-hurd/2021-08/msg00008.html > >(You'll notice that I'm formatting this just like a patch series. I'll even try >to send it out with git send-email; if you're reading this, it has worked!) > >These texts are partly based on the mails and write-ups I sent to Samuel at the >time, but most of the text is new, rewritten to incorporate the better >understanding that I now have as the result of exploring the issues and working >with Samuel on fixing them. > >I've grouped the information by the four "major" vulnerabilities -- ones that I >have actually written an exploit for. Other related vulnerabilities are briefly >mentioned in the notes sections. > >Each text contains a short and a detailed description of the relevant issue, >source code of the exploit I have written for the issue, commentary on how the >exploit works, and a description of how we fixed the issue. While this should >hopefully be an interesting read for everyone, understanding some of the >details >requires some familiarity with the Mach and Hurd mechanisms involved. I've >tried >to briefly describe the necessary bits (as I understand them myself) in the >"Background" sections throughout the texts -- hopefully this will make it >easier >to understand. Please don't hesitate to ask me questions (while I can still >answer them)! > >I also hope that all this info should be enough to finally allocate official >CVEs for these vulnerabilities, if anyone is willing to go forward with that in >my absence. > >While all of the vulnerabilities described have been fixed, most of the fixes >are not yet in the main Hurd tree for legal reasons: namely, my FSF copyright >assignment process is still unfinished. All the out-of-tree patches with the >fixes can be found in the Debian repo [3]. > >[3]: https://salsa.debian.org/hurd-team/hurd/-/tree/master/debian/patches > >Our work on fixing these vulnerabilities required some large changes and >touches >most of the major Hurd components (now I can actually name them: glibc, GNU >Mach, libports, libpager, libfshelp, libshouldbeinlibc, lib*fs, proc server, >exec server, *fs, ...) -- and this was even more true of the previous designs >that we have considered (the final design ended up being the most compact one). >Still, it's kind of amazing _how little_ has changed: we managed to keep most >things working just as they were (with the notable exception of mremap ()). The >Hurd still looks and behaves like the Hurd, despite all the changes. > >Finally, I should note that there still are unfixed vulnerabilities in the >Hurd. >There's another "major" vulnerability that I have already written an exploit >for, but I can't publish the details since it's still unfixed. I won't be there >to see it fixed (assuming it will take less than a year to fix it -- which I >hope it will), but Samuel should have all the details. > >Let me know what you think! > >Sergey >
