Pierre Schweitzer | 9 Apr 21:43 2014

Heartbleed issue on the ReactOS infrastructure

Dear all,

In case you don't use SSL/TLS on our infrastructure (web sites - drupal,
jira, fisheye), skip reading (and reconsider your choices about such
non-usage).

As you may (should?) have heard recently, OpenSSL has suffered a
critical security vulnerability (CVE-2014-0160), known as the Heartbleed Bug
(http://heartbleed.com/). Most of our services were using an affected
release of OpenSSL, with the heartbeat feature activated. Be it mail
services, web services (Drupal, Jira).

We reacted quickly after the public announcement, and the availability
of the fix to apply it on our infrastructure to limit the risks. Anyway,
this might have been enough (actually, the issue has been here for two
years!) to allow potential attackers to, for instance, steal our SSL
private keys. So, we took the decision to renew all our certificates and
private keys to guarantee safe infrastructure usage.
Due to the nature of the security issue, we don't know what may have
been compromised in the infrastructure and in the user database. Hence
our drastic measures.

What does it mean for you? It means that your account information
(username + password) might have been compromised, and your account
itself could have been compromised (cookie stealth with the attack).
We highly recommend that you change your passwords and check that
everything is fine on your account. I shall remind you that a password
change can take up to 6h to propagate to Fisheye & Jira.

As a side note, we enabled a while ago Perfect Forward Secrecy on our

Timo Kreuzer | 7 Apr 00:08 2014

Re: [ros-diffs] [pschweitzer] 62675: [CHARMAP] Use rather wcsncpy(). A bit less safe, but at least, data are copied till possible


I don't really see the reason here. Whether using the secure function or
not is a question of whether we need null-termination or not.
If we need it the secure function will do the right thing. If we do not
need null-termination the non-secure function does the right thing and
the secure function would not add any security, but simply do the wrong
thing.
MSDN says about the lfFaceName member of the LOGFONT structure "A
null-terminated string that specifies the typeface name of the font. "
So we want it to be null-terminated and adding one more character does
not add anything useful, but will result in a broken structure.
Another difference is that the non-secure function pads the destination
array with nulls, the secure function does - afaik - not. If that is the
reason, I'd prefer zeroing it out before copying the string.

Am 06.04.2014 22:20, schrieb pschweitzer@...:
> Author: pschweitzer
> Date: Sun Apr  6 20:20:39 2014
> New Revision: 62675
>
> URL: http://svn.reactos.org/svn/reactos?rev=62675&view=rev
> Log:
> [CHARMAP]
> Use rather wcsncpy(). A bit less safe, but at least, data are copied till possible
>
> Modified:
>     trunk/reactos/base/applications/charmap/lrgcell.c
>     trunk/reactos/base/applications/charmap/map.c
>
> Modified: trunk/reactos/base/applications/charmap/lrgcell.c
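The three copy behaviours discussed in the reply above, side by side, as an added example that is not code from the thread or from ReactOS. FACE_LEN mirrors LF_FACESIZE, copy_terminate_only is a hypothetical stand-in for a copy that terminates but does not pad, and both font names are constructed.

```c
#include <stdio.h>
#include <wchar.h>

#define FACE_LEN 32  /* same value as LF_FACESIZE; defined locally so this builds off Windows */

typedef void (*copy_fn)(wchar_t *dst, size_t n, const wchar_t *src);
struct result { int terminated; size_t stale; };

/* Constructed inputs: a name that fits and a 40-character name that does not. */
static const wchar_t SHORT_NAME[] = L"Arial";
static const wchar_t LONG_NAME[]  = L"ABCDEFGHIJKLMNOPQRSTUVWXYZABCDEFGHIJKLMN";

/* wcsncpy over the whole array: pads with nulls, but no terminator on truncation. */
static void copy_wcsncpy(wchar_t *dst, size_t n, const wchar_t *src) {
    wcsncpy(dst, src, n);
}

/* Hypothetical stand-in for a copy that always terminates and never pads (n > 0). */
static void copy_terminate_only(wchar_t *dst, size_t n, const wchar_t *src) {
    size_t i = 0;
    while (i < n - 1 && src[i] != L'\0') { dst[i] = src[i]; i++; }
    dst[i] = L'\0';
}

/* Zero the array first, then copy at most n - 1 characters (n > 0). */
static void copy_zero_first(wchar_t *dst, size_t n, const wchar_t *src) {
    wmemset(dst, L'\0', n);
    wcsncpy(dst, src, n - 1);
}

/* Run one strategy on an array pre-filled with L'X', as if the structure were reused. */
static struct result run_copy(copy_fn f, const wchar_t *src) {
    wchar_t face[FACE_LEN];
    struct result r = {0, 0};
    const wchar_t *p;
    wmemset(face, L'X', FACE_LEN);
    f(face, FACE_LEN, src);
    p = wmemchr(face, L'\0', FACE_LEN);
    r.terminated = (p != NULL);
    for (; p != NULL && p < face + FACE_LEN; p++)
        r.stale += (*p != L'\0');   /* old data left behind the terminator */
    return r;
}

int main(void) {
    printf("wcsncpy/long: terminated=%d\n", run_copy(copy_wcsncpy, LONG_NAME).terminated);
    printf("terminate-only/short: stale=%zu\n", run_copy(copy_terminate_only, SHORT_NAME).stale);
    return 0;
}
```

Only the zero-first variant leaves the array both terminated and free of old data for either input length.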

Minas Abrahamyan | 6 Apr 20:37 2014

Short announce: My Serial port-on-MMIO implementation works - allowing debug logging on laptops

Hi all,

With these few words I would like to share the joyous event that the MMIO-based serial port implementation
has finally worked for me.

This is the equivalent of the earlycon serial port implementation in Linux with some extension
(so now it is even better than the Linux one)
Some work still needs to be done to turn this into a normal patch, but the good news is
it is working, and still doesn't require PNPmanager to work, i.e. it starts very early in kernel and writes kernel log messages.

I use ExpressCard 34 extension board Serial RS232 port, on laptop,
but think it will work for PC Cards too (former name PCMCIA).

==Importance: Touching the hardware==
For the more developers we need more working PC models ( Real Hardware)
Almost all modern PCs are laptops with PCIe bus (the rest are desktops)
(but few of them able to boot the ReactOS)
Modern serial ports are recommended to use /often use MMIO-based data transfer instead of former I/O ports.

So now the possibility appears to debug these new computers and force ReactOS to work on this important part of new PCs.

Thanks for attention

-Minas Abrahamyan

PS Curious note: for catching the debug logs I use the (small and cheap) soap box-sized microcontroller board with LCD (ready-unit), and I call it "ReactOS debug logger" appliance. It doesn't take space and doesn't produce any noise

_______________________________________________
Ros-dev mailing list
Ros-dev@...
http://www.reactos.org/mailman/listinfo/ros-dev
Thomas Faber | 6 Apr 18:53 2014

Re: [ros-diffs] [khornicek] 62665: [MAIN] - fix a copypasta - fix a possible buffer overrun (x5) - fix a negative array index access

You guys should consider replacing that stuff with strsafe functions
while you're at it ;)

On 2014-04-06 18:45, khornicek@... wrote:
> Author: khornicek
> Date: Sun Apr  6 16:45:21 2014
> New Revision: 62665
> 
> URL: http://svn.reactos.org/svn/reactos?rev=62665&view=rev
> Log:
> [MAIN]
> - fix a copypasta
> - fix a possible buffer overrun (x5)
> - fix a negative array index access
> 
> Modified:
>     trunk/reactos/dll/cpl/main/mouse.c
> 
> Modified: trunk/reactos/dll/cpl/main/mouse.c
> URL: http://svn.reactos.org/svn/reactos/trunk/reactos/dll/cpl/main/mouse.c?rev=62665&r1=62664&r2=62665&view=diff
> ==============================================================================
> --- trunk/reactos/dll/cpl/main/mouse.c	[iso-8859-1] (original)
> +++ trunk/reactos/dll/cpl/main/mouse.c	[iso-8859-1] Sun Apr  6 16:45:21 2014
>  <at>  <at>  -499,7 +499,7  <at>  <at> 
>                  /* Remove quotation marks */
>                  if (szTempData[0] == _T('"'))
>                  {
> -                    lpStart = szValueData + 1;
> +                    lpStart = szTempData + 1;
>                      szTempData[_tcslen(szTempData) - 1] = 0;
>                  }
>                  else
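Review bot: szTempData[_tcslen(szTempData) - 1] = 0; in the quote-stripping branch drops the last character without checking that it is the closing quotation mark, so a value that has only a leading quote loses a real character. Test the final character (and that the length is at least 2) before truncating, to match the szTempData[0] == _T('"') test; pointing lpStart at szTempData is consistent with the buffer being tested and truncated.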
>  <at>  <at>  -1022,9 +1022,9  <at>  <at> 
>  static VOID
>  LoadInitialCursorScheme(HWND hwndDlg)
>  {
> -    TCHAR szSchemeName[256];
> -    TCHAR szSystemScheme[256];
> -    TCHAR szCursorPath[256];
> +    TCHAR szSchemeName[MAX_PATH];
> +    TCHAR szSystemScheme[MAX_PATH];
> +    TCHAR szCursorPath[MAX_PATH];
>      HKEY hCursorKey;
>      LONG lError;
>      DWORD dwDataSize;
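Review bot: the array sizes in LoadInitialCursorScheme and the sizes passed where the arrays are used are still written out separately, which is how 256 and MAX_PATH came to disagree. Passing sizeof(szSchemeName) or _countof(szSystemScheme) at the call sites would tie each size to its declaration so the two cannot drift apart again.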
>  <at>  <at>  -1057,7 +1057,7  <at>  <at> 
>  
>      if (dwSchemeSource != 0)
>      {
> -        dwDataSize = 256 * sizeof(TCHAR);
> +        dwDataSize = MAX_PATH * sizeof(TCHAR);
>          lError = RegQueryValueEx(hCursorKey,
>                                   NULL,
>                                   NULL,
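Review bot: nothing visible around the RegQueryValueEx call sized by dwDataSize terminates the returned data, and RegQueryValueEx does not guarantee that string values come back null-terminated. If the buffer is used as a string afterwards, pass one element less than the buffer holds and write the terminator explicitly after a successful call; deriving dwDataSize with sizeof on the destination array rather than MAX_PATH * sizeof(TCHAR) would also keep it tied to the declaration.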
>  <at>  <at>  -1101,8 +1101,8  <at>  <at> 
>      else if (dwSchemeSource == 2)
>      {
>          LoadString(hApplet, IDS_SYSTEM_SCHEME, szSystemScheme, MAX_PATH);
> -        _tcscat(szSchemeName, _T(" "));
> -        _tcscat(szSchemeName, szSystemScheme);
> +        _tcsncat(szSchemeName, _T(" "), MAX_PATH - _tcslen(szSchemeName));
> +        _tcsncat(szSchemeName, szSystemScheme, MAX_PATH - _tcslen(szSchemeName));
>      }
>  
>      /* Search and select the curent scheme name from the scheme list */
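Review bot: both _tcsncat calls pass MAX_PATH - _tcslen(szSchemeName) as the count, which is one too many. The count is the maximum number of characters appended and the terminator is written after them, so a full append still writes one element past the end of szSchemeName[MAX_PATH]. Use MAX_PATH - _tcslen(szSchemeName) - 1, or a strsafe concatenation that takes the total buffer size.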
>  <at>  <at>  -1276,6 +1276,10  <at>  <at> 
>                      {
>                          case LBN_SELCHANGE:
>                              nSel = SendMessage((HWND)lParam, LB_GETCURSEL, 0, 0);
> +
> +                            if(nSel == LB_ERR)
> +                                break;
> +
>                              SendDlgItemMessage(hwndDlg, IDC_IMAGE_CURRENT_CURSOR, STM_SETIMAGE, IMAGE_CURSOR,
>                                                 (LPARAM)g_CursorData[nSel].hCursor);
>                              EnableWindow(GetDlgItem(hwndDlg,IDC_BUTTON_USE_DEFAULT_CURSOR),
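Review bot: the if(nSel == LB_ERR) check covers the negative index, but g_CursorData[nSel] is still indexed with no upper bound; also checking nSel against the number of entries in g_CursorData would cover both ends. Style: the other conditions in this diff are written "if (" with a space.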
> 
> 
Thomas Faber | 6 Apr 18:10 2014

Re: [ros-diffs] [hbelusca] 62662: [NTDLL_APITEST]: Add braces and remove an unneeded trace.

This will make any failure messages in the loop useless, since you
won't know which test they're about.
Just because the tests are succeeding now doesn't mean they always will.

On 2014-04-06 17:51, hbelusca@... wrote:
>  <at>  <at>  -188,7 +190,6  <at>  <at> 
>  
>      for (i = 0; i < TestCount; i++)
>      {
> -        trace("i = %d\n", i);
>          switch (TestCases[i].PrefixType)
>          {
>              case PrefixNone:
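Review bot: with trace("i = %d\n", i); removed, nothing in the loop identifies which TestCases entry a failure belongs to. If the trace is too noisy, put i into the failure messages of the checks inside the switch instead of dropping it.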
> 
> 
Pierre Schweitzer | 1 Apr 11:27 2014

Re: [ros-builds] Linux_AMD64_2 VMWPlayer-Test: build failed

Working on DB server atm (hence the fails). Results will be properly
submitted later on.
Ignore failed shell errors for the next hour.

Sorry about that.

On 04/01/2014 11:24 AM, buildbot@... wrote:
> The Buildbot has detected a failed build on builder Linux_AMD64_2 VMWPlayer-Test while building ReactOS.
> Full details are available at:
>  http://build.reactos.org/builders/Linux_AMD64_2%20VMWPlayer-Test/builds/3636
>
> Buildbot URL: http://build.reactos.org/
>
> Buildslave for this Build: Linux_AMD64_2
>
> Build Reason: Triggerable(Linux_AMD64_1 KVM-Test Trigger)
> Build Source Stamp: 62598
> Blamelist: 
>
> BUILD FAILED: failed shell
>
> sincerely,
>  -The Buildbot
>
>
>
>

-- 
Pierre Schweitzer <pierre@...>
System Administrator
ReactOS Foundation

Pierre Schweitzer | 1 Apr 11:09 2014

Re: [ros-diffs] [dgorbachev] 62598: [BUGCODES] - Add an error message for Proprietary Software Execution Prevention feature supported by recent CPUs. - TODO: Implement this feature in the kernel.

Nice one :-). I thought you'd commit your ReactOS 1.0 patch today!

Beware though, you're sitting BUGCODE_NDIS_DRIVER.

Regards,

-- 
Pierre Schweitzer <pierre@...>
System Administrator
ReactOS Foundation

Maxime Daniel | 28 Mar 16:40 2014

Installing driver without reboot

Hi,

Is it possible to install a driver (virtual network interface) without rebooting the system ?
I tried TAP interface (installation with devcon: devcon install inf-file tap0901) but the interface is
only loaded during the next reboot (same for a ndis sample from DDK)

Is there a way to load a driver interface with a true plug'n'play mechanism ?

-- 
Daniel Maxime
Linux version 3.6.9-maxux64 (emy) (gcc version 4.7.3 (Gentoo 4.7.3-r1 p1.4, pie-0.5.5) ) #3 SMP PREEMPT
Wed Feb 19 16:40:22 CET 2014
 16:33:29 up 24 days, 8 min,  1 user,  load average: 0.31, 0.68, 0.72
Alexander Varnin | 26 Mar 05:20 2014

Need assistance on bug 7965

Hello, dear developers!
Sorry if I am doing something wrong, but I am not sure, if everyone who
may help would be notified by JIRA.
I made some bug hunting on CORE-7965 and now need some assistance in
finding way to fix it. I have posted the results in my last comment on
JIRA:
http://jira.reactos.org/browse/CORE-7965?focusedCommentId=57456&page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel#comment-57456

In short: a bug is related to some interprocess virtual address
transmission that is leading to access attempt on unallocated virtual
memory, that finally crashes ReactOS.
Thomas Mueller | 26 Mar 04:34 2014

Re: Installing and running ReactOS on modern hardware

from "David Quintana (gigaherz)" <gigaherz@...>:

> [-- Attachment #1 --]
> [-- Type: multipart/alternative, Encoding: 7bit, Size: 9.5K --]
> Content-Type: multipart/alternative; boundary=001a1137e986d9c67404f56eb6c5

> Content-Type: text/plain; charset=UTF-8

> This is the Gmail web client, I have no control over MIME encodings, other
> than choosing if I want the text as HTML or just plain text.

> Some drivers do work, and it is one of the goals of the project, to be able
> to use drivers written for winxp/2003 (or whichever version of windows
> reactos is targetting, which is 2003sp1 at the moment). I personally use
> VMware, and we have had success using many of the drivers from the VMware
> Tools CDROM, including SVGA, Mouse, and I think also Network.

> Some people have lately shown an interest in making ReactOS bootable
> through PXE, sending a ramdisk image over the network, but I don't think
> the process is usable quite yet (someone correct me if I'm wrong).

I think you could choose plain text instead of HTML in Gmail?  Are there any Internet links or special effects
in your messages that require HTML?

A lot has happened with computer hardware since 2003, and winxp/2003sp1 won't support anything newer,
like GPT and USB 3.0, among other things.

But Windows drivers for individual devices would be provided by the manufacturer on CD or DVD in the package.

If ReactOS might be booted from a ramdisk image, could I use an image I already have on disk with syslinux,
grub2 or grub4dos?  That would be simpler than PXE.

Can Windows drivers provided by the device manufacturer be used by ReactOS when running under VMware, QEMU
or Virtualbox?

How big a file is recommended for installing ReactOS under VMware, QEMU or Virtualbox?

Tom
Hermès BÉLUSCA - MAÏTO | 26 Mar 03:44 2014

Resuscitating MSVC 2008 builds (at least) for testing purposes only :P

Because I was recently shocked (if I may say :D) that, for building a 2003-class operating system, we need 2010+ tools, I was wondering whether it was still possible to build ReactOS with MSVC 2008 and 2005. I’ve created a task for that in Jira: http://jira.reactos.org/browse/CORE-8023 . After application of the configure.cmd patch that I give in the report, plus few tweaks in two headers (and adding some stdint.h in the correct directory for MSVC, needed for compiling host-tools, because this file is not included in default MSVC installation until MSVC 2010+), I was able to build a full bootcd and livecd (see the details in the abovementioned report, basically it currently builds with MSVC 2008 but not 2005). However there happens an interesting thing: the [boot|live]cd boots (freeldr seems to work and load the kernel and drivers), but after that, the kernel (debugged in WinDbg) hangs indefinitely here:

 

Windows Server 2003 Kernel Version 3790 UP Checked x86 compatible

Built by: 20140326-r62565

Machine Name:

Kernel base = 0x80400000 PsLoadedModuleList = 0x005fcf88

System Uptime: not available

(f:\ros_vs_test\ntoskrnl\ke\i386\cpu.c:494) Supported CPU features : KF_V86_VIS KF_RDTSC KF_CR4 KF_CMOV KF_GLOBAL_PAGE KF_LARGE_PAGE KF_MTRR KF_CMPXCHG8B KF_MMX KF_WORKING_PTE KF_PAT KF_FXSR KF_FAST_SYSCALL KF_XMMI KF_XMMI64 KF_NX_BIT

(f:\ros_vs_test\ntoskrnl\ke\i386\cpu.c:801) Prefetch Cache: 64 bytes L2 Cache: 0 bytes            L2 Cache Line: 64 bytes L2 Cache Associativity: 0

 

<_hangs_forever_here_>

 

If some of you have an idea what *might* happen there, I’m all ears!

 

Cheers,

Hermès.
