Date: Sat, 24 Aug 2013 23:40:15 +0200 From: Oliver Pinter <oliver.pntr@gmail.com> To: Steven Lee <steven@roothosts.com> Cc: freebsd-bugs@freebsd.org Subject: Re: kern/181497: ASLR Feature Request - patch included Message-ID: <CAPjTQNFp85iUzFJFse=vMe5DC-GWU5_qBMURLmozccb%2BM5B9Bw@mail.gmail.com> In-Reply-To: <201308242100.r7OL01EV073106@freefall.freebsd.org> References: <201308242100.r7OL01EV073106@freefall.freebsd.org>
next in thread | previous in thread | raw e-mail | index | archive | help
performance test on HEAD from Juni + ASLR patches: http://centaur.sch.bme.hu/~oliverp/hunger/new/ On 8/24/13, Steven Lee <steven@roothosts.com> wrote: > The following reply was made to PR kern/181497; it has been noted by GNATS. > > From: Steven Lee <steven@roothosts.com> > To: Oliver Pinter <oliver.pntr@gmail.com>, > freebsd-gnats-submit@freebsd.org > Cc: > Subject: Re: kern/181497: ASLR Feature Request - patch included > Date: Sat, 24 Aug 2013 14:49:03 -0600 > > Wow... very nice. :) > > On 13-08-24 07:48 AM, Oliver Pinter wrote: > > new version of the patchset: > > > https://github.com/opntr/freebsd-patches-2013-tavasz/tree/master/r249952+ASLR > > > > On 8/24/13, Steven Lee <steven@roothosts.com> wrote: > >> > >>> Number: 181497 > >>> Category: kern > >>> Synopsis: ASLR Feature Request - patch included > >>> Confidential: no > >>> Severity: non-critical > >>> Priority: low > >>> Responsible: freebsd-bugs > >>> State: open > >>> Quarter: > >>> Keywords: > >>> Date-Required: > >>> Class: change-request > >>> Submitter-Id: current-users > >>> Arrival-Date: Sat Aug 24 02:20:00 UTC 2013 > >>> Closed-Date: > >>> Last-Modified: > >>> Originator: Steven Lee > >>> Release: releng/9.2 > >>> Organization: > >> Root Hosts > >>> Environment: > >> N/A > >>> Description: > >> Most modern operating systems have ASLR to help mitigate yet-unknown > >> vulnerabilities. > >> > >> It would be very nice if FreeBSD shipped with ASLR features in the > kernel > >> (default off), that could be easily switched on with a sysctl variable. > >> > >> I understand that in some production environments ASLR may make a > system > >> slower through memory fragmentation, but at least give people the option > to > >> turn ASLR on for those who actually want it. :) > >> > >>> How-To-Repeat: > >> N/A > >>> Fix: > >> This patch has been circulating the internet since FreeBSD 7.0-RELEASE > at > >> least. It looks like parts of it are from OpenBSD? (I could be wrong.) > I've > >> used it in production for many many years and it works like a champ. > >> > >> The patch will just need the sysctl defaults inverted and the variable > names > >> possibly renamed for clarity. > >> > >> > >> Patch attached with submission follows: > >> > >> commit 779a962519e7ead63dda24348b98f6cde8156752 > >> Author: Oliver Pinter <opn@opn.(none)> > >> Date: Tue Oct 4 00:24:01 2011 +0200 > >> > >> forwardport mmap-randomization patch from 7-STABLE-op > >> > >> Signed-off-by: Oliver Pinter <oliver.pntr@gmail.com> > >> > >> diff --git a/sys/kern/kern_exec.c b/sys/kern/kern_exec.c > >> index fe01142..dc66db6 100644 > >> --- a/sys/kern/kern_exec.c > >> +++ b/sys/kern/kern_exec.c > >> @@ -106,6 +106,7 @@ MALLOC_DEFINE(M_PARGS, "proc-args", "Process > >> arguments"); > >> static int sysctl_kern_ps_strings(SYSCTL_HANDLER_ARGS); > >> static int sysctl_kern_usrstack(SYSCTL_HANDLER_ARGS); > >> static int sysctl_kern_stackprot(SYSCTL_HANDLER_ARGS); > >> +static int sysctl_kern_stackgap_random(SYSCTL_HANDLER_ARGS); > >> static int do_execve(struct thread *td, struct image_args *args, > >> struct mac *mac_p); > >> > >> @@ -120,6 +121,9 @@ SYSCTL_PROC(_kern, KERN_USRSTACK, usrstack, > >> CTLTYPE_ULONG|CTLFLAG_RD| > >> SYSCTL_PROC(_kern, OID_AUTO, stackprot, CTLTYPE_INT|CTLFLAG_RD, > >> NULL, 0, sysctl_kern_stackprot, "I", ""); > >> > >> +SYSCTL_PROC(_kern, OID_AUTO, stackgap_random, CTLTYPE_INT|CTLFLAG_RW, > >> + NULL, 0, sysctl_kern_stackgap_random, "I", "stackgap maximum > offset"); > >> + > >> u_long ps_arg_cache_limit = PAGE_SIZE / 16; > >> SYSCTL_ULONG(_kern, OID_AUTO, ps_arg_cache_limit, CTLFLAG_RW, > >> &ps_arg_cache_limit, 0, ""); > >> @@ -177,6 +181,30 @@ sysctl_kern_stackprot(SYSCTL_HANDLER_ARGS) > >> sizeof(p->p_sysent->sv_stackprot))); > >> } > >> > >> +static int stackgap_random = 64 * 1024; > >> + > >> +static int > >> +sysctl_kern_stackgap_random(SYSCTL_HANDLER_ARGS) > >> +{ > >> + int err; > >> + int val; > >> + > >> + val=stackgap_random; > >> + err=sysctl_handle_int(oidp, &val, sizeof(int), req); > >> + if (err || !req->newptr) { > >> + return (err); > >> + } > >> + > >> + if ((val<ALIGNBYTES && (val!=0)) > >> + || !powerof2(val) || val>64*1024*1024) { > >> + return (EINVAL); > >> + } > >> + > >> + stackgap_random=val; > >> + > >> + return (0); > >> +} > >> + > >> /* > >> * Each of the items is a pointer to a `const struct execsw', hence > the > >> * double pointer here. > >> @@ -1248,6 +1276,7 @@ exec_copyout_strings(imgp) > >> size_t execpath_len; > >> int szsigcode, szps; > >> char canary[sizeof(long) * 8]; > >> + int sgap; > >> > >> szps = sizeof(pagesizes[0]) * MAXPAGESIZES; > >> /* > >> @@ -1265,7 +1294,11 @@ exec_copyout_strings(imgp) > >> if (p->p_sysent->sv_szsigcode != NULL) > >> szsigcode = *(p->p_sysent->sv_szsigcode); > >> } > >> - destp = (caddr_t)arginfo - szsigcode - SPARE_USRSPACE - > >> + sgap=0; > >> + if (stackgap_random!=0) { > >> + sgap=ALIGN(arc4random()&(stackgap_random-1)); > >> + } > >> + destp = (caddr_t)arginfo - szsigcode - SPARE_USRSPACE - sgap - > >> roundup(execpath_len, sizeof(char *)) - > >> roundup(sizeof(canary), sizeof(char *)) - > >> roundup(szps, sizeof(char *)) - > >> diff --git a/sys/vm/vm_mmap.c b/sys/vm/vm_mmap.c > >> index e85b681..991a37d 100644 > >> --- a/sys/vm/vm_mmap.c > >> +++ b/sys/vm/vm_mmap.c > >> @@ -68,6 +68,7 @@ __FBSDID("$FreeBSD$"); > >> #include <sys/stat.h> > >> #include <sys/sysent.h> > >> #include <sys/vmmeter.h> > >> +#include <sys/sysctl.h> > >> > >> #include <security/mac/mac_framework.h> > >> > >> @@ -99,6 +100,10 @@ static int vm_mmap_cdev(struct thread *, vm_size_t, > >> vm_prot_t, vm_prot_t *, > >> static int vm_mmap_shm(struct thread *, vm_size_t, vm_prot_t, vm_prot_t > *, > >> int *, struct shmfd *, vm_ooffset_t, vm_object_t *); > >> > >> +static int mmap_random=1; > >> +SYSCTL_INT(_vm, OID_AUTO, mmap_random, CTLFLAG_RW, &mmap_random, 0, > >> + "random mmap offset"); > >> + > >> /* > >> * MPSAFE > >> */ > >> @@ -256,7 +261,8 @@ sys_mmap(td, uap) > >> /* > >> * XXX for non-fixed mappings where no hint is provided or > >> * the hint would fall in the potential heap space, > >> - * place it after the end of the largest possible heap. > >> + * place it after the end of the largest possible heap, > >> + * plus a random offset, if mmap_random is set. > >> * > >> * There should really be a pmap call to determine a reasonable > >> * location. > >> @@ -265,9 +271,13 @@ sys_mmap(td, uap) > >> if (addr == 0 || > >> (addr >= round_page((vm_offset_t)vms->vm_taddr) && > >> addr < round_page((vm_offset_t)vms->vm_daddr + > >> - lim_max(td->td_proc, RLIMIT_DATA)))) > >> + lim_max(td->td_proc, RLIMIT_DATA)))) { > >> addr = round_page((vm_offset_t)vms->vm_daddr + > >> lim_max(td->td_proc, RLIMIT_DATA)); > >> + if (mmap_random) { > >> + addr+=arc4random()&(256*1024*1024-1); > >> + } > >> + } > >> PROC_UNLOCK(td->td_proc); > >> } > >> if (flags & MAP_ANON) { > >> > >>> Release-Note: > >>> Audit-Trail: > >>> Unformatted: > >> _______________________________________________ > >> freebsd-bugs@freebsd.org mailing list > >> http://lists.freebsd.org/mailman/listinfo/freebsd-bugs > >> To unsubscribe, send any mail to "freebsd-bugs-unsubscribe@freebsd.org" > >> > > -- > Regards, > Steven Lee > > _______________________________________________ > freebsd-bugs@freebsd.org mailing list > http://lists.freebsd.org/mailman/listinfo/freebsd-bugs > To unsubscribe, send any mail to "freebsd-bugs-unsubscribe@freebsd.org" >
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?CAPjTQNFp85iUzFJFse=vMe5DC-GWU5_qBMURLmozccb%2BM5B9Bw>