
jo_bruelltuete.com (Johannes Totz)
Animal

Projects

User does not belong to any projects.

User Details

User Since
Feb 11 2021, 9:59 PM (32 w, 4 d)

Recent Activity

Sun, Sep 19

jo_bruelltuete.com added inline comments to D31722: ggatec: dynamic buffers.
Sun, Sep 19, 2:14 AM
jo_bruelltuete.com updated the diff for D31722: ggatec: dynamic buffers.
Sun, Sep 19, 2:12 AM
jo_bruelltuete.com added inline comments to D31722: ggatec: dynamic buffers.
Sun, Sep 19, 1:21 AM

Sun, Sep 12

jo_bruelltuete.com added inline comments to D31722: ggatec: dynamic buffers.
Sun, Sep 12, 6:16 PM
jo_bruelltuete.com added a comment to D31727: geom_gate: ensure readprov is null-terminated.

I wonder if this wants some abstraction in the form of a function rather than chasing every str*cpy...?

Sun, Sep 12, 6:09 PM

Sat, Sep 4

jo_bruelltuete.com updated the diff for D31722: ggatec: dynamic buffers.

Handle oversized write buffer coming from zfs

Sat, Sep 4, 1:50 AM

Fri, Sep 3

jo_bruelltuete.com added inline comments to D31722: ggatec: dynamic buffers.
Fri, Sep 3, 11:43 PM

Wed, Sep 1

jo_bruelltuete.com added inline comments to D31727: geom_gate: ensure readprov is null-terminated.
Wed, Sep 1, 11:51 PM

Mon, Aug 30

jo_bruelltuete.com added inline comments to D31727: geom_gate: ensure readprov is null-terminated.
Mon, Aug 30, 5:43 PM
jo_bruelltuete.com updated the diff for D31727: geom_gate: ensure readprov is null-terminated.

Try to avoid out-of-bounds reads that can happen with other str*cpy functions.

Mon, Aug 30, 5:41 PM
jo_bruelltuete.com added a comment to D31727: geom_gate: ensure readprov is null-terminated.

My preferred fix would be to make all string buffers in https://github.com/freebsd/freebsd-src/blob/main/sys/geom/gate/g_gate.h#L118 NAME_MAX+1 and enforce the last byte to be the null terminator.
But that'd be an ioctl interface change and an ABI change? Frowned upon?
Also this mainly affects hastd, which I cannot test at the moment.

Mon, Aug 30, 3:25 PM
jo_bruelltuete.com added inline comments to D31727: geom_gate: ensure readprov is null-terminated.
Mon, Aug 30, 3:22 PM
jo_bruelltuete.com added a reviewer for D31727: geom_gate: ensure readprov is null-terminated: philip.
Mon, Aug 30, 1:59 PM
jo_bruelltuete.com updated the summary of D31727: geom_gate: ensure readprov is null-terminated.
Mon, Aug 30, 1:57 PM
jo_bruelltuete.com added inline comments to D31727: geom_gate: ensure readprov is null-terminated.
Mon, Aug 30, 1:54 PM
jo_bruelltuete.com requested review of D31727: geom_gate: ensure readprov is null-terminated.
Mon, Aug 30, 1:48 PM
jo_bruelltuete.com updated jo_bruelltuete.com.
Mon, Aug 30, 1:46 PM
jo_bruelltuete.com added reviewers for D31722: ggatec: dynamic buffers: asomers, peterj.
Mon, Aug 30, 1:25 AM
jo_bruelltuete.com added inline comments to D31722: ggatec: dynamic buffers.
Mon, Aug 30, 1:25 AM
jo_bruelltuete.com added a comment to D31318: Fix ggatec request handling.

follow up in https://reviews.freebsd.org/D31722

Mon, Aug 30, 1:23 AM
jo_bruelltuete.com requested review of D31722: ggatec: dynamic buffers.
Mon, Aug 30, 1:22 AM

Aug 29 2021

jo_bruelltuete.com added reviewers for D31709: Add ggated rc script: peterj, asomers.
Aug 29 2021, 1:30 AM
jo_bruelltuete.com updated jo_bruelltuete.com.
Aug 29 2021, 1:23 AM
jo_bruelltuete.com updated jo_bruelltuete.com.
Aug 29 2021, 1:21 AM
jo_bruelltuete.com updated jo_bruelltuete.com.
Aug 29 2021, 1:20 AM
jo_bruelltuete.com updated the diff for D31709: Add ggated rc script.
Aug 29 2021, 1:18 AM
jo_bruelltuete.com requested review of D31709: Add ggated rc script.
Aug 29 2021, 1:15 AM

Aug 27 2021

jo_bruelltuete.com updated the diff for D31318: Fix ggatec request handling.

Add test for ggatec to check handling of non-read/write request (e.g. trim).

Aug 27 2021, 7:31 PM

Aug 25 2021

jo_bruelltuete.com added a comment to D31318: Fix ggatec request handling.

There's a rebase in https://github.com/bruelltuete/freebsd-src/commit/999394f2930d341b422a5421ff931dfb024eefc7, if that's easy to use (as a patch).
I don't actually know how to commit anything to src; never done that before.
Do you commit via Phabricator, like click a button here in the UI somewhere? Does the patch in this review need to be updated?

Aug 25 2021, 9:10 PM
jo_bruelltuete.com added a comment to D31318: Fix ggatec request handling.

The security patch has landed. Do we still want the tests?

Aug 25 2021, 8:29 PM

Aug 4 2021

jo_bruelltuete.com added a comment to D31318: Fix ggatec request handling.

Thanks for review and comments, everyone!

Aug 4 2021, 12:32 AM

Aug 1 2021

jo_bruelltuete.com added inline comments to D31318: Fix ggatec request handling.
Aug 1 2021, 5:27 PM
jo_bruelltuete.com added a comment to D31318: Fix ggatec request handling.

I'm still on 12-stable with all my machines, and will not be able to upgrade for a few more months...

Aug 1 2021, 5:26 PM
jo_bruelltuete.com added a comment to D31318: Fix ggatec request handling.

Yeah lots of stuff broken here. We can fix it all in a later patch. For now I really want to plug that remote code execution hole.

Aug 1 2021, 2:50 PM
jo_bruelltuete.com updated the diff for D31318: Fix ggatec request handling.

add test

Aug 1 2021, 1:51 AM

Jul 29 2021

jo_bruelltuete.com updated the diff for D31318: Fix ggatec request handling.

change size check and fix typo

Jul 29 2021, 7:42 PM

Jul 28 2021

jo_bruelltuete.com added a comment to D31318: Fix ggatec request handling.

Maybe found another problem, this time with the ggate kernel module. I'm pretty unsure about some details, esp. around ioctl, but here goes:
I think it's possible to craft an ioctl with ggate to exfiltrate kernel memory.

  1. Right now ggatec sends commands (and receives them) by sending an ioctl to the ggctl device. It passes a pointer to a structure that matches on the kernel side. Notice that the ioctl does not have a size parameter, so it cannot copyin the data. Instead the ggate ioctl handler receives the corresponding user-mode address as a direct-map address, https://github.com/freebsd/freebsd-src/blob/main/sys/geom/gate/g_gate.c#L736; this can be seen by setting kern.geom.gate.debug=4.
  2. Let's say we are doing a G_GATE_CMD_CREATE. https://github.com/freebsd/freebsd-src/blob/main/sys/geom/gate/g_gate.c#L465. The ioctl structure has strings as arrays embedded, https://github.com/freebsd/freebsd-src/blob/main/sys/geom/gate/g_gate.h#L120.
  3. By filling the gctl_readprov member with garbage and not null-terminating it we can trigger a printf of its contents: https://github.com/freebsd/freebsd-src/blob/main/sys/geom/gate/g_gate.c#L553. So far this is only our own data.
  4. But we can position this structure at the end of a page and fill the remaining members with non-zeros. The following G_GATE_DEBUG will leak the contents of the next physical page into the system console.
  5. That next physical page can be from a different process! The address passed in to the ioctl handler is from the direct map.

Does that sound about right?

A quick fix would be to check that gctl_readprov is null-terminated.

Jul 28 2021, 7:44 PM
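The quick fix proposed in the comment above (check that the embedded string is null-terminated before printing it), done as the single helper that the later D31727 comment asks for instead of chasing every str*cpy. This is an added example, not code from the page or from FreeBSD: the `struct gate_req` layout, the `GATE_NAME_LEN` size and the function names are assumptions standing in for the real ioctl structure in sys/geom/gate/g_gate.h, and the sample requests are constructed here.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Constructed stand-in for the ggate ioctl request: fixed-size char arrays
 * copied in from user space. Sizes and names are assumptions for this example;
 * the real structure lives in sys/geom/gate/g_gate.h. */
#define GATE_NAME_LEN 16

struct gate_req {
	char readprov[GATE_NAME_LEN];
	char info[GATE_NAME_LEN];
};

/* One helper instead of chasing every str*cpy: report whether the array holds a
 * NUL within its declared length. memchr() is bounded by len, so the check
 * itself never reads past the array. */
static int
field_is_terminated(const char *buf, size_t len)
{
	return (memchr(buf, '\0', len) != NULL);
}

/* Validate all embedded strings before any %s / strlen() / strcpy() touches
 * them. Returns 0 on success, -1 if a field is unterminated (the kernel-side
 * equivalent would return EINVAL and refuse the request). */
static int
gate_req_validate(const struct gate_req *req)
{
	if (!field_is_terminated(req->readprov, sizeof(req->readprov)))
		return (-1);
	if (!field_is_terminated(req->info, sizeof(req->info)))
		return (-1);
	return (0);
}

/* Bounded debug formatting: %.*s caps the read at the array size, so even an
 * unterminated field cannot pull bytes from beyond the structure. Returns the
 * number of characters produced, as snprintf() does. */
static int
gate_req_format(const struct gate_req *req, char *out, size_t outlen)
{
	return (snprintf(out, outlen, "readprov=%.*s info=%.*s",
	    (int)sizeof(req->readprov), req->readprov,
	    (int)sizeof(req->info), req->info));
}

/* Constructed samples: a well-formed request and one whose readprov is filled
 * to the last byte with no terminator. */
static void
build_valid_req(struct gate_req *req)
{
	memset(req, 0, sizeof(*req));
	strcpy(req->readprov, "da0");
	strcpy(req->info, "example");
}

static void
build_unterminated_req(struct gate_req *req)
{
	memset(req, 0, sizeof(*req));
	memset(req->readprov, 'A', sizeof(req->readprov));
	strcpy(req->info, "example");
}

int
main(void)
{
	struct gate_req good, bad;
	char line[80];

	build_valid_req(&good);
	build_unterminated_req(&bad);
	printf("valid request: validate=%d\n", gate_req_validate(&good));
	printf("unterminated request: validate=%d\n", gate_req_validate(&bad));
	gate_req_format(&bad, line, sizeof(line));
	printf("bounded format of unterminated request: %s\n", line);
	return (0);
}
```

Rejecting the request in `gate_req_validate()` is the primary defence; the `%.*s` in `gate_req_format()` is belt-and-braces so that a debug print added later cannot reintroduce the over-read even if someone forgets the validation call.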

Jul 27 2021

jo_bruelltuete.com added a comment to D31318: Fix ggatec request handling.

Maybe found another problem, this time with the ggate kernel module. I'm pretty unsure about some details, esp. around ioctl, but here goes:
I think it's possible to craft an ioctl with ggate to exfiltrate kernel memory.

Jul 27 2021, 11:49 PM
jo_bruelltuete.com added a comment to D31318: Fix ggatec request handling.

While I have your attention here, can someone assign the bug reports linked in the description to geom@freebsd.org? Right now they are dangling assigned to nobody.

Jul 27 2021, 10:05 PM
jo_bruelltuete.com added a comment to D31318: Fix ggatec request handling.

What do we want the test to verify? That the fixed version only supports reads and writes? That feels a bit limiting because adding bio_delete or bio_flush support looks pretty straightforward.
Any opinions?

Jul 27 2021, 7:05 PM
jo_bruelltuete.com added inline comments to D31318: Fix ggatec request handling.
Jul 27 2021, 2:58 PM
jo_bruelltuete.com added a comment to D31318: Fix ggatec request handling.

Re testing, it's easy to repro if you can generate a request that is not read or write. I don't know of a reliable way to do that. At the moment zpool-create does that... but only if the right sysctls are set?
And looking at https://github.com/freebsd/freebsd-src/blob/main/tests/sys/geom/class/gate/ggate_test.sh, I'm not sure what to make of that; it's not obvious what's going on with the tests...

Jul 27 2021, 12:34 PM
jo_bruelltuete.com added a comment to D31318: Fix ggatec request handling.

Fix still relevant to current: https://github.com/freebsd/freebsd-src/blob/main/sbin/ggate/ggatec/ggatec.c

Jul 27 2021, 1:10 AM
jo_bruelltuete.com added a reviewer for D31318: Fix ggatec request handling: asomers.
Jul 27 2021, 1:06 AM
jo_bruelltuete.com added reviewers for D31318: Fix ggatec request handling: peterj, pjd.
Jul 27 2021, 1:06 AM
jo_bruelltuete.com requested review of D31318: Fix ggatec request handling.
Jul 27 2021, 1:02 AM

Apr 1 2021

jo_bruelltuete.com updated the test plan for D28635: Attempt at AMD's memory encryption.
Apr 1 2021, 1:10 AM
jo_bruelltuete.com added a comment to D28635: Attempt at AMD's memory encryption.

I'm still working on this but it's really slow going rn, got very little time.

Apr 1 2021, 1:10 AM

Mar 16 2021

jo_bruelltuete.com added inline comments to D28635: Attempt at AMD's memory encryption.
Mar 16 2021, 2:13 AM

Feb 22 2021

jo_bruelltuete.com added a comment to D28635: Attempt at AMD's memory encryption.

I think I've wrapped my head around dmap & friends... it makes things more complicated.
Will have to demote dmap mappings. If I try to encrypt user-mode pages first, I'll need to demote the dmap pages down from 1GB into 4KB and set the C-bit for the small pages.
Same for trying to encrypt all pages. Will still have to demote dmap pages because of DMA and the existing kernel text and preloaded module pages.

Feb 22 2021, 10:36 PM

Feb 15 2021

jo_bruelltuete.com added a comment to D28635: Attempt at AMD's memory encryption.

Hi kib, thanks for taking a look!
I'll try to figure out the dmap bits, thanks for the pointer.

Feb 15 2021, 6:07 PM
jo_bruelltuete.com updated the summary of D28635: Attempt at AMD's memory encryption.
Feb 15 2021, 6:05 PM

Feb 14 2021

jo_bruelltuete.com added inline comments to D28635: Attempt at AMD's memory encryption.
Feb 14 2021, 4:44 PM
jo_bruelltuete.com updated the test plan for D28635: Attempt at AMD's memory encryption.
Feb 14 2021, 4:39 PM
jo_bruelltuete.com updated the diff for D28635: Attempt at AMD's memory encryption.
Feb 14 2021, 4:12 PM
jo_bruelltuete.com updated the test plan for D28635: Attempt at AMD's memory encryption.
Feb 14 2021, 3:39 PM
jo_bruelltuete.com updated the test plan for D28635: Attempt at AMD's memory encryption.
Feb 14 2021, 3:38 PM
jo_bruelltuete.com updated the diff for D28635: Attempt at AMD's memory encryption.

more context

Feb 14 2021, 2:20 PM

Feb 13 2021

jo_bruelltuete.com updated the test plan for D28635: Attempt at AMD's memory encryption.
Feb 13 2021, 2:05 AM
jo_bruelltuete.com updated the test plan for D28635: Attempt at AMD's memory encryption.
Feb 13 2021, 1:58 AM

Feb 12 2021

jo_bruelltuete.com requested review of D28635: Attempt at AMD's memory encryption.
Feb 12 2021, 11:54 PM