From owner-freebsd-current@FreeBSD.ORG Wed Nov 16 09:07:42 2011
Date: Wed, 16 Nov 2011 11:07:32 +0200
From: Kostik Belousov <kostikbel@gmail.com>
To: Oliver Pinter
Cc: Garrett Cooper, Jeremie Le Hen, current@freebsd.org, Arnaud Lacombe
Message-ID: <20111116090732.GZ50300@deviant.kiev.zoral.com.ua>
References: <20111018183219.GN50300@deviant.kiev.zoral.com.ua> <20111115165756.GA11894@felucia.tataz.chchile.org>
User-Agent: Mutt/1.4.2.3i
Subject: Re: [RFC] Enable nxstack by default
List-Id: Discussions about the use of FreeBSD-current

On Wed, Nov 16, 2011 at 01:09:18AM +0100, Oliver Pinter wrote:
> On 11/15/11, Jeremie Le Hen wrote:
> > Hi,
> >
> > On Wed, Oct 19, 2011 at 12:37:44AM +0200, Oliver Pinter wrote:
> >> In NetBSD some PaX features [0] have been implemented (ASLR, W^X
> >> (~nxstack), mprotect restriction, veriexec, mmap randomization [2], ...).
> >>
> >> [0] http://pax.grsecurity.net/docs/index.html
> >> [1] http://www.netbsd.org/~elad/recent/man/security.8.html
> >> [2] http://people.freebsd.org/~ssouhlal/testing/stackgap-20050527.diff
> >
> > Suleiman actually wrote two patches, one randomizing the stack (the
> > one you pointed out) and another one randomizing non-fixed mmap(2)
> > calls:
> >
> > http://people.freebsd.org/~ssouhlal/testing/mmap_random-20050528.diff
> >
> > FYI, they do not apply cleanly on recent source trees (the patches were
> > made in 2005), but they can be applied with little fiddling. I'm
> > running multiple 8.x production machines with them without any problem.
>
> Yeah, I use this patch in 7-STABLE and 9-STABLE too.
> Patch for 9-STABLE is attached.

One immediate issue, which is definitely not critical, is that the size of the
main thread's stack is chopped by a random amount of bytes. This is not an
issue for a single-threaded process, because the typical default stack size is
around 64M. For a threaded process, libthr cuts the stack, see
thr_init.c:init_main_thread(). There, the size of the stack is 2 or 4MB, and
64KB might be a more significant part of it.
A missing bit from the patch is some randomization of the load address for
the PIE (which is the main feature of ASLR, I suspect). See
imgact_elf.c:exec(), et_dyn_addr calculation.

Another missing bit is the similar modification for freebsd32_copyout_strings().

The upper limit for the random offset for mmap() should be configurable in
the same way as the stack gap, instead of the dumb enable/disable knob.

There are numerous style violations in the patch, or rather, the patch fully
violates the style.

> > I've always wanted them to be committed as opt-in knobs, but I can't
> > remember why they hadn't at the time.
> >
> > Cheers,
> > --
> > Jeremie Le Hen
> >
> > Men are born free and equal. Later on, they're on their own.
> > Jean Yanne
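The thread discusses three separate randomizations (the stack gap, non-fixed mmap(2) placement and the PIE load address) and notes that the attached patch only provides the first two. A practitioner testing such a patch wants a quick way to see which of the three is actually in effect on a given kernel. The program below is an added example written for this page; it is not code from the thread, from the attached patch or from FreeBSD, and the names (varying_bits, probe, collect, NSAMPLES, the "--probe" flag) are assumptions. It re-executes itself NSAMPLES times, has each child print the address of a stack local, an anonymous mmap and a function in its own text, and then reports how many bit positions differ across runs for each of the three. A zero in the "text" row on a PIE build is exactly the missing et_dyn_addr randomization Kostik points out; a zero in the "stack" row means no stack gap at all.

```c
/* Added example, not from the thread, the patch or FreeBSD.  Build with
 * cc -o aslrcheck aslrcheck.c (add -fPIE -pie to also test PIE base
 * randomization) and run as ./aslrcheck; argv[0] must be a usable path
 * because the parent re-executes itself through popen().
 * Names below (varying_bits, probe, collect, NSAMPLES) are assumptions. */
#define _GNU_SOURCE
#include <inttypes.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/mman.h>
#include <sys/wait.h>

#define NSAMPLES 32   /* assumed number of child runs per measurement */

/* Count the bit positions at which the samples disagree.  This is a cheap
 * lower bound on the entropy the kernel injected: 0 means every run got the
 * same address, i.e. no randomization of that region was observed. */
unsigned varying_bits(const uintptr_t *samples, size_t n)
{
    uintptr_t diff = 0;
    for (size_t i = 1; i < n; i++)
        diff |= samples[i] ^ samples[0];
    unsigned bits = 0;
    for (; diff != 0; diff >>= 1)
        bits += (unsigned)(diff & 1);
    return bits;
}

/* A function in our own text segment: its address only moves if the
 * executable is a PIE and the kernel randomizes the ELF load base. */
static void probe_text_fn(void) {}

/* Child side: print one stack, one mmap and one text address, in hex. */
static int probe(void)
{
    volatile char local;                       /* lives on the main thread's stack */
    void *m = mmap(NULL, 4096, PROT_READ | PROT_WRITE,
                   MAP_PRIVATE | MAP_ANON, -1, 0);   /* non-fixed mmap(2) */
    if (m == MAP_FAILED)
        return 1;
    printf("%" PRIxPTR " %" PRIxPTR " %" PRIxPTR "\n",
           (uintptr_t)&local, (uintptr_t)m, (uintptr_t)probe_text_fn);
    return 0;
}

/* Parent side: run "<self> --probe" n times and collect the three addresses
 * from each run.  Returns 0 on success, -1 if any child failed to report. */
static int collect(const char *self, size_t n,
                   uintptr_t *stack, uintptr_t *map, uintptr_t *text)
{
    char cmd[512];
    if (snprintf(cmd, sizeof cmd, "%s --probe", self) >= (int)sizeof cmd)
        return -1;
    for (size_t i = 0; i < n; i++) {
        FILE *p = popen(cmd, "r");
        if (p == NULL)
            return -1;
        int got = fscanf(p, "%" SCNxPTR " %" SCNxPTR " %" SCNxPTR,
                         &stack[i], &map[i], &text[i]);
        pclose(p);
        if (got != 3)
            return -1;
    }
    return 0;
}

int main(int argc, char **argv)
{
    if (argc > 1 && strcmp(argv[1], "--probe") == 0)
        return probe();

    uintptr_t st[NSAMPLES], mm[NSAMPLES], tx[NSAMPLES];
    if (collect(argv[0], NSAMPLES, st, mm, tx) != 0) {
        fprintf(stderr, "sampling failed; run as ./aslrcheck\n");
        return 1;
    }
    printf("stack: %u varying bits\n", varying_bits(st, NSAMPLES));
    printf("mmap:  %u varying bits\n", varying_bits(mm, NSAMPLES));
    printf("text:  %u varying bits (stays 0 unless built as PIE)\n",
           varying_bits(tx, NSAMPLES));
    return 0;
}
```

The bit-count is deliberately crude: with 32 runs it under-reports a wide distribution and says nothing about its shape, but it separates "randomized" from "not randomized" reliably, and on a kernel with only the stack-gap patch applied it makes the 64KB upper limit visible as a handful of varying bits just above the page-offset bits. For the stack row, remember the caveat from the thread: a threaded process shares that gap out of libthr's 2 or 4MB main-thread stack, so the same entropy costs proportionally more stack there than in a single-threaded process.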