Date: Wed, 2 Apr 2014 16:54:50 +0200
From: Oliver Pinter <oliver.pntr@gmail.com>
To: Shawn Webb <lattera@gmail.com>
Cc: FreeBSD-current <freebsd-current@freebsd.org>
Subject: Re: [CFT] ASLR and PIE on amd64
Message-ID: <CAPjTQNEJh6xqOLC0gCZV2zjtqaJtw9%2Brxfg5jW6XJiVSVxWaEA@mail.gmail.com>
In-Reply-To: <CAPjTQNH1x7UYVrV60QpaE3-q%2BJ%2B5OXRnNxhN=_UYpua-VJWvUA@mail.gmail.com>
References: <CADt0fhzxTF=CoRZSLXv3MpKJisZx1kCd48O3wqkSL-8vL3ogaA@mail.gmail.com>
 <CAPjTQNFe7mrBCWNqWiJPPW7kkE9RyhEH-3XqvVkqDzb%2B-YrZkg@mail.gmail.com>
 <20140331002436.GB14025@pwnie.vrt.sourcefire.com>
 <CAPjTQNH1x7UYVrV60QpaE3-q%2BJ%2B5OXRnNxhN=_UYpua-VJWvUA@mail.gmail.com>
[-- Attachment #1 --]

On 4/2/14, Oliver Pinter <oliver.pntr@gmail.com> wrote:
> On 3/31/14, Shawn Webb <lattera@gmail.com> wrote:
>> On Mar 31, 2014 02:07 AM +0200, Oliver Pinter wrote:
>>> On 3/22/14, Shawn Webb <lattera@gmail.com> wrote:
>>> > Hey All,
>>> >
>>> > First off, I hope that even as a non-committer, it's okay that I post
>>> > a call for testing. If not, please excuse my newbishness in this
>>> > process. This is my first time submitting a major patch upstream to
>>> > FreeBSD.
>>> >
>>> > Over the past few months, I've had the opportunity and pleasure to
>>> > enhance existing patches to FreeBSD that implement a common exploit
>>> > mitigation technology called Address Space Layout Randomization (ASLR)
>>> > along with support for Position Independent Executables (PIE).
>>> > ASLR+PIE has been a long-requested feature by many people I've met on
>>> > IRC.
>>> >
>>> > I've submitted my patch to PR kernel/181497. I'm currently in the
>>> > process of adding PIE support to certain high-visibility applications
>>> > in base (mainly network daemons). I've added a make.conf knob that
>>> > defaults to enabled (WITH_PIE=1). An application has to also explicitly
>>> > support PIE as well by defining CAN_PIE in the Makefile prior to
>>> > including bsd.prog.mk. After I get a decent amount of applications
>>> > enabled with PIE support, I'll submit one last patch.
>>> >
>>> > The following sysctls can be set with a kernel compiled with the
>>> > PAX_ASLR option:
>>> >
>>> > security.pax.aslr.status: 1
>>> > security.pax.aslr.debug: 0
>>> > security.pax.aslr.mmap_len: 16
>>> > security.pax.aslr.stack_len: 12
>>> > security.pax.aslr.exec_len: 12
>>> >
>>> > The security.pax.aslr.status sysctl enables and disables the ASLR
>>> > system as a whole. The debug sysctl gives debugging output. The
>>> > mmap_len sysctl tells the ASLR system how many bits to randomize when
>>> > mmap() is called. The stack_len sysctl tells the ASLR system how many
>>> > bits to randomize in the stack. The exec_len sysctl tells the ASLR
>>> > system how many bits to randomize the execbase (this controls PIE).
>>> > These sysctls can be set on a per-jail basis. If you have an
>>> > application which doesn't support ASLR, yet you want ASLR enabled for
>>> > everything else, you can simply place that misbehaving application in
>>> > a jail with only that jail's ASLR settings turned off.
>>> >
>>> > Please let me know how your testing goes. I'm giving a presentation at
>>> > BSDCan regarding this.
>>> >
>>> > If you want to keep tabs on my bleeding-edge development process,
>>> > please follow my progress on GitHub:
>>> > https://github.com/lattera/freebsd (branch: soldierx/lattera/aslr).
>>> >
>>> > Thank you very much,
>>>
>>> Hi!
>>>
>>> Please apply this patch. This fixed an issue with tunables.
>>
>> Patch merged successfully into my GitHub repo. Fixed with commit
>> d2c0813. I'll include it in my next patch submission upstream when I
>> submit my PIE work. Thanks!
>
> Please see the attached patch, compile and boot tested on amd64.

Some more patches, and one critical fix
(0006-PAX-ASLR-use-the-right-sysent-before-this-commit-cal.patch).

[-- Attachment #2 --]

From 33b5d96414249097847ca606a00038e6958bd871 Mon Sep 17 00:00:00 2001
From: Oliver Pinter <oliver.pntr@gmail.com>
Date: Wed, 2 Apr 2014 01:37:50 +0200
Subject: [PATCH 1/6] PAX ASLR: remove dirty hack to determine which pax_init
 should use

probably this fixed some issue with linuxulator on amd64

bump __FreeBSD_version to 1000706
Signed-off-by: Oliver Pinter <oliver.pntr@gmail.com> --- sys/amd64/amd64/elf_machdep.c | 10 ++++++++ sys/amd64/linux32/linux32_sysvec.c | 9 ++++++++ sys/arm/arm/elf_machdep.c | 10 ++++++++ sys/compat/ia32/ia32_sysvec.c | 9 ++++++++ sys/i386/i386/elf_machdep.c | 10 ++++++++ sys/i386/ibcs2/ibcs2_sysvec.c | 10 ++++++++ sys/i386/linux/linux_sysvec.c | 15 ++++++++++++ sys/ia64/ia64/elf_machdep.c | 11 +++++++++ sys/kern/imgact_aout.c | 14 +++++++++++ sys/kern/init_main.c | 1 + sys/kern/kern_pax.c | 46 ++++++++++++++++++++----------------- sys/mips/mips/elf_machdep.c | 15 ++++++++++++ sys/mips/mips/freebsd32_machdep.c | 9 ++++++++ sys/powerpc/powerpc/elf32_machdep.c | 10 ++++++++ sys/powerpc/powerpc/elf64_machdep.c | 10 ++++++++ sys/sparc64/sparc64/elf_machdep.c | 10 ++++++++ sys/sys/param.h | 2 +- sys/sys/pax.h | 3 +++ sys/sys/sysent.h | 3 +++ 19 files changed, 185 insertions(+), 22 deletions(-) diff --git a/sys/amd64/amd64/elf_machdep.c b/sys/amd64/amd64/elf_machdep.c index fdc4d56..ffb5e31 100644 --- a/sys/amd64/amd64/elf_machdep.c +++ b/sys/amd64/amd64/elf_machdep.c @@ -26,12 +26,17 @@ #include <sys/cdefs.h> __FBSDID("$FreeBSD$"); +#include "opt_pax.h" + #include <sys/param.h> #include <sys/kernel.h> #include <sys/systm.h> #include <sys/exec.h> #include <sys/imgact.h> #include <sys/linker.h> +#ifdef PAX_ASLR +#include <sys/pax.h> +#endif #include <sys/proc.h> #include <sys/sysent.h> #include <sys/imgact_elf.h> @@ -81,6 +86,11 @@ struct sysentvec elf64_freebsd_sysvec = { .sv_shared_page_base = SHAREDPAGE, .sv_shared_page_len = PAGE_SIZE, .sv_schedtail = NULL, +#ifdef PAX_ASLR + .sv_pax_aslr_init = _pax_aslr_init, +#else + .sv_pax_aslr_init = NULL, +#endif }; INIT_SYSENTVEC(elf64_sysvec, &elf64_freebsd_sysvec); diff --git a/sys/amd64/linux32/linux32_sysvec.c b/sys/amd64/linux32/linux32_sysvec.c index c06ce11..6212644 100644 --- a/sys/amd64/linux32/linux32_sysvec.c +++ b/sys/amd64/linux32/linux32_sysvec.c 
@@ -33,6 +33,7 @@ #include <sys/cdefs.h> __FBSDID("$FreeBSD$"); #include "opt_compat.h" +#include "opt_pax.h" #ifndef COMPAT_FREEBSD32 #error "Unable to compile Linux-emulator due to missing COMPAT_FREEBSD32 option!" @@ -51,6 +52,9 @@ __FBSDID("$FreeBSD$"); #include <sys/malloc.h> #include <sys/module.h> #include <sys/mutex.h> +#ifdef PAX_ASLR +#include <sys/pax.h> +#endif #include <sys/proc.h> #include <sys/resourcevar.h> #include <sys/signalvar.h> @@ -1037,6 +1041,11 @@ struct sysentvec elf_linux_sysvec = { .sv_shared_page_base = LINUX32_SHAREDPAGE, .sv_shared_page_len = PAGE_SIZE, .sv_schedtail = linux_schedtail, +#ifdef PAX_ASLR + .sv_pax_aslr_init = _pax_aslr_init32, +#else + .sv_pax_aslr_init = NULL, +#endif }; INIT_SYSENTVEC(elf_sysvec, &elf_linux_sysvec); diff --git a/sys/arm/arm/elf_machdep.c b/sys/arm/arm/elf_machdep.c index 6aec18b..8aca751 100644 --- a/sys/arm/arm/elf_machdep.c +++ b/sys/arm/arm/elf_machdep.c @@ -26,6 +26,8 @@ #include <sys/cdefs.h> __FBSDID("$FreeBSD$"); +#include "opt_pax.h" + #include <sys/param.h> #include <sys/kernel.h> #include <sys/systm.h> @@ -34,6 +36,9 @@ __FBSDID("$FreeBSD$"); #include <sys/linker.h> #include <sys/sysent.h> #include <sys/imgact_elf.h> +#ifdef PAX_ASLR +#include <sys/pax.h> +#endif #include <sys/proc.h> #include <sys/syscall.h> #include <sys/signalvar.h> @@ -79,6 +84,11 @@ struct sysentvec elf32_freebsd_sysvec = { .sv_fetch_syscall_args = cpu_fetch_syscall_args, .sv_syscallnames = syscallnames, .sv_schedtail = NULL, +#ifdef PAX_ASLR + .sv_pax_aslr_init = _pax_aslr_init, +#else + .sv_pax_aslr_init = NULL, +#endif }; static Elf32_Brandinfo freebsd_brand_info = { diff --git a/sys/compat/ia32/ia32_sysvec.c b/sys/compat/ia32/ia32_sysvec.c index a8e52e8..2897328 100644 --- a/sys/compat/ia32/ia32_sysvec.c +++ b/sys/compat/ia32/ia32_sysvec.c @@ -29,6 +29,7 @@ __FBSDID("$FreeBSD$"); #include "opt_compat.h" +#include "opt_pax.h" #define __ELF_WORD_SIZE 32 
@@ -42,6 +43,9 @@ __FBSDID("$FreeBSD$"); #include <sys/mutex.h> #include <sys/mman.h> #include <sys/namei.h> +#ifdef PAX_ASLR +#include <sys/pax.h> +#endif #include <sys/pioctl.h> #include <sys/proc.h> #include <sys/procfs.h> @@ -139,6 +143,11 @@ struct sysentvec ia32_freebsd_sysvec = { .sv_shared_page_base = FREEBSD32_SHAREDPAGE, .sv_shared_page_len = PAGE_SIZE, .sv_schedtail = NULL, +#ifdef PAX_ASLR + .sv_pax_aslr_init = _pax_aslr_init32, +#else + .sv_pax_aslr_init = NULL, +#endif }; INIT_SYSENTVEC(elf_ia32_sysvec, &ia32_freebsd_sysvec); diff --git a/sys/i386/i386/elf_machdep.c b/sys/i386/i386/elf_machdep.c index 034b4c4..f2297c8 100644 --- a/sys/i386/i386/elf_machdep.c +++ b/sys/i386/i386/elf_machdep.c @@ -26,12 +26,17 @@ #include <sys/cdefs.h> __FBSDID("$FreeBSD$"); +#include "opt_pax.h" + #include <sys/param.h> #include <sys/kernel.h> #include <sys/systm.h> #include <sys/exec.h> #include <sys/imgact.h> #include <sys/linker.h> +#ifdef PAX_ASLR +#include <sys/pax.h> +#endif #include <sys/proc.h> #include <sys/sysent.h> #include <sys/imgact_elf.h> @@ -81,6 +86,11 @@ struct sysentvec elf32_freebsd_sysvec = { .sv_shared_page_base = SHAREDPAGE, .sv_shared_page_len = PAGE_SIZE, .sv_schedtail = NULL, +#ifdef PAX_ASLR + .sv_pax_aslr_init = _pax_aslr_init, +#else + .sv_pax_aslr_init = NULL, +#endif }; INIT_SYSENTVEC(elf32_sysvec, &elf32_freebsd_sysvec); diff --git a/sys/i386/ibcs2/ibcs2_sysvec.c b/sys/i386/ibcs2/ibcs2_sysvec.c index 5d007c7..08df5b78 100644 --- a/sys/i386/ibcs2/ibcs2_sysvec.c +++ b/sys/i386/ibcs2/ibcs2_sysvec.c @@ -31,6 +31,8 @@ #include <sys/cdefs.h> __FBSDID("$FreeBSD$"); +#include "opt_pax.h" + #include <sys/param.h> #include <sys/kernel.h> #include <sys/systm.h> @@ -40,6 +42,9 @@ __FBSDID("$FreeBSD$"); #include <sys/module.h> #include <sys/sysent.h> #include <sys/signalvar.h> +#ifdef PAX_ASLR +#include <sys/pax.h> +#endif #include <sys/proc.h> #include <sys/sx.h> 
@@ -89,6 +94,11 @@ struct sysentvec ibcs2_svr3_sysvec = { .sv_fetch_syscall_args = cpu_fetch_syscall_args, .sv_syscallnames = NULL, .sv_schedtail = NULL, +#ifdef PAX_ASLR + .sv_pax_aslr_init = _pax_aslr_init, /* XXXOP */ +#else + .sv_pax_aslr_init = NULL, +#endif }; static int diff --git a/sys/i386/linux/linux_sysvec.c b/sys/i386/linux/linux_sysvec.c index 0ad6791..5b14fee 100644 --- a/sys/i386/linux/linux_sysvec.c +++ b/sys/i386/linux/linux_sysvec.c @@ -29,6 +29,8 @@ #include <sys/cdefs.h> __FBSDID("$FreeBSD$"); +#include "opt_pax.h" + #include <sys/param.h> #include <sys/systm.h> #include <sys/exec.h> @@ -41,6 +43,9 @@ __FBSDID("$FreeBSD$"); #include <sys/malloc.h> #include <sys/module.h> #include <sys/mutex.h> +#ifdef PAX_ASLR +#include <sys/pax.h> +#endif #include <sys/proc.h> #include <sys/signalvar.h> #include <sys/syscallsubr.h> @@ -974,6 +979,11 @@ struct sysentvec linux_sysvec = { .sv_shared_page_base = LINUX_SHAREDPAGE, .sv_shared_page_len = PAGE_SIZE, .sv_schedtail = linux_schedtail, +#ifdef PAX_ASLR + .sv_pax_aslr_init = _pax_aslr_init, /* XXXOP */ +#else + .sv_pax_aslr_init = NULL, +#endif }; INIT_SYSENTVEC(aout_sysvec, &linux_sysvec); @@ -1012,6 +1022,11 @@ struct sysentvec elf_linux_sysvec = { .sv_shared_page_base = LINUX_SHAREDPAGE, .sv_shared_page_len = PAGE_SIZE, .sv_schedtail = linux_schedtail, +#ifdef PAX_ASLR + .sv_pax_aslr_init = _pax_aslr_init, +#else + .sv_pax_aslr_init = NULL, +#endif }; INIT_SYSENTVEC(elf_sysvec, &elf_linux_sysvec); diff --git a/sys/ia64/ia64/elf_machdep.c b/sys/ia64/ia64/elf_machdep.c index 05cb641..a73f20f 100644 --- a/sys/ia64/ia64/elf_machdep.c +++ b/sys/ia64/ia64/elf_machdep.c @@ -25,12 +25,17 @@ * $FreeBSD$ */ +#include "opt_pax.h" + #include <sys/param.h> #include <sys/kernel.h> #include <sys/systm.h> #include <sys/exec.h> #include <sys/imgact.h> #include <sys/malloc.h> +#ifdef PAX_ASLR +#include <sys/pax.h> +#endif #include <sys/proc.h> #include <sys/namei.h> #include <sys/fcntl.h> 
@@ -86,6 +91,12 @@ struct sysentvec elf64_freebsd_sysvec = { .sv_fetch_syscall_args = cpu_fetch_syscall_args, .sv_syscallnames = syscallnames, .sv_schedtail = NULL, +#ifdef PAX_ASLR + .sv_pax_aslr_init = _pax_aslr_init, +#else + .sv_pax_aslr_init = NULL, +#endif + }; static Elf64_Brandinfo freebsd_brand_info = { diff --git a/sys/kern/imgact_aout.c b/sys/kern/imgact_aout.c index 3ae78de..be699dd 100644 --- a/sys/kern/imgact_aout.c +++ b/sys/kern/imgact_aout.c @@ -27,6 +27,8 @@ #include <sys/cdefs.h> __FBSDID("$FreeBSD$"); +#include "opt_pax.h" + #include <sys/param.h> #include <sys/exec.h> #include <sys/imgact.h> @@ -36,6 +38,9 @@ __FBSDID("$FreeBSD$"); #include <sys/lock.h> #include <sys/malloc.h> #include <sys/mutex.h> +#ifdef PAX_ASLR +#include <sys/pax.h> +#endif #include <sys/proc.h> #include <sys/racct.h> #include <sys/resourcevar.h> @@ -99,6 +104,10 @@ struct sysentvec aout_sysvec = { .sv_fetch_syscall_args = cpu_fetch_syscall_args, .sv_syscallnames = syscallnames, .sv_schedtail = NULL, +#ifdef PAX_ASLR + .sv_pax_aslr_init = _pax_aslr_init, /* XXXOP */ +#else + .sv_pax_aslr_init = NULL, }; #elif defined(__amd64__) @@ -143,6 +152,11 @@ struct sysentvec aout_sysvec = { .sv_set_syscall_retval = ia32_set_syscall_retval, .sv_fetch_syscall_args = ia32_fetch_syscall_args, .sv_syscallnames = freebsd32_syscallnames, +#ifdef PAX_ASLR + .sv_pax_aslr_init = _pax_aslr_init32, /* XXXOP */ +#else + .sv_pax_aslr_init = NULL, +#endif }; #else #error "Port me" diff --git a/sys/kern/init_main.c b/sys/kern/init_main.c index ed343b6..369408d 100644 --- a/sys/kern/init_main.c +++ b/sys/kern/init_main.c @@ -410,6 +410,7 @@ struct sysentvec null_sysvec = { .sv_fetch_syscall_args = null_fetch_syscall_args, .sv_syscallnames = NULL, .sv_schedtail = NULL, + .sv_pax_aslr_init = NULL, }; /* diff --git a/sys/kern/kern_pax.c b/sys/kern/kern_pax.c index b03cc03..9209038 100644 --- a/sys/kern/kern_pax.c +++ b/sys/kern/kern_pax.c 
@@ -30,8 +30,8 @@ #include <sys/cdefs.h> __FBSDID("$FreeBSD$"); -#include "opt_pax.h" #include "opt_compat.h" +#include "opt_pax.h" #include <sys/param.h> #include <sys/systm.h> @@ -501,6 +501,28 @@ pax_aslr_init_prison(struct prison *pr) } void +_pax_aslr_init(struct vmspace *vm, struct prison *pr) +{ + vm->vm_aslr_delta_mmap = PAX_ASLR_DELTA(arc4random(), + PAX_ASLR_DELTA_MMAP_LSB, (pr != NULL) ? pr->pr_pax_aslr_mmap_len : pax_aslr_mmap_len); + vm->vm_aslr_delta_stack = PAX_ASLR_DELTA(arc4random(), + PAX_ASLR_DELTA_STACK_LSB, (pr != NULL) ? pr->pr_pax_aslr_stack_len : pax_aslr_stack_len); + vm->vm_aslr_delta_stack = ALIGN(vm->vm_aslr_delta_stack); +} + +#ifdef COMPAT_FREEBSD32 +void +_pax_aslr_init32(struct vmspace *vm, struct prison *pr) +{ + vm->vm_aslr_delta_mmap = PAX_ASLR_DELTA(arc4random(), + PAX_ASLR_COMPAT_DELTA_MMAP_LSB, (pr != NULL) ? pr->pr_pax_aslr_compat_mmap_len : pax_aslr_compat_mmap_len); + vm->vm_aslr_delta_stack = PAX_ASLR_DELTA(arc4random(), + PAX_ASLR_COMPAT_DELTA_STACK_LSB, (pr != NULL) ? pr->pr_pax_aslr_compat_stack_len : pax_aslr_compat_stack_len); + vm->vm_aslr_delta_stack = ALIGN(vm->vm_aslr_delta_stack); +} +#endif + +void pax_aslr_init(struct thread *td, struct image_params *imgp) { struct vmspace *vm; 
@@ -522,27 +544,9 @@ pax_aslr_init(struct thread *td, struct image_params *imgp) vm = imgp->proc->p_vmspace; sv_flags = imgp->proc->p_sysent->sv_flags; -#ifndef COMPAT_FREEBSD32 - vm->vm_aslr_delta_mmap = PAX_ASLR_DELTA(arc4random(), - PAX_ASLR_DELTA_MMAP_LSB, (pr != NULL) ? pr->pr_pax_aslr_mmap_len : pax_aslr_mmap_len); - vm->vm_aslr_delta_stack = PAX_ASLR_DELTA(arc4random(), - PAX_ASLR_DELTA_STACK_LSB, (pr != NULL) ? pr->pr_pax_aslr_stack_len : pax_aslr_stack_len); - vm->vm_aslr_delta_stack = ALIGN(vm->vm_aslr_delta_stack); -#else /* COMPAT_FREEBSD32 */ - if ((sv_flags & SV_LP64) != 0) { - vm->vm_aslr_delta_mmap = PAX_ASLR_DELTA(arc4random(), - PAX_ASLR_DELTA_MMAP_LSB, (pr != NULL) ? pr->pr_pax_aslr_mmap_len : pax_aslr_mmap_len); - vm->vm_aslr_delta_stack = PAX_ASLR_DELTA(arc4random(), - PAX_ASLR_DELTA_STACK_LSB, (pr != NULL) ? pr->pr_pax_aslr_stack_len : pax_aslr_stack_len); - vm->vm_aslr_delta_stack = ALIGN(vm->vm_aslr_delta_stack); - } else { - vm->vm_aslr_delta_mmap = PAX_ASLR_DELTA(arc4random(), - PAX_ASLR_COMPAT_DELTA_MMAP_LSB, (pr != NULL) ? pr->pr_pax_aslr_compat_mmap_len : pax_aslr_compat_mmap_len); - vm->vm_aslr_delta_stack = PAX_ASLR_DELTA(arc4random(), - PAX_ASLR_COMPAT_DELTA_STACK_LSB, (pr != NULL) ? pr->pr_pax_aslr_compat_stack_len : pax_aslr_compat_stack_len); - vm->vm_aslr_delta_stack = ALIGN(vm->vm_aslr_delta_stack); + if (imgp->proc->p_sysent->sv_pax_aslr_init != NULL) { + imgp->proc->p_sysent->sv_pax_aslr_init(vm, pr); } -#endif /* !COMPAT_FREEBSD32 */ } void diff --git a/sys/mips/mips/elf_machdep.c b/sys/mips/mips/elf_machdep.c index d374713..bbf3956 100644 --- a/sys/mips/mips/elf_machdep.c +++ b/sys/mips/mips/elf_machdep.c @@ -28,6 +28,8 @@ #include <sys/cdefs.h> __FBSDID("$FreeBSD$"); +#include "opt_pax.h" + #include <sys/param.h> #include <sys/kernel.h> #include <sys/systm.h> 
@@ -36,6 +38,9 @@ __FBSDID("$FreeBSD$"); #include <sys/linker.h> #include <sys/sysent.h> #include <sys/imgact_elf.h> +#ifdef PAX_ASLR +#include <sys/pax.h> +#endif #include <sys/proc.h> #include <sys/syscall.h> #include <sys/signalvar.h> @@ -83,6 +88,11 @@ struct sysentvec elf64_freebsd_sysvec = { .sv_fetch_syscall_args = cpu_fetch_syscall_args, .sv_syscallnames = syscallnames, .sv_schedtail = NULL, +#ifdef PAX_ASLR + .sv_pax_aslr_init = _pax_aslr_init, +#else + .sv_pax_aslr_init = NULL, +#endif }; static Elf64_Brandinfo freebsd_brand_info = { @@ -139,6 +149,11 @@ struct sysentvec elf32_freebsd_sysvec = { .sv_fetch_syscall_args = cpu_fetch_syscall_args, .sv_syscallnames = syscallnames, .sv_schedtail = NULL, +#ifdef PAX_ASLR + .sv_pax_aslr_init = _pax_aslr_init32, +#else + .sv_pax_aslr_init = NULL, +#endif }; static Elf32_Brandinfo freebsd_brand_info = { diff --git a/sys/mips/mips/freebsd32_machdep.c b/sys/mips/mips/freebsd32_machdep.c index dfdf70f..9cfdb22 100644 --- a/sys/mips/mips/freebsd32_machdep.c +++ b/sys/mips/mips/freebsd32_machdep.c @@ -31,6 +31,7 @@ */ #include "opt_compat.h" +#include "opt_pax.h" #define __ELF_WORD_SIZE 32 @@ -42,6 +43,9 @@ #include <sys/exec.h> #include <sys/imgact.h> #include <sys/malloc.h> +#ifdef PAX_ASLR +#include <sys/pax.h> +#endif #include <sys/proc.h> #include <sys/namei.h> #include <sys/fcntl.h> @@ -106,6 +110,11 @@ struct sysentvec elf32_freebsd_sysvec = { .sv_fetch_syscall_args = cpu_fetch_syscall_args, .sv_syscallnames = freebsd32_syscallnames, .sv_schedtail = NULL, +#ifdef PAX_ASLR + .sv_pax_aslr_init = _pax_aslr_init32, +#else + .sv_pax_aslr_init = NULL, +#endif }; INIT_SYSENTVEC(elf32_sysvec, &elf32_freebsd_sysvec); diff --git a/sys/powerpc/powerpc/elf32_machdep.c b/sys/powerpc/powerpc/elf32_machdep.c index dbe58df..e4ab2b9 100644 --- a/sys/powerpc/powerpc/elf32_machdep.c +++ b/sys/powerpc/powerpc/elf32_machdep.c 
@@ -25,6 +25,8 @@ * $FreeBSD$ */ +#include "opt_pax.h" + #include <sys/param.h> #include <sys/kernel.h> #include <sys/systm.h> @@ -34,6 +36,9 @@ #include <sys/exec.h> #include <sys/imgact.h> #include <sys/malloc.h> +#ifdef PAX_ASLR +#include <sys/pax.h> +#endif #include <sys/proc.h> #include <sys/namei.h> #include <sys/fcntl.h> @@ -107,6 +112,11 @@ struct sysentvec elf32_freebsd_sysvec = { .sv_shared_page_base = FREEBSD32_SHAREDPAGE, .sv_shared_page_len = PAGE_SIZE, .sv_schedtail = NULL, +#ifdef PAX_ASLR + .sv_pax_aslr_init = _pax_aslr_init32, +#else + .sv_pax_aslr_init = NULL, +#endif }; INIT_SYSENTVEC(elf32_sysvec, &elf32_freebsd_sysvec); diff --git a/sys/powerpc/powerpc/elf64_machdep.c b/sys/powerpc/powerpc/elf64_machdep.c index 0c41a8d..85b5697 100644 --- a/sys/powerpc/powerpc/elf64_machdep.c +++ b/sys/powerpc/powerpc/elf64_machdep.c @@ -25,12 +25,17 @@ * $FreeBSD$ */ +#include "opt_pax.h" + #include <sys/param.h> #include <sys/kernel.h> #include <sys/systm.h> #include <sys/exec.h> #include <sys/imgact.h> #include <sys/malloc.h> +#ifdef PAX_ASLR +#include <sys/pax.h> +#endif #include <sys/proc.h> #include <sys/namei.h> #include <sys/fcntl.h> @@ -83,6 +88,11 @@ struct sysentvec elf64_freebsd_sysvec = { .sv_shared_page_base = SHAREDPAGE, .sv_shared_page_len = PAGE_SIZE, .sv_schedtail = NULL, +#ifdef PAX_ASLR + .sv_pax_aslr_init = _pax_aslr_init, +#else + .sv_pax_aslr_init = NULL, +#endif }; INIT_SYSENTVEC(elf64_sysvec, &elf64_freebsd_sysvec); diff --git a/sys/sparc64/sparc64/elf_machdep.c b/sys/sparc64/sparc64/elf_machdep.c index 4d55717..b9f2be0 100644 --- a/sys/sparc64/sparc64/elf_machdep.c +++ b/sys/sparc64/sparc64/elf_machdep.c 
@@ -34,12 +34,17 @@ #include <sys/cdefs.h> __FBSDID("$FreeBSD$"); +#include "opt_pax.h" + #include <sys/param.h> #include <sys/kernel.h> #include <sys/systm.h> #include <sys/exec.h> #include <sys/imgact.h> #include <sys/linker.h> +#ifdef PAX_ASLR +#include <sys/pax.h> +#endif #include <sys/proc.h> #include <sys/sysent.h> #include <sys/imgact_elf.h> @@ -87,6 +92,11 @@ static struct sysentvec elf64_freebsd_sysvec = { .sv_fetch_syscall_args = cpu_fetch_syscall_args, .sv_syscallnames = syscallnames, .sv_schedtail = NULL, +#ifdef PAX_ASLR + .sv_pax_aslr_init = _pax_aslr_init, +#else + .sv_pax_aslr_init = NULL, +#endif }; static Elf64_Brandinfo freebsd_brand_info = { diff --git a/sys/sys/param.h b/sys/sys/param.h index 05b5968..ae1704a 100644 --- a/sys/sys/param.h +++ b/sys/sys/param.h @@ -58,7 +58,7 @@ * in the range 5 to 9. */ #undef __FreeBSD_version -#define __FreeBSD_version 1000705 /* Master, propagated to newvers */ +#define __FreeBSD_version 1000706 /* Master, propagated to newvers */ /* * __FreeBSD_kernel__ indicates that this system uses the kernel of FreeBSD, diff --git a/sys/sys/pax.h b/sys/sys/pax.h index b66e68b..3ee3982 100644 --- a/sys/sys/pax.h +++ b/sys/sys/pax.h @@ -31,6 +31,7 @@ #define __SYS_PAX_H struct image_params; +struct prison; struct thread; struct vmspace; struct vm_offset_t; @@ -157,6 +158,8 @@ extern int pax_aslr_exec_len; void pax_init(void); void pax_aslr_init_prison(struct prison *pr); bool pax_aslr_active(struct thread *td, struct proc *proc); +void _pax_aslr_init(struct vmspace *vm, struct prison *pr); +void _pax_aslr_init32(struct vmspace *vm, struct prison *pr); void pax_aslr_init(struct thread *td, struct image_params *imgp); void pax_aslr_mmap(struct thread *td, vm_offset_t *addr, vm_offset_t orig_addr, int flags); diff --git a/sys/sys/sysent.h b/sys/sys/sysent.h index c49db41..cfbcdc0 100644 --- a/sys/sys/sysent.h +++ b/sys/sys/sysent.h 
@@ -77,9 +77,11 @@ struct sysent { /* system call table */ #define SY_THR_INCR 0x8 struct image_params; +struct prison; struct __sigset; struct syscall_args; struct trapframe; +struct vmspace; struct vnode; struct sysentvec { @@ -130,6 +132,7 @@ struct sysentvec { uint32_t sv_timekeep_gen; void *sv_shared_page_obj; void (*sv_schedtail)(struct thread *); + void (*sv_pax_aslr_init)(struct vmspace *vm, struct prison *pr); }; #define SV_ILP32 0x000100 -- 1.9.0 [-- Attachment #3 --] From 4d4088a25db1a0d7f3a3127dabab14e60c1c3bc5 Mon Sep 17 00:00:00 2001 From: Oliver Pinter <oliver.pntr@gmail.com> Date: Wed, 2 Apr 2014 12:40:26 +0200 Subject: [PATCH 2/6] PAX ASLR: updated debug messages Signed-off-by: Oliver Pinter <oliver.pntr@gmail.com> --- sys/kern/kern_pax.c | 10 +++++----- 1 file changed, 5 insertions(+), 5 deletions(-) diff --git a/sys/kern/kern_pax.c b/sys/kern/kern_pax.c index 9209038..a2ca685 100644 --- a/sys/kern/kern_pax.c +++ b/sys/kern/kern_pax.c @@ -535,7 +535,7 @@ pax_aslr_init(struct thread *td, struct image_params *imgp) pax_aslr_init_prison(pr); if (imgp == NULL) { - panic("[PaX ASLR] pax_aslr_init - imgp == NULL"); + panic("[PaX ASLR] pax_aslr_init: imgp == NULL"); } if (!pax_aslr_active(td, NULL)) 
@@ -561,17 +561,17 @@ pax_aslr_mmap(struct thread *td, vm_offset_t *addr, vm_offset_t orig_addr, int f if (!(flags & MAP_FIXED) && ((orig_addr == 0) || !(flags & MAP_ANON))) { if (pax_aslr_debug) - uprintf("[PaX ASLR] applying to %p orig_addr=%p f=%x\n", + uprintf("[PaX ASLR] pax_aslr_mmap: applying to %p orig_addr=%p flags=%x\n", (void *)*addr, (void *)orig_addr, flags); if (!(td->td_proc->p_vmspace->vm_map.flags & MAP_ENTRY_GROWS_DOWN)) *addr += td->td_proc->p_vmspace->vm_aslr_delta_mmap; else *addr -= td->td_proc->p_vmspace->vm_aslr_delta_mmap; if (pax_aslr_debug) - uprintf("[PaX ASLR] result %p\n", (void *)*addr); + uprintf("[PaX ASLR] pax_aslr_mmap: result %p\n", (void *)*addr); } else if (pax_aslr_debug) - uprintf("[PaX ASLR] not applying to %p orig_addr=%p f=%x\n", + uprintf("[PaX ASLR] pax_aslr_mmap: not applying to %p orig_addr=%p flags=%x\n", (void *)*addr, (void *)orig_addr, flags); } @@ -587,6 +587,6 @@ pax_aslr_stack(struct thread *td, uintptr_t *addr, uintptr_t orig_addr) *addr -= td->td_proc->p_vmspace->vm_aslr_delta_stack; if ((pr) && pr->pr_pax_aslr_debug) - uprintf("[PaX ASLR] orig_addr=%p, addr=%p\n", + uprintf("[PaX ASLR] pax_aslr_stack: orig_addr=%p, new_addr=%p\n", (void *)orig_addr, (void *)*addr); } -- 1.9.0 [-- Attachment #4 --] From 468472eda3b92e1ea90ccf2910b26fe2263561e0 Mon Sep 17 00:00:00 2001 From: Oliver Pinter <oliver.pntr@gmail.com> Date: Wed, 2 Apr 2014 12:43:49 +0200 Subject: [PATCH 3/6] PAX ASLR: removed unused variable Signed-off-by: Oliver Pinter <oliver.pntr@gmail.com> --- sys/kern/kern_pax.c | 2 -- 1 file changed, 2 deletions(-) diff --git a/sys/kern/kern_pax.c b/sys/kern/kern_pax.c index a2ca685..792336d 100644 --- a/sys/kern/kern_pax.c +++ b/sys/kern/kern_pax.c @@ -526,7 +526,6 @@ void pax_aslr_init(struct thread *td, struct image_params *imgp) { struct vmspace *vm; - u_int sv_flags; struct prison *pr=NULL; pr = pax_aslr_get_prison(td, NULL); 
@@ -542,7 +541,6 @@ pax_aslr_init(struct thread *td, struct image_params *imgp) return; vm = imgp->proc->p_vmspace; - sv_flags = imgp->proc->p_sysent->sv_flags; if (imgp->proc->p_sysent->sv_pax_aslr_init != NULL) { imgp->proc->p_sysent->sv_pax_aslr_init(vm, pr); -- 1.9.0 [-- Attachment #5 --] From 6396fa8200a68080919bc8f448add8bd1c255755 Mon Sep 17 00:00:00 2001 From: Oliver Pinter <oliver.pntr@gmail.com> Date: Wed, 2 Apr 2014 12:55:40 +0200 Subject: [PATCH 4/6] PaX ASLR: added more debug messages Signed-off-by: Oliver Pinter <oliver.pntr@gmail.com> --- sys/kern/kern_pax.c | 10 ++++++++++ 1 file changed, 10 insertions(+) diff --git a/sys/kern/kern_pax.c b/sys/kern/kern_pax.c index 792336d..84655d1 100644 --- a/sys/kern/kern_pax.c +++ b/sys/kern/kern_pax.c @@ -508,6 +508,11 @@ _pax_aslr_init(struct vmspace *vm, struct prison *pr) vm->vm_aslr_delta_stack = PAX_ASLR_DELTA(arc4random(), PAX_ASLR_DELTA_STACK_LSB, (pr != NULL) ? pr->pr_pax_aslr_stack_len : pax_aslr_stack_len); vm->vm_aslr_delta_stack = ALIGN(vm->vm_aslr_delta_stack); + + if (pax_aslr_debug) { + uprintf("[PaX ASLR] %s: vm_aslr_delta_mmap=%p", __func__, (void *) vm->vm_aslr_delta_mmap); + uprintf("[PaX ASLR] %s: vm_aslr_delta_stack=%p", __func__, (void *) vm->vm_aslr_delta_stack); + } } #ifdef COMPAT_FREEBSD32 @@ -519,6 +524,11 @@ _pax_aslr_init32(struct vmspace *vm, struct prison *pr) vm->vm_aslr_delta_stack = PAX_ASLR_DELTA(arc4random(), PAX_ASLR_COMPAT_DELTA_STACK_LSB, (pr != NULL) ? pr->pr_pax_aslr_compat_stack_len : pax_aslr_compat_stack_len); vm->vm_aslr_delta_stack = ALIGN(vm->vm_aslr_delta_stack); + + if (pax_aslr_debug) { + uprintf("[PaX ASLR] %s: vm_aslr_delta_mmap=%p", __func__, (void *) vm->vm_aslr_delta_mmap); + uprintf("[PaX ASLR] %s: vm_aslr_delta_stack=%p", __func__, (void *) vm->vm_aslr_delta_stack); + } } #endif -- 1.9.0 [-- Attachment #6 --] From 711f385a6cfc94e9e08837c659bf0190da8f1268 Mon Sep 17 00:00:00 2001 
From: Oliver Pinter <oliver.pntr@gmail.com> Date: Wed, 2 Apr 2014 13:25:18 +0200 Subject: [PATCH 5/6] PAX ASLR: fix debug messages, added new line Signed-off-by: Oliver Pinter <oliver.pntr@gmail.com> --- sys/kern/kern_pax.c | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/sys/kern/kern_pax.c b/sys/kern/kern_pax.c index 84655d1..3be9b47 100644 --- a/sys/kern/kern_pax.c +++ b/sys/kern/kern_pax.c @@ -510,8 +510,8 @@ _pax_aslr_init(struct vmspace *vm, struct prison *pr) vm->vm_aslr_delta_stack = ALIGN(vm->vm_aslr_delta_stack); if (pax_aslr_debug) { - uprintf("[PaX ASLR] %s: vm_aslr_delta_mmap=%p", __func__, (void *) vm->vm_aslr_delta_mmap); - uprintf("[PaX ASLR] %s: vm_aslr_delta_stack=%p", __func__, (void *) vm->vm_aslr_delta_stack); + uprintf("[PaX ASLR] %s: vm_aslr_delta_mmap=%p\n", __func__, (void *) vm->vm_aslr_delta_mmap); + uprintf("[PaX ASLR] %s: vm_aslr_delta_stack=%p\n", __func__, (void *) vm->vm_aslr_delta_stack); } } @@ -526,8 +526,8 @@ _pax_aslr_init32(struct vmspace *vm, struct prison *pr) vm->vm_aslr_delta_stack = ALIGN(vm->vm_aslr_delta_stack); if (pax_aslr_debug) { - uprintf("[PaX ASLR] %s: vm_aslr_delta_mmap=%p", __func__, (void *) vm->vm_aslr_delta_mmap); - uprintf("[PaX ASLR] %s: vm_aslr_delta_stack=%p", __func__, (void *) vm->vm_aslr_delta_stack); + uprintf("[PaX ASLR] %s: vm_aslr_delta_mmap=%p\n", __func__, (void *) vm->vm_aslr_delta_mmap); + uprintf("[PaX ASLR] %s: vm_aslr_delta_stack=%p\n", __func__, (void *) vm->vm_aslr_delta_stack); } } #endif -- 1.9.0 [-- Attachment #7 --] From bb284a1860fac7f3475707d28aa5677d392e9a8e Mon Sep 17 00:00:00 2001 From: Oliver Pinter <oliver.pntr@gmail.com> Date: Wed, 2 Apr 2014 16:39:30 +0200 Subject: [PATCH 6/6] PAX ASLR: use the right sysent, before this commit called wrong sv_pax_aslr_init this fixed some compat issues with COMPAT_FREEBSD32 and linuxulator 
Signed-off-by: Oliver Pinter <oliver.pntr@gmail.com> --- sys/kern/kern_pax.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/sys/kern/kern_pax.c b/sys/kern/kern_pax.c index 3be9b47..fe546f4 100644 --- a/sys/kern/kern_pax.c +++ b/sys/kern/kern_pax.c @@ -552,8 +552,8 @@ pax_aslr_init(struct thread *td, struct image_params *imgp) vm = imgp->proc->p_vmspace; - if (imgp->proc->p_sysent->sv_pax_aslr_init != NULL) { - imgp->proc->p_sysent->sv_pax_aslr_init(vm, pr); + if (imgp->sysent->sv_pax_aslr_init != NULL) { + imgp->sysent->sv_pax_aslr_init(vm, pr); } } -- 1.9.0help
