Date: Mon, 3 Feb 2014 00:40:00 GMT From: Shawn Webb <lattera@gmail.com> To: freebsd-bugs@FreeBSD.org Subject: Re: kern/181497: [kernel] [patch] Add ASLR feature to kernel Message-ID: <201402030040.s130e0iB062296@freefall.freebsd.org>
next in thread | raw e-mail | index | archive | help
The following reply was made to PR kern/181497; it has been noted by GNATS. From: Shawn Webb <lattera@gmail.com> To: bug-followup@FreeBSD.org, steven@roothosts.com Cc: Subject: Re: kern/181497: [kernel] [patch] Add ASLR feature to kernel Date: Sun, 2 Feb 2014 19:34:40 -0500 --Apple-Mail=_B6453ACB-0EC9-4C80-B575-87E00F273BCF Content-Transfer-Encoding: quoted-printable Content-Type: text/plain; charset=us-ascii Over the past few months, I've had the pleasure of enhancing Oliver's = original patch. I've added support for randomizing the address of the = RTLD and changing the behavior of ASLR to be set on a per-jail basis. = This means that if a user requires an application that doesn't support = ASLR (crashes, exhibits bugs, etc.), then the affected application can = simply be placed in a jail with ASLR turned off. The rest of the system = and the rest of the jails would still have ASLR turned on. Oliver had ported over PaX's ASLR to NetBSD a few years back, and these = patches brings FreeBSD feature-for-feature complete with NetBSD's ASLR = implementation. What's lacking, along with NetBSD's implementation, is = exec base randomization. This needs to be done on a per-binary basis, = for binaries compiled with -fPIE. Additionally, we might want to = specifically mark executables with an ELF note, specifying that it's = safe to relocate the exec base. One known bug is that applications compiled with clang with -fPIC -fPIE = -static combined could segfault. I can provide a sample binary (with = sample code) if needed for a simple five-line test application. I will continue to research exec base randomization, but this task might = be a bit over my head skill-wise. Attached is the patch against 11-current as of 02 Feb 2014. If I make = more progress on exec base randomization, you can follow my GitHub repo = at https://github.com/lattera/freebsd, branch soldierx/lattera/aslr. Thanks, Shawn Webb --Apple-Mail=_B6453ACB-0EC9-4C80-B575-87E00F273BCF Content-Disposition: attachment; filename=fbsd_aslr_11-current-2014-02-02.patch.txt Content-Type: text/plain; name="fbsd_aslr_11-current-2014-02-02.patch.txt" Content-Transfer-Encoding: quoted-printable diff --git a/sys/kern/imgact_elf.c b/sys/kern/imgact_elf.c index f6da68e..3f9487c 100644 --- a/sys/kern/imgact_elf.c +++ b/sys/kern/imgact_elf.c @@ -34,6 +34,7 @@ __FBSDID("$FreeBSD$"); #include "opt_capsicum.h" #include "opt_compat.h" #include "opt_core.h" +#include "opt_pax.h" =20 #include <sys/param.h> #include <sys/capability.h> @@ -47,7 +48,9 @@ __FBSDID("$FreeBSD$"); #include <sys/mount.h> #include <sys/mman.h> #include <sys/namei.h> +#include <sys/pax.h> #include <sys/pioctl.h> +#include <sys/jail.h> #include <sys/proc.h> #include <sys/procfs.h> #include <sys/racct.h> @@ -600,6 +603,7 @@ __elfN(load_file)(struct proc *p, const char *file, = u_long *addr, u_long rbase; u_long base_addr =3D 0; int error, i, numsegs; + struct prison *pr; /* For ASLR */ =20 #ifdef CAPABILITY_MODE /* @@ -664,6 +668,13 @@ __elfN(load_file)(struct proc *p, const char *file, = u_long *addr, goto fail; } =20 +#ifdef PAX_ASLR + pr =3D pax_aslr_get_prison(NULL, imgp->proc); + if (pax_aslr_active(NULL, imgp->proc)) { + rbase +=3D round_page(PAX_ASLR_DELTA(arc4random(), = PAX_ASLR_DELTA_EXEC_LSB, pr->pr_pax_aslr_exec_len)); + } +#endif + /* Only support headers that fit within first page for now = */ if ((hdr->e_phoff > PAGE_SIZE) || (u_int)hdr->e_phentsize * hdr->e_phnum > PAGE_SIZE - = hdr->e_phoff) { diff --git a/sys/kern/kern_exec.c b/sys/kern/kern_exec.c index 9f4ceac..099ff0a 100644 --- a/sys/kern/kern_exec.c +++ b/sys/kern/kern_exec.c @@ -30,6 +30,7 @@ __FBSDID("$FreeBSD$"); #include "opt_capsicum.h" #include "opt_hwpmc_hooks.h" #include "opt_ktrace.h" +#include "opt_pax.h" #include "opt_vm.h" =20 #include <sys/param.h> @@ -94,6 +95,10 @@ __FBSDID("$FreeBSD$"); dtrace_execexit_func_t dtrace_fasttrap_exec; #endif =20 +#ifdef PAX_ASLR +#include <sys/pax.h> +#endif /* PAX_ASLR */ + SDT_PROVIDER_DECLARE(proc); SDT_PROBE_DEFINE1(proc, kernel, , exec, "char *"); SDT_PROBE_DEFINE1(proc, kernel, , exec__failure, "int"); @@ -1055,6 +1060,10 @@ exec_new_vmspace(imgp, sv) map =3D &vmspace->vm_map; } =20 +#ifdef PAX_ASLR + pax_aslr_init(curthread, imgp); +#endif /* PAX_ASLR */ + /* Map a shared page */ obj =3D sv->sv_shared_page_obj; if (obj !=3D NULL) { @@ -1232,12 +1241,16 @@ exec_copyout_strings(imgp) int argc, envc; char **vectp; char *stringp, *destp; +#ifdef PAX_ASLR + char *orig_destp; +#endif /* PAX_ASLR */ register_t *stack_base; struct ps_strings *arginfo; struct proc *p; size_t execpath_len; int szsigcode, szps; char canary[sizeof(long) * 8]; + unsigned int sgap; =20 szps =3D sizeof(pagesizes[0]) * MAXPAGESIZES; /* @@ -1255,11 +1268,16 @@ exec_copyout_strings(imgp) if (p->p_sysent->sv_szsigcode !=3D NULL) szsigcode =3D *(p->p_sysent->sv_szsigcode); } - destp =3D (caddr_t)arginfo - szsigcode - SPARE_USRSPACE - + sgap=3D(unsigned int)(ALIGN(arc4random()&((64*1024)-1))); + destp =3D (caddr_t)arginfo - szsigcode - SPARE_USRSPACE - = sgap - roundup(execpath_len, sizeof(char *)) - roundup(sizeof(canary), sizeof(char *)) - roundup(szps, sizeof(char *)) - roundup((ARG_MAX - imgp->args->stringspace), sizeof(char = *)); +#ifdef PAX_ASLR + orig_destp =3D destp; + pax_aslr_stack(curthread, &destp, orig_destp); +#endif /* PAX_ASLR */ =20 /* * install sigcode diff --git a/sys/kern/kern_jail.c b/sys/kern/kern_jail.c index 700b7d6..af97118 100644 --- a/sys/kern/kern_jail.c +++ b/sys/kern/kern_jail.c @@ -33,6 +33,7 @@ __FBSDID("$FreeBSD$"); #include "opt_ddb.h" #include "opt_inet.h" #include "opt_inet6.h" +#include "opt_pax.h" =20 #include <sys/param.h> #include <sys/types.h> @@ -60,6 +61,7 @@ __FBSDID("$FreeBSD$"); #include <sys/syscallsubr.h> #include <sys/sysctl.h> #include <sys/vnode.h> +#include <sys/pax.h> =20 #include <net/if.h> #include <net/if_var.h> @@ -114,6 +116,20 @@ struct prison prison0 =3D { .pr_flags =3D PR_HOST|_PR_IP_SADDRSEL, #endif .pr_allow =3D PR_ALLOW_ALL, +#ifdef PAX_ASLR + .pr_pax_set =3D 0, + .pr_pax_aslr_status =3D 0, + .pr_pax_aslr_debug =3D 0, + .pr_pax_aslr_mmap_len =3D PAX_ASLR_DELTA_MMAP_MIN_LEN, + .pr_pax_aslr_stack_len =3D PAX_ASLR_DELTA_STACK_MIN_LEN, + .pr_pax_aslr_exec_len =3D PAX_ASLR_DELTA_EXEC_MIN_LEN, +#ifdef COMPAT_FREEBSD32 + .pr_pax_aslr_compat_status =3D 0, + .pr_pax_aslr_compat_mmap_len =3D = PAX_ASLR_COMPAT_DELTA_MMAP_MIN_LEN, + .pr_pax_aslr_compat_stack_len =3D = PAX_ASLR_COMPAT_DELTA_STACK_MIN_LEN, + .pr_pax_aslr_compat_exec_len =3D = PAX_ASLR_COMPAT_DELTA_EXEC_MIN_LEN, +#endif /* COMPAT_FREEBSD32 */ +#endif /* PAX_ASLR */ }; MTX_SYSINIT(prison0, &prison0.pr_mtx, "jail mutex", MTX_DEF); =20 diff --git a/sys/kern/kern_pax.c b/sys/kern/kern_pax.c new file mode 100644 index 0000000..9182606 --- /dev/null +++ b/sys/kern/kern_pax.c @@ -0,0 +1,589 @@ +/*- + * Copyright (c) 2013, by Oliver Pinter <oliver.pntr at gmail.com> + * All rights reserved. + * + * Redistribution and use in source and binary forms, with or without + * modification, are permitted provided that the following conditions + * are met: + * 1. Redistributions of source code must retain the above copyright + * notice, this list of conditions and the following disclaimer. + * 2. The name of the developer may NOT be used to endorse or promote = products + * derived from this software without specific prior written = permission. + * + * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' = AND + * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, = THE + * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR = PURPOSE + * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE = LIABLE + * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR = CONSEQUENTIAL + * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE = GOODS + * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS = INTERRUPTION) + * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, = STRICT + * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN = ANY WAY + * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY = OF + * SUCH DAMAGE. + * + * $FreeBSD$ + * + * Enhancements made by Shawn "lattera" Webb under the direction of = SoldierX. + */ + +#include <sys/cdefs.h> +__FBSDID("$FreeBSD$"); + +#include "opt_pax.h" +#include "opt_compat.h" + +#include <sys/param.h> +#include <sys/systm.h> +#include <sys/kernel.h> +#include <sys/imgact.h> +#include <sys/sysent.h> +#include <sys/proc.h> +#include <sys/elf_common.h> +#include <sys/pax.h> +#include <sys/sysctl.h> +#include <sys/vnode.h> +#include <sys/queue.h> +#include <sys/libkern.h> +#include <sys/jail.h> + +#include <sys/mman.h> +#include <sys/libkern.h> +#include <sys/exec.h> + +#include <vm/pmap.h> +#include <vm/vm_map.h> + +static int sysctl_pax_aslr_status(SYSCTL_HANDLER_ARGS); +static int sysctl_pax_aslr_mmap(SYSCTL_HANDLER_ARGS); +static int sysctl_pax_aslr_stack(SYSCTL_HANDLER_ARGS); +static int sysctl_pax_aslr_exec(SYSCTL_HANDLER_ARGS); + +/* + * sysctls and tunables + */ +int pax_aslr_status =3D PAX_ASLR_ENABLED; +int pax_aslr_debug =3D 0; + +#ifdef PAX_ASLR_MAX_SEC +int pax_aslr_mmap_len =3D PAX_ASLR_DELTA_MMAP_MAX_LEN; +int pax_aslr_stack_len =3D PAX_ASLR_DELTA_STACK_MAX_LEN; +int pax_aslr_exec_len =3D PAX_ASLR_DELTA_EXEC_MAX_LEN; +#else +int pax_aslr_mmap_len =3D PAX_ASLR_DELTA_MMAP_MIN_LEN; +int pax_aslr_stack_len =3D PAX_ASLR_DELTA_STACK_MIN_LEN; +int pax_aslr_exec_len =3D PAX_ASLR_DELTA_EXEC_MIN_LEN; +#endif /* PAX_ASLR_MAX_SEC */ + + +SYSCTL_NODE(_security, OID_AUTO, pax, CTLFLAG_RD, 0, + "PaX (exploit mitigation) features."); +SYSCTL_NODE(_security_pax, OID_AUTO, aslr, CTLFLAG_RD, 0, + "Address Space Layout Randomization."); + +SYSCTL_PROC(_security_pax_aslr, OID_AUTO, status, + CTLTYPE_INT|CTLFLAG_RW|CTLFLAG_TUN|CTLFLAG_PRISON, + NULL, 0, sysctl_pax_aslr_status, "I", + "Restrictions status. " + "0 - disabled, " + "1 - enabled, " + "2 - global enabled, " + "3 - force global enabled"); +TUNABLE_INT("security.pax.aslr.status", &pax_aslr_status); + +SYSCTL_INT(_security_pax_aslr, OID_AUTO, debug, = CTLFLAG_RWTUN|CTLFLAG_PRISON, &pax_aslr_debug, 0, "ASLR debug mode"); +TUNABLE_INT("security.pax.aslr.debug", &pax_aslr_debug); + +SYSCTL_PROC(_security_pax_aslr, OID_AUTO, mmap_len, + CTLTYPE_INT|CTLFLAG_RW|CTLFLAG_TUN|CTLFLAG_PRISON, + NULL, 0, sysctl_pax_aslr_mmap, "I", + "Number of bits randomized for mmap(2) calls. " + "32 bit: [8,16] 64 bit: [16,32]"); +TUNABLE_INT("security.pax.aslr.mmap", &pax_aslr_mmap_len); + +SYSCTL_PROC(_security_pax_aslr, OID_AUTO, stack_len, + CTLTYPE_INT|CTLFLAG_RW|CTLFLAG_TUN|CTLFLAG_PRISON, + NULL, 0, sysctl_pax_aslr_stack, "I", + "Number of bits randomized for the stack. " + "32 bit: [6,12] 64 bit: [12,21]"); +TUNABLE_INT("security.pax.aslr.stack", &pax_aslr_stack_len); + +SYSCTL_PROC(_security_pax_aslr, OID_AUTO, exec_len, + CTLTYPE_INT|CTLFLAG_RW|CTLFLAG_TUN|CTLFLAG_PRISON, + NULL, 0, sysctl_pax_aslr_exec, "I", + "Number of bits randomized for the PIE exec base. " + "32 bit: [6,12] 64 bit: [12,21]"); +TUNABLE_INT("security.pax.aslr.stack", &pax_aslr_exec_len); + +static int +sysctl_pax_aslr_status(SYSCTL_HANDLER_ARGS) +{ + int err; + int val; + struct prison *pr=3DNULL; + + pr =3D pax_aslr_get_prison(req->td, NULL); + + if ((pr) && !(pr->pr_pax_set)) + pax_aslr_init_prison(pr); + + val =3D (pr !=3D NULL) ? pr->pr_pax_aslr_status : pax_aslr_status; + err =3D sysctl_handle_int(oidp, &val, sizeof(int), req); + if (err || !req->newptr) + return (err); + + switch (val) { + case PAX_ASLR_DISABLED: + case PAX_ASLR_ENABLED: + case PAX_ASLR_GLOBAL_ENABLED: + case PAX_ASLR_FORCE_GLOBAL_ENABLED: + pax_aslr_status =3D val; + if (pr) + pr->pr_pax_aslr_status =3D val; + break; + default: + return (EINVAL); + } + + return (0); +} + +static int +sysctl_pax_aslr_mmap(SYSCTL_HANDLER_ARGS) +{ + int err; + int val; + struct prison *pr=3DNULL; + + pr =3D pax_aslr_get_prison(req->td, NULL); + + if ((pr) && !(pr->pr_pax_set)) + pax_aslr_init_prison(pr); + + val =3D (pr !=3D NULL) ? pr->pr_pax_aslr_mmap_len : = pax_aslr_mmap_len; + err =3D sysctl_handle_int(oidp, &val, sizeof(int), req); + if (err || !req->newptr) + return (err); + + if (val < PAX_ASLR_DELTA_MMAP_MIN_LEN + || val > PAX_ASLR_DELTA_MMAP_MAX_LEN) + return (EINVAL); + + pax_aslr_mmap_len =3D val; + if (pr) + pr->pr_pax_aslr_mmap_len =3D val; + + return (0); +} + +static int +sysctl_pax_aslr_stack(SYSCTL_HANDLER_ARGS) +{ + int err; + int val; + struct prison *pr=3DNULL; + + pr =3D pax_aslr_get_prison(req->td, NULL); + + if ((pr) && !(pr->pr_pax_set)) + pax_aslr_init_prison(pr); + + val =3D (pr !=3D NULL) ? pr->pr_pax_aslr_stack_len : = pax_aslr_stack_len; + err =3D sysctl_handle_int(oidp, &val, sizeof(int), req); + if (err || !req->newptr) + return (err); + + if (val < PAX_ASLR_DELTA_STACK_MIN_LEN + || val > PAX_ASLR_DELTA_STACK_MAX_LEN) + return (EINVAL); + + pax_aslr_stack_len =3D val; + if (pr) + pr->pr_pax_aslr_stack_len =3D val; + + return (0); +} + +static int +sysctl_pax_aslr_exec(SYSCTL_HANDLER_ARGS) +{ + int err; + int val; + struct prison *pr=3DNULL; + + pr =3D pax_aslr_get_prison(req->td, NULL); + + if ((pr) && !(pr->pr_pax_set)) + pax_aslr_init_prison(pr); + + val =3D (pr !=3D NULL) ? pr->pr_pax_aslr_exec_len : = pax_aslr_exec_len; + err =3D sysctl_handle_int(oidp, &val, sizeof(int), req); + if (err || !req->newptr) + return (err); + + if (val < PAX_ASLR_DELTA_EXEC_MIN_LEN + || val > PAX_ASLR_DELTA_EXEC_MAX_LEN) + return (EINVAL); + + pax_aslr_exec_len =3D val; + if (pr) + pr->pr_pax_aslr_exec_len =3D val; + + return (0); +} + +/* + * COMPAT_FREEBSD32 and linuxulator.. + */ +#ifdef COMPAT_FREEBSD32 +int pax_aslr_compat_status =3D PAX_ASLR_ENABLED; + +static int sysctl_pax_aslr_compat_status(SYSCTL_HANDLER_ARGS); +static int sysctl_pax_aslr_compat_mmap(SYSCTL_HANDLER_ARGS); +static int sysctl_pax_aslr_compat_stack(SYSCTL_HANDLER_ARGS); +static int sysctl_pax_aslr_compat_exec(SYSCTL_HANDLER_ARGS); + +#ifdef PAX_ASLR_MAX_SEC +int pax_aslr_compat_mmap_len =3D PAX_ASLR_COMPAT_DELTA_MMAP_MAX_LEN; +int pax_aslr_compat_stack_len =3D PAX_ASLR_COMPAT_DELTA_STACK_MAX_LEN; +int pax_aslr_compat_exec_len =3D PAX_ASLR_COMPAT_DELTA_EXEC_MAX_LEN; +#else +int pax_aslr_compat_mmap_len =3D PAX_ASLR_COMPAT_DELTA_MMAP_MIN_LEN; +int pax_aslr_compat_stack_len =3D PAX_ASLR_COMPAT_DELTA_STACK_MIN_LEN; +int pax_aslr_compat_exec_len =3D PAX_ASLR_COMPAT_DELTA_EXEC_MIN_LEN; +#endif /* PAX_ASLR_MAX_SEC */ + +SYSCTL_NODE(_security_pax_aslr, OID_AUTO, compat, CTLFLAG_RD, 0, + "Setting for COMPAT_FREEBSD32 and linuxulator."); + +SYSCTL_PROC(_security_pax_aslr_compat, OID_AUTO, status, + CTLTYPE_INT|CTLFLAG_RW|CTLFLAG_TUN|CTLFLAG_PRISON, + NULL, 0, sysctl_pax_aslr_compat_status, "I", + "Restrictions status. " + "0 - disabled, " + "1 - enabled, " + "2 - global enabled, " + "3 - force global enabled"); +TUNABLE_INT("security.pax.aslr.compat.status", = &pax_aslr_compat_status); + +SYSCTL_PROC(_security_pax_aslr_compat, OID_AUTO, mmap_len, + CTLTYPE_INT|CTLFLAG_RW|CTLFLAG_TUN|CTLFLAG_PRISON, + NULL, 0, sysctl_pax_aslr_compat_mmap, "I", + "Number of bits randomized for mmap(2) calls. " + "32 bit: [8,16]"); +TUNABLE_INT("security.pax.aslr.compat.mmap", = &pax_aslr_compat_mmap_len); + +SYSCTL_PROC(_security_pax_aslr_compat, OID_AUTO, stack_len, + CTLTYPE_INT|CTLFLAG_RW|CTLFLAG_TUN|CTLFLAG_PRISON, + NULL, 0, sysctl_pax_aslr_compat_stack, "I", + "Number of bits randomized for the stack. " + "32 bit: [6,12]"); +TUNABLE_INT("security.pax.aslr.compat.stack", = &pax_aslr_compat_stack_len); + +SYSCTL_PROC(_security_pax_aslr_compat, OID_AUTO, exec_len, + CTLTYPE_INT|CTLFLAG_RW|CTLFLAG_TUN|CTLFLAG_PRISON, + NULL, 0, sysctl_pax_aslr_compat_exec, "I", + "Number of bits randomized for the PIE exec base. " + "32 bit: [6,12]"); +TUNABLE_INT("security.pax.aslr.compat.stack", = &pax_aslr_compat_exec_len); + + +static int +sysctl_pax_aslr_compat_status(SYSCTL_HANDLER_ARGS) +{ + int err; + int val, *ptr; + struct prison *pr=3DNULL; + + pr =3D pax_aslr_get_prison(req->td, NULL); + ptr =3D (pr !=3D NULL) ? &(pr->pr_pax_aslr_compat_status) : = &pax_aslr_compat_status; + + if ((pr) && !(pr->pr_pax_set)) + pax_aslr_init_prison(pr); + + val =3D *ptr; + err =3D sysctl_handle_int(oidp, &val, sizeof(int), req); + if (err || !req->newptr) + return (err); + + switch (val) { + case PAX_ASLR_DISABLED: + case PAX_ASLR_ENABLED: + case PAX_ASLR_GLOBAL_ENABLED: + case PAX_ASLR_FORCE_GLOBAL_ENABLED: + pax_aslr_compat_status =3D val; + *ptr =3D val; + break; + default: + return (EINVAL); + } + + return (0); +} + +static int +sysctl_pax_aslr_compat_mmap(SYSCTL_HANDLER_ARGS) +{ + int err; + int val, *ptr; + struct prison *pr=3DNULL; + + pr =3D pax_aslr_get_prison(req->td, NULL); + ptr =3D (pr !=3D NULL) ? &(pr->pr_pax_aslr_compat_mmap_len) : = &pax_aslr_compat_mmap_len; + + if ((pr) && !(pr->pr_pax_set)) + pax_aslr_init_prison(pr); + + val =3D *ptr; + err =3D sysctl_handle_int(oidp, &val, sizeof(int), req); + if (err || !req->newptr) + return (err); + + if (val < PAX_ASLR_COMPAT_DELTA_MMAP_MIN_LEN + || val > PAX_ASLR_COMPAT_DELTA_MMAP_MAX_LEN) + return (EINVAL); + + pax_aslr_compat_mmap_len =3D val; + *ptr =3D val; + + return (0); +} + +static int +sysctl_pax_aslr_compat_stack(SYSCTL_HANDLER_ARGS) +{ + int err; + int val, *ptr; + struct prison *pr=3DNULL; + + pr =3D pax_aslr_get_prison(req->td, NULL); + ptr =3D (pr !=3D NULL) ? &(pr->pr_pax_aslr_compat_stack_len) : = &pax_aslr_compat_stack_len; + + if ((pr) && !(pr->pr_pax_set)) + pax_aslr_init_prison(pr); + + val =3D (pr !=3D NULL) ? pr->pr_pax_aslr_compat_stack_len : = pax_aslr_compat_stack_len; + err =3D sysctl_handle_int(oidp, &val, sizeof(int), req); + if (err || !req->newptr) + return (err); + + if (val < PAX_ASLR_COMPAT_DELTA_STACK_MIN_LEN + || val > PAX_ASLR_COMPAT_DELTA_STACK_MAX_LEN) + return (EINVAL); + + pax_aslr_compat_stack_len =3D val; + *ptr =3D val; + + return (0); +} + +static int +sysctl_pax_aslr_compat_exec(SYSCTL_HANDLER_ARGS) +{ + int err; + int val, *ptr; + struct prison *pr=3DNULL; + + pr =3D pax_aslr_get_prison(req->td, NULL); + ptr =3D (pr !=3D NULL) ? &(pr->pr_pax_aslr_compat_exec_len) : = &pax_aslr_compat_exec_len; + + if ((pr) && !(pr->pr_pax_set)) + pax_aslr_init_prison(pr); + + val =3D *ptr; + err =3D sysctl_handle_int(oidp, &val, sizeof(int), req); + if (err || !req->newptr) + return (err); + + if (val < PAX_ASLR_COMPAT_DELTA_EXEC_MIN_LEN + || val > PAX_ASLR_COMPAT_DELTA_EXEC_MAX_LEN) + return (EINVAL); + + pax_aslr_compat_exec_len =3D val; + *ptr =3D val; + + return (0); +} +#endif /* COMPAT_FREEBSD32 */ + + +/* + * ASLR functions + */ +bool +pax_aslr_active(struct thread *td, struct proc *proc) +{ + int status; + struct prison *pr=3DNULL; +#ifdef notyet + uint32_t flags; +#endif /* notyet */ + + if (!(td) && !(proc)) + return (true); + +#ifdef notyet + flags =3D (td !=3D NULL) ? td->td_proc->p_pax : proc->p_pax; +#endif /* notyet */ + pr =3D pax_aslr_get_prison(td, proc); + + if ((pr) && !(pr->pr_pax_set)) + pax_aslr_init_prison(pr); + + status =3D (pr !=3D NULL) ? pr->pr_pax_aslr_status : = pax_aslr_status; + + switch (status) { + case PAX_ASLR_DISABLED: + return (false); + case PAX_ASLR_FORCE_GLOBAL_ENABLED: + return (true); + case PAX_ASLR_ENABLED: +#ifdef notyet + if ((flags & ELF_NOTE_PAX_ASLR) =3D=3D 0) + return (false); +#endif /* notyet */ + break; + case PAX_ASLR_GLOBAL_ENABLED: +#ifdef notyet + if ((flags & ELF_NOTE_PAX_NOASLR) !=3D 0) + return (false); +#endif /* notyet */ + break; + default: + return (true); + } + + return (true); +} + +struct prison * +pax_aslr_get_prison(struct thread *td, struct proc *proc) +{ + if ((td)) { + if ((td->td_proc) && (td->td_proc->p_ucred)) + return td->td_proc->p_ucred->cr_prison; + + return NULL; + } + + if (!(proc)) + return NULL; + + return proc->p_ucred->cr_prison; +} + +void +pax_aslr_init_prison(struct prison *pr) +{ + if (!(pr)) + return; + + if (pr->pr_pax_set) + return; + + if (pax_aslr_debug) + uprintf("[PaX ASLR] pax_aslr_init_prison: Setting prison %s = ASLR variables\n", pr->pr_name); + + pr->pr_pax_aslr_status =3D pax_aslr_status; + pr->pr_pax_aslr_debug =3D pax_aslr_debug; + pr->pr_pax_aslr_mmap_len =3D pax_aslr_mmap_len; + pr->pr_pax_aslr_stack_len =3D pax_aslr_stack_len; + pr->pr_pax_aslr_exec_len =3D pax_aslr_exec_len; + +#ifdef COMPAT_FREEBSD32 + pr->pr_pax_aslr_compat_status =3D pax_aslr_compat_status; + pr->pr_pax_aslr_compat_mmap_len =3D pax_aslr_compat_mmap_len; + pr->pr_pax_aslr_compat_stack_len =3D pax_aslr_compat_stack_len; + pr->pr_pax_aslr_compat_exec_len =3D pax_aslr_compat_exec_len; +#endif /* COMPAT_FREEBSD32 */ + + pr->pr_pax_set =3D 1; +} + +void +pax_aslr_init(struct thread *td, struct image_params *imgp) +{ + struct vmspace *vm; + u_int sv_flags; + struct prison *pr=3DNULL; + + pr =3D pax_aslr_get_prison(td, NULL); + + if ((pr) && !(pr->pr_pax_set)) + pax_aslr_init_prison(pr); + + if (imgp =3D=3D NULL) { + panic("[PaX ASLR] pax_aslr_init - imgp =3D=3D NULL"); + } + + if (!pax_aslr_active(td, NULL)) + return; + + vm =3D imgp->proc->p_vmspace; + sv_flags =3D imgp->proc->p_sysent->sv_flags; + +#ifndef COMPAT_FREEBSD32 + vm->vm_aslr_delta_mmap =3D PAX_ASLR_DELTA(arc4random(), + PAX_ASLR_DELTA_MMAP_LSB, (pr !=3D NULL) ? = pr->pr_pax_aslr_mmap_len : pax_aslr_mmap_len); + vm->vm_aslr_delta_stack =3D PAX_ASLR_DELTA(arc4random(), + PAX_ASLR_DELTA_STACK_LSB, (pr !=3D NULL) ? = pr->pr_pax_aslr_stack_len : pax_aslr_stack_len); + vm->vm_aslr_delta_stack =3D ALIGN(vm->vm_aslr_delta_stack); + vm->vm_aslr_delta_exec =3D round_page(PAX_ASLR_DELTA(arc4random(), = PAX_ASLR_DELTA_EXEC_LSB, (pr !=3D NULL) ? pr->pr_pax_aslr_exec_len : = pax_aslr_exec_len)); +#else /* COMPAT_FREEBSD32 */ + if ((sv_flags & SV_LP64) !=3D 0) { + vm->vm_aslr_delta_mmap =3D PAX_ASLR_DELTA(arc4random(), + PAX_ASLR_DELTA_MMAP_LSB, (pr !=3D NULL) ? = pr->pr_pax_aslr_mmap_len : pax_aslr_mmap_len); + vm->vm_aslr_delta_stack =3D PAX_ASLR_DELTA(arc4random(), + PAX_ASLR_DELTA_STACK_LSB, (pr !=3D NULL) ? = pr->pr_pax_aslr_stack_len : pax_aslr_stack_len); + vm->vm_aslr_delta_stack =3D ALIGN(vm->vm_aslr_delta_stack); + } else { + vm->vm_aslr_delta_mmap =3D PAX_ASLR_DELTA(arc4random(), + PAX_ASLR_COMPAT_DELTA_MMAP_LSB, (pr !=3D NULL) ? = pr->pr_pax_aslr_compat_mmap_len : pax_aslr_compat_mmap_len); + vm->vm_aslr_delta_stack =3D PAX_ASLR_DELTA(arc4random(), + PAX_ASLR_COMPAT_DELTA_STACK_LSB, (pr !=3D NULL) ? = pr->pr_pax_aslr_compat_stack_len : pax_aslr_compat_stack_len); + vm->vm_aslr_delta_stack =3D ALIGN(vm->vm_aslr_delta_stack); + } +#endif /* !COMPAT_FREEBSD32 */ +} + +void +pax_aslr_mmap(struct thread *td, vm_offset_t *addr, vm_offset_t = orig_addr, int flags) +{ + struct prison *pr=3DNULL; + + pr =3D pax_aslr_get_prison(td, NULL); + + if (!pax_aslr_active(td, NULL)) + return; + + if (!(flags & MAP_FIXED) && ((orig_addr =3D=3D 0) || !(flags & = MAP_ANON))) { + if (pax_aslr_debug) + uprintf("[PaX ASLR] applying to %p orig_addr=3D%p f=3D%x\n", + (void *)*addr, (void *)orig_addr, flags); + if (!(td->td_proc->p_vmspace->vm_map.flags & = MAP_ENTRY_GROWS_DOWN)) + *addr +=3D td->td_proc->p_vmspace->vm_aslr_delta_mmap; + else + *addr -=3D td->td_proc->p_vmspace->vm_aslr_delta_mmap; + if (pax_aslr_debug) + uprintf("[PaX ASLR] result %p\n", (void *)*addr); + } + else if (pax_aslr_debug) + uprintf("[PaX ASLR] not applying to %p orig_addr=3D%p f=3D%x\n", + (void *)*addr, (void *)orig_addr, flags); +} + +void +pax_aslr_stack(struct thread *td, char **addr, char *orig_addr) +{ + struct prison *pr=3DNULL; + + pr =3D pax_aslr_get_prison(td, NULL); + + if (!pax_aslr_active(td, NULL)) + return; + + *addr -=3D td->td_proc->p_vmspace->vm_aslr_delta_stack; + if ((pr) && pr->pr_pax_aslr_debug) + uprintf("[PaX ASLR] orig_addr=3D%p, addr=3D%p\n", + (void *)orig_addr, (void *)*addr); +} diff --git a/sys/kern/kern_prot.c b/sys/kern/kern_prot.c index f99e053..e575aa7 100644 --- a/sys/kern/kern_prot.c +++ b/sys/kern/kern_prot.c @@ -1612,9 +1612,42 @@ p_cansched(struct thread *td, struct proc *p) * XXX: data declarations should be together near the beginning of the = file. */ static int unprivileged_proc_debug =3D 1; +#if 0 SYSCTL_INT(_security_bsd, OID_AUTO, unprivileged_proc_debug, = CTLFLAG_RW, &unprivileged_proc_debug, 0, "Unprivileged processes may use process debugging facilities"); +#endif + +int +sysctl_unprivileged_proc_debug(SYSCTL_HANDLER_ARGS); + +SYSCTL_PROC(_security_bsd, OID_AUTO, unprivileged_proc_debug, + CTLTYPE_INT | CTLFLAG_RW, &unprivileged_proc_debug, 0, + sysctl_unprivileged_proc_debug, "I", + "Unprivileged processes may use process debugging facilities"); + +int +sysctl_unprivileged_proc_debug(SYSCTL_HANDLER_ARGS) +{ + static int set=3D0; + int error =3D 0; + int debug=3Dunprivileged_proc_debug; + + error =3D sysctl_handle_int(oidp, &debug, 0, req); + if (error =3D=3D 0 && req->newptr) { + if (debug < 0 || debug > 1) + return (EPERM); + + if (debug !=3D unprivileged_proc_debug && set =3D=3D 0) { + unprivileged_proc_debug =3D debug; + set++; + } else { + return (EPERM); + } + } + + return (error); +} =20 /*- * Determine whether td may debug p. @@ -1631,11 +1664,9 @@ p_candebug(struct thread *td, struct proc *p) =20 KASSERT(td =3D=3D curthread, ("%s: td not curthread", = __func__)); PROC_LOCK_ASSERT(p, MA_OWNED); - if (!unprivileged_proc_debug) { - error =3D priv_check(td, PRIV_DEBUG_UNPRIV); - if (error) - return (error); - } + if (!unprivileged_proc_debug) + return (EPERM); + if (td->td_proc =3D=3D p) return (0); if ((error =3D prison_check(td->td_ucred, p->p_ucred))) diff --git a/sys/sys/jail.h b/sys/sys/jail.h index 59d791c..f2bb97c 100644 --- a/sys/sys/jail.h +++ b/sys/sys/jail.h @@ -184,6 +184,20 @@ struct prison { char pr_hostname[MAXHOSTNAMELEN]; /* (p) jail = hostname */ char pr_domainname[MAXHOSTNAMELEN]; /* (p) jail = domainname */ char pr_hostuuid[HOSTUUIDLEN]; /* (p) jail = hostuuid */ +#ifdef PAX_ASLR + int pr_pax_set; + int pr_pax_aslr_status; + int pr_pax_aslr_debug; + int pr_pax_aslr_mmap_len; + int pr_pax_aslr_stack_len; + int pr_pax_aslr_exec_len; +#endif /* PAX_ASLR */ +#if defined(PAX_ASLR) && defined(COMPAT_FREEBSD32) + int pr_pax_aslr_compat_status; + int pr_pax_aslr_compat_mmap_len; + int pr_pax_aslr_compat_stack_len; + int pr_pax_aslr_compat_exec_len; +#endif /* COMPAT_FREEBSD32 */ }; =20 struct prison_racct { diff --git a/sys/sys/pax.h b/sys/sys/pax.h new file mode 100644 index 0000000..9c36894 --- /dev/null +++ b/sys/sys/pax.h @@ -0,0 +1,166 @@ +/*- + * Copyright (c) 2013, by Oliver Pinter <oliver.pntr at gmail.com> + * All rights reserved. + * + * Redistribution and use in source and binary forms, with or without + * modification, are permitted provided that the following conditions + * are met: + * 1. Redistributions of source code must retain the above copyright + * notice, this list of conditions and the following disclaimer. + * 2. The name of the developer may NOT be used to endorse or promote = products + * derived from this software without specific prior written = permission. + * + * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' = AND + * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, = THE + * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR = PURPOSE + * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE = LIABLE + * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR = CONSEQUENTIAL + * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE = GOODS + * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS = INTERRUPTION) + * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, = STRICT + * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN = ANY WAY + * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY = OF + * SUCH DAMAGE. + * + * $FreeBSD$ + * + * Enhancements made by Shawn "lattera" Webb under the direction of = SoldierX. + */ + +#ifndef __SYS_PAX_H +#define __SYS_PAX_H + +struct image_params; +struct thread; +struct vmspace; +struct vm_offset_t; + +/* + * used in sysctl handler + */ +#define PAX_ASLR_DISABLED 0 +#define PAX_ASLR_ENABLED 1 +#define PAX_ASLR_GLOBAL_ENABLED 2 +#define PAX_ASLR_FORCE_GLOBAL_ENABLED 3 + +#ifndef PAX_ASLR_DELTA +#define PAX_ASLR_DELTA(delta, lsb, len) \ + (((delta) & ((1UL << (len)) - 1)) << (lsb)) +#endif /* PAX_ASLR_DELTA */ + +#ifdef PAX_ASLR +/* + * generic ASLR values + * + * MMAP | 32 bit | 64 bit | + * +-------+--------+--------+ + * | MIN | 8 bit | 16 bit | + * +-------+--------+--------+ + * | MAX | 16 bit | 32 bit | + * +-------+--------+--------+ + * + * STACK | 32 bit | 64 bit | + * +-------+--------+--------+ + * | MIN | 6 bit | 12 bit | + * +-------+--------+--------+ + * | MAX | 10 bit | 21 bit | + * +-------+--------+--------+ + * + * EXEC | 32 bit | 64 bit | + * +-------+--------+--------+ + * | MIN | 6 bit | 12 bit | + * +-------+--------+--------+ + * | MAX | 10 bit | 21 bit | + * +-------+--------+--------+ + * + */ +#ifndef PAX_ASLR_DELTA_MMAP_LSB +#define PAX_ASLR_DELTA_MMAP_LSB PAGE_SHIFT +#endif /* PAX_ASLR_DELTA_MMAP_LSB */ + +#ifndef PAX_ASLR_DELTA_MMAP_MIN_LEN +#define PAX_ASLR_DELTA_MMAP_MIN_LEN ((sizeof(void *) * NBBY) / 4) +#endif /* PAX_ASLR_DELTA_MMAP_MAX_LEN */ + +#ifndef PAX_ASLR_DELTA_MMAP_MAX_LEN +#define PAX_ASLR_DELTA_MMAP_MAX_LEN ((sizeof(void *) * NBBY) / 2) +#endif /* PAX_ASLR_DELTA_MMAP_MAX_LEN */ + +#ifndef PAX_ASLR_DELTA_STACK_LSB +#define PAX_ASLR_DELTA_STACK_LSB 3 +#endif /* PAX_ASLR_DELTA_STACK_LSB */ + +#ifndef PAX_ASLR_DELTA_STACK_MIN_LEN +#define PAX_ASLR_DELTA_STACK_MIN_LEN ((sizeof(void *) * NBBY) / 5) +#endif /* PAX_ASLR_DELTA_STACK_MAX_LEN */ + +#ifndef PAX_ASLR_DELTA_STACK_MAX_LEN +#define PAX_ASLR_DELTA_STACK_MAX_LEN ((sizeof(void *) * NBBY) / 3) +#endif /* PAX_ASLR_DELTA_STACK_MAX_LEN */ + +#ifndef PAX_ASLR_DELTA_EXEC_LSB +#define PAX_ASLR_DELTA_EXEC_LSB PAGE_SHIFT +#endif /* PAX_ASLR_DELTA_EXEC_LSB */ + +#ifndef PAX_ASLR_DELTA_EXEC_MIN_LEN +#define PAX_ASLR_DELTA_EXEC_MIN_LEN ((sizeof(void *) * NBBY) / 5) +#endif /* PAX_ASLR_DELTA_EXEC_MAX_LEN */ + +#ifndef PAX_ASLR_DELTA_EXEC_MAX_LEN +#define PAX_ASLR_DELTA_EXEC_MAX_LEN ((sizeof(void *) * NBBY) / 3) +#endif /* PAX_ASLR_DELTA_EXEC_MAX_LEN */ + +/* + * ASLR values for COMPAT_FREEBSD32 and COMPAT_LINUX + */ +#ifndef PAX_ASLR_COMPAT_DELTA_MMAP_LSB +#define PAX_ASLR_COMPAT_DELTA_MMAP_LSB PAGE_SHIFT +#endif /* PAX_ASLR_COMPAT_DELTA_MMAP_LSB */ + +#ifndef PAX_ASLR_COMPAT_DELTA_MMAP_MIN_LEN +#define PAX_ASLR_COMPAT_DELTA_MMAP_MIN_LEN ((sizeof(int) * NBBY) / = 4) +#endif /* PAX_ASLR_COMPAT_DELTA_MMAP_MAX_LEN */ + +#ifndef PAX_ASLR_COMPAT_DELTA_MMAP_MAX_LEN +#define PAX_ASLR_COMPAT_DELTA_MMAP_MAX_LEN ((sizeof(int) * NBBY) / = 2) +#endif /* PAX_ASLR_COMPAT_DELTA_MMAP_MAX_LEN */ + +#ifndef PAX_ASLR_COMPAT_DELTA_STACK_LSB +#define PAX_ASLR_COMPAT_DELTA_STACK_LSB 3 +#endif /* PAX_ASLR_COMPAT_DELTA_STACK_LSB */ + +#ifndef PAX_ASLR_COMPAT_DELTA_STACK_MIN_LEN +#define PAX_ASLR_COMPAT_DELTA_STACK_MIN_LEN ((sizeof(int) * NBBY) / = 5) +#endif /* PAX_ASLR_COMPAT_DELTA_STACK_MAX_LEN */ + +#ifndef PAX_ASLR_COMPAT_DELTA_STACK_MAX_LEN +#define PAX_ASLR_COMPAT_DELTA_STACK_MAX_LEN ((sizeof(int) * NBBY) / = 3) +#endif /* PAX_ASLR_COMPAT_DELTA_STACK_MAX_LEN */ + +#ifndef PAX_ASLR_COMPAT_DELTA_EXEC_MIN_LEN +#define PAX_ASLR_COMPAT_DELTA_EXEC_MIN_LEN ((sizeof(int) * NBBY) / = 5) +#endif /* PAX_ASLR_COMPAT_DELTA_EXEC_MAX_LEN */ + +#ifndef PAX_ASLR_COMPAT_DELTA_EXEC_MAX_LEN +#define PAX_ASLR_COMPAT_DELTA_EXEC_MAX_LEN ((sizeof(int) * NBBY) / = 3) +#endif /* PAX_ASLR_COMPAT_DELTA_EXEC_MAX_LEN */ + +extern int pax_aslr_status; +extern int pax_aslr_debug; +extern int pax_aslr_compat_status; + +extern int pax_aslr_mmap_len; +extern int pax_aslr_stack_len; +extern int pax_aslr_exec_len; +#endif /* PAX_ASLR */ + +void pax_init(void); +void pax_aslr_init_prison(struct prison *pr); +bool pax_aslr_active(struct thread *td, struct proc *proc); +void pax_aslr_init(struct thread *td, struct image_params *imgp); +void pax_aslr_mmap(struct thread *td, vm_offset_t *addr, + vm_offset_t orig_addr, int flags); +void pax_aslr_stack(struct thread *td, char **addr, char *orig_addr); +struct prison *pax_aslr_get_prison(struct thread *td, struct proc = *proc); + +#endif /* __SYS_PAX_H */ --Apple-Mail=_B6453ACB-0EC9-4C80-B575-87E00F273BCF--
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?201402030040.s130e0iB062296>