| Commit message (Collapse) | Author | Age | Files | Lines |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
enforce a new policy: system calls must be in pre-registered regions.
We have discussed more strict checks than this, but none satisfy the
cost/benefit based upon our understanding of attack methods, anyways
let's see what the next iteration looks like.
This is intended to harden (translation: attackers must put extra
effort into attacking) against a mixture of W^X failures and JIT bugs
which allow syscall misinterpretation, especially in environments with
polymorphic-instruction/variable-sized instructions. It fits in a bit
with libc/libcrypto/ld.so random relink on boot and no-restart-at-crash
behaviour, particularily for remote problems. Less effective once on-host
since someone the libraries can be read.
For static-executables the kernel registers the main program's
PIE-mapped exec section valid, as well as the randomly-placed sigtramp
page. For dynamic executables ELF ld.so's exec segment is also
labelled valid; ld.so then has enough information to register libc's
exec section as valid via call-once msyscall(2)
For dynamic binaries, we continue to to permit the main program exec
segment because "go" (and potentially a few other applications) have
embedded system calls in the main program. Hopefully at least go gets
fixed soon.
We declare the concept of embedded syscalls a bad idea for numerous
reasons, as we notice the ecosystem has many of
static-syscall-in-base-binary which are dynamically linked against
libraries which in turn use libc, which contains another set of
syscall stubs. We've been concerned about adding even one additional
syscall entry point... but go's approach tends to double the entry-point
attack surface.
This was started at a nano-hackathon in Bob Beck's basement 2 weeks
ago during a long discussion with mortimer trying to hide from the SSL
scream-conversations, and finished in more comfortable circumstances
next to a wood-stove at Elk Lakes cabin with UVM scream-conversations.
ok guenther kettenis mortimer, lots of feedback from others
conversations about go with jsing tb sthen
|
|
|
|
|
|
|
|
| |
the change in __getcwd(2)'s return value. Fix it by switching to the
__realpath(2) syscall, eliminating the ld.so copy of realpath().
problem caught by regress and noted by bluhm@
ok deraadt@
|
|
|
|
| |
ok kettenis guenther
|
|
|
|
|
| |
which is largely MI.
ok visa kettenis
|
|
|
|
|
|
|
|
| |
simply exiting, via helper functions _dl_die(), _dl_diedie(), and
_dl_oom().
prompted by a complaint from jsing@
ok jsing@ deraadt@
|
|
|
|
|
|
|
| |
Move _dl_mmap() and _dl_mquery() inlines from archdep.h to syscall.h and
remove pointless casts and unnecessary parens.
ok kettenis@
|
|
|
|
| |
ok deraadt@
|
|
|
|
|
|
| |
for our development process.
ok kettenis@ deraadt@
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
This stores errno, the cancelation flags, and related bits for each thread
and is allocated by ld.so or libc.a. This is an ABI break from 5.9-stable!
Make libpthread dlopen'able by moving the cancelation wrappers into libc
and doing locking and fork/errno handling via callbacks that libpthread
registers when it first initializes. 'errno' *must* be declared via
<errno.h> now!
Clean up libpthread's symbol exports like libc.
On powerpc, offset the TIB/TCB/TLS data from the register per the ELF spec.
Testing by various, particularly sthen@ and patrick@
ok kettenis@
|
|
|
|
|
|
| |
as osendsyslog for a while. The three argument variant is the only
one that will stay.
input kettenis@; OK deraadt@
|
|
|
|
|
|
| |
and pass the LOG_CONS flag like libc's handler.
ok deraadt@ bluhm@ (who had a similar diff)
|
|
|
|
|
|
|
|
| |
that it should show information about the program it loads, rather than
run it. In that specific case, ld.so can pledge to "stdio rpath" to
ensure that code path in ld.so has no bugs.
Yes, a pledge in ld.so.... who'd have thought!
ok guenther
|
|
|
|
|
|
|
|
| |
the callback, and the sigprocmask stub.
Keep around the DL_SETBINDLCK case until libpthread stops using it.
discussed with miod@ at l2k15
ok kettenis@
|
|
|
|
| |
discussion, help and ok guenther@
|
|
|
|
|
| |
(previously completely retarded) stack_smash_handler of ld.so
ok beck miod tedu
|
|
|
|
| |
ok otto@ miod@
|
| |
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
members to 64bit types. Assign new syscall numbers for (almost
all) the syscalls that involve the affected types, including anything
with time_t, timeval, itimerval, timespec, rusage, dirent, stat,
or kevent arguments. Add a d_off member to struct dirent and replace
getdirentries() with getdents(), thus immensely simplifying and
accelerating telldir/seekdir. Build perl with -DBIG_TIME.
Bump the major on every single base library: the compat bits included
here are only good enough to make the transition; the T32 compat
option will be burned as soon as we've reached the new world are
are happy with the snapshots for all architectures.
DANGER: ABI incompatibility. Updating to this kernel requires extra
work or you won't be able to login: install a snapshot instead.
Much assistance in fixing userland issues from deraadt@ and tedu@
and build assistance from todd@ and otto@
|
|
|
|
| |
ok matthew@ millert@
|
|
|
|
|
|
| |
whitespace, and no argument names.
ok matthew@ deraadt@
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
each plt call, allowing to trace a binary linked against shared library at the
public function call level.
To do so, ltrace(1) sets up some environment variables to enable plt tracing
in ld.so, and invokes ktrace(2) for utrace events. ld.so will force lazy
binding and will send an utrace record in the plt resolver, without updating
the plt.
Minimal filtering capabilities are provided, inspired by Solaris' truss -u,
to limit tracing to libraries and/or symbol names. Non-traced libraries and
symbols will have the regular resolver processing, with the expected plt
update.
"Get it in" deraadt
|
|
|
|
| |
Improvements and okay matthew@, millert@, guenther@
|
|
|
|
| |
ok matthew@ deraadt@
|
|
|
|
|
|
|
|
| |
so it works correctly with large offsets (and matches other systems).
This requires adding a new getdirentries syscall, with the old one
renamed to ogetdirentries. All in-tree consumers of getdirentries()
have been updated. Bump libc and libpthread major numbers.
OK and with deraadt@
|
|
|
|
|
|
|
| |
use _dl_mmap_error() to check for mmap() errors. Adjust datatypes of
some local vars for 64-bit safety.
okay millert@ drahn@
|
|
|
|
|
|
|
|
| |
Prelink fixes the address of libraries making 'return to libc' attacks trival,
prebind uses a different method to achieve most of the same gains, however
without adding any security conerns.
Still under development, now in-tree.
|
| |
|
|
lazy binding not working yet. problem exists with gcc and -fpic jump tables.
ok mickey@
|