On 1/7/26 at 22:27, nibletz wrote:
OpenBSD Security Hardening Suggestions
1. Introduction
The goal is to prevent exploitation of arbitrary read/write access bugs in
processes running on OpenBSD arm64 systems without PAC/BTI hardware support.
Current attack chains demonstrate that the following techniques can chain
together: memory corruption (CVE-2026-8461 PixelSmash), information leaks
(codec decoders), W^X bypass via file-backed RX mappings, MAP_STACK bypass via
stack pivoting, and ROP chain execution via pinsyscalls.
This document outlines hardening opportunities to block each stage of such
attacks. The following is not comprehensive but focuses on practical measures
that do not require fundamental architectural changes.
Scope note: CVE-2026-8461 (PixelSmash) is a vulnerability in FFmpeg's own
codebase, not in OpenBSD's kernel or base system source. OpenBSD's ports
tree carries FFmpeg largely as upstream code with packaging-level patches;
the decoder logic involved is not part of src.git and was not reviewed as
part of this document. References to PixelSmash below describe it only as
the entry-point vulnerability class used to motivate the surrounding
OpenBSD-side mitigations, not as something fixable in OpenBSD source.
Good idea, but very much AI-slop in this text.
--
*******************************************************
God's in his Heaven, all's right with the world
*******************************************************