A few thoughts after reading Are all BSDs created equally? by Ilja van Sprundel. Theo says OpenBSD is the best, Ilja fact checks.

The sendsyslog bug is kinda annoying. As in, annoying that it wasn’t caught, but it’s an easy mistake to make. The code mostly looks correct. There’s some length. We allocate some memory, and then we copy that amount. It’s unlike the typical buffer overflow where the wrong amount is allocated or copied. It’s just that the kernel imposes some extra restrictions to save itself from grinding to a halt with over sized allocations. This protection happens to take the form of a kernel assertion, however, so it’s not good to be user reachable.

“mbuf handling is complicated and error prone”

The NetBSD crypto overflow is a classic allocation overflow. A large count and a size, when multiplied, become very small. In OpenBSD, we replaced many (nearly all even?) instances of this pattern with mallocarray, which performs an overflow check before doing the multiplication. It would still end in a panic, but that’s better than memory corruption.

The FreeBSD ksyms bug is a pretty common object lifetime bug if I’m reading it correctly. It’s difficult to concretely identify the owner of some objects, or the last reference. A lot of references don’t necessarily have counts, relying on other implicit invariants to determine when it’s safe to free something. The result is stale references are fairly common. I would say that fd passing in particular causes all sorts of trouble because people like to assume they stay put, and then they end up in a different process. (There were some bugs like this reported against OpenBSD, too, where an fd is passed to another process and then bad things happen when the original process exits, but I don’t think any were serious.)

“Compat layers rot very quickly.”

On the point of fuse, at least in OpenBSD, you have to be root to mount a fuse filesystem, so you’re already pretty elevated. Still, the kernel in theory should be robust against even root, and especially we’d like for it to be possible to write a privilege dropping filesystem. Easy to slip up here and assume everything is already trusted.

Wifi: “They didn’t think about the attack surface on this one”

Conclusion: OpenBSD wins. A lot of this is reducing attack surface by deleting code. It’s not cheating if it works... Some of it is also trying to identify harmful patterns and reduce the impact, like mallocarray.

“Bugs are still easy to find in those kernels.” Sigh.