Home | History | Annotate | Download | only in kern
History log of /src/sys/kern/kern_pax.c
RevisionDateAuthorComments
 1.63  26-Oct-2022  riastradh kern/kern_pax.c: Get maxsmap from sys/resourcevar.h.
 1.62  30-Aug-2021  rin Respect alignment requests of executable when PAX_ASLR is enabled on
kernel, but disabled for the process, as in the same manner as PAX_ASLR
is disabled; see pax_aslr_exec_offset() for !PAX_ASLR in sys/sys/pax.h.

This is a regression introduced in kern_pax.c rev 1.58:
http://cvsweb.netbsd.org/bsdweb.cgi/src/sys/kern/kern_pax.c#rev1.58

Part of PR port-arm/56380 but unfortunately this does not fix the
problem described in the PR...
 1.61  23-Jan-2020  ad PAX_SEGVGUARD doesn't seem to work properly in testing for me, but at least
make it not cause problems:

- Cover it with exec_lock so the updates are not racy.
- Using fileassoc is silly. Just hang a pointer off the vnode.
 1.60  25-Jun-2017  snj branches: 1.60.6; 1.60.12;
fix typo
 1.59  06-May-2017  joerg Extend the mmap(2) interface to allow requesting protections for later
use with mprotect(2), but without enabling them immediately.

Extend the mremap(2) interface to allow duplicating mappings, i.e.
create a second range of virtual addresses references the same physical
pages. Duplicated mappings can have different effective protections.

Adjust PAX mprotect logic to disallow effective protections of W&X, but
allow one mapping W and another X protections. This obsoletes using
temporary files for purposes like JIT.

Adjust PAX logic for mmap(2) and mprotect(2) to fail if W&X is requested
and not silently drop the X protection.

Improve test cases to ensure correct operation of the changed
interfaces.
 1.58  18-Feb-2017  chs branches: 1.58.4;
obey the executable's ELF alignment constraints for PIE.
this fixes gdb of PIE binaries on mac68k (and other platforms
which use an ELF alignment that is larger than PAGE_SIZE).
 1.57  17-Sep-2016  christos branches: 1.57.2;
move aslr stuff to the aslr section
 1.56  03-Sep-2016  christos vsize_t is not always u_long :-)
 1.55  27-May-2016  christos branches: 1.55.2;
fix compilation without PAX_MPROTECT
 1.54  25-May-2016  wiz Consistent indent.
 1.53  25-May-2016  christos Give 0,1,2 for security.pax.mprotect.ptrace and make it default to 1
as documented in sysctl(7):
0 - ptrace does not affect mprotect
1 - (default) mprotect is disabled for processes that start executing from
the debugger (being traced)
2 - mprotect restrictions are relaxed for traced processes
 1.52  25-May-2016  christos Introduce security.pax.mprotect.ptrace sysctl which can be used to bypass
mprotect settings so that debuggers can write to the text segment of traced
processes so that they can insert breakpoints. Turned off by default.
Ok: chuq (for now)
 1.51  25-May-2016  christos randomize the location of the rtld.
 1.50  24-May-2016  martin Effectively disable aslr for non-topdown-VA binaries (unless they are
compat32, which we deal with properly). It would be possible to get
those working too, but it is not worth the code complexity.

This makes binaries compiled with -mcmodel=medlow (and ancient binaries)
work again on sparc64, smoothing the upgrade path.

ok: christos
 1.49  22-May-2016  christos reduce #ifdef mess caused by PaX
 1.48  22-May-2016  christos Account for the VA hole differently (simpler)
 1.47  19-May-2016  christos fix for ILP32.
 1.46  17-May-2016  christos Hook to clamp the random value for mmap for machies that don't have enough
VA bits.
 1.45  14-May-2016  christos only print debugging info if we are actually going to change the permission.
 1.44  13-May-2016  christos - make pax aslr stack eat up to 1/8 of the max stack space insted of 1/4
and reduce the length of the randomization bits since this is unused.
- call the pax aslr stack function sooner so we don't need to re-adjust the
stack size.
- adjust the stack max resource limit to account for the maximum space that
can be lost by aslr
- tidy up debugging printfs
 1.43  08-May-2016  christos Fix stack allocation; limit delta to a quarter of the stack size. This should
get rid of the random aborts.
 1.42  08-May-2016  christos Move all the randomization inside kern_pax.c so we can control it directly.
Add debugging flags to be able to set the random number externally.
 1.41  10-Apr-2016  christos GC PAX_ASLR_EXEC
 1.40  10-Apr-2016  christos Fix ASLR stack setup:
- make it work on machine where the stack grows up.
- use the same limits as mmap.
 1.39  10-Apr-2016  christos Add a flags sysctl for ASLR to disable particular features. We seem to be
having issues with stack setup.
 1.38  07-Apr-2016  christos Add PAX_MPROTECT_DEBUG
 1.37  04-Apr-2016  christos Add some diagnostic printf's when we reset permissions.
 1.36  20-Mar-2016  christos simplify.
 1.35  20-Mar-2016  khorben Let PaX ASLR know about the current emulation

This effectively fixes PaX ASLR with 32-bits emulation on 64-bits
platforms. Without this knowledge, the offset applied for 32-bits
programs was really meant for a 64-bits address space - thus
shifting the address up to 12 bits, with a success rate of about
1/4096. This offset is calculated once in the lifetime of the
process, which therefore behaved normally when able to start.

Fixes kern/50469, probably also kern/50986

Tested on NetBSD/amd64 (emul_netbsd32)
 1.34  19-Mar-2016  christos Allow enabling and disabling PaX ASLR debug
 1.33  09-Oct-2015  christos PR/50312: Robert Elz: Unconditionally include <sys/exec.h> to fix compilation
when PAX_ASLR is not defined.
 1.32  26-Sep-2015  maxv Revamp the way processes are PaX'ed in the kernel. Sent on tech-kern@ two
months ago, but no one reviewed it - probably because it's not a trivial
change.

This change fixes the following bug: when loading a PaX'ed binary, the
kernel updates the PaX flag of the calling process before it makes sure
the new process is actually launched. If the kernel fails to launch the
new process, it does not restore the PaX flag of the calling process,
leaving it in an inconsistent state.

Actually, simply restoring it would be horrible as well, since in the
meantime another thread may have used the flag.

The solution is therefore: modify all the functions used by PaX so that
they take as argument the exec package instead of the lwp, and set the PaX
flag in the process *right before* launching the new process - it cannot
fail in the meantime.
 1.31  04-Aug-2015  maxv Some changes, to reduce a bit my tech-kern@ patch:
- move the P_PAX_ flags out of #ifdef PAX_ASLR in pax.h
- add a generic pax_flags_active() function
- fix a comment in exec_elf.c; interp is not static
- KNF for return
- rename pax_aslr() to pax_aslr_mmap()
- rename pax_segvguard_cb() to pax_segvguard_cleanup_cb()
 1.30  31-Jul-2015  maxv Small changes:
- rename pax_aslr_init() to pax_aslr_init_vm()
- remove the PAX_ flags (unused)
- fix a comment in pax.h
 1.29  30-Jul-2015  maxv Revamp PaX:
- don't confuse between ELF flags and proc flags. Introduce the proc-
specific P_PAX_ASLR, P_PAX_MPROTECT and P_PAX_GUARD flags.
- introduce pax_setup_elf_flags(), which takes as argument the PaX flag
of the ELF PaX note section, and which sets the proc flag as
appropriate. Also introduce a couple of other functions used for that
purpose.
- modify pax_aslr_active(), and all the other similar pieces of code, so
that it checks the proc flag directly, without extra ELF computation

In addition to making PaX clearer, the combination of these changes fixes
the following bug: if a non-PaX'ed process is launched, and then someone
sets security.pax.{aslr,mprotect,segvguard}.global=1, the process becomes
PaX'ed while its address space hasn't been randomized, which is not likely
to be a good idea.

Now, only the proc flag is checked at runtime, which means the process's
PaX status won't be altered during the execution.

Also:
- declare PAX_DPRINTF, makes it more readable
- fix a typo in exec_elf.h
 1.28  13-Apr-2015  riastradh <sys/rnd.h> not needed for kern_pax.c.
 1.27  25-Feb-2014  pooka branches: 1.27.6;
Ensure that the top level sysctl nodes (kern, vfs, net, ...) exist before
the sysctl link sets are processed, and remove redundancy.

Shaves >13kB off of an amd64 GENERIC, not to mention >1k duplicate
lines of code.
 1.26  19-Nov-2011  tls branches: 1.26.8; 1.26.12;
First step of random number subsystem rework described in
<20111022023242.BA26F14A158@mail.netbsd.org>. This change includes
the following:

An initial cleanup and minor reorganization of the entropy pool
code in sys/dev/rnd.c and sys/dev/rndpool.c. Several bugs are
fixed. Some effort is made to accumulate entropy more quickly at
boot time.

A generic interface, "rndsink", is added, for stream generators to
request that they be re-keyed with good quality entropy from the pool
as soon as it is available.

The arc4random()/arc4randbytes() implementation in libkern is
adjusted to use the rndsink interface for rekeying, which helps
address the problem of low-quality keys at boot time.

An implementation of the FIPS 140-2 statistical tests for random
number generator quality is provided (libkern/rngtest.c). This
is based on Greg Rose's implementation from Qualcomm.

A new random stream generator, nist_ctr_drbg, is provided. It is
based on an implementation of the NIST SP800-90 CTR_DRBG by
Henric Jungheim. This generator users AES in a modified counter
mode to generate a backtracking-resistant random stream.

An abstraction layer, "cprng", is provided for in-kernel consumers
of randomness. The arc4random/arc4randbytes API is deprecated for
in-kernel use. It is replaced by "cprng_strong". The current
cprng_fast implementation wraps the existing arc4random
implementation. The current cprng_strong implementation wraps the
new CTR_DRBG implementation. Both interfaces are rekeyed from
the entropy pool automatically at intervals justifiable from best
current cryptographic practice.

In some quick tests, cprng_fast() is about the same speed as
the old arc4randbytes(), and cprng_strong() is about 20% faster
than rnd_extract_data(). Performance is expected to improve.

The AES code in src/crypto/rijndael is no longer an optional
kernel component, as it is required by cprng_strong, which is
not an optional kernel component.

The entropy pool output is subjected to the rngtest tests at
startup time; if it fails, the system will reboot. There is
approximately a 3/10000 chance of a false positive from these
tests. Entropy pool _input_ from hardware random numbers is
subjected to the rngtest tests at attach time, as well as the
FIPS continuous-output test, to detect bad or stuck hardware
RNGs; if any are detected, they are detached, but the system
continues to run.

A problem with rndctl(8) is fixed -- datastructures with
pointers in arrays are no longer passed to userspace (this
was not a security problem, but rather a major issue for
compat32). A new kernel will require a new rndctl.

The sysctl kern.arandom() and kern.urandom() nodes are hooked
up to the new generators, but the /dev/*random pseudodevices
are not, yet.

Manual pages for the new kernel interfaces are forthcoming.
 1.25  24-Apr-2011  rmind branches: 1.25.4;
- Replace few malloc(9) uses with kmem(9).
- Rename buf_malloc() to buf_alloc(), fix comments.
- Remove some unnecessary inclusions.
 1.24  23-Aug-2010  christos branches: 1.24.2;
Fix issues with stack allocation and pax aslr:
- since the size is unsigned, don't check just that it is > 0, but limit
it to the MAXSSIZ
- if the stack size is reduced because of aslr, make sure we reduce the
actual allocation by the same size so that the size does not wrap around.
NB: Must be pulled up to 5.x!
 1.23  15-Mar-2010  christos rename DEBUG_ASLR -> PAX_ASLR_DEBUG
 1.22  04-Jun-2008  ad branches: 1.22.8; 1.22.14; 1.22.16; 1.22.18; 1.22.20;
Fix broken enable test; fixes random coredumps.
 1.21  03-Jun-2008  ad Don't use proc specificdata. Speeds up mmap() and others.
 1.20  28-Dec-2007  elad branches: 1.20.6; 1.20.8; 1.20.10; 1.20.12;
Provide 8 more bits of stack randomization, from the PaX author.

While here, don't make too much use of one random value, and call
arc4random() directly. Allows for the removal of 'ep_random' from the
exec_package.

Prompted by and okay christos@.
 1.19  27-Dec-2007  elad PAX_ASLR_DELTA_PROG_LEN -> PAX_ASLR_DELTA_EXEC_LEN, and put it in pax.h.
Export randomized bits # for stack and exec base too via sysctl.

okay christos@.
 1.18  26-Dec-2007  christos Add PaX ASLR (Address Space Layout Randomization) [from elad and myself]

For regular (non PIE) executables randomization is enabled for:
1. The data segment
2. The stack

For PIE executables(*) randomization is enabled for:
1. The program itself
2. All shared libraries
3. The data segment
4. The stack

(*) To generate a PIE executable:
- compile everything with -fPIC
- link with -shared-libgcc -Wl,-pie

This feature is experimental, and might change. To use selectively add
options PAX_ASLR=0
in your kernel.

Currently we are using 12 bits for the stack, program, and data segment and
16 or 24 bits for mmap, depending on __LP64__.
 1.17  21-Sep-2007  dsl branches: 1.17.6; 1.17.12;
Include sys/cdefs.h first.
 1.16  24-Jun-2007  christos branches: 1.16.6; 1.16.8;
Use an elf note to handle pax arguments. This is a temporary solution to
avoid wasting OS flag bits. In the future we'll probably use fileassoc to
achieve this (once there is a way to make fileassoc persistent) or in the
shorter term libelf, so that we can add and remove the note on demand instead
of burning bits on each binary. Of course since this is a tool, this means
that we'll need to think about how to handle libelf...
 1.15  22-Feb-2007  thorpej branches: 1.15.4; 1.15.6;
TRUE -> true, FALSE -> false
 1.14  21-Feb-2007  thorpej Replace the Mach-derived boolean_t type with the C99 bool type. A
future commit will replace use of TRUE and FALSE with true and false.
 1.13  06-Feb-2007  elad branches: 1.13.2;
PR/35253: YAMAMOTO Takashi: fileassoc hash size problem

fileassoc_table_add() was removed from the KPI and made internal. From now
fileassoc(9) will manage the optimal table size internally.

Input from and okay yamt@.
 1.12  09-Jan-2007  elad Remove advertising clause from all of my stuff.
 1.11  26-Dec-2006  elad Fix copy/paste error: Veriexec's sysctl setup routine was named after
PaX's.
 1.10  23-Dec-2006  yamt - remove the fileassoc "tabledata" functionality. use mountspecific instead.
- make pax_segvguard_cb static.

tested and ok'ed by elad.
 1.9  11-Dec-2006  yamt - remove a static configuration, FILEASSOC_NHOOKS. do it dynamically instead.
- make fileassoc_t a pointer and remove FILEASSOC_INVAL.
- clean up kern_fileassoc.c. unify duplicated code.
- unexport fileassoc_init using RUN_ONCE(9).
- plug memory leaks in fileassoc_file_delete and fileassoc_table_delete.
- always call callbacks, regardless of the value of the associated data.

ok'ed by elad.
 1.8  22-Nov-2006  elad branches: 1.8.2;
Initial implementation of PaX Segvguard (this is still work-in-progress,
it's just to get it out of my local tree).
 1.7  22-Nov-2006  elad Make PaX MPROTECT use specificdata(9), freeing up two P_* flags.
While here, make more generic for upcoming PaX features.
 1.6  01-Nov-2006  yamt - remove an unnecessary #include.
- make some variables static.
 1.5  25-Oct-2006  cbiere Added missing whitespace in sysctl description string. PR kern/34915.
 1.4  26-Sep-2006  elad Change the PaX mprotect(2) restrictions' "global_protection" knob to
just "global" -- it's shorter and more readable. Update documentation.
 1.3  20-May-2006  elad branches: 1.3.2; 1.3.4; 1.3.6; 1.3.10; 1.3.14; 1.3.16; 1.3.18;
Better implementation of PaX MPROTECT, after looking some more into the
code and not trying to use temporary solutions.

Lots of comments and help from YAMAMOTO Takashi, also thanks to the PaX
author for being quick to recognize that something fishy's going on. :)

Hook up in mmap/vmcmd rather than (ugh!) uvm_map_protect().

Next time I suggest to commit a temporary solution just revoke my
commit bit.
 1.2  18-May-2006  elad branches: 1.2.2;
CTLFLAG_IMMEDIATE doesn't do what I thought it did. from yamt@, thanks!
 1.1  16-May-2006  elad Introduce PaX MPROTECT -- mprotect(2) restrictions used to strengthen
W^X mappings.

Disabled by default.

First proposed in:

http://mail-index.netbsd.org/tech-security/2005/12/18/0000.html

More information in:

http://pax.grsecurity.net/docs/mprotect.txt

Read relevant parts of options(4) and sysctl(3) before using!

Lots of thanks to the PaX author and Matt Thomas.
 1.2.2.1  19-Jun-2006  chap Sync with head.
 1.3.18.3  18-Dec-2006  yamt sync with head.
 1.3.18.2  10-Dec-2006  yamt sync with head.
 1.3.18.1  22-Oct-2006  yamt sync with head
 1.3.16.2  09-Sep-2006  rpaulo sync with head
 1.3.16.1  20-May-2006  rpaulo file kern_pax.c was added on branch rpaulo-netinet-merge-pcb on 2006-09-09 02:57:16 +0000
 1.3.14.3  09-Feb-2007  ad Sync with HEAD.
 1.3.14.2  12-Jan-2007  ad Sync with head.
 1.3.14.1  18-Nov-2006  ad Sync with head.
 1.3.10.7  21-Jan-2008  yamt sync with head
 1.3.10.6  27-Oct-2007  yamt sync with head.
 1.3.10.5  03-Sep-2007  yamt sync with head.
 1.3.10.4  26-Feb-2007  yamt sync with head.
 1.3.10.3  30-Dec-2006  yamt sync with head.
 1.3.10.2  21-Jun-2006  yamt sync with head.
 1.3.10.1  20-May-2006  yamt file kern_pax.c was added on branch yamt-lazymbuf on 2006-06-21 15:09:37 +0000
 1.3.6.2  01-Jun-2006  kardel Sync with head.
 1.3.6.1  20-May-2006  kardel file kern_pax.c was added on branch simonb-timecounters on 2006-06-01 22:38:07 +0000
 1.3.4.2  24-May-2006  tron Merge 2006-05-24 NetBSD-current into the "peter-altq" branch.
 1.3.4.1  20-May-2006  tron file kern_pax.c was added on branch peter-altq on 2006-05-24 15:50:40 +0000
 1.3.2.2  24-May-2006  yamt sync with head.
 1.3.2.1  20-May-2006  yamt file kern_pax.c was added on branch yamt-pdpolicy on 2006-05-24 10:58:41 +0000
 1.8.2.2  09-Jul-2007  liamjfoy Pull up following revision(s) (requested by christos in ticket #755):
sys/sys/pax.h: revision 1.9
sys/sys/exec_elf.h: revision 1.90
usr.sbin/paxctl/paxctl.c: revision 1.2
sys/kern/kern_pax.c: revision 1.16
sys/sys/exec.h: revision 1.117
sys/kern/exec_elf32.c: revision 1.124
libexec/ld.elf_so/sysident.h: revision 1.14
Use an elf note to handle pax arguments. This is a temporary solution to
avoid wasting OS flag bits. In the future we'll probably use fileassoc to
achieve this (once there is a way to make fileassoc persistent) or in the
shorter term libelf, so that we can add and remove the note on demand instead
of burning bits on each binary. Of course since this is a tool, this means
that we'll need to think about how to handle libelf...
 1.8.2.1  04-Jan-2007  bouyer branches: 1.8.2.1.2;
Pull up following revision(s) (requested by elad in ticket #314):
sys/kern/kern_verifiedexec.c: revision 1.86
sys/kern/kern_pax.c: revision 1.11
Fix copy/paste error: Veriexec's sysctl setup routine was named after
PaX's.
 1.8.2.1.2.1  03-Sep-2007  wrstuden Sync w/ NetBSD-4-RC_1
 1.13.2.1  27-Feb-2007  yamt - sync with head.
- move sched_changepri back to kern_synch.c as it doesn't know PPQ anymore.
 1.15.6.1  11-Jul-2007  mjf Sync with head.
 1.15.4.2  09-Oct-2007  ad Sync with head.
 1.15.4.1  15-Jul-2007  ad Sync with head.
 1.16.8.2  09-Jan-2008  matt sync with HEAD
 1.16.8.1  06-Nov-2007  matt sync with HEAD
 1.16.6.1  02-Oct-2007  joerg Sync with HEAD.
 1.17.12.1  02-Jan-2008  bouyer Sync with HEAD
 1.17.6.1  18-Feb-2008  mjf Sync with HEAD.
 1.20.12.1  23-Jun-2008  wrstuden Sync w/ -current. 34 merge conflicts to follow.
 1.20.10.3  09-Oct-2010  yamt sync with head
 1.20.10.2  11-Aug-2010  yamt sync with head.
 1.20.10.1  04-May-2009  yamt sync with head.
 1.20.8.1  17-Jun-2008  yamt sync with head.
 1.20.6.1  05-Jun-2008  mjf Sync with HEAD.

Also fix build.
 1.22.20.3  31-May-2011  rmind sync with head
 1.22.20.2  05-Mar-2011  rmind sync with head
 1.22.20.1  30-May-2010  rmind sync with head
 1.22.18.2  22-Oct-2010  uebayasi Sync with HEAD (-D20101022).
 1.22.18.1  30-Apr-2010  uebayasi Sync with HEAD.
 1.22.16.1  20-May-2011  matt bring matt-nb5-mips64 up to date with netbsd-5-1-RELEASE (except compat).
 1.22.14.1  31-Aug-2010  bouyer Pull up following revision(s) (requested by christos in ticket #1444):
sys/kern/kern_pax.c: revision 1.24
sys/kern/exec_subr.c: revision 1.65
Fix issues with stack allocation and pax aslr:
- since the size is unsigned, don't check just that it is > 0, but limit
it to the MAXSSIZ
- if the stack size is reduced because of aslr, make sure we reduce the
actual allocation by the same size so that the size does not wrap around.
NB: Must be pulled up to 5.x!
 1.22.8.1  31-Aug-2010  bouyer Pull up following revision(s) (requested by christos in ticket #1444):
sys/kern/kern_pax.c: revision 1.24
sys/kern/exec_subr.c: revision 1.65
Fix issues with stack allocation and pax aslr:
- since the size is unsigned, don't check just that it is > 0, but limit
it to the MAXSSIZ
- if the stack size is reduced because of aslr, make sure we reduce the
actual allocation by the same size so that the size does not wrap around.
NB: Must be pulled up to 5.x!
 1.24.2.1  06-Jun-2011  jruoho Sync with HEAD.
 1.25.4.2  22-May-2014  yamt sync with head.

for a reference, the tree before this commit was tagged
as yamt-pagecache-tag8.

this commit was splitted into small chunks to avoid
a limitation of cvs. ("Protocol error: too many arguments")
 1.25.4.1  17-Apr-2012  yamt sync with head
 1.26.12.1  18-May-2014  rmind sync with head
 1.26.8.2  03-Dec-2017  jdolecek update from HEAD
 1.26.8.1  20-Aug-2014  tls Rebase to HEAD as of a few days ago.
 1.27.6.7  28-Aug-2017  skrll Sync with HEAD
 1.27.6.6  05-Oct-2016  skrll Sync with HEAD
 1.27.6.5  29-May-2016  skrll Sync with HEAD
 1.27.6.4  22-Apr-2016  skrll Sync with HEAD
 1.27.6.3  27-Dec-2015  skrll Sync with HEAD (as of 26th Dec)
 1.27.6.2  22-Sep-2015  skrll Sync with HEAD
 1.27.6.1  06-Jun-2015  skrll Sync with HEAD
 1.55.2.2  20-Mar-2017  pgoyette Sync with HEAD
 1.55.2.1  04-Nov-2016  pgoyette Sync with HEAD
 1.57.2.1  21-Apr-2017  bouyer Sync with HEAD
 1.58.4.1  11-May-2017  pgoyette Sync with HEAD
 1.60.12.1  25-Jan-2020  ad Sync with head.
 1.60.6.1  08-Apr-2020  martin Merge changes from current as of 20200406

RSS XML Feed