| Commit message (Collapse) | Author | Age | Files | Lines |
|---|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
enforce a new policy: system calls must be in pre-registered regions.
We have discussed more strict checks than this, but none satisfy the
cost/benefit based upon our understanding of attack methods, anyways
let's see what the next iteration looks like.
This is intended to harden (translation: attackers must put extra
effort into attacking) against a mixture of W^X failures and JIT bugs
which allow syscall misinterpretation, especially in environments with
polymorphic-instruction/variable-sized instructions. It fits in a bit
with libc/libcrypto/ld.so random relink on boot and no-restart-at-crash
behaviour, particularily for remote problems. Less effective once on-host
since someone the libraries can be read.
For static-executables the kernel registers the main program's
PIE-mapped exec section valid, as well as the randomly-placed sigtramp
page. For dynamic executables ELF ld.so's exec segment is also
labelled valid; ld.so then has enough information to register libc's
exec section as valid via call-once msyscall(2)
For dynamic binaries, we continue to to permit the main program exec
segment because "go" (and potentially a few other applications) have
embedded system calls in the main program. Hopefully at least go gets
fixed soon.
We declare the concept of embedded syscalls a bad idea for numerous
reasons, as we notice the ecosystem has many of
static-syscall-in-base-binary which are dynamically linked against
libraries which in turn use libc, which contains another set of
syscall stubs. We've been concerned about adding even one additional
syscall entry point... but go's approach tends to double the entry-point
attack surface.
This was started at a nano-hackathon in Bob Beck's basement 2 weeks
ago during a long discussion with mortimer trying to hide from the SSL
scream-conversations, and finished in more comfortable circumstances
next to a wood-stove at Elk Lakes cabin with UVM scream-conversations.
ok guenther kettenis mortimer, lots of feedback from others
conversations about go with jsing tb sthen
|
| |
|
|
|
|
|
|
|
|
| |
of resource limit structs has been done between processes. By applying
copy-on-write also between threads, threads can read rlimits in
a nearly lock-free manner.
Inspired by code in DragonFly BSD and FreeBSD.
OK mpi@, agreement from jmatthew@ and anton@
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
| |
syscall) confirm the stack register points at MAP_STACK memory, otherwise
SIGSEGV is delivered. sigaltstack() and pthread_attr_setstack() are modified
to create a MAP_STACK sub-region which satisfies alignment requirements.
Observe that MAP_STACK can only be set/cleared by mmap(), which zeroes the
contents of the region -- there is no mprotect() equivalent operation, so
there is no MAP_STACK-adding gadget.
This opportunistic software-emulation of a stack protection bit makes
stack-pivot operations during ROPchain fragile (kind of like removing a
tool from the toolbox).
original discussion with tedu, uvm work by stefan, testing by mortimer
ok kettenis
|
| |
|
|
| |
ok deraadt@
|
| |
|
|
|
|
| |
grabbing the rnglock repeatedly.
ok deraadt@ djm@
|
| |
|
|
| |
ok deraadt@, millert@, stefan@
|
| | |
|
| |
|
|
|
|
|
| |
have any direct symbols used. Tested for indirect use by compiling
amd64/i386/sparc64 kernels.
ok tedu@ deraadt@
|
| |
|
|
| |
MACHINE_STACK_GROWS_UP.
|
| |
|
|
|
|
| |
fixed stack area of the exec'd image, and risking hitting process limits,
should we want to increase stackgap_random, the randomness is applied to the
stack region in the process' vmspace.
|
| |
|
|
|
|
|
| |
legitimately use random section variables without execve failures...
Because this section is not demand faulted, yield() every page during
the fill otherwise the costs are charged poorly.
ok tedu matthew
|
| |
|
|
|
|
| |
doesn't have all the values and therefore can't be used everywhere.
ok deraadt@ kettenis@
|
| |
|
|
|
|
| |
objective: vnode.h doesn't include uvm_extern.h anymore.
followup changes: include uvm_extern.h or lock.h where necessary.
ok and help from deraadt
|
| |
|
|
|
|
| |
eliminating the must-be-kept-in-sync UVM_INH_* macros
ok deraadt@ tedu@
|
| | |
|
| |
|
|
| |
to include that than rdnvar.h. ok deraadt dlg
|
| |
|
|
| |
vmcmd_map_zero() just returns the result of uvm_map(), so make it a tail call
|
| |
|
|
|
|
|
| |
PROT_NONE, PROT_READ, PROT_WRITE, and PROT_EXEC from mman.h.
PROT_MASK is introduced as the one true way of extracting those bits.
Remove UVM_ADV_* wrapper, using the standard names.
ok doug guenther kettenis
|
| | |
|
| |
|
|
| |
ok doug tedu
|
| | |
|
| |
|
|
| |
after discussions with beck deraadt kettenis.
|
| |
|
|
|
| |
don't need to be married.
ok guenther miod beck jsing kettenis
|
| |
|
|
| |
ok guenther
|
| |
|
|
|
|
|
|
| |
it to be writable but otherwise uses the correct final permissions.
Ergo, it only needs to call uvm_map_protect() if the requested
permissions didn't include UVM_PROT_WRITE.
ok beck@
|
| |
|
|
|
|
| |
<uvm/uvm.h> if possible and remove double inclusions.
ok beck@, mlarkin@, deraadt@
|
| | |
|
| |
|
|
|
|
|
|
| |
segments to the kernel, ld (2.15), and ld.so. Tested on alpha, amd64,
i386, macppc, and sparc64 (thanks naddy, mpi, and okan!).
Idea discussed for some time; committing now for further testing.
ok deraadt
|
| | |
|
| |
|
|
| |
kern_descrip.c change ok deraadt
|
| |
|
|
|
|
| |
locked; with this diff VFSDEBUG kernels can boot again
ok pedro, thib (who came up with the same diff)
|
| |
|
|
| |
ok deraadt@ markus@
|
| |
|
|
|
|
|
| |
final protection has an X. Doesn't really change anything except reducing
I$ flushing.
niklas@ ok
|
| | |
|
| |
|
|
|
|
|
|
| |
Also uvm_map returns KERN_* codes that are directly mapped to
errnos, so we can return them instead of doing some attempt to
translation.
drahn@ "I see no problem" pval@ "makes sense"
|
| |
|
|
|
| |
It triggers on ppc and while the check itself is correct, it's better to
fix the bug before breaking peoples systems.
|
| | |
|
| | |
|
| |
|
|
| |
doesn't do anything since no pmap implements exec protection yet.
|
| | |
|
| |
|
|
|
|
|
|
|
| |
machines or some configurations or in some phase of the moon (we actually
don't know when or why) files disappeared. Since we've not been able to
track down the problem in two weeks intense debugging and we need -current
to be stable, back out everything to a state it had before UBC.
We apologise for the inconvenience.
|
| |
|
|
|
| |
This time we're getting rid of KERN_* and VM_PAGER_* error codes and
use errnos instead.
|
| |
|
|
|
|
|
| |
code is written mostly by Chuck Silvers <chuq@chuq.com>/<chs@netbsd.org>.
Tested for the past few weeks by many developers, should be in a pretty stable
state, but will require optimizations and additional cleanups.
|
| |
|
|
| |
for the virtual address.
|
| |
|
|
| |
(Look ma, I might have broken the tree)
|
| | |
|
| | |
|
| |
|
|
|
|
|
|
|
|
|
| |
to 8.
At the same time it seemed like a good idea to avoid to always malloc a
new vmcmd array, so put the default sized array into struct exec_vmcmd_set.
We might want to make a linked list of vmcmd arrays or exec_vmcmd_sets instead
of reallocating them some time in the future, but right now this seems like a
waste of time.
|
| |
|
|
| |
Other commands were checked and look safe.
|
| | |
|
deraadt
visa
mortimer
kettenis
jsg
miod
guenther
tedu
matthew
mpi
jmc
sturm
hshoexer
art
mickey
millert