From owner-freebsd-stable@FreeBSD.ORG  Fri May 23 23:24:31 2014
Return-Path: <owner-freebsd-stable@FreeBSD.ORG>
Delivered-To: freebsd-stable@freebsd.org
Received: from mx1.freebsd.org (mx1.freebsd.org
 [IPv6:2001:1900:2254:206a::19:1])
 (using TLSv1 with cipher ADH-AES256-SHA (256/256 bits))
 (No client certificate requested)
 by hub.freebsd.org (Postfix) with ESMTPS id 7371E5FE;
 Fri, 23 May 2014 23:24:31 +0000 (UTC)
Received: from mail-oa0-x22e.google.com (mail-oa0-x22e.google.com
 [IPv6:2607:f8b0:4003:c02::22e])
 (using TLSv1 with cipher ECDHE-RSA-RC4-SHA (128/128 bits))
 (Client CN "smtp.gmail.com",
 Issuer "Google Internet Authority G2" (verified OK))
 by mx1.freebsd.org (Postfix) with ESMTPS id 2675B208B;
 Fri, 23 May 2014 23:24:31 +0000 (UTC)
Received: by mail-oa0-f46.google.com with SMTP id i4so6360099oah.33
 for <multiple recipients>; Fri, 23 May 2014 16:24:30 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113;
 h=mime-version:in-reply-to:references:date:message-id:subject:from:to
 :cc:content-type;
 bh=u95dhOhVt7zFBDnwHenhVMslCnIQ5lxkJHJsROfKxTM=;
 b=hCBX6+rxJzjCtdsB6NYgpT3aBSwmHT0u3bzzJ74k8Q6WSAS6kwIqx5u6fbNP/Y4av9
 0q5ZfgQpk1+aOjpbPzl2hduGfsrPQp0ZDI+vxWLw+IM/vrD8Y/J7KWeUNZZa9o9v10y/
 EsQ4jkzXYDnkzMxSICMLC5q2DDqVRF+jhIOMebDE7GMKGGFwtmodDOuYb/S5SpXTrcD1
 RYADQp05IomTCUMW8BinkoTCsqVItP26VFn6j5n9MPc9Pqhd9czFbWKfm9g0FDVdy666
 gMa+DFlUEdwIf+wIWFqt1Cl7uxMpuskqGEso5z1s5Dc4ADT/+N61IhuiwBvBchaLvlfA
 pPFw==
MIME-Version: 1.0
X-Received: by 10.182.229.101 with SMTP id sp5mr8673093obc.52.1400887470143;
 Fri, 23 May 2014 16:24:30 -0700 (PDT)
Received: by 10.182.216.197 with HTTP; Fri, 23 May 2014 16:24:30 -0700 (PDT)
In-Reply-To: <20140514135852.GC3063@pwnie.vrt.sourcefire.com>
References: <20140514135852.GC3063@pwnie.vrt.sourcefire.com>
Date: Sat, 24 May 2014 01:24:30 +0200
Message-ID: <CAPjTQNG9pGLbDF7a8b+9s_NRD3Rq-sLnj7AXczjB=Ko_S44C3A@mail.gmail.com>
Subject: Re: [CFT] ASLR, PIE, and segvguard on 11-current and 10-stable
From: Oliver Pinter <oliver.pntr@gmail.com>
To: Shawn Webb <lattera@gmail.com>
Content-Type: text/plain; charset=ISO-8859-1
Cc: freebsd-security@freebsd.org, freebsd-current@freebsd.org,
 freebsd-stable@freebsd.org
X-BeenThere: freebsd-stable@freebsd.org
X-Mailman-Version: 2.1.18
Precedence: list
List-Id: Production branch of FreeBSD source code <freebsd-stable.freebsd.org>
List-Unsubscribe: <http://lists.freebsd.org/mailman/options/freebsd-stable>,
 <mailto:freebsd-stable-request@freebsd.org?subject=unsubscribe>
List-Archive: <http://lists.freebsd.org/pipermail/freebsd-stable/>
List-Post: <mailto:freebsd-stable@freebsd.org>
List-Help: <mailto:freebsd-stable-request@freebsd.org?subject=help>
List-Subscribe: <http://lists.freebsd.org/mailman/listinfo/freebsd-stable>,
 <mailto:freebsd-stable-request@freebsd.org?subject=subscribe>
X-List-Received-Date: Fri, 23 May 2014 23:24:31 -0000

On 5/14/14, Shawn Webb <lattera@gmail.com> wrote:
> Hey All,
>
> [NOTE: crossposting between freebsd-current@, freebsd-security@, and
> freebsd-stable@. Please forgive me if crossposting is frowned upon.]
>
> Address Space Layout Randomization, or ASLR for short, is an exploit
> mitigation technology. It helps secure applications against low-level
> exploits. A popular secure implementation is known as PaX ASLR, which is
> a third-party patch for Linux. Our implementation is based off of PaX's.
>
> Oliver Pinter, Danilo Egea, and I have been working hard to bring more
> features and robust stability to our ASLR patches. We've done extensive
> testing on amd64. We'd like to get as many people testing these patches.
> Given the nature of them, we'd also like as many eyeballs reviewing the
> code as well.
>
> I have a Raspberry Pi and have noticed a few bugs. On ARM (at least, on
> the RPI), when a parent forks a child, and the child gracefully exits,
> the parent segfaults with the pc register pointing to 0xc0000000. That
> address is always the same, no matter the application. If anyone knows
> the ARM architecture well, and how FreeBSD ties into it, I'd like a
> little guidance.
>
> I also have a sparc64 box, but I'm having trouble getting a vanilla
> 11-current system to be stable on it. I ought to file a few PRs.
>
> You can find links to the patches below.
>
> Patch for 11-current:
> http://www.crysys.hu/~op/freebsd/patches/20140514091132-freebsd-current-aslr-segvguard-SNAPSHOT.diff
>
> Patch for 10-stable:
> http://www.crysys.hu/~op/freebsd/patches/20140514091132-freebsd-stable-10-aslr-segvguard-SNAPSHOT.diff
>
> Thanks,
>
> Shawn Webb
>

New round of patches are there:

11-CURRENT: http://www.crysys.hu/~op/freebsd/patches/20140524011327-freebsd-current-aslr-segvguard-SNAPSHOT.diff

10-STABLE: http://www.crysys.hu/~op/freebsd/patches/20140524011327-freebsd-stable-10-aslr-segvguard-SNAPSHOT.diff



What's changed related to previous tag:
11-CURRENT:
Oliver Pinter (17):
      PAX ASLR: update license in kern_pax_aslr.c
      PAX: update license in kern_pax.c
      PAX SEGVGUARD: update license in kern_pax_segvguard.c
      PAX: update license in pax.h
      PAX ASLR: remove unneeded parameter from pax_aslr_stack function
      PAX LOG: implement new logging subsystem
      PAX LOG: fix pax_ulog_segvguard
      PAX LOG: added sysctl's and tunables
      PAX ASLR: use PAX LOG
      PAX LOG: fix pax_ulog_##name()
      PAX LOG: fix prison init
      PAX LOG: fixed log and ulog sysctl
      PAX ASLR: fixed debug sysctl
      PAX: blacklist clang and related binaries from PIE support
      PAX ASLR: make ASLR by default opt-out
      Merge remote-tracking branch 'freebsd/master' into hardened/current/aslr
      Merge branch 'hardened/current/aslr' of
github.com:HardenedBSD/hardenedBSD into hardened/current/aslr

Shawn Webb (10):
      Remove CAN_PIE in preparation for NO_PIE
      Merge remote-tracking branch 'upstream/master' into hardened/current/aslr
      PAX ASLR: Blacklist the applications that don't support being
built as a position-independent executable
      Merge remote-tracking branch 'upstream/master' into hardened/current/aslr
      Disable PAX_SEGVGUARD in LATT-ASLR kernel
      PAX ASLR: Lock the jail when initializing PAX per-jail PAX settings
      PAX ASLR: Fix bug with pax_aslr_active()
      PAX ASLR: Use a full kernel config for LATT-ASLR
      Revert "PAX: blacklist clang and related binaries from PIE support"
      Revert "Revert "PAX: blacklist clang and related binaries from
PIE support""


10-STABLE:
Oliver Pinter (20):
      PAX ASLR: update license in kern_pax_aslr.c
      PAX: update license in kern_pax.c
      PAX SEGVGUARD: update license in kern_pax_segvguard.c
      PAX: update license in pax.h
      PAX ASLR: remove unneeded parameter from pax_aslr_stack function
      PAX LOG: implement new logging subsystem
      PAX LOG: fix pax_ulog_segvguard
      PAX LOG: added sysctl's and tunables
      PAX ASLR: use PAX LOG
      PAX LOG: fix pax_ulog_##name()
      PAX LOG: fix prison init
      PAX LOG: fixed log and ulog sysctl
      PAX ASLR: fixed debug sysctl
      Merge remote-tracking branch 'freebsd/stable/10' into hardened/10/aslr
      Merge remote-tracking branch 'freebsd/stable/10' into hardened/10/aslr
      added OPN-ASLR kernel config
      PAX: Remove CAN_PIE in preparation for NO_PIE from /bin/sh
      PAX: blacklist clang and related binaries from PIE support
      PAX ASLR: make ASLR by default opt-out
      Merge remote-tracking branch 'freebsd/stable/10' into hardened/10/aslr

Shawn Webb (4):
      PAX: Remove CAN_PIE in preparation for NO_PIE
      PAX ASLR: Blacklist the applications that don't support being
built as a position-independent executable
      PAX ASLR: Lock the jail when initializing PAX per-jail PAX settings
      PAX ASLR: Fix bug with pax_aslr_active()