Date: Wed, 16 Nov 2011 01:09:18 +0100 From: Oliver Pinter <oliver.pntr@gmail.com> To: Jeremie Le Hen <jeremie@le-hen.org> Cc: Kostik Belousov <kostikbel@gmail.com>, Garrett Cooper <yanegomi@gmail.com>, current@freebsd.org, Arnaud Lacombe <lacombar@gmail.com> Subject: Re: [RFC] Enable nxstack by default Message-ID: <CAPjTQNHiTKq2RTbg0%2BVoTDsdhjApXzNHTYrQxqvu%2BUXGLZ7aEg@mail.gmail.com> In-Reply-To: <20111115165756.GA11894@felucia.tataz.chchile.org> References: <CAPjTQNFCT5LBKwVQFf9FHk4aTzrJ243j2uN1nPmMeFp=cTdMUA@mail.gmail.com> <20111018090750.GG50300@deviant.kiev.zoral.com.ua> <CACqU3MWftO=FG4GbnKCFjTcKg1narJWuYnCwv-Mcu=WGriScwA@mail.gmail.com> <alpine.BSF.2.00.1110180838200.38610@toaster.local> <CACqU3MWOXTMfu0LySukcwAz=NGSzyN=ettiY0fQj3Ehp5MONug@mail.gmail.com> <CAPjTQNE5-kGJ%2BD2c3Z2y-e_h95i5VY0Yc=C26BJ_Oq0n2DNz6A@mail.gmail.com> <CACqU3MXm1P1P2FBMCKhYOC%2BeCn_3QyQmd98b%2B_Kiq98usuqiPA@mail.gmail.com> <20111018183219.GN50300@deviant.kiev.zoral.com.ua> <CACqU3MXNpmhwUM-incmeU_vUXZOKaZ=sZmGmUX5WCmdz6kfE7A@mail.gmail.com> <CAPjTQNFiqq9TEzTs812f7nVVY-74bMgvL9ujT-qXkMKnhux%2BtA@mail.gmail.com> <20111115165756.GA11894@felucia.tataz.chchile.org>
next in thread | previous in thread | raw e-mail | index | archive | help
--14dae93b63ec57a2d904b1ceea11 Content-Type: text/plain; charset=ISO-8859-1 On 11/15/11, Jeremie Le Hen <jeremie@le-hen.org> wrote: > Hi, > > On Wed, Oct 19, 2011 at 12:37:44AM +0200, Oliver Pinter wrote: >> In NetBSD has been some PaX feature [0] implemented. (ASLR, W^X >> (~nxstack), mprotect restriction, veriexec, mmap randomization[2]...) >> >> [0] http://pax.grsecurity.net/docs/index.html >> [1] http://www.netbsd.org/~elad/recent/man/security.8.html >> [2] http://people.freebsd.org/~ssouhlal/testing/stackgap-20050527.diff > > Suleiman actually wrought two patches, one randomizing the stack (the > one you pointed out) and another one randomizing non-fixed mmap(2) > calls: > > http://people.freebsd.org/~ssouhlal/testing/mmap_random-20050528.diff > > > FYI, they do not apply cleanly on recent source trees (the patches were > made in 2005), but they can be applied with little fiddling. I'm > running multiple 8.x production machines with them without any problem. Yeah, I use thins patch in 7-STABLE and 9-STABLE too. Patch for 9-STABLE has attached. > > I've always wanted them to be committed as opt-in knobs, but I can't > remember why they hadn't at the time. > > Cheers, > -- > Jeremie Le Hen > > Men are born free and equal. Later on, they're on their own. > Jean Yanne > --14dae93b63ec57a2d904b1ceea11 Content-Type: text/x-diff; charset=US-ASCII; name="randomize-stack-and-mmap.diff" Content-Disposition: attachment; filename="randomize-stack-and-mmap.diff" Content-Transfer-Encoding: base64 X-Attachment-Id: file0 Y29tbWl0IDc3OWE5NjI1MTllN2VhZDYzZGRhMjQzNDhiOThmNmNkZTgxNTY3NTIKQXV0aG9yOiBP bGl2ZXIgUGludGVyIDxvcG5Ab3BuLihub25lKT4KRGF0ZTogICBUdWUgT2N0IDQgMDA6MjQ6MDEg MjAxMSArMDIwMAoKICAgIGZvcndhcmRwb3J0IG1tYXAtcmFuZG9taXphdGlvbiBwYXRjaCBmcm9t IDctU1RBQkxFLW9wCiAgICAKICAgIFNpZ25lZC1vZmYtYnk6IE9saXZlciBQaW50ZXIgPG9saXZl ci5wbnRyQGdtYWlsLmNvbT4KCmRpZmYgLS1naXQgYS9zeXMva2Vybi9rZXJuX2V4ZWMuYyBiL3N5 cy9rZXJuL2tlcm5fZXhlYy5jCmluZGV4IGZlMDExNDIuLmRjNjZkYjYgMTAwNjQ0Ci0tLSBhL3N5 cy9rZXJuL2tlcm5fZXhlYy5jCisrKyBiL3N5cy9rZXJuL2tlcm5fZXhlYy5jCkBAIC0xMDYsNiAr MTA2LDcgQEAgTUFMTE9DX0RFRklORShNX1BBUkdTLCAicHJvYy1hcmdzIiwgIlByb2Nlc3MgYXJn dW1lbnRzIik7CiBzdGF0aWMgaW50IHN5c2N0bF9rZXJuX3BzX3N0cmluZ3MoU1lTQ1RMX0hBTkRM RVJfQVJHUyk7CiBzdGF0aWMgaW50IHN5c2N0bF9rZXJuX3VzcnN0YWNrKFNZU0NUTF9IQU5ETEVS X0FSR1MpOwogc3RhdGljIGludCBzeXNjdGxfa2Vybl9zdGFja3Byb3QoU1lTQ1RMX0hBTkRMRVJf QVJHUyk7CitzdGF0aWMgaW50IHN5c2N0bF9rZXJuX3N0YWNrZ2FwX3JhbmRvbShTWVNDVExfSEFO RExFUl9BUkdTKTsKIHN0YXRpYyBpbnQgZG9fZXhlY3ZlKHN0cnVjdCB0aHJlYWQgKnRkLCBzdHJ1 Y3QgaW1hZ2VfYXJncyAqYXJncywKICAgICBzdHJ1Y3QgbWFjICptYWNfcCk7CiAKQEAgLTEyMCw2 ICsxMjEsOSBAQCBTWVNDVExfUFJPQyhfa2VybiwgS0VSTl9VU1JTVEFDSywgdXNyc3RhY2ssIENU TFRZUEVfVUxPTkd8Q1RMRkxBR19SRHwKIFNZU0NUTF9QUk9DKF9rZXJuLCBPSURfQVVUTywgc3Rh Y2twcm90LCBDVExUWVBFX0lOVHxDVExGTEFHX1JELAogICAgIE5VTEwsIDAsIHN5c2N0bF9rZXJu X3N0YWNrcHJvdCwgIkkiLCAiIik7CiAKK1NZU0NUTF9QUk9DKF9rZXJuLCBPSURfQVVUTywgc3Rh Y2tnYXBfcmFuZG9tLCBDVExUWVBFX0lOVHxDVExGTEFHX1JXLAorICAgIE5VTEwsIDAsIHN5c2N0 bF9rZXJuX3N0YWNrZ2FwX3JhbmRvbSwgIkkiLCAic3RhY2tnYXAgbWF4aW11bSBvZmZzZXQiKTsK KwogdV9sb25nIHBzX2FyZ19jYWNoZV9saW1pdCA9IFBBR0VfU0laRSAvIDE2OwogU1lTQ1RMX1VM T05HKF9rZXJuLCBPSURfQVVUTywgcHNfYXJnX2NhY2hlX2xpbWl0LCBDVExGTEFHX1JXLCAKICAg ICAmcHNfYXJnX2NhY2hlX2xpbWl0LCAwLCAiIik7CkBAIC0xNzcsNiArMTgxLDMwIEBAIHN5c2N0 bF9rZXJuX3N0YWNrcHJvdChTWVNDVExfSEFORExFUl9BUkdTKQogCSAgICBzaXplb2YocC0+cF9z eXNlbnQtPnN2X3N0YWNrcHJvdCkpKTsKIH0KIAorc3RhdGljIGludAlzdGFja2dhcF9yYW5kb20g PSA2NCAqIDEwMjQ7CisKK3N0YXRpYyBpbnQKK3N5c2N0bF9rZXJuX3N0YWNrZ2FwX3JhbmRvbShT WVNDVExfSEFORExFUl9BUkdTKQoreworCWludAllcnI7CisJaW50CXZhbDsKKworCXZhbD1zdGFj a2dhcF9yYW5kb207CisJZXJyPXN5c2N0bF9oYW5kbGVfaW50KG9pZHAsICZ2YWwsIHNpemVvZihp bnQpLCByZXEpOworCWlmIChlcnIgfHwgIXJlcS0+bmV3cHRyKSB7CisJCXJldHVybiAoZXJyKTsK Kwl9CisKKwlpZiAoKHZhbDxBTElHTkJZVEVTICYmICh2YWwhPTApKQorCSAgICB8fCAhcG93ZXJv ZjIodmFsKSB8fCB2YWw+NjQqMTAyNCoxMDI0KSB7CisJCXJldHVybiAoRUlOVkFMKTsKKwl9CisK KwlzdGFja2dhcF9yYW5kb209dmFsOworCisJcmV0dXJuICgwKTsKK30KKwogLyoKICAqIEVhY2gg b2YgdGhlIGl0ZW1zIGlzIGEgcG9pbnRlciB0byBhIGBjb25zdCBzdHJ1Y3QgZXhlY3N3JywgaGVu Y2UgdGhlCiAgKiBkb3VibGUgcG9pbnRlciBoZXJlLgpAQCAtMTI0OCw2ICsxMjc2LDcgQEAgZXhl Y19jb3B5b3V0X3N0cmluZ3MoaW1ncCkKIAlzaXplX3QgZXhlY3BhdGhfbGVuOwogCWludCBzenNp Z2NvZGUsIHN6cHM7CiAJY2hhciBjYW5hcnlbc2l6ZW9mKGxvbmcpICogOF07CisJaW50IHNnYXA7 CiAKIAlzenBzID0gc2l6ZW9mKHBhZ2VzaXplc1swXSkgKiBNQVhQQUdFU0laRVM7CiAJLyoKQEAg LTEyNjUsNyArMTI5NCwxMSBAQCBleGVjX2NvcHlvdXRfc3RyaW5ncyhpbWdwKQogCQlpZiAocC0+ cF9zeXNlbnQtPnN2X3N6c2lnY29kZSAhPSBOVUxMKQogCQkJc3pzaWdjb2RlID0gKihwLT5wX3N5 c2VudC0+c3Zfc3pzaWdjb2RlKTsKIAl9Ci0JZGVzdHAgPQkoY2FkZHJfdClhcmdpbmZvIC0gc3pz aWdjb2RlIC0gU1BBUkVfVVNSU1BBQ0UgLQorCXNnYXA9MDsKKwlpZiAoc3RhY2tnYXBfcmFuZG9t IT0wKSB7CisJCXNnYXA9QUxJR04oYXJjNHJhbmRvbSgpJihzdGFja2dhcF9yYW5kb20tMSkpOwor CX0KKwlkZXN0cCA9CShjYWRkcl90KWFyZ2luZm8gLSBzenNpZ2NvZGUgLSBTUEFSRV9VU1JTUEFD RSAtIHNnYXAgLQogCSAgICByb3VuZHVwKGV4ZWNwYXRoX2xlbiwgc2l6ZW9mKGNoYXIgKikpIC0K IAkgICAgcm91bmR1cChzaXplb2YoY2FuYXJ5KSwgc2l6ZW9mKGNoYXIgKikpIC0KIAkgICAgcm91 bmR1cChzenBzLCBzaXplb2YoY2hhciAqKSkgLQpkaWZmIC0tZ2l0IGEvc3lzL3ZtL3ZtX21tYXAu YyBiL3N5cy92bS92bV9tbWFwLmMKaW5kZXggZTg1YjY4MS4uOTkxYTM3ZCAxMDA2NDQKLS0tIGEv c3lzL3ZtL3ZtX21tYXAuYworKysgYi9zeXMvdm0vdm1fbW1hcC5jCkBAIC02OCw2ICs2OCw3IEBA IF9fRkJTRElEKCIkRnJlZUJTRCQiKTsKICNpbmNsdWRlIDxzeXMvc3RhdC5oPgogI2luY2x1ZGUg PHN5cy9zeXNlbnQuaD4KICNpbmNsdWRlIDxzeXMvdm1tZXRlci5oPgorI2luY2x1ZGUgPHN5cy9z eXNjdGwuaD4KIAogI2luY2x1ZGUgPHNlY3VyaXR5L21hYy9tYWNfZnJhbWV3b3JrLmg+CiAKQEAg LTk5LDYgKzEwMCwxMCBAQCBzdGF0aWMgaW50IHZtX21tYXBfY2RldihzdHJ1Y3QgdGhyZWFkICos IHZtX3NpemVfdCwgdm1fcHJvdF90LCB2bV9wcm90X3QgKiwKIHN0YXRpYyBpbnQgdm1fbW1hcF9z aG0oc3RydWN0IHRocmVhZCAqLCB2bV9zaXplX3QsIHZtX3Byb3RfdCwgdm1fcHJvdF90ICosCiAg ICAgaW50ICosIHN0cnVjdCBzaG1mZCAqLCB2bV9vb2Zmc2V0X3QsIHZtX29iamVjdF90ICopOwog CitzdGF0aWMgaW50IG1tYXBfcmFuZG9tPTE7CitTWVNDVExfSU5UKF92bSwgT0lEX0FVVE8sIG1t YXBfcmFuZG9tLCBDVExGTEFHX1JXLCAmbW1hcF9yYW5kb20sIDAsCisJCSJyYW5kb20gbW1hcCBv ZmZzZXQiKTsKKwogLyoKICAqIE1QU0FGRQogICovCkBAIC0yNTYsNyArMjYxLDggQEAgc3lzX21t YXAodGQsIHVhcCkKIAkJLyoKIAkJICogWFhYIGZvciBub24tZml4ZWQgbWFwcGluZ3Mgd2hlcmUg bm8gaGludCBpcyBwcm92aWRlZCBvcgogCQkgKiB0aGUgaGludCB3b3VsZCBmYWxsIGluIHRoZSBw b3RlbnRpYWwgaGVhcCBzcGFjZSwKLQkJICogcGxhY2UgaXQgYWZ0ZXIgdGhlIGVuZCBvZiB0aGUg bGFyZ2VzdCBwb3NzaWJsZSBoZWFwLgorCQkgKiBwbGFjZSBpdCBhZnRlciB0aGUgZW5kIG9mIHRo ZSBsYXJnZXN0IHBvc3NpYmxlIGhlYXAsCisJCSAqIHBsdXMgYSByYW5kb20gb2Zmc2V0LCBpZiBt bWFwX3JhbmRvbSBpcyBzZXQuCiAJCSAqCiAJCSAqIFRoZXJlIHNob3VsZCByZWFsbHkgYmUgYSBw bWFwIGNhbGwgdG8gZGV0ZXJtaW5lIGEgcmVhc29uYWJsZQogCQkgKiBsb2NhdGlvbi4KQEAgLTI2 NSw5ICsyNzEsMTMgQEAgc3lzX21tYXAodGQsIHVhcCkKIAkJaWYgKGFkZHIgPT0gMCB8fAogCQkg ICAgKGFkZHIgPj0gcm91bmRfcGFnZSgodm1fb2Zmc2V0X3Qpdm1zLT52bV90YWRkcikgJiYKIAkJ ICAgIGFkZHIgPCByb3VuZF9wYWdlKCh2bV9vZmZzZXRfdCl2bXMtPnZtX2RhZGRyICsKLQkJICAg IGxpbV9tYXgodGQtPnRkX3Byb2MsIFJMSU1JVF9EQVRBKSkpKQorCQkgICAgbGltX21heCh0ZC0+ dGRfcHJvYywgUkxJTUlUX0RBVEEpKSkpIHsKIAkJCWFkZHIgPSByb3VuZF9wYWdlKCh2bV9vZmZz ZXRfdCl2bXMtPnZtX2RhZGRyICsKIAkJCSAgICBsaW1fbWF4KHRkLT50ZF9wcm9jLCBSTElNSVRf REFUQSkpOworCQkJaWYgKG1tYXBfcmFuZG9tKSB7CisJCQkJYWRkcis9YXJjNHJhbmRvbSgpJigy NTYqMTAyNCoxMDI0LTEpOworCQkJfQorCQl9CiAJCVBST0NfVU5MT0NLKHRkLT50ZF9wcm9jKTsK IAl9CiAJaWYgKGZsYWdzICYgTUFQX0FOT04pIHsK --14dae93b63ec57a2d904b1ceea11--
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?CAPjTQNHiTKq2RTbg0%2BVoTDsdhjApXzNHTYrQxqvu%2BUXGLZ7aEg>