On November 2, 2021 6:31:17 PM GMT+02:00, Sergey Bugaev <firstname.lastname@example.org> wrote:
As promised, here are the details of the Hurd vulnerabilities I have found
earlier this year.
(You'll notice that I'm formatting this just like a patch series. I'll even try
to send it out with git send-email; if you're reading this, it has worked!)
These texts are partly based on the mails and write-ups I sent to Samuel at the
time, but most of the text is new, rewritten to incorporate the better
understanding that I now have as the result of exploring the issues and working
with Samuel on fixing them.
I've grouped the information by the four "major" vulnerabilities -- ones that I
have actually written an exploit for. Other related vulnerabilities are briefly
mentioned in the notes sections.
Each text contains a short and a detailed description of the relevant issue,
source code of the exploit I have written for the issue, commentary on how the
exploit works, and a description of how we fixed the issue. While this should
hopefully be an interesting read for everyone, understanding some of the details
requires some familiarity with the Mach and Hurd mechanisms involved. I've tried
to briefly describe the necessary bits (as I understand them myself) in the
"Background" sections throughout the texts -- hopefully this will make it easier
to understand. Please don't hesitate to ask me questions (while I can still
I also hope that all this info should be enough to finally allocate official
CVEs for these vulnerabilities, if anyone is willing to go forward with that in
While all of the vulnerabilities described have been fixed, most of the fixes
are not yet in the main Hurd tree for legal reasons: namely, my FSF copyright
assignment process is still unfinished. All the out-of-tree patches with the
fixes can be found in the Debian repo.
Our work on fixing these vulnerabilities required some large changes and touched
most of the major Hurd components (now I can actually name them: glibc, GNU
Mach, libports, libpager, libfshelp, libshouldbeinlibc, lib*fs, proc server,
exec server, *fs, ...) -- and this was even more true of the previous designs
that we have considered (the final design ended up being the most compact one).
Still, it's kind of amazing _how little_ has changed: we managed to keep most
things working just as they were (with the notable exception of mremap ()). The
Hurd still looks and behaves like the Hurd, despite all the changes.
Finally, I should note that there still are unfixed vulnerabilities in the Hurd.
There's another "major" vulnerability that I have already written an exploit
for, but I can't publish the details since it's still unfixed. I won't be there
to see it fixed (assuming it will take less than a year to fix it -- which I
hope it will), but Samuel should have all the details.
Let me know what you think!