path: root/libexec/ld.so/amd64/syscall.h
Commit log (each entry: date, author, files changed, lines removed/added; then the commit message)
* 2019-11-29  deraadt  (1 file, -1/+2)
  Repurpose the "syscalls must be on a writeable page" mechanism to
  enforce a new policy: system calls must be in pre-registered regions.
  We have discussed more strict checks than this, but none satisfy the
  cost/benefit based upon our understanding of attack methods, anyways
  let's see what the next iteration looks like.

  This is intended to harden (translation: attackers must put extra effort
  into attacking) against a mixture of W^X failures and JIT bugs which
  allow syscall misinterpretation, especially in environments with
  polymorphic-instruction/variable-sized instructions. It fits in a bit
  with libc/libcrypto/ld.so random relink on boot and no-restart-at-crash
  behaviour, particularly for remote problems. Less effective once
  on-host since the libraries can be read.

  For static-executables the kernel registers the main program's
  PIE-mapped exec section valid, as well as the randomly-placed sigtramp
  page. For dynamic executables ELF ld.so's exec segment is also labelled
  valid; ld.so then has enough information to register libc's exec
  section as valid via call-once msyscall(2)

  For dynamic binaries, we continue to permit the main program exec
  segment because "go" (and potentially a few other applications) have
  embedded system calls in the main program. Hopefully at least go gets
  fixed soon.

  We declare the concept of embedded syscalls a bad idea for numerous
  reasons, as we notice the ecosystem has many of
  static-syscall-in-base-binary which are dynamically linked against
  libraries which in turn use libc, which contains another set of syscall
  stubs. We've been concerned about adding even one additional syscall
  entry point... but go's approach tends to double the entry-point attack
  surface.

  This was started at a nano-hackathon in Bob Beck's basement 2 weeks ago
  during a long discussion with mortimer trying to hide from the SSL
  scream-conversations, and finished in more comfortable circumstances
  next to a wood-stove at Elk Lakes cabin with UVM scream-conversations.
  ok guenther kettenis mortimer, lots of feedback from others
  conversations about go with jsing tb sthen
* 2019-07-14  guenther  (1 file, -3/+1)
  ld.so's $ORIGIN handling when argv[0] is a relative path was broken by
  the change in __getcwd(2)'s return value. Fix it by switching to the
  __realpath(2) syscall, eliminating the ld.so copy of realpath().
  problem caught by regress and noted by bluhm@
  ok deraadt@
* 2018-07-09  deraadt  (1 file, -7/+7)
  unify the various per-arch syscall.h as much as possible
  ok kettenis guenther
* 2017-08-27  deraadt  (1 file, -5/+5)
  Replace heaps of hand-written syscall stubs with a simpler framework
  which is largely MI.
  ok visa kettenis
* 2017-01-24  guenther  (1 file, -1/+3)
  On fatal errors, kill ourselves with thrkill(0,9,NULL) instead of
  simply exiting, via helper functions _dl_die(), _dl_diedie(), and
  _dl_oom().
  prompted by a complaint from jsing@
  ok jsing@ deraadt@
* 2017-01-21  guenther  (1 file, -2/+9)
  _dl_exit() is __dead, so it should return void.
  Move _dl_mmap() and _dl_mquery() inlines from archdep.h to syscall.h
  and remove pointless casts and unnecessary parens.
  ok kettenis@
* 2016-08-28  guenther  (1 file, -3/+1)
  ld.so doesn't need gettimeofday or lstat stubs any more
  ok deraadt@
* 2016-07-04  guenther  (1 file, -7/+1)
  Remove prebind support: binding to symbol table indices is too fragile
  for our development process.
  ok kettenis@ deraadt@
* 2016-05-07  guenther  (1 file, -1/+3)
  Use a Thread Information Block in both single and multi-threaded programs.
  This stores errno, the cancelation flags, and related bits for each
  thread and is allocated by ld.so or libc.a. This is an ABI break from
  5.9-stable!

  Make libpthread dlopen'able by moving the cancelation wrappers into
  libc and doing locking and fork/errno handling via callbacks that
  libpthread registers when it first initializes. 'errno' *must* be
  declared via <errno.h> now!

  Clean up libpthread's symbol exports like libc.

  On powerpc, offset the TIB/TCB/TLS data from the register per the ELF
  spec.

  Testing by various, particularly sthen@ and patrick@
  ok kettenis@
* 2016-03-21  bluhm  (1 file, -2/+2)
  Rename the system call sendsyslog2 to sendsyslog. Keep the old one
  as osendsyslog for a while. The three argument variant is the only
  one that will stay.
  input kettenis@; OK deraadt@
* 2016-03-21  guenther  (1 file, -2/+2)
  Switch ld.so's stack smash handler from sendsyslog to sendsyslog2
  and pass the LOG_CONS flag like libc's handler.
  ok deraadt@ bluhm@ (who had a similar diff)
* 2015-11-15  deraadt  (1 file, -1/+2)
  ldd(1) sets environment variable LD_TRACE_LOADED_OBJECTS to tell ld.so
  that it should show information about the program it loads, rather
  than run it. In that specific case, ld.so can pledge to "stdio rpath"
  to ensure that code path in ld.so has no bugs.
  Yes, a pledge in ld.so.... who'd have thought!
  ok guenther
* 2015-09-19  guenther  (1 file, -3/+1)
  kbind has eliminated the need for and use of the bind lock. Delete it,
  the callback, and the sigprocmask stub. Keep around the DL_SETBINDLCK
  case until libpthread stops using it.
  discussed with miod@ at l2k15
  ok kettenis@
* 2014-09-01  doug  (1 file, -2/+2)
  Sync readlink(2) with IEEE Std 1003.1-2008.
  discussion, help and ok guenther@
* 2014-07-14  deraadt  (1 file, -1/+2)
  Now that we have sendsyslog(2), we can directly use it in the
  (previously completely retarded) stack_smash_handler of ld.so
  ok beck miod tedu
* 2014-07-09  guenther  (1 file, -2/+1)
  _dl_fcntl() is no longer used; kill the stubs
  ok otto@ miod@
* 2014-07-06  otto  (1 file, -1/+2)
  move from sysctl(KERN_ARND) to getentropy(2); ok miod@, kettenis@
* 2014-07-05  miod  (1 file, -1/+2)
  Mark _dl_exit __dead.
* 2013-08-13  guenther  (1 file, -2/+2)
  Switch time_t, ino_t, clock_t, and struct kevent's ident and data
  members to 64bit types. Assign new syscall numbers for (almost all)
  the syscalls that involve the affected types, including anything with
  time_t, timeval, itimerval, timespec, rusage, dirent, stat, or kevent
  arguments. Add a d_off member to struct dirent and replace
  getdirentries() with getdents(), thus immensely simplifying and
  accelerating telldir/seekdir. Build perl with -DBIG_TIME.

  Bump the major on every single base library: the compat bits included
  here are only good enough to make the transition; the T32 compat
  option will be burned as soon as we've reached the new world and are
  happy with the snapshots for all architectures.

  DANGER: ABI incompatibility. Updating to this kernel requires extra
  work or you won't be able to login: install a snapshot instead.

  Much assistance in fixing userland issues from deraadt@ and tedu@ and
  build assistance from todd@ and otto@
* 2013-06-09  miod  (1 file, -2/+2)
  Constify the mib argument of sysctl().
  ok matthew@ millert@
* 2013-06-01  guenther  (1 file, -11/+11)
  Make all the syscall prototypes consistent with their real forms for
  types, whitespace, and no argument names.
  ok matthew@ deraadt@
* 2013-06-01  miod  (1 file, -1/+2)
  Introduce ltrace(1). This tool works with ld.so to inject utrace
  records for each plt call, allowing tracing of a binary linked against
  shared libraries at the public function call level.

  To do so, ltrace(1) sets up some environment variables to enable plt
  tracing in ld.so, and invokes ktrace(2) for utrace events. ld.so will
  force lazy binding and will send an utrace record in the plt resolver,
  without updating the plt.

  Minimal filtering capabilities are provided, inspired by Solaris'
  truss -u, to limit tracing to libraries and/or symbol names.
  Non-traced libraries and symbols will have the regular resolver
  processing, with the expected plt update.

  "Get it in" deraadt
* 2013-04-05  kurt  (1 file, -1/+4)
  - Add ORIGIN, OSNAME, OSREL and PLATFORM substitution support for rpaths.
  Improvements and okay matthew@, millert@, guenther@
* 2012-10-24  guenther  (1 file, -2/+1)
  Garbage-collect the _dl_stat() routine, now unused
  ok matthew@ deraadt@
* 2010-10-28  millert  (1 file, -2/+2)
  Change basep parameter of getdirentries() to be off_t *, not long *
  so it works correctly with large offsets (and matches other systems).
  This requires adding a new getdirentries syscall, with the old one
  renamed to ogetdirentries. All in-tree consumers of getdirentries()
  have been updated. Bump libc and libpthread major numbers.
  OK and with deraadt@
* 2008-10-02  kurt  (1 file, -4/+4)
  Fix mmap() error checking to be correct 64-bit addresses. Consistently
  use _dl_mmap_error() to check for mmap() errors. Adjust datatypes of
  some local vars for 64-bit safety.
  okay millert@ drahn@
* 2006-05-03  drahn  (1 file, -1/+2)
  prebind - how to prelink a binary without throwing security out the window
  Prelink fixes the address of libraries making 'return to libc' attacks
  trivial, prebind uses a different method to achieve most of the same
  gains, however without adding any security concerns.
  Still under development, now in-tree.
* 2004-02-23  deraadt  (1 file, -2/+2)
  pretty
* 2004-02-10  drahn  (1 file, -0/+63)
  AMD64 dynamic linker. initial work by mickey finished up by myself.
  lazy binding not working yet. problem exists with gcc and -fpic jump
  tables.
  ok mickey@