| Commit message (Collapse) | Author | Age | Files | Lines |
|---|
| | |
|
| |
|
|
|
|
|
| |
Tested in snaps and package builds
Tested on amd64 by naddy@
Tested on arm64 by patrick@
Tested on octeon by visa@
|
| | |
|
| |
|
|
|
|
|
|
|
| |
Prepared with help from jsg@ and mortimer@
Tested on amd64 by bcallah@, krw@, naddy@
Tested on arm64 by patrick@
Tested on macppc by kettenis@
Tested on octeon by visa@
Tested on sparc64 by claudio@
|
| | |
|
| |
|
|
|
|
|
| |
This adds more trap padding before the return while ensuring that the
return is still in the same cache line.
ok deraadt@
|
| |
|
|
|
|
|
| |
Makes things slightly faster and also improves security in these functions,
since the retguard cookie can't leak via the stack.
ok deraadt@
|
| |
|
|
|
|
|
|
|
|
| |
- Target all four kinds of return bytes (c2, c3, ca, cb)
- Fix up instructions using both ModR/M and SIB bytes
- Force alignment before instructions with return bytes in immediates
- Force alignment before instructions that have return bytes in their encoding
- Add a command line switch to toggle the functionality.
ok deraadt@
|
| |
|
|
|
|
|
|
|
|
| |
to fix a regression in floating point operations. Bluhm noticed that
the bc regression test has been failing after the upgrade to 7.0.1
because setting the floating point control register was in some cases
reordered erroneously.
Found and tested by bluhm@
ok bluhm@ kettenis@
|
| |
|
|
| |
ok dlg@
|
| |
|
|
|
|
| |
and use a bool type for a boolean in C++.
ok kettenis@ deraadt@
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
this is a bit different to gcc as gcc likes to use movs to move
stuff on and off the stack, and directly updates the stack pointers
with add and sub instructions. llvm prefers to use push and pop
instructions, is a lot more careful about keeping track of how
much stuff is currently on the stack, and generally pops the frame
pointer rather than do maths on it.
-msave-args adds a bunch of pushes as the first thing a function
prologue does. to keep the stack aligned, if there's an odd number
of arguments to the function it pushes the first one again to put
the frame back on a 16 byte boundary.
to undo the pushes the frame pointer needs to be updated in function
epilogues. clang emits a series of pops to fix up the registers on
the way out, but popping saved arguments is a waste of time and
harmful to actual data in the function. rather than add an offset
to the stack pointer, -msave-args emits a leaveq operation to fix
up the frame again. leaveq is effectively mov rbp,rsp; pop rbp, and
is a single byte, meaning there's less potential for gadgets compared
to a direct add to rsp, or an explicit mov rbp,rsp.
the only thing missing compared to the gcc implementation is adding
the SUN_amd64_parmdump dwarf flag to affected functions. if someone
can tell me how to add that from the frame lowering code, let me
know.
when enabled in kernel builds again, this will provide useful
arguments in ddb stack traces again.
|
| | |
|
| |
|
|
|
| |
With fixes from mortimer@ (thanks!)
Tested by many, especially naddy@ (thanks!)
|
| | |
|
| |
|
|
|
|
|
| |
explicitly in SMALL_KERNEL kernel builds.
tweaks from jsg@ and tb@
ok deraadt@ kettenis@
|
| | |
|
| |
|
|
| |
Spotted by Nan Xiao.
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
random cookies to protect access to function return instructions, with the
effect that the integrity of the return address is protected, and function
return instructions are harder to use in ROP gadgets.
On function entry the return address is combined with a per-function random
cookie and stored in the stack frame. The integrity of this value is verified
before function return, and if this check fails, the program aborts. In this way
RETGUARD is an improved stack protector, since the cookies are per-function. The
verification routine is constructed such that the binary space immediately
before each ret instruction is padded with int03 instructions, which makes these
return instructions difficult to use in ROP gadgets. In the kernel, this has the
effect of removing approximately 50% of total ROP gadgets, and 15% of unique
ROP gadgets compared to the 6.3 release kernel. Function epilogues are
essentially gadget free, leaving only the polymorphic gadgets that result from
jumping into the instruction stream partway through other instructions. Work to
remove these gadgets will continue through other mechanisms.
Remaining work includes adding this mechanism to assembly routines, which must
be done by hand. Many thanks to all those who helped test and provide feedback,
especially deaadt, tb, espie and naddy.
ok deraadt@
|
| |
|
|
|
|
|
|
| |
friendly instructions with safe alternatives. This initial commit fixes
3 instruction forms that will lower to include a c3 (return) byte.
Additional problematic instructions can be fixed incrementally using
this framework.
ok deraadt@
|
| | |
|
| | |
|
| | |
|
| | |
|
| |
|
|
| |
"where is the kaboom?" deraadt@
|
| |
|
|
|
|
|
|
| |
instructions to have side effects so the optimizer does not reorder
them across fnstcw/fldcw sequences. Fixes a bug seen in sqlite3 on
i386.
ok kettenis@
|
| | |
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
order it chooses. Reasons for choosing one register before another usually incl
ude compiled instruction size (avoidance of REX prefixes, etc.) or usage convent
ions, but somehow haven't included security implications in the compiled bytecod
e. Some bytecode is more useful in polymorphic ROP sequences than others, so it
seems prudent to try to avoid that bytecode when possible.
This patch moves EBX/RBX towards the end of the allocation preference for 32 and
64 bit general purpose registers. Some instructions using RBX/EBX/BX/BL as a de
stination register end up with a ModR/M byte of C3 or CB, which is often useful
in ROP gadgets. Because these gadgets often occur in the middle of functions, th
ey exhibit somewhat higher diversity than some other C3/CB terminated gadgets. T
his change removes about 3% of total gadgets from the kernel, but about 6% of un
ique gadgets.
There are other possible changes in this direction. BX/BL are obvious next targe
ts for avoidance, and MM3/XMM3 may also be useful to try to avoid if possible.
ok deraadt@
|
| | |
|
| | |
|
| | |
|
| |
|
|
| |
ok deraadt@
|
| |
|
|
| |
ok deraadt@
|
| |
|
|
|
| |
Also from Todd Mortimer
tested by espie
|
| | |
|
| |
|
|
| |
development effort on OpenBSD/arm64.
|
| | |
|
| | |
|
|
|
ok hackroom@
|
patrick
mortimer
semarie
dlg
guenther
deraadt
pascal