OpenBSD 7.9: Mythos bug fixed, more partitions and security
OpenBSD 7.9 is the 60th release of the open-source operating system and brings many improvements in security and networking.
Excerpt from artistic illustration for the new BSD release (Image: Lyra Henderson)
- Michael Plura
With OpenBSD 7.9, the open-source operating system uncompromisingly focused on security has now reached its 60th release. Since the OpenBSD founder and his team release an updated version every six months, this means, despite the current Mythos panic, “Only two remote holes in the default install,” i.e., only two externally exploitable security vulnerabilities in 30 years with a standard installation.
AMD notebooks sleep longer in suspend mode
On the AMD64 platform, the AMD Power Management Controller amdpmc(4) has been extended and can now use the System Management Unit (SMU) to achieve even lower power consumption for suspend mode. Special fixes were made for AMD Zen/Zen+, for hangs on the ThinkPad X13 gen 6, and for a bug on machines with more than 512 GB of RAM – an amount of memory that is rather unusual for OpenBSD machines anyway.
The kernel now handles CPUs whose cores run at different clock frequencies better. Via sysctl(4) and the variable hw.blockcpu, the in-kernel scheduler can be configured accordingly using the letters SPEL (SMT, Performance, Efficient, Lethargic). The default is SL, and the function is initially only available for AMD64 and ARM64. The maximum number of supported cores on AMD64 CPUs has been increased to 255.
The Direct Rendering Manager drm(4) and the corresponding graphics drivers have been updated to the level of Linux 6.18.22. The audio/MIDI daemon sndiod(8), popular for its extremely low latencies, has been further optimized along with libsndio. OpenBSD 7.9 has received more than a dozen new hardware drivers, and errors have been corrected in many drivers. In the WLAN area, there is finally basic support for 802.11ax (Wi-Fi 6) as well as many improvements for iwx(4), the driver for Intel AX200/AX201/AX210/AX211 chips. veb(4), the Virtual Ethernet Bridge device, can also handle VLANs in OpenBSD 7.9 with the help of PVID (Port VLAN IDentifier).
Packet filter pf(4) with new function
The importance of security at OpenBSD can be illustrated by a change for the root user: The Berkeley Packet Filter bpf(4) provides a protocol-independent interface via /dev/bpf to allow access to all network packets for sniffing or filtering. After opening /dev/bpf, a descriptor must be bound to the corresponding network interface, through which multiple tools can access the data. BIOCLOCK can be used to prevent this descriptor from being modified afterward. Previously, root could bypass this lock, but with OpenBSD 7.9, this is no longer possible even for root. pledge(2) for restricting system access and unveil(2) for restricting file system access have also been improved in detail.
David Gwynne has been working for three years on source and state limiters for the OpenBSD packet filter pf(4), and OpenBSD 7.9 adopts this work. Firewall setups can thus define the maximum usable resources very precisely. Gwynne's extension also addresses the fact that some limits were previously reset when the rule set was reloaded, which is undesirable during an active attack. Even if pf(4) internally splits a rule into multiple rules, the limits are distributed accordingly. OpenBSD administrators will likely quickly adopt and learn to love the new possibilities for pf(4).
Too much dozing turns into hibernation
With “Delayed Hibernation,” OpenBSD 7.9 aims to prevent a system in suspend mode from being abruptly shut down at the end of its battery life, with the resulting risk of data loss. OpenBSD uses FFS2 (Fast File System 2), a simple file system that, unlike ZFS, for example, does not always survive sudden power loss unscathed. “Delayed Hibernation” wakes the system from suspend mode after a freely definable period and then immediately switches to hibernation mode. The delay is set in seconds via sysctl machdep.hibernatedelay.
Up to 52 partitions on one disk
OpenBSD 7.9 also extends its long-established disklabel(8) architecture to allow modern systems to be partitioned more flexibly without abandoning the traditional OpenBSD layout. To achieve this, the internal partition encoding has been extended from 4 to 6 bits, allowing for a maximum of 64 instead of the previous 16 partitions. The practical limit of 52 partitions results from the alphabet: OpenBSD uses one letter per partition, and with a-z plus A-Z there are only 52 possibilities. With OpenBSD 7.9, the internal foundation for the transition is laid; the necessary tools will only be available in later OpenBSD versions.
Fine-tuning for the ARM architecture
The previous version, OpenBSD 7.8, brought great progress for the ARM architecture, especially for Raspberry Pi SBCs and Apple hardware. OpenBSD 7.9, through the ice(4) driver, enables the use of Intel PCIe Ethernet chips like the E810 or E823 of the 800 series at speeds of 1 Gb/s, 10 Gb/s, 25 Gb/s, 50 Gb/s, or 100 Gb/s. Since Intel's terms do not allow the OpenBSD developers to ship the firmware on the installation media, the Intel chips initially run without hardware offloading. Instead, the current firmware (ice-ddp) is downloaded and installed separately on the running system via fw_update(8). Thus, after successful installation, OpenBSD machines can utilize the full functionality of the Intel chips.
New in OpenBSD 7.9 is support for the Rockchip SoCs RK3576 and the more powerful RK3588. Both are not used in smartphones but rather in SBCs (Single Board Computers), smart panels and industrial HMIs (Human-Machine Interfaces), robotics, AI vision, and similar applications. The new support for the Genesys Logic GL9755 SDHC controller benefits Apple laptops, among others.
RISC-V and other platforms
For RISC-V-based systems, OpenBSD 7.9 primarily brings a lot of new features for the SpacemiT K1 SoC, which was developed by the Chinese chip manufacturer SpacemiT, founded in 2021, primarily for simple AI applications such as CV (Computer Vision) and NLP (Natural Language Processing). The RISC-V CPU with eight cores and up to 2 TOPS AI performance (but no specialized AI coprocessor) is even used in the “MUSE Book RISC-V Laptop” – including an externally accessible UART/GPIO port.
As with ARM, the ice(4) driver is now also available for SPARC64, as are fixes for SPARC64 FPUs and adjustments for sun4u. PowerPC, Alpha, and MIPS64 also received minor bug fixes. The luna88k port has been switched to GCC 4, and developers there have also enabled PIE (Position Independent Executables) by default.
Mythos finds bug in OpenBSD – much ado about nothing?
In early April, Anthropic announced its “Claude Mythos Preview” and “Project Glasswing” with a long list of exploits found by their AI. The “27-year-old OpenBSD bug” made headlines, because if an AI finds a security vulnerability in the source code of the most secure operating system for computing time worth $20,000, it is of course remarkable at first. The OpenBSD developers fixed the bug two weeks before its release with three lines of code already in OpenBSD 7.8. Anyone who uses the OpenBSD tool syspatch(8) to automatically download, check, and install security patches was already protected against this exploit on March 25 (Patch #025: RELIABILITY FIX: March 25, 2026).
Was the bug really as dramatic as presented? The exploit concerns RFC 2018 “Selective ACKnowledgment” (SACK) in TCP connections. In TCP connections, the receiver informs the sender about the sequence ID of the last correctly received packet. If the sender sends a thousand packets, but the receiver only confirms up to packet 200, the sender (without SACK) resends all packets from 201 to 1000. With SACK, the receiver can also report “gaps”, i.e., that packets 201 to 220 are missing. Now the sender only needs to resend the few actually missing packets, a significant increase in efficiency.
The problem with OpenBSD, simplified, was: The OpenBSD code in tcp_input.c checked the end of such a “gap” for plausibility, but not its beginning. Deleting one “gap” while simultaneously creating a new “gap” whose start is at least 2^31 bytes away leads, because of the missing check, to an integer overflow and a kernel write through a NULL pointer – which crashes the kernel and thus forces OpenBSD to restart (somewhat reminiscent of the “Ping of Death” from the 90s).
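To make the two halves of that plausibility check concrete, here is an added illustration (not OpenBSD's tcp_input.c and not the fix itself): a SACK block is only sane if both its start and its end fall inside the window of data that has been sent but not yet acknowledged. The SEQ_* macros mirror the modular sequence-number comparisons BSD stacks use; the struct names, the window values and the “far-away start” block are constructed for the example. The weak variant validates only the end edge, so a start edge placed 2^31 bytes away turns the computed block length into a large negative number, which is exactly the kind of value downstream code must never be handed.

```c
#include <stdint.h>
#include <stdbool.h>
#include <stdio.h>

typedef uint32_t tcp_seq;

/* Modular 32-bit sequence comparison, as in BSD's tcp_seq.h (redefined here). */
#define SEQ_LT(a, b)  ((int32_t)((a) - (b)) < 0)
#define SEQ_LEQ(a, b) ((int32_t)((a) - (b)) <= 0)
#define SEQ_GT(a, b)  ((int32_t)((a) - (b)) > 0)
#define SEQ_GEQ(a, b) ((int32_t)((a) - (b)) >= 0)

/* One SACK block from the receiver: [start, end) of data it already holds. */
struct sack_block { tcp_seq start, end; };

/* Sender-side window (hypothetical struct): oldest unacknowledged byte and
 * the highest byte sent so far. A valid block must lie in (snd_una, snd_max]. */
struct send_state { tcp_seq snd_una, snd_max; };

/* Full plausibility check: both edges inside the window, start before end. */
bool sack_block_ok(const struct send_state *s, const struct sack_block *b)
{
    if (SEQ_LEQ(b->start, s->snd_una)) return false;  /* start already ACKed */
    if (SEQ_GT(b->end, s->snd_max))    return false;  /* end beyond data sent */
    if (SEQ_GEQ(b->start, b->end))     return false;  /* empty or inverted block */
    return true;
}

/* Weak variant in the spirit of the bug described above: only the end edge is
 * checked, then the block length is derived from the unchecked start.
 * Returns the (possibly overflowed) length, or -1 if the block was rejected. */
int64_t sack_len_end_only(const struct send_state *s, const struct sack_block *b)
{
    if (SEQ_GT(b->end, s->snd_max)) return -1;
    return (int32_t)(b->end - b->start);   /* wraps negative for a far-away start */
}

/* Hardened variant: length is computed only after the full check, so the
 * modular difference is guaranteed to be a positive 31-bit value. */
int64_t sack_len_checked(const struct send_state *s, const struct sack_block *b)
{
    if (!sack_block_ok(s, b)) return -1;
    return (int32_t)(b->end - b->start);
}

int main(void)
{
    /* Constructed window: bytes 1001..5000 are in flight. */
    struct send_state st = { .snd_una = 1000, .snd_max = 5000 };
    struct sack_block good = { .start = 2000, .end = 3000 };
    /* Constructed malformed block: end is plausible, start is 2^31 bytes away. */
    struct sack_block far  = { .start = 3000u - 2147483648u, .end = 3000 };

    printf("good: ok=%d len_end_only=%lld len_checked=%lld\n",
           sack_block_ok(&st, &good),
           (long long)sack_len_end_only(&st, &good),
           (long long)sack_len_checked(&st, &good));
    printf("far:  ok=%d len_end_only=%lld len_checked=%lld\n",
           sack_block_ok(&st, &far),
           (long long)sack_len_end_only(&st, &far),
           (long long)sack_len_checked(&st, &far));
    return 0;
}
```

The end-only variant accepts the malformed block and reports a length of -2147483648; the checked variant rejects it before any length is computed. Any code that keeps SACK state (scoreboards, hole lists, retransmit queues) should receive blocks only after a check of both edges like sack_block_ok.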
This DoS has likely never occurred in practice, and penetration or fuzz tests would also have to create a TCP “gap” whose SACK block start ID is 2,147,483,648 packets away from the actual “gap”. A more detailed technical analysis with code examples is available on GitHub.
Nevertheless, it is an impressive bug, and it was fixed by the OpenBSD team two weeks before the release. Ultimately, Anthropic should probably be thanked for currently freeing open-source operating systems and tools from even the most perfidious errors with giant leaps.
LibreSSL 4.3.0 and OpenSSH 10.3
Two of the most important projects for internet security, which also benefit other operating systems, are LibreSSL and OpenSSH. The list of improvements for LibreSSL 4.3.0 and OpenSSH 10.3 is again very long. New in LibreSSL 4.3.0 is support for handling keys in MLKEM768_X25519 for TLSv1.3 and the STARTTLS protocol “sieve”. OpenSSH 10.3 also now supports ed25519 signatures via libcrypto.
Free and available immediately
OpenBSD is under the free MIT license and is available as open-source software in source code. OpenBSD 7.9 uses LLVM/Clang 19.1.7 as its compiler; versions 20.1.8 and 21.1.8 can also be installed. In addition to GCC 4.2.1, GCC 15.2.0 can be optionally installed. OpenBSD uses Xenocara based on X.Org 7.7 with Xserver 21.1.21, but also offers Wayland and runs partially with XLibre. In addition to OpenBSD's own cwm(1) Calm Window Manager, desktop environments such as MATE 1.28, Xfce 4.20, GNOME 49, or KDE Plasma 6.6.4 can be installed via the package management. Chromium 147, Firefox 150.0 and ESR 140.10.0, Thunderbird 140.10.0, and LibreOffice 26.3.3.3 round off the desktop. The OpenBSD projects LibreSSL and OpenSSH have reached versions 4.3.0 and 10.3. In total, the package management lists 12883 (OpenBSD 7.8: 12651) packages for the amd64 platform.
Installation media and instructions for fourteen hardware platforms are available for download on the project page. There you will also find the release information for OpenBSD 7.9 with a detailed overview of all changes.
(mho)