Is there an RTC prejudice?

2017-10-16 Thread Chris H
While I haven't [yet] experienced this problem, a bug[1] just came in
on the amd64 list that is over a *year old*, and there are several
individuals involved, as well as several [freebsd] versions. So I
thought I'd raise the issue here, in case someone(tm) thinks they
know what's wrong / what to do.

1: https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=207677

--Chris


___
freebsd-current@freebsd.org mailing list
https://lists.freebsd.org/mailman/listinfo/freebsd-current
To unsubscribe, send any mail to "freebsd-current-unsubscr...@freebsd.org"


Re: pfind_locked(pid) fails when in a jail?

2017-10-16 Thread Rick Macklem
[stuff snipped]
> > >
> > pfind* does not do any filtering.
> >
Hmm, well, I have no idea why the jailed mounts end up looping in here then.

> > The real question though is why are you calling it in the first place. The
> > calls I grepped in nfscl_procdoesntexist are highly suspicious - there is no
> > guarantee the process you found here is the same you had at the time you
> > were saving the pid.
> >
Long long ago (about 2002) this code was written for OpenBSD2.6. I added
a call from the kernel exit() code to do this. When I ported it to FreeBSD
around 2005, I didn't find any way for a process exit notification to be done,
so I created the first version of this code. (This way of doing it was first
coded for Mac OS X 10.3, if I recall correctly.)

Since it does check that the time of process creation is the same, it doesn't
seem likely that it would find a different process (i.e. two processes with the
same pid that were created at the same time, within the clock resolution of
that creation time, seems highly unlikely in practice?).

> > There is no usable process exit notification right now, but it can be added
> > if necessary.
> >
If there was a way for the NFS client to register to get a notification that a
given process is terminating (exiting), that could certainly be used instead
of this code.

I wouldn't want a call for every exit(), but only the ones that have NFSv4 
opens.

>>
>> Does that mean there is something wrong with the existing eventhandler
>> notifications related to proc fork/exec/exit?
>>
>
>I already noted in the other mail that the current mechanism has
>avoidable global locking, lists traversals etc. But even with these
>issues fixed it calls everything for everyone.
>
>What's needed is a mechanism to register per-process callbacks. Details
>can be flamed over (e.g. should it require allocating a buffer per
>process or perhaps just one and then point to it from a resizable
>per-proc table when registered), but calling something which has nothing
>to do in almost all cases, and in a super inefficient way at that, is
>definitely something we need to start cleaning up.
Yes, I would agree, although it doesn't explain what this CPU hog case is
caused by.

Thanks for the comments and if you create/commit the above, let me know
and I'll change the NFS client code to use it (if your patch doesn't do that).

rick

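The (pid, creation time) comparison Rick describes above, as an added example in C that is not FreeBSD kernel code and not part of any message in this thread. It models pfind_locked() and the nfscl-style check against a constructed process table with a constructed clock, and shows the two cases discussed: a recycled pid after the clock has advanced, which the creation-time check catches, and a recycled pid within the same clock tick, which it cannot. All names, the table size and the tick values are assumptions made for the example.

```c
/* Added example, not FreeBSD kernel code: a user-space model of the check
 * Rick describes. The NFS client remembers the pid of a process that holds
 * NFSv4 opens or byte-range locks; later it calls pfind_locked(pid) and, if
 * a process with that pid exists, compares its creation time with the one
 * it saved. The process table, pids and clock below are all constructed. */
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define NPROCS 8

struct proc {
    int      pid;
    uint64_t start;   /* creation time in clock ticks, like p_stats->p_start */
    bool     alive;
};

struct ptable {
    struct proc p[NPROCS];
    uint64_t    now;  /* current clock tick */
};

/* identity the NFS client saves when it records an open/lock owner */
struct proc_ident {
    int      pid;
    uint64_t start;
};

/* pfind_locked() model: find a live process by pid, no jail filtering */
static struct proc *pfind(struct ptable *t, int pid)
{
    for (size_t i = 0; i < NPROCS; i++)
        if (t->p[i].alive && t->p[i].pid == pid)
            return &t->p[i];
    return NULL;
}

static struct proc_ident spawn(struct ptable *t, int pid)
{
    for (size_t i = 0; i < NPROCS; i++) {
        if (!t->p[i].alive) {
            t->p[i] = (struct proc){ .pid = pid, .start = t->now, .alive = true };
            return (struct proc_ident){ .pid = pid, .start = t->now };
        }
    }
    return (struct proc_ident){ .pid = -1, .start = 0 };  /* table full */
}

static void proc_exit(struct ptable *t, int pid)
{
    struct proc *p = pfind(t, pid);
    if (p != NULL)
        p->alive = false;
}

/* Naive check: pid alone. Wrong as soon as the pid is reused. */
static bool exists_by_pid(struct ptable *t, struct proc_ident id)
{
    return pfind(t, id.pid) != NULL;
}

/* nfscl_procdoesntexist()-style check: pid and creation time must both match. */
static bool exists_by_pid_and_start(struct ptable *t, struct proc_ident id)
{
    struct proc *p = pfind(t, id.pid);
    return p != NULL && p->start == id.start;
}

/* Process 100 exits and a new process gets pid 100 one tick later.
 * Returns true if the checker still believes the ORIGINAL process is alive. */
static bool reuse_after_tick(bool (*check)(struct ptable *, struct proc_ident))
{
    struct ptable t = { .now = 1000 };
    struct proc_ident saved = spawn(&t, 100);   /* original lock owner */
    proc_exit(&t, 100);
    t.now++;                                     /* clock advanced */
    spawn(&t, 100);                              /* pid recycled */
    return check(&t, saved);
}

/* Same, but the new process is created within the same clock tick: the
 * residual window Rick mentions, which the creation-time check cannot close. */
static bool reuse_same_tick(bool (*check)(struct ptable *, struct proc_ident))
{
    struct ptable t = { .now = 1000 };
    struct proc_ident saved = spawn(&t, 100);
    proc_exit(&t, 100);
    spawn(&t, 100);                              /* same tick, same start value */
    return check(&t, saved);
}

int main(void)
{
    printf("pid reuse, clock advanced:  pid-only=%d  pid+start=%d\n",
           reuse_after_tick(exists_by_pid), reuse_after_tick(exists_by_pid_and_start));
    printf("pid reuse, same tick:       pid-only=%d  pid+start=%d\n",
           reuse_same_tick(exists_by_pid), reuse_same_tick(exists_by_pid_and_start));
    return 0;
}
```

The first scenario is the one the creation-time comparison exists for; the second is why a per-process exit callback, as Mateusz suggests, is the only way to make the answer exact rather than probabilistic.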


Re: pfind_locked(pid) fails when in a jail?

2017-10-16 Thread Ian Lepore
On Tue, 2017-10-17 at 00:38 +0200, Mateusz Guzik wrote:
> On Tue, Oct 17, 2017 at 12:24 AM, Rick Macklem  wrote:
> 
> > 
> > Hi,
> > 
> > A problem w.r.t. the NFSv4 client's renew thread (nfscl) running up a lot
> > of CPU when the NFSv4 mount is in a jail has been reported to the
> > freebsd-stable@ mailing list.
> > 
> > I know nothing about jails, but when looking at the code, the most obvious
> > cause of this would be "pfind_locked(pid)" failing to find a process.
> > - Will a jail affect how pfind_locked() behaves?
> > - If the answer is "yes", then I need to know how to either...
> >    1 - Make pfind_locked() work the same as when no jail exists.
> >    OR
> >    2 - A way for the Renew thread to determine that a jail will affect
> >        pfind_locked() behaviour, so it can avoid this problem.
> > #1 is preferred, since #2 may not be 100% correct, although #2 would allow
> > the code to behave well for most cases. (The exception is a case where a
> > file remains open for a long period of time, with different processes
> > doing byte range locks on the file.)
> > 
> pfind* does not do any filtering.
> 
> The real question though is why are you calling it in the first place. The
> calls I grepped in nfscl_procdoesntexist are highly suspicious - there is no
> guarantee the process you found here is the same you had at the time you
> were saving the pid.
> 
> There is no usable process exit notification right now, but it can be added
> if necessary.
> 

Does that mean there is something wrong with the existing eventhandler
notifications related to proc fork/exec/exit?

-- Ian


Re: pfind_locked(pid) fails when in a jail?

2017-10-16 Thread Mateusz Guzik
On Tue, Oct 17, 2017 at 12:24 AM, Rick Macklem  wrote:

> Hi,
>
> A problem w.r.t. the NFSv4 client's renew thread (nfscl) running up a lot
> of CPU when the NFSv4 mount is in a jail has been reported to the
> freebsd-stable@ mailing list.
>
> I know nothing about jails, but when looking at the code, the most obvious
> cause of this would be "pfind_locked(pid)" failing to find a process.
> - Will a jail affect how pfind_locked() behaves?
> - If the answer is "yes", then I need to know how to either...
>    1 - Make pfind_locked() work the same as when no jail exists.
>    OR
>    2 - A way for the Renew thread to determine that a jail will affect
>        pfind_locked() behaviour, so it can avoid this problem.
> #1 is preferred, since #2 may not be 100% correct, although #2 would allow
> the code to behave well for most cases. (The exception is a case where a
> file remains open for a long period of time, with different processes
> doing byte range locks on the file.)
>

pfind* does not do any filtering.

The real question though is why are you calling it in the first place. The
calls I grepped in nfscl_procdoesntexist are highly suspicious - there is no
guarantee the process you found here is the same you had at the time you
were saving the pid.

There is no usable process exit notification right now, but it can be added
if necessary.

-- 
Mateusz Guzik 


RE: cve-2017-13077 - WPA2 security vulni

2017-10-16 Thread Cy Schubert
I'll test it when I get home tonight. The WiFi here at the tech park is open,
so I couldn't test here.

---
Sent using a tiny phone keyboard. Apologies for any typos and autocorrect.

Cy Schubert
 or 

-Original Message-
From: Franco Fichtner
Sent: 16/10/2017 13:34
To: Cy Schubert
Cc: Rodney W. Grimes; Kevin Oberman; Adrian Chadd; Lev Serebryakov; blubee 
blubeeme; Poul-Henning Kamp; FreeBSD current
Subject: Re: cve-2017-13077 - WPA2 security vulni


> On 16. Oct 2017, at 10:19 PM, Cy Schubert  wrote:
> 
> It doesn't, which is why I patched the port at lunch today. It's a quick win 
> with the time I had.

Thank you, much appreciated.  Will give it some testing.

> I think we should update base to 2.6 and apply the patches.

Sounds like a plan when the port gives no apparent issues.


Cheers,
Franco



pfind_locked(pid) fails when in a jail?

2017-10-16 Thread Rick Macklem
Hi,

A problem w.r.t. the NFSv4 client's renew thread (nfscl) running up a lot of CPU
when the NFSv4 mount is in a jail has been reported to the freebsd-stable@
mailing list.

I know nothing about jails, but when looking at the code, the most obvious
cause of this would be "pfind_locked(pid)" failing to find a process.
- Will a jail affect how pfind_locked() behaves?
- If the answer is "yes", then I need to know how to either...
   1 - Make pfind_locked() work the same as when no jail exists.
   OR
   2 - A way for the Renew thread to determine that a jail will affect
       pfind_locked() behaviour, so it can avoid this problem.
#1 is preferred, since #2 may not be 100% correct, although #2 would allow the
code to behave well for most cases. (The exception is a case where a file
remains open for a long period of time, with different processes doing byte
range locks on the file.)

Thanks in advance for any help w.r.t. jail behaviour, rick


Re: cve-2017-13077 - WPA2 security vulni

2017-10-16 Thread Franco Fichtner

> On 16. Oct 2017, at 10:19 PM, Cy Schubert  wrote:
> 
> It doesn't, which is why I patched the port at lunch today. It's a quick win 
> with the time I had.

Thank you, much appreciated.  Will give it some testing.

> I think we should update base to 2.6 and apply the patches.

Sounds like a plan when the port gives no apparent issues.


Cheers,
Franco


RE: cve-2017-13077 - WPA2 security vulni

2017-10-16 Thread Cy Schubert
It doesn't, which is why I patched the port at lunch today. It's a quick win 
with the time I had.

I think we should update base to 2.6 and apply the patches.

---
Sent using a tiny phone keyboard. Apologies for any typos and autocorrect.

Cy Schubert
 or 

-Original Message-
From: Franco Fichtner
Sent: 16/10/2017 11:57
To: Cy Schubert
Cc: Rodney W. Grimes; Kevin Oberman; Adrian Chadd; Lev Serebryakov; blubee 
blubeeme; Poul-Henning Kamp; FreeBSD current
Subject: Re: cve-2017-13077 - WPA2 security vulni


> On 16. Oct 2017, at 8:50 PM, Cy Schubert  wrote:
> 
> Eight patches have been posted, so it should be easy to patch 2.5, MFC, and 
> bring head up to 2.6 later. This should avoid the risk of possible 
> regressions.

Nope, does not apply easily.  Refactoring changed contexts, function names
and variable usage logic between 2.5 and 2.6.


Cheers,
Franco


Re: cve-2017-13077 - WPA2 security vulni

2017-10-16 Thread Cy Schubert
I'll commit the wpa_supplicant port now but I don't have enough time this 
lunch hour to create a vuxml entry or to update the hostapd port.

It may be simpler to update base to 2.6 to facilitate patching. What do 
people think?


-- 
Cheers,
Cy Schubert 
FreeBSD UNIX:     Web:  http://www.FreeBSD.org

The need of the many outweighs the greed of the few.


In message <201710161936.v9gjarlo072...@slippy.cwsent.com>, Cy Schubert 
writes:
> Looking at the wpa_supplicant port, it may be a quicker win than base at 
> the moment.
> 
> I don't have much of my lunch hour left to complete anything.
> 
> 
> -- 
> Cheers,
> Cy Schubert 
> FreeBSD UNIX:     Web:  http://www.FreeBSD.org
> 
>   The need of the many outweighs the greed of the few.
> 
> 
> In message 

Re: cve-2017-13077 - WPA2 security vulni

2017-10-16 Thread Rodney W. Grimes
> On Mon, Oct 16, 2017 at 8:55 AM, Adrian Chadd 
> wrote:
> 
> > hi,
> >
> > I got the patches a couple days ago. I've been busy with personal life
> > stuff so I haven't updated our in-tree hostapd/wpa_supplicant. If
> > someone beats me to it, great, otherwise I'll try to do it in the next
> > couple days.
> >
> > I was hoping (!) for a hostap/wpa_supplicant 2.7 update to just update
> > everything, but so far nope. It should be easy enough to update the
> > port for now as it's at 2.6.
> >
> >
> >
> > -adrian
> >
> >
> > On 16 October 2017 at 06:04, Cy Schubert  wrote:
> > > In message <44161b4d-f834-a01d-6ddb-475f20876...@freebsd.org>, Lev
> > Serebryakov
> > > writes:
> > >> On 16.10.2017 13:38, blubee blubeeme wrote:
> > >>
> > >> > well, that's a cluster if I've ever seen one.
> > >>  It is really a cluster: CVE-2017-13077, CVE-2017-13078, CVE-2017-13079,
> > >> CVE-2017-13080, CVE-2017-13081, CVE-2017-13082, CVE-2017-13084,
> > >> CVE-2017-13086,CVE-2017-13087, CVE-2017-13088.
> > >
> > > The gory details are here: https://w1.fi/security/2017-1/
> > wpa-packet-number-reuse-with-replayed-messages.txt
> > >
> > > The announcement is here:
> > > https://www.krackattacks.com/
> > >
> > >
> > > --
> > > Cheers,
> > > Cy Schubert 
> > > FreeBSD UNIX:     Web:  http://www.FreeBSD.org
> > >
> > > The need of the many outweighs the greed of the few.
> > >
> >
> 
> While I do not encourage waiting, it is quite likely that the upstream
> patch will show up very soon now that the vulnerability is public.
> 
> It's also worth noting that fixing either end of the connection is all that
> is required, as I understand it. So getting an update for your AP is not
> required. That is very fortunate as the industry has a rather poor record
> of getting out firmware updates for hardware more than a few months old.
> Also, it appears that Windows and iOS are not vulnerable due to flaws in
> their implementation of the WPA2 spec. (Of course, if you update your
> AP(s), you no longer need to worry about your end devices.
  ^^
From my reading of the attack it is the client side that must
be fixed, you can not mitigate the client side bug by an update
to the AP.

> --
> Kevin Oberman, Part time kid herder and retired Network Engineer
> E-mail: rkober...@gmail.com
> PGP Fingerprint: D03FB98AFA78E3B78C1694B318AB39EF1B055683
> 

-- 
Rod Grimes rgri...@freebsd.org


Re: cve-2017-13077 - WPA2 security vulni

2017-10-16 Thread Cy Schubert
Looking at the wpa_supplicant port, it may be a quicker win than base at 
the moment.

I don't have much of my lunch hour left to complete anything.


-- 
Cheers,
Cy Schubert 
FreeBSD UNIX:     Web:  http://www.FreeBSD.org

The need of the many outweighs the greed of the few.


In message 

Re: cve-2017-13077 - WPA2 security vulni

2017-10-16 Thread Franco Fichtner

> On 16. Oct 2017, at 8:50 PM, Cy Schubert  wrote:
> 
> Eight patches have been posted, so it should be easy to patch 2.5, MFC, and 
> bring head up to 2.6 later. This should avoid the risk of possible 
> regressions.

Nope, does not apply easily.  Refactoring changed contexts, function names
and variable usage logic between 2.5 and 2.6.


Cheers,
Franco


RE: cve-2017-13077 - WPA2 security vulni

2017-10-16 Thread Cy Schubert
Eight patches have been posted, so it should be easy to patch 2.5, MFC, and 
bring head up to 2.6 later. This should avoid the risk of possible regressions.

I haven't looked at the ports.

---
Sent using a tiny phone keyboard. Apologies for any typos and autocorrect.

Cy Schubert
 or 

-Original Message-
From: Rodney W. Grimes
Sent: 16/10/2017 11:14
To: Kevin Oberman
Cc: Adrian Chadd; Cy Schubert; Lev Serebryakov; blubee blubeeme; Poul-Henning 
Kamp; FreeBSD current
Subject: Re: cve-2017-13077 - WPA2 security vulni

> On Mon, Oct 16, 2017 at 8:55 AM, Adrian Chadd 
> wrote:
> 
> > hi,
> >
> > I got the patches a couple days ago. I've been busy with personal life
> > stuff so I haven't updated our in-tree hostapd/wpa_supplicant. If
> > someone beats me to it, great, otherwise I'll try to do it in the next
> > couple days.
> >
> > I was hoping (!) for a hostap/wpa_supplicant 2.7 update to just update
> > everything, but so far nope. It should be easy enough to update the
> > port for now as it's at 2.6.
> >
> >
> >
> > -adrian
> >
> >
> > On 16 October 2017 at 06:04, Cy Schubert  wrote:
> > > In message <44161b4d-f834-a01d-6ddb-475f20876...@freebsd.org>, Lev
> > Serebryakov
> > > writes:
> > >> On 16.10.2017 13:38, blubee blubeeme wrote:
> > >>
> > >> > well, that's a cluster if I've ever seen one.
> > >>  It is really a cluster: CVE-2017-13077, CVE-2017-13078, CVE-2017-13079,
> > >> CVE-2017-13080, CVE-2017-13081, CVE-2017-13082, CVE-2017-13084,
> > >> CVE-2017-13086,CVE-2017-13087, CVE-2017-13088.
> > >
> > > The gory details are here: https://w1.fi/security/2017-1/
> > wpa-packet-number-reuse-with-replayed-messages.txt
> > >
> > > The announcement is here:
> > > https://www.krackattacks.com/
> > >
> > >
> > > --
> > > Cheers,
> > > Cy Schubert 
> > > FreeBSD UNIX:     Web:  http://www.FreeBSD.org
> > >
> > > The need of the many outweighs the greed of the few.
> > >
> >
> 
> While I do not encourage waiting, it is quite likely that the upstream
> patch will show up very soon now that the vulnerability is public.
> 
> It's also worth noting that fixing either end of the connection is all that
> is required, as I understand it. So getting an update for your AP is not
> required. That is very fortunate as the industry has a rather poor record
> of getting out firmware updates for hardware more than a few months old.
> Also, it appears that Windows and iOS are not vulnerable due to flaws in
> their implementation of the WPA2 spec. (Of course, if you update your
> AP(s), you no longer need to worry about your end devices.
  ^^
From my reading of the attack it is the client side that must
be fixed, you can not mitigate the client side bug by an update
to the AP.

> --
> Kevin Oberman, Part time kid herder and retired Network Engineer
> E-mail: rkober...@gmail.com
> PGP Fingerprint: D03FB98AFA78E3B78C1694B318AB39EF1B055683
> 

-- 
Rod Grimes rgri...@freebsd.org



Re: cve-2017-13077 - WPA2 security vulni

2017-10-16 Thread Oliver Pinter
Hi Adrian!

How big an effort is it to update the in-tree wpa_supplicant/hostapd to the
latest supported version?
Is there any known regression / feature loss when doing the upgrade?

On 10/16/17, Adrian Chadd  wrote:
> Right, there are backported patches against 2.6, but we're running 2.5
> in contrib/ .
>
> This is all "I'm out of time right now", so if someone wants to do the
> ports work and/or the contrib work with the patches for this vuln then
> please do. I should be able to get to it in the next few days but I'm
> busy with family and employment.
>
>
>
> -adrian
>
>
> On 16 October 2017 at 10:19, Kevin Oberman  wrote:
>> On Mon, Oct 16, 2017 at 8:55 AM, Adrian Chadd 
>> wrote:
>>>
>>> hi,
>>>
>>> I got the patches a couple days ago. I've been busy with personal life
>>> stuff so I haven't updated our in-tree hostapd/wpa_supplicant. If
>>> someone beats me to it, great, otherwise I'll try to do it in the next
>>> couple days.
>>>
>>> I was hoping (!) for a hostap/wpa_supplicant 2.7 update to just update
>>> everything, but so far nope. It should be easy enough to update the
>>> port for now as it's at 2.6.
>>>
>>>
>>>
>>> -adrian
>>>
>>>
>>> On 16 October 2017 at 06:04, Cy Schubert 
>>> wrote:
>>> > In message <44161b4d-f834-a01d-6ddb-475f20876...@freebsd.org>, Lev
>>> > Serebryakov
>>> > writes:
>>> >> On 16.10.2017 13:38, blubee blubeeme wrote:
>>> >>
>>> >> > well, that's a cluster if I've ever seen one.
>>> >>  It is really a cluster: CVE-2017-13077, CVE-2017-13078,
>>> >> CVE-2017-13079,
>>> >> CVE-2017-13080, CVE-2017-13081, CVE-2017-13082, CVE-2017-13084,
>>> >> CVE-2017-13086,CVE-2017-13087, CVE-2017-13088.
>>> >
>>> > The gory details are here:
>>> > https://w1.fi/security/2017-1/wpa-packet-number-reuse-with-replayed-messages.txt
>>> >
>>> > The announcement is here:
>>> > https://www.krackattacks.com/
>>> >
>>> >
>>> > --
>>> > Cheers,
>>> > Cy Schubert 
>>> > FreeBSD UNIX:     Web:  http://www.FreeBSD.org
>>> >
>>> > The need of the many outweighs the greed of the few.
>>> >
>>
>>
>> While I do not encourage waiting, it is quite likely that the upstream
>> patch will show up very soon now that the vulnerability is public.
>>
>> It's also worth noting that fixing either end of the connection is all
>> that is required, as I understand it. So getting an update for your AP is
>> not required. That is very fortunate as the industry has a rather poor
>> record of getting out firmware updates for hardware more than a few months
>> old. Also, it appears that Windows and iOS are not vulnerable due to flaws
>> in their implementation of the WPA2 spec. (Of course, if you update your
>> AP(s), you no longer need to worry about your end devices.
>> --
>> Kevin Oberman, Part time kid herder and retired Network Engineer
>> E-mail: rkober...@gmail.com
>> PGP Fingerprint: D03FB98AFA78E3B78C1694B318AB39EF1B055683
>


Re: cve-2017-13077 - WPA2 security vulni

2017-10-16 Thread Adrian Chadd
Right, there are backported patches against 2.6, but we're running 2.5
in contrib/ .

This is all "I'm out of time right now", so if someone wants to do the
ports work and/or the contrib work with the patches for this vuln then
please do. I should be able to get to it in the next few days but I'm
busy with family and employment.



-adrian


On 16 October 2017 at 10:19, Kevin Oberman  wrote:
> On Mon, Oct 16, 2017 at 8:55 AM, Adrian Chadd 
> wrote:
>>
>> hi,
>>
>> I got the patches a couple days ago. I've been busy with personal life
>> stuff so I haven't updated our in-tree hostapd/wpa_supplicant. If
>> someone beats me to it, great, otherwise I'll try to do it in the next
>> couple days.
>>
>> I was hoping (!) for a hostap/wpa_supplicant 2.7 update to just update
>> everything, but so far nope. It should be easy enough to update the
>> port for now as it's at 2.6.
>>
>>
>>
>> -adrian
>>
>>
>> On 16 October 2017 at 06:04, Cy Schubert  wrote:
>> > In message <44161b4d-f834-a01d-6ddb-475f20876...@freebsd.org>, Lev
>> > Serebryakov
>> > writes:
>> >> On 16.10.2017 13:38, blubee blubeeme wrote:
>> >>
>> >> > well, that's a cluster if I've ever seen one.
>> >>  It is really a cluster: CVE-2017-13077, CVE-2017-13078, CVE-2017-13079,
>> >> CVE-2017-13080, CVE-2017-13081, CVE-2017-13082, CVE-2017-13084,
>> >> CVE-2017-13086,CVE-2017-13087, CVE-2017-13088.
>> >
>> > The gory details are here:
>> > https://w1.fi/security/2017-1/wpa-packet-number-reuse-with-replayed-messages.txt
>> >
>> > The announcement is here:
>> > https://www.krackattacks.com/
>> >
>> >
>> > --
>> > Cheers,
>> > Cy Schubert 
>> > FreeBSD UNIX:     Web:  http://www.FreeBSD.org
>> >
>> > The need of the many outweighs the greed of the few.
>> >
>
>
> While I do not encourage waiting, it is quite likely that the upstream patch
> will show up very soon now that the vulnerability is public.
>
> It's also worth noting that fixing either end of the connection is all that
> is required, as I understand it. So getting an update for your AP is not
> required. That is very fortunate as the industry has a rather poor record of
> getting out firmware updates for hardware more than a few months old. Also,
> it appears that Windows and iOS are not vulnerable due to flaws in their
> implementation of the WPA2 spec. (Of course, if you update your AP(s), you
> no longer need to worry about your end devices.
> --
> Kevin Oberman, Part time kid herder and retired Network Engineer
> E-mail: rkober...@gmail.com
> PGP Fingerprint: D03FB98AFA78E3B78C1694B318AB39EF1B055683


Re: cve-2017-13077 - WPA2 security vulni

2017-10-16 Thread Kevin Oberman
On Mon, Oct 16, 2017 at 8:55 AM, Adrian Chadd 
wrote:

> hi,
>
> I got the patches a couple days ago. I've been busy with personal life
> stuff so I haven't updated our in-tree hostapd/wpa_supplicant. If
> someone beats me to it, great, otherwise I'll try to do it in the next
> couple days.
>
> I was hoping (!) for a hostap/wpa_supplicant 2.7 update to just update
> everything, but so far nope. It should be easy enough to update the
> port for now as it's at 2.6.
>
>
>
> -adrian
>
>
> On 16 October 2017 at 06:04, Cy Schubert  wrote:
> > In message <44161b4d-f834-a01d-6ddb-475f20876...@freebsd.org>, Lev
> Serebryakov
> > writes:
> >> On 16.10.2017 13:38, blubee blubeeme wrote:
> >>
> >> > well, that's a cluster if I've ever seen one.
> >>  It is really a cluster: CVE-2017-13077, CVE-2017-13078, CVE-2017-13079,
> >> CVE-2017-13080, CVE-2017-13081, CVE-2017-13082, CVE-2017-13084,
> >> CVE-2017-13086,CVE-2017-13087, CVE-2017-13088.
> >
> > The gory details are here: https://w1.fi/security/2017-1/
> wpa-packet-number-reuse-with-replayed-messages.txt
> >
> > The announcement is here:
> > https://www.krackattacks.com/
> >
> >
> > --
> > Cheers,
> > Cy Schubert 
> > FreeBSD UNIX:     Web:  http://www.FreeBSD.org
> >
> > The need of the many outweighs the greed of the few.
> >
>

While I do not encourage waiting, it is quite likely that the upstream
patch will show up very soon now that the vulnerability is public.

It's also worth noting that fixing either end of the connection is all that
is required, as I understand it. So getting an update for your AP is not
required. That is very fortunate as the industry has a rather poor record
of getting out firmware updates for hardware more than a few months old.
Also, it appears that Windows and iOS are not vulnerable due to flaws in
their implementation of the WPA2 spec. (Of course, if you update your
AP(s), you no longer need to worry about your end devices.
--
Kevin Oberman, Part time kid herder and retired Network Engineer
E-mail: rkober...@gmail.com
PGP Fingerprint: D03FB98AFA78E3B78C1694B318AB39EF1B055683


Re: cve-2017-13077 - WPA2 security vulni

2017-10-16 Thread Adrian Chadd
hi,

I got the patches a couple days ago. I've been busy with personal life
stuff so I haven't updated our in-tree hostapd/wpa_supplicant. If
someone beats me to it, great, otherwise I'll try to do it in the next
couple days.

I was hoping (!) for a hostap/wpa_supplicant 2.7 update to just update
everything, but so far nope. It should be easy enough to update the
port for now as it's at 2.6.



-adrian


On 16 October 2017 at 06:04, Cy Schubert  wrote:
> In message <44161b4d-f834-a01d-6ddb-475f20876...@freebsd.org>, Lev Serebryakov
> writes:
>> On 16.10.2017 13:38, blubee blubeeme wrote:
>>
>> > well, that's a cluster if I've ever seen one.
>>  It is really a cluster: CVE-2017-13077, CVE-2017-13078, CVE-2017-13079,
>> CVE-2017-13080, CVE-2017-13081, CVE-2017-13082, CVE-2017-13084,
>> CVE-2017-13086,CVE-2017-13087, CVE-2017-13088.
>
> The gory details are here: 
> https://w1.fi/security/2017-1/wpa-packet-number-reuse-with-replayed-messages.txt
>
> The announcement is here:
> https://www.krackattacks.com/
>
>
> --
> Cheers,
> Cy Schubert 
> FreeBSD UNIX:     Web:  http://www.FreeBSD.org
>
> The need of the many outweighs the greed of the few.
>
>


Re: cve-2017-13077 - WPA2 security vulni

2017-10-16 Thread Cy Schubert
In message <44161b4d-f834-a01d-6ddb-475f20876...@freebsd.org>, Lev Serebryakov 
writes:
> On 16.10.2017 13:38, blubee blubeeme wrote:
> 
> > well, that's a cluster if I've ever seen one.
>  It is really a cluster: CVE-2017-13077, CVE-2017-13078, CVE-2017-13079,
> CVE-2017-13080, CVE-2017-13081, CVE-2017-13082, CVE-2017-13084,
> CVE-2017-13086,CVE-2017-13087, CVE-2017-13088.

The gory details are here: 
https://w1.fi/security/2017-1/wpa-packet-number-reuse-with-replayed-messages.txt

The announcement is here:
https://www.krackattacks.com/


-- 
Cheers,
Cy Schubert 
FreeBSD UNIX:     Web:  http://www.FreeBSD.org

The need of the many outweighs the greed of the few.




Re: cve-2017-13077 - WPA2 security vulni

2017-10-16 Thread Cy Schubert
In message <21896d6e-75be-3376-bc32-9d911227d...@freebsd.org>, Stefan Esser 
writes:
> Am 16.10.17 um 12:38 schrieb blubee blubeeme:
> > well, that's a cluster if I've ever seen one.
> > 
> > On Mon, Oct 16, 2017 at 6:35 PM, Poul-Henning Kamp 
> > wrote:
> > 
> >> 
> >> In message  >> gmail.com>
> >> , blubee blubeeme writes:
> >>
> >>> Does anyone on FreeBSD know if it's affected by this?
> >>> https://cve.mitre.org/cgi-bin/cvename.cgi?name=2017-13077
> >>
> >> It is, same as Linux, we use the same wpa_supplicant software
> 
> The attached patch includes the official patch applied by the WPA
> developers in   https://w1.fi/cgit/hostap/commit/?id=a00e946   but
> for our version of wpa_supplicant in /usr/src/contrib.
> 
> Regards, STefan
> Index: contrib/wpa/src/rsn_supp/wpa.c
> ===
> --- contrib/wpa/src/rsn_supp/wpa.c(Revision 324638)
> +++ contrib/wpa/src/rsn_supp/wpa.c(Arbeitskopie)
> @@ -1534,6 +1534,14 @@
>   sm->ptk_set = 1;
>   os_memcpy(>ptk, >tptk, sizeof(sm->ptk));
>   os_memset(>tptk, 0, sizeof(sm->tptk));
> + /*
> +  * This assures the same TPTK in sm->tptk can never be
> +  * copied twice to sm->pkt as the new PTK. In
> +  * combination with the installed flag in the wpa_ptk
> +  * struct, this assures the same PTK is only installed
> +  * once.
> +  */
> + sm->renew_snonce = 1;
>   }
>   }
>  
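Review bot: the comment added in this hunk says the TPTK "can never be copied twice to sm->pkt", but the field that receives the copy two lines above is sm->ptk, so the comment should name sm->ptk. More importantly, the comment relies on "the installed flag in the wpa_ptk struct", and this hunk adds only `sm->renew_snonce = 1;`: the backport is only complete if the rest of upstream a00e946 (the `installed` member of struct wpa_ptk and the check that refuses to re-install an already installed PTK) is carried across too, otherwise a retransmitted message 3 still reaches the driver's set_key path. Also note that the quoted `os_memcpy(>ptk, >tptk, ...)` and `os_memset(>tptk, ...)` lines have lost the `&sm-` part of their arguments somewhere in transit; the patch should be taken from the attachment rather than from this quoted copy.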
> 


We should also patch the wpa_supplicant and hostapd ports. Also remove peerkey 
functionality: 
http://w1.fi/cgit/hostap/commit/?id=e760851176c77ae6de19821bb1d5bf3ae2cb5187

Looks like hostapd is also affected. Simple for us, not so simple if you've 
purchased a commodity wireless router. I doubt most of the vendors will do 
anything.

There are over a dozen (excluding tests and debugging outputs, 16 by my count) 
commits our upstream have applied to hostapd and wpa_supplicant.

Rather than commit a blob, we should a) mirror their commits which can be MFCed 
to stable and b) then update head and ports to the latest upstream. B could be 
MFCed at a later date.


-- 
Cheers,
Cy Schubert 
FreeBSD UNIX:     Web:  http://www.FreeBSD.org

The need of the many outweighs the greed of the few.




Re: cve-2017-13077 - WPA2 security vulni

2017-10-16 Thread Lev Serebryakov
On 16.10.2017 13:38, blubee blubeeme wrote:

> well, that's a cluster if I ever saw one.  
 It is really a cluster: CVE-2017-13077, CVE-2017-13078, CVE-2017-13079,
CVE-2017-13080, CVE-2017-13081, CVE-2017-13082, CVE-2017-13084,
CVE-2017-13086, CVE-2017-13087, CVE-2017-13088.

-- 
// Lev Serebryakov


Re: cve-2017-13077 - WPA2 security vulni

2017-10-16 Thread blubee blubeeme
This is awesome, thanks!

On Mon, Oct 16, 2017, 19:19 Stefan Esser  wrote:

> Am 16.10.17 um 12:38 schrieb blubee blubeeme:
> > well, that's a cluster if I ever saw one.
> >
> > On Mon, Oct 16, 2017 at 6:35 PM, Poul-Henning Kamp 
> > wrote:
> >
> >> 
> >> In message  >> gmail.com>
> >> , blubee blubeeme writes:
> >>
> >>> Does anyone on FreeBSD know if it's affected by this?
> >>> https://cve.mitre.org/cgi-bin/cvename.cgi?name=2017-13077
> >>
> >> It is, same as Linux, we use the same wpa_supplicant software
>
> The attached patch includes the official patch applied by the WPA
> developers in   https://w1.fi/cgit/hostap/commit/?id=a00e946   but
> for our version of wpa_supplicant in /usr/src/contrib.
>
> Regards, STefan


Re: cve-2017-13077 - WPA2 security vulni

2017-10-16 Thread Stefan Esser
Am 16.10.17 um 12:38 schrieb blubee blubeeme:
> well, that's a cluster if I ever saw one.
> 
> On Mon, Oct 16, 2017 at 6:35 PM, Poul-Henning Kamp 
> wrote:
> 
>> 
>> In message > gmail.com>
>> , blubee blubeeme writes:
>>
>>> Does anyone on FreeBSD know if it's affected by this?
>>> https://cve.mitre.org/cgi-bin/cvename.cgi?name=2017-13077
>>
>> It is, same as Linux, we use the same wpa_supplicant software

The attached patch includes the official patch applied by the WPA
developers in   https://w1.fi/cgit/hostap/commit/?id=a00e946   but
for our version of wpa_supplicant in /usr/src/contrib.

Regards, STefan
Index: contrib/wpa/src/rsn_supp/wpa.c
===
--- contrib/wpa/src/rsn_supp/wpa.c  (Revision 324638)
+++ contrib/wpa/src/rsn_supp/wpa.c  (Arbeitskopie)
@@ -1534,6 +1534,14 @@
sm->ptk_set = 1;
os_memcpy(>ptk, >tptk, sizeof(sm->ptk));
os_memset(>tptk, 0, sizeof(sm->tptk));
+   /*
+* This assures the same TPTK in sm->tptk can never be
+* copied twice to sm->pkt as the new PTK. In
+* combination with the installed flag in the wpa_ptk
+* struct, this assures the same PTK is only installed
+* once.
+*/
+   sm->renew_snonce = 1;
}
}
 
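Review bot: the comment added above `sm->renew_snonce = 1;` says the guard works "in combination with the installed flag in the wpa_ptk struct", but nothing in this hunk adds such a flag to the struct or checks it where the PTK is installed, so on its own the hunk only sets `renew_snonce` for the next handshake; please confirm the rest of the upstream a00e946 change (the `installed` flag and the check that refuses to install an already-installed PTK) is part of the attached patch, otherwise the same PTK could still be installed more than once, which is exactly what the comment claims to rule out. Two smaller points: `sm->pkt` in the comment should read `sm->ptk`, and the context lines as pasted here (`os_memcpy(>ptk, >tptk, sizeof(sm->ptk));` and the `os_memset` below it) have lost the `&sm` from the address arguments, so the patch as it appears in the archive will not apply cleanly; the committed version must carry the original `&sm->ptk` / `&sm->tptk`.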

Re: cve-2017-13077 - WPA2 security vulni

2017-10-16 Thread blubee blubeeme
well, that's a cluster if I ever saw one.

On Mon, Oct 16, 2017 at 6:35 PM, Poul-Henning Kamp 
wrote:

> 
> In message  gmail.com>
> , blubee blubeeme writes:
>
> >Does anyone on FreeBSD know if it's affected by this?
> >https://cve.mitre.org/cgi-bin/cvename.cgi?name=2017-13077
>
> It is, same as Linux, we use the same wpa_supplicant software
>
> --
> Poul-Henning Kamp   | UNIX since Zilog Zeus 3.20
> p...@freebsd.org | TCP/IP since RFC 956
> FreeBSD committer   | BSD since 4.3-tahoe
> Never attribute to malice what can adequately be explained by incompetence.
>


Re: cve-2017-13077 - WPA2 security vulni

2017-10-16 Thread Poul-Henning Kamp

In message 
, blubee blubeeme writes:

>Does anyone on FreeBSD know if it's affected by this?
>https://cve.mitre.org/cgi-bin/cvename.cgi?name=2017-13077

It is, same as Linux, we use the same wpa_supplicant software

-- 
Poul-Henning Kamp   | UNIX since Zilog Zeus 3.20
p...@freebsd.org | TCP/IP since RFC 956
FreeBSD committer   | BSD since 4.3-tahoe
Never attribute to malice what can adequately be explained by incompetence.


cve-2017-13077 - WPA2 security vulni

2017-10-16 Thread blubee blubeeme
Does anyone on FreeBSD know if it's affected by this?
https://cve.mitre.org/cgi-bin/cvename.cgi?name=2017-13077