View | Details | Raw Unified | Return to bug 181497 | Differences between
and this patch

Collapse All | Expand All

(-)share/man/man4/Makefile (+1 lines)
Lines 51-56 Link Here
51
	${_aout.4} \
51
	${_aout.4} \
52
	${_apic.4} \
52
	${_apic.4} \
53
	arcmsr.4 \
53
	arcmsr.4 \
54
	aslr.4 \
54
	${_asmc.4} \
55
	${_asmc.4} \
55
	ata.4 \
56
	ata.4 \
56
	ath.4 \
57
	ath.4 \
(-)share/man/man4/aslr.4 (+276 lines)
Added Link Here
1
.\"-
2
.\" Copyright (c) 2014,2015 Shawn Webb <shawn.webb@hardenedbsd.org>
3
.\" All rights reserved.
4
.\"
5
.\" Redistribution and use in source and binary forms, with or without
6
.\" modification, are permitted provided that the following conditions
7
.\" are met:
8
.\" 1. Redistributions of source code must retain the above copyright
9
.\"    notice, this list of conditions and the following disclaimer.
10
.\" 2. Redistributions in binary form must reproduce the above copyright
11
.\"    notice, this list of conditions and the following disclaimer in the
12
.\"    documentation and/or other materials provided with the distribution.
13
.\"
14
.\" THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
15
.\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
16
.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
17
.\" ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
18
.\" FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
19
.\" DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
20
.\" OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
21
.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
22
.\" LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
23
.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
24
.\" SUCH DAMAGE.
25
.\"
26
.\" $FreeBSD$
27
.\"
28
.Dd February 21, 2015
29
.Dt ASLR 4
30
.Os
31
.Sh NAME
32
.Nm aslr
33
.Nd Address Space Layout Randomization
34
.Sh SYNOPSIS
35
.In sys/types.h
36
.In sys/pax.h
37
.Pp
38
In the kernel configuration file:
39
.Cd "options PAX_ASLR"
40
.Sh DESCRIPTION
41
.Ss Introduction
42
Security in
43
.Fx
44
is based primarily in policy-based technologies.
45
Existing tools such as
46
.Xr jail 4 ,
47
.Xr capsicum 4 ,
48
.Xr VNET 9 , and the
49
.Xr mac 4
50
framework can make
51
.Fx Ns -based systems quite resilient against
52
attacks.
53
FreeBSD lacks basic low-level exploit mitigation, such as Address
54
Space Layout Randomization (ASLR).
55
ASLR Randomizes the address space layout of an application, making
56
exploitation difficult for an attacker.
57
This manual page and the associated implementation aim to
58
provide a secure, robust, extensible, and easily-managed form of ASLR
59
fit for production use in
60
.Fx Ns .
61
.Ss General Overview
62
When compiled with the PAX_ASLR option, systems will have ASLR
63
enabled.
64
For systems with that kernel option enabled, if a user wants
65
to disable ASLR for a given application, the user must force that
66
application to opt-out.
67
HardenedBSD has a special application called secadm for opting
68
applications in to or out of exploit mitigation features such as ASLR.
69
.Pp
70
Another kernel option,
71
.Cd PAX_SYSCTLS ,
72
exposes additional
73
.Xr sysctl 8
74
tunables, allowing ASLR behavior control without requiring a reboot.
75
By default, the sysctl hardening.pax.aslr.status can only be changed
76
at boot time via /boot/loader.conf.
77
Enabling the PAX_SYSCTLS kernel option allows a root user to modify
78
hardening.pax.aslr.status.
79
See Appendix A for a list of all the tunables.
80
.Pp
81
ASLR tunables are per-jail and each jail inherits its parent jail's
82
settings.
83
Having per-jail tunables allows more flexibility in shared-hosting
84
environments.
85
This structure also allows a user to selectively disable ASLR for
86
applications that misbehave.
87
ASLR-disabled applications will still have policy-based security
88
applied to it by virtue of being jailed.
89
.Ss Implementation Details
90
A new sysinit subroutine ID, SI_SUB_PAX, initializes ASLR system
91
variables.
92
Upon system boot, tunables from /boot/loader.conf are checked for
93
validity.
94
Any invalid values generate a warning message to the console and the
95
tunable is set to a sensible default.
96
.Pp
97
For the sake of performance, the ASLR system relies on per-process
98
deltas rather than calling
99
.Xr arc4random 3
100
for each mapping.
101
When a process calls
102
.Xr execve 2
103
.Ns , the ASLR deltas are initialized.
104
Deltas are randomly generated for the execution base,
105
.Xr mmap 2
106
.Ns , and stack addresses.
107
Only the execution base of applications compiled as Position
108
Independent Executables (PIEs) is randomized.
109
The execution base of non-PIE applications is not modified.
110
The mappings of shared objects are randomized for both PIE and non-PIE
111
applications.
112
.Pp
113
The deltas are used as a hint to the Virtual Memory (VM) system.
114
The VM system may modify the hint to make a better fit for superpages
115
and other alignment constraints.
116
.Pp
117
The delta applied to the PIE execbase is different than the delta
118
applied to the base address of shared objects.
119
In the Executable and Linkable File (ELF) image handler, the
120
execution base of PIE applications is randomized by adding the delta
121
controlled by the hardening.pax.aslr.exec_len tunable to et_dyn_addr,
122
which is initialized to be ET_DYN_LOAD_ADDR (an architecture-
123
dependent macro).
124
The base address of shared objects loaded by the dynamic linker are
125
randomized by applying the delta controlled by the
126
hardening.pax.aslr.mmap_len tunable in
127
.Fn sys_mmap
128
.Ns .
129
Stack randomization is implemented using a stack gap.
130
On executable image activation, the stack delta is computed and
131
subtracted from the top of the stack.
132
.Ss APPENDIX A
133
NOTE: All tunables can only be changed during boot-time via
134
.Fa /boot/loader.conf
135
unless the kernel has been compiled with
136
.Cd PAX_SYSCTLS
137
.Ns .
138
.Bl -bullet
139
.It
140
hardening.pax.aslr.status
141
.Bl -dash -compact
142
.It
143
Type: integer
144
.It
145
Description: Toggle system-wide ASLR protection.
146
.It
147
Values:
148
.br
149
0 - ASLR disabled system-wide. Individual applications may
150
.Em NOT
151
opt in.
152
.br
153
1 - ASLR disabled but applications may opt in.
154
.br
155
2 - ASLR enabled and applications may opt out.
156
.br
157
3 - ASLR enabled for all applications. Applications may not opt out.
158
.It
159
Default: 2
160
.El
161
.It
162
hardening.pax.aslr.exec_len
163
.Bl -dash -compact
164
.It
165
Type: integer
166
.It
167
Description: Set the number of bits to be randomized for the PIE
168
execbase.
169
.It
170
Values:
171
.br
172
For 32-bit systems, minimum of 8, maximum of 21. For 64-bit systems,
173
minimum of 16, maximum of 42.
174
.It
175
Default: For 32-bit systems: 14. For 64-bit systems: 16.
176
.El
177
.It
178
hardening.pax.aslr.mmap_len
179
.Bl -dash -compact
180
.It
181
Type: integer
182
.It
183
Description: Set the number of bits to be randomized for
184
.Xr mmap 2
185
calls.
186
.It
187
Values:
188
.br
189
For 32-bit systems, minimum of 8, maximum of 21. For 64-bit systems,
190
minimum of 16, maximum of 42.
191
.It
192
Default: For 32-bit systems: 14. For 64-bit systems: 21.
193
.El
194
.It
195
hardening.pax.aslr.stack_len
196
.Bl -dash -compact
197
.It
198
Type: integer
199
.It
200
Description: Set the number of bits to be randomized for the stack.
201
.It
202
Values:
203
.br
204
For 32-bit systems, minimum of 8, maximum of 21. For 64-bit systems,
205
minimum of 16, maximum of 42.
206
.It
207
Default: For 32-bit systems: 8. For 64-bit systems: 16.
208
.El
209
.El
210
.Sh SEE ALSO
211
.Xr mmap 2 ,
212
.Xr elf 3 ,
213
.Xr mac 4
214
.Rs
215
.%T "PaX ASLR"
216
.%U http://pax.grsecurity.net/docs/aslr.txt
217
.Re
218
.Rs
219
.%T "FreeBSD ASLR Bug Report"
220
.%U https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=181497
221
.Re
222
.Rs
223
.%T "HardenedBSD"
224
.%U http://hardenedbsd.org/
225
.Re
226
.Rs
227
.%T "secadm"
228
.%U https://github.com/HardenedBSD/secadm
229
.Re
230
.Sh HISTORY
231
On 14 May 2013, Oliver Pinter published to GitHub an initial patch to
232
implement ASLR.
233
His work was inspired by Elad Efrat's work in NetBSD.
234
The patch was submitted to FreeBSD as a bug report on 24 Aug 2013.
235
Independenty of Oliver's work, Shawn Webb posted to his tech blog that
236
he was interested in implementing ASLR for FreeBSD.
237
Oliver found his post and suggested that he and Shawn work together.
238
On June 08, 2014, preparatory work was committed to FreeBSD, adding
239
Position-Independent Executable (PIE) support in base. PIE support
240
was removed sometime later.
241
On 07 Apr 2014, SoldierX agreed to sponsor the project and donated a
242
sparc64 machine and a BeagleBone Black to Shawn Webb. This hardware
243
is used for testing and debugging ASLR.
244
ASLR was first introduced in HardenedBSD and later upstreamed to
245
.Fx 11.0-CURRENT.
246
.Sh AUTHORS
247
This manual page was written by
248
.An -nosplit
249
.An Shawn Webb .
250
The ASLR implementation was written by
251
.An Oliver Pinter and
252
.An Shawn Webb .
253
.Sh BUGS
254
The existing gap-based stack randomization is not optimal.
255
Mapping-base stack randomization is more robust, but hard-coded kernel
256
structures and addresses, especially
257
.Va PS_STRINGS
258
, will need to be
259
modified.
260
The required changes to
261
.Va PS_STRINGS
262
are major and will likely touch
263
userland along with the kernel.
264
265
The original PaX implementation, from which the
266
.Fx
267
implementation is inspired, uses a special ELF process header which
268
requires modification of executable files.
269
The authors of the
270
.Fx
271
implementation have deliberately chosen to go a different route based
272
on the
273
.Xr mac 4
274
framework.
275
Support for filesystem extended attributes will be added at a later
276
time.
(-)sys/amd64/amd64/elf_machdep.c (+6 lines)
Lines 26-37 Link Here
26
#include <sys/cdefs.h>
26
#include <sys/cdefs.h>
27
__FBSDID("$FreeBSD$");
27
__FBSDID("$FreeBSD$");
28
28
29
#include "opt_pax.h"
30
29
#include <sys/param.h>
31
#include <sys/param.h>
30
#include <sys/kernel.h>
32
#include <sys/kernel.h>
31
#include <sys/systm.h>
33
#include <sys/systm.h>
32
#include <sys/exec.h>
34
#include <sys/exec.h>
33
#include <sys/imgact.h>
35
#include <sys/imgact.h>
34
#include <sys/linker.h>
36
#include <sys/linker.h>
37
#include <sys/pax.h>
35
#include <sys/proc.h>
38
#include <sys/proc.h>
36
#include <sys/sysent.h>
39
#include <sys/sysent.h>
37
#include <sys/imgact_elf.h>
40
#include <sys/imgact_elf.h>
Lines 82-87 Link Here
82
	.sv_shared_page_base = SHAREDPAGE,
85
	.sv_shared_page_base = SHAREDPAGE,
83
	.sv_shared_page_len = PAGE_SIZE,
86
	.sv_shared_page_len = PAGE_SIZE,
84
	.sv_schedtail	= NULL,
87
	.sv_schedtail	= NULL,
88
#ifdef PAX_ASLR
89
	.sv_pax_aslr_init = pax_aslr_init_vmspace,
90
#endif
85
};
91
};
86
INIT_SYSENTVEC(elf64_sysvec, &elf64_freebsd_sysvec);
92
INIT_SYSENTVEC(elf64_sysvec, &elf64_freebsd_sysvec);
87
93
(-)sys/amd64/conf/GENERIC (+2 lines)
Lines 69-74 Link Here
69
options 	CAPABILITY_MODE		# Capsicum capability mode
69
options 	CAPABILITY_MODE		# Capsicum capability mode
70
options 	CAPABILITIES		# Capsicum capabilities
70
options 	CAPABILITIES		# Capsicum capabilities
71
options 	MAC			# TrustedBSD MAC Framework
71
options 	MAC			# TrustedBSD MAC Framework
72
#options 	PAX_ASLR		# Address Space Layout Randomization
73
#options 	PAX_SYSCTLS		# Run-time settings for PAX and Hardening
72
options 	KDTRACE_FRAME		# Ensure frames are compiled in
74
options 	KDTRACE_FRAME		# Ensure frames are compiled in
73
options 	KDTRACE_HOOKS		# Kernel DTrace hooks
75
options 	KDTRACE_HOOKS		# Kernel DTrace hooks
74
options 	DDB_CTF			# Kernel ELF linker loads CTF data
76
options 	DDB_CTF			# Kernel ELF linker loads CTF data
(-)sys/amd64/include/vmparam.h (-1 / +2 lines)
Lines 178-184 Link Here
178
#define	VM_MAXUSER_ADDRESS	UVADDR(NUPML4E, 0, 0, 0)
178
#define	VM_MAXUSER_ADDRESS	UVADDR(NUPML4E, 0, 0, 0)
179
179
180
#define	SHAREDPAGE		(VM_MAXUSER_ADDRESS - PAGE_SIZE)
180
#define	SHAREDPAGE		(VM_MAXUSER_ADDRESS - PAGE_SIZE)
181
#define	USRSTACK		SHAREDPAGE
181
#define	SHAREDPAGE_GUARD	(4 * PAGE_SIZE)
182
#define	USRSTACK		(SHAREDPAGE - SHAREDPAGE_GUARD)
182
183
183
#define	VM_MAX_ADDRESS		UPT_MAX_ADDRESS
184
#define	VM_MAX_ADDRESS		UPT_MAX_ADDRESS
184
#define	VM_MIN_ADDRESS		(0)
185
#define	VM_MIN_ADDRESS		(0)
(-)sys/amd64/linux32/linux32_sysvec.c (+5 lines)
Lines 33-38 Link Here
33
#include <sys/cdefs.h>
33
#include <sys/cdefs.h>
34
__FBSDID("$FreeBSD$");
34
__FBSDID("$FreeBSD$");
35
#include "opt_compat.h"
35
#include "opt_compat.h"
36
#include "opt_pax.h"
36
37
37
#ifndef COMPAT_FREEBSD32
38
#ifndef COMPAT_FREEBSD32
38
#error "Unable to compile Linux-emulator due to missing COMPAT_FREEBSD32 option!"
39
#error "Unable to compile Linux-emulator due to missing COMPAT_FREEBSD32 option!"
Lines 51-56 Link Here
51
#include <sys/malloc.h>
52
#include <sys/malloc.h>
52
#include <sys/module.h>
53
#include <sys/module.h>
53
#include <sys/mutex.h>
54
#include <sys/mutex.h>
55
#include <sys/pax.h>
54
#include <sys/proc.h>
56
#include <sys/proc.h>
55
#include <sys/resourcevar.h>
57
#include <sys/resourcevar.h>
56
#include <sys/signalvar.h>
58
#include <sys/signalvar.h>
Lines 1037-1042 Link Here
1037
	.sv_shared_page_base = LINUX32_SHAREDPAGE,
1039
	.sv_shared_page_base = LINUX32_SHAREDPAGE,
1038
	.sv_shared_page_len = PAGE_SIZE,
1040
	.sv_shared_page_len = PAGE_SIZE,
1039
	.sv_schedtail	= linux_schedtail,
1041
	.sv_schedtail	= linux_schedtail,
1042
#ifdef PAX_ASLR
1043
	.sv_pax_aslr_init = pax_aslr_init_vmspace32,
1044
#endif
1040
};
1045
};
1041
INIT_SYSENTVEC(elf_sysvec, &elf_linux_sysvec);
1046
INIT_SYSENTVEC(elf_sysvec, &elf_linux_sysvec);
1042
1047
(-)sys/arm/arm/elf_machdep.c (+6 lines)
Lines 26-39 Link Here
26
#include <sys/cdefs.h>
26
#include <sys/cdefs.h>
27
__FBSDID("$FreeBSD$");
27
__FBSDID("$FreeBSD$");
28
28
29
#include "opt_pax.h"
30
29
#include <sys/param.h>
31
#include <sys/param.h>
30
#include <sys/kernel.h>
32
#include <sys/kernel.h>
31
#include <sys/systm.h>
33
#include <sys/systm.h>
32
#include <sys/exec.h>
34
#include <sys/exec.h>
33
#include <sys/imgact.h>
35
#include <sys/imgact.h>
34
#include <sys/linker.h>
36
#include <sys/linker.h>
35
#include <sys/sysent.h>
37
#include <sys/sysent.h>
36
#include <sys/imgact_elf.h>
38
#include <sys/imgact_elf.h>
39
#include <sys/pax.h>
37
#include <sys/proc.h>
40
#include <sys/proc.h>
38
#include <sys/syscall.h>
41
#include <sys/syscall.h>
39
#include <sys/signalvar.h>
42
#include <sys/signalvar.h>
Lines 81-86 Link Here
81
	.sv_fetch_syscall_args = cpu_fetch_syscall_args,
84
	.sv_fetch_syscall_args = cpu_fetch_syscall_args,
82
	.sv_syscallnames = syscallnames,
85
	.sv_syscallnames = syscallnames,
83
	.sv_schedtail	= NULL,
86
	.sv_schedtail	= NULL,
87
#ifdef PAX_ASLR
88
	.sv_pax_aslr_init = pax_aslr_init_vmspace,
89
#endif
84
};
90
};
85
91
86
static Elf32_Brandinfo freebsd_brand_info = {
92
static Elf32_Brandinfo freebsd_brand_info = {
(-)sys/arm/arm/machdep.c (+8 lines)
Lines 47-52 Link Here
47
#include "opt_platform.h"
47
#include "opt_platform.h"
48
#include "opt_sched.h"
48
#include "opt_sched.h"
49
#include "opt_timer.h"
49
#include "opt_timer.h"
50
#include "opt_pax.h"
50
51
51
#include <sys/cdefs.h>
52
#include <sys/cdefs.h>
52
__FBSDID("$FreeBSD$");
53
__FBSDID("$FreeBSD$");
Lines 116-121 Link Here
116
#include <ddb/ddb.h>
117
#include <ddb/ddb.h>
117
#endif
118
#endif
118
119
120
#ifdef PAX_ASLR
121
#include <sys/pax.h>
122
#endif
123
119
#ifdef DEBUG
124
#ifdef DEBUG
120
#define	debugf(fmt, args...) printf(fmt, ##args)
125
#define	debugf(fmt, args...) printf(fmt, ##args)
121
#else
126
#else
Lines 281-286 Link Here
281
	tf->tf_pc = (register_t)catcher;
286
	tf->tf_pc = (register_t)catcher;
282
	tf->tf_usr_sp = (register_t)fp;
287
	tf->tf_usr_sp = (register_t)fp;
283
	tf->tf_usr_lr = (register_t)(PS_STRINGS - *(p->p_sysent->sv_szsigcode));
288
	tf->tf_usr_lr = (register_t)(PS_STRINGS - *(p->p_sysent->sv_szsigcode));
289
#ifdef PAX_ASLR
290
	pax_aslr_stack(p, &tf->tf_usr_lr);
291
#endif
284
292
285
	CTR3(KTR_SIG, "sendsig: return td=%p pc=%#x sp=%#x", td, tf->tf_usr_lr,
293
	CTR3(KTR_SIG, "sendsig: return td=%p pc=%#x sp=%#x", td, tf->tf_usr_lr,
286
	    tf->tf_usr_sp);
294
	    tf->tf_usr_sp);
(-)sys/compat/freebsd32/freebsd32_misc.c (+6 lines)
Lines 30-35 Link Here
30
#include "opt_compat.h"
30
#include "opt_compat.h"
31
#include "opt_inet.h"
31
#include "opt_inet.h"
32
#include "opt_inet6.h"
32
#include "opt_inet6.h"
33
#include "opt_pax.h"
33
34
34
#define __ELF_WORD_SIZE 32
35
#define __ELF_WORD_SIZE 32
35
36
Lines 55-60 Link Here
55
#include <sys/mount.h>
56
#include <sys/mount.h>
56
#include <sys/mutex.h>
57
#include <sys/mutex.h>
57
#include <sys/namei.h>
58
#include <sys/namei.h>
59
#include <sys/pax.h>
58
#include <sys/proc.h>
60
#include <sys/proc.h>
59
#include <sys/procctl.h>
61
#include <sys/procctl.h>
60
#include <sys/reboot.h>
62
#include <sys/reboot.h>
Lines 2801-2806 Link Here
2801
		szsigcode = 0;
2803
		szsigcode = 0;
2802
	destp =	(uintptr_t)arginfo;
2804
	destp =	(uintptr_t)arginfo;
2803
2805
2806
#ifdef PAX_ASLR
2807
	pax_aslr_stack(imgp->proc, &destp);
2808
#endif
2809
2804
	/*
2810
	/*
2805
	 * install sigcode
2811
	 * install sigcode
2806
	 */
2812
	 */
(-)sys/compat/ia32/ia32_sysvec.c (+5 lines)
Lines 29-34 Link Here
29
__FBSDID("$FreeBSD$");
29
__FBSDID("$FreeBSD$");
30
30
31
#include "opt_compat.h"
31
#include "opt_compat.h"
32
#include "opt_pax.h"
32
33
33
#define __ELF_WORD_SIZE 32
34
#define __ELF_WORD_SIZE 32
34
35
Lines 43-48 Link Here
43
#include <sys/mman.h>
44
#include <sys/mman.h>
44
#include <sys/namei.h>
45
#include <sys/namei.h>
45
#include <sys/pioctl.h>
46
#include <sys/pioctl.h>
47
#include <sys/pax.h>
46
#include <sys/proc.h>
48
#include <sys/proc.h>
47
#include <sys/procfs.h>
49
#include <sys/procfs.h>
48
#include <sys/resourcevar.h>
50
#include <sys/resourcevar.h>
Lines 136-141 Link Here
136
	.sv_shared_page_base = FREEBSD32_SHAREDPAGE,
138
	.sv_shared_page_base = FREEBSD32_SHAREDPAGE,
137
	.sv_shared_page_len = PAGE_SIZE,
139
	.sv_shared_page_len = PAGE_SIZE,
138
	.sv_schedtail	= NULL,
140
	.sv_schedtail	= NULL,
141
#ifdef PAX_ASLR
142
	.sv_pax_aslr_init = pax_aslr_init_vmspace32,
143
#endif
139
};
144
};
140
INIT_SYSENTVEC(elf_ia32_sysvec, &ia32_freebsd_sysvec);
145
INIT_SYSENTVEC(elf_ia32_sysvec, &ia32_freebsd_sysvec);
141
146
(-)sys/conf/NOTES (+4 lines)
Lines 2983-2985 Link Here
2983
2983
2984
# Module to enable execution of application via emulators like QEMU
2984
# Module to enable execution of application via emulators like QEMU
2985
options         IMAGACT_BINMISC
2985
options         IMAGACT_BINMISC
2986
2987
# Address Space Layout Randomization (ASLR)
2988
options		PAX_ASLR	# Address Space Layout Randomization
2989
options		PAX_SYSCTLS	# Run-time settings for PAX and Hardening
(-)sys/conf/files (+2 lines)
Lines 3024-3029 Link Here
3024
kern/kern_mutex.c		standard
3024
kern/kern_mutex.c		standard
3025
kern/kern_ntptime.c		standard
3025
kern/kern_ntptime.c		standard
3026
kern/kern_osd.c			standard
3026
kern/kern_osd.c			standard
3027
kern/kern_pax.c			optional pax_aslr
3028
kern/kern_pax_aslr.c		optional pax_aslr
3027
kern/kern_physio.c		standard
3029
kern/kern_physio.c		standard
3028
kern/kern_pmc.c			standard
3030
kern/kern_pmc.c			standard
3029
kern/kern_poll.c		optional device_polling
3031
kern/kern_poll.c		optional device_polling
(-)sys/conf/options (+4 lines)
Lines 931-936 Link Here
931
# Resource Limits
931
# Resource Limits
932
RCTL		opt_global.h
932
RCTL		opt_global.h
933
933
934
# PaX - hardening options
935
PAX_ASLR	opt_pax.h
936
PAX_SYSCTLS	opt_pax.h
937
934
# Random number generator(s)
938
# Random number generator(s)
935
RANDOM_YARROW	opt_random.h
939
RANDOM_YARROW	opt_random.h
936
RANDOM_FORTUNA	opt_random.h
940
RANDOM_FORTUNA	opt_random.h
(-)sys/i386/i386/elf_machdep.c (+5 lines)
Lines 27-39 Link Here
27
__FBSDID("$FreeBSD$");
27
__FBSDID("$FreeBSD$");
28
28
29
#include "opt_cpu.h"
29
#include "opt_cpu.h"
30
#include "opt_pax.h"
30
31
31
#include <sys/param.h>
32
#include <sys/param.h>
32
#include <sys/kernel.h>
33
#include <sys/kernel.h>
33
#include <sys/systm.h>
34
#include <sys/systm.h>
34
#include <sys/exec.h>
35
#include <sys/exec.h>
35
#include <sys/imgact.h>
36
#include <sys/imgact.h>
36
#include <sys/linker.h>
37
#include <sys/linker.h>
38
#include <sys/pax.h>
37
#include <sys/proc.h>
39
#include <sys/proc.h>
38
#include <sys/sysent.h>
40
#include <sys/sysent.h>
39
#include <sys/imgact_elf.h>
41
#include <sys/imgact_elf.h>
Lines 88-93 Link Here
88
	.sv_shared_page_base = SHAREDPAGE,
90
	.sv_shared_page_base = SHAREDPAGE,
89
	.sv_shared_page_len = PAGE_SIZE,
91
	.sv_shared_page_len = PAGE_SIZE,
90
	.sv_schedtail	= NULL,
92
	.sv_schedtail	= NULL,
93
#ifdef PAX_ASLR
94
	.sv_pax_aslr_init = pax_aslr_init_vmspace,
95
#endif
91
};
96
};
92
INIT_SYSENTVEC(elf32_sysvec, &elf32_freebsd_sysvec);
97
INIT_SYSENTVEC(elf32_sysvec, &elf32_freebsd_sysvec);
93
98
(-)sys/i386/ibcs2/ibcs2_sysvec.c (+6 lines)
Lines 31-36 Link Here
31
#include <sys/cdefs.h>
31
#include <sys/cdefs.h>
32
__FBSDID("$FreeBSD$");
32
__FBSDID("$FreeBSD$");
33
33
34
#include "opt_pax.h"
35
34
#include <sys/param.h>
36
#include <sys/param.h>
35
#include <sys/kernel.h>
37
#include <sys/kernel.h>
36
#include <sys/systm.h>
38
#include <sys/systm.h>
Lines 40-45 Link Here
40
#include <sys/module.h>
42
#include <sys/module.h>
41
#include <sys/sysent.h>
43
#include <sys/sysent.h>
42
#include <sys/signalvar.h>
44
#include <sys/signalvar.h>
45
#include <sys/pax.h>
43
#include <sys/proc.h>
46
#include <sys/proc.h>
44
#include <sys/sx.h>
47
#include <sys/sx.h>
45
48
Lines 89-94 Link Here
89
	.sv_fetch_syscall_args = cpu_fetch_syscall_args,
92
	.sv_fetch_syscall_args = cpu_fetch_syscall_args,
90
	.sv_syscallnames = NULL,
93
	.sv_syscallnames = NULL,
91
	.sv_schedtail	= NULL,
94
	.sv_schedtail	= NULL,
95
#ifdef PAX_ASLR
96
	.sv_pax_aslr_init = pax_aslr_init_vmspace,
97
#endif
92
};
98
};
93
99
94
static int
100
static int
(-)sys/i386/linux/linux_sysvec.c (+9 lines)
Lines 29-34 Link Here
29
#include <sys/cdefs.h>
29
#include <sys/cdefs.h>
30
__FBSDID("$FreeBSD$");
30
__FBSDID("$FreeBSD$");
31
31
32
#include "opt_pax.h"
33
32
#include <sys/param.h>
34
#include <sys/param.h>
33
#include <sys/systm.h>
35
#include <sys/systm.h>
34
#include <sys/exec.h>
36
#include <sys/exec.h>
Lines 41-46 Link Here
41
#include <sys/malloc.h>
43
#include <sys/malloc.h>
42
#include <sys/module.h>
44
#include <sys/module.h>
43
#include <sys/mutex.h>
45
#include <sys/mutex.h>
46
#include <sys/pax.h>
44
#include <sys/proc.h>
47
#include <sys/proc.h>
45
#include <sys/signalvar.h>
48
#include <sys/signalvar.h>
46
#include <sys/syscallsubr.h>
49
#include <sys/syscallsubr.h>
Lines 973-978 Link Here
973
	.sv_shared_page_base = LINUX_SHAREDPAGE,
976
	.sv_shared_page_base = LINUX_SHAREDPAGE,
974
	.sv_shared_page_len = PAGE_SIZE,
977
	.sv_shared_page_len = PAGE_SIZE,
975
	.sv_schedtail	= linux_schedtail,
978
	.sv_schedtail	= linux_schedtail,
979
#ifdef PAX_ASLR
980
	.sv_pax_aslr_init = pax_aslr_init_vmspace,
981
#endif
976
};
982
};
977
INIT_SYSENTVEC(aout_sysvec, &linux_sysvec);
983
INIT_SYSENTVEC(aout_sysvec, &linux_sysvec);
978
984
Lines 1011-1016 Link Here
1011
	.sv_shared_page_base = LINUX_SHAREDPAGE,
1017
	.sv_shared_page_base = LINUX_SHAREDPAGE,
1012
	.sv_shared_page_len = PAGE_SIZE,
1018
	.sv_shared_page_len = PAGE_SIZE,
1013
	.sv_schedtail	= linux_schedtail,
1019
	.sv_schedtail	= linux_schedtail,
1020
#ifdef PAX_ASLR
1021
	.sv_pax_aslr_init = pax_aslr_init_vmspace,
1022
#endif
1014
};
1023
};
1015
INIT_SYSENTVEC(elf_sysvec, &elf_linux_sysvec);
1024
INIT_SYSENTVEC(elf_sysvec, &elf_linux_sysvec);
1016
1025
(-)sys/kern/imgact_aout.c (+9 lines)
Lines 27-32 Link Here
27
#include <sys/cdefs.h>
27
#include <sys/cdefs.h>
28
__FBSDID("$FreeBSD$");
28
__FBSDID("$FreeBSD$");
29
29
30
#include "opt_pax.h"
31
30
#include <sys/param.h>
32
#include <sys/param.h>
31
#include <sys/exec.h>
33
#include <sys/exec.h>
32
#include <sys/imgact.h>
34
#include <sys/imgact.h>
Lines 36-41 Link Here
36
#include <sys/lock.h>
38
#include <sys/lock.h>
37
#include <sys/malloc.h>
39
#include <sys/malloc.h>
38
#include <sys/mutex.h>
40
#include <sys/mutex.h>
41
#include <sys/pax.h>
39
#include <sys/proc.h>
42
#include <sys/proc.h>
40
#include <sys/racct.h>
43
#include <sys/racct.h>
41
#include <sys/resourcevar.h>
44
#include <sys/resourcevar.h>
Lines 99-104 Link Here
99
	.sv_fetch_syscall_args = cpu_fetch_syscall_args,
102
	.sv_fetch_syscall_args = cpu_fetch_syscall_args,
100
	.sv_syscallnames = syscallnames,
103
	.sv_syscallnames = syscallnames,
101
	.sv_schedtail	= NULL,
104
	.sv_schedtail	= NULL,
105
#ifdef PAX_ASLR
106
	.sv_pax_aslr_init = pax_aslr_init_vmspace,
107
#endif
102
};
108
};
103
109
104
#elif defined(__amd64__)
110
#elif defined(__amd64__)
Lines 143-148 Link Here
143
	.sv_set_syscall_retval = ia32_set_syscall_retval,
149
	.sv_set_syscall_retval = ia32_set_syscall_retval,
144
	.sv_fetch_syscall_args = ia32_fetch_syscall_args,
150
	.sv_fetch_syscall_args = ia32_fetch_syscall_args,
145
	.sv_syscallnames = freebsd32_syscallnames,
151
	.sv_syscallnames = freebsd32_syscallnames,
152
#ifdef PAX_ASLR
153
	.sv_pax_aslr_init = pax_aslr_init_vmspace32,
154
#endif
146
};
155
};
147
#else
156
#else
148
#error "Port me"
157
#error "Port me"
(-)sys/kern/imgact_elf.c (-10 / +17 lines)
Lines 34-39 Link Here
34
#include "opt_capsicum.h"
34
#include "opt_capsicum.h"
35
#include "opt_compat.h"
35
#include "opt_compat.h"
36
#include "opt_core.h"
36
#include "opt_core.h"
37
#include "opt_pax.h"
37
38
38
#include <sys/param.h>
39
#include <sys/param.h>
39
#include <sys/capsicum.h>
40
#include <sys/capsicum.h>
Lines 49-54 Link Here
49
#include <sys/mman.h>
50
#include <sys/mman.h>
50
#include <sys/namei.h>
51
#include <sys/namei.h>
51
#include <sys/pioctl.h>
52
#include <sys/pioctl.h>
53
#include <sys/pax.h>
52
#include <sys/proc.h>
54
#include <sys/proc.h>
53
#include <sys/procfs.h>
55
#include <sys/procfs.h>
54
#include <sys/racct.h>
56
#include <sys/racct.h>
Lines 801-816 Link Here
801
	if (hdr->e_type == ET_DYN) {
803
	if (hdr->e_type == ET_DYN) {
802
		if ((brand_info->flags & BI_CAN_EXEC_DYN) == 0)
804
		if ((brand_info->flags & BI_CAN_EXEC_DYN) == 0)
803
			return (ENOEXEC);
805
			return (ENOEXEC);
804
		/*
806
	}
805
		 * Honour the base load address from the dso if it is
806
		 * non-zero for some reason.
807
		 */
808
		if (baddr == 0)
809
			et_dyn_addr = ET_DYN_LOAD_ADDR;
810
		else
811
			et_dyn_addr = 0;
812
	} else
813
		et_dyn_addr = 0;
814
	sv = brand_info->sysvec;
807
	sv = brand_info->sysvec;
815
	if (interp != NULL && brand_info->interp_newpath != NULL)
808
	if (interp != NULL && brand_info->interp_newpath != NULL)
816
		newinterp = brand_info->interp_newpath;
809
		newinterp = brand_info->interp_newpath;
Lines 831-836 Link Here
831
	error = exec_new_vmspace(imgp, sv);
824
	error = exec_new_vmspace(imgp, sv);
832
	imgp->proc->p_sysent = sv;
825
	imgp->proc->p_sysent = sv;
833
826
827
	et_dyn_addr = 0;
828
	if (hdr->e_type == ET_DYN) {
829
		/*
830
		 * Honour the base load address from the dso if it is
831
		 * non-zero for some reason.
832
		 */
833
		if (baddr == 0) {
834
			et_dyn_addr = ET_DYN_LOAD_ADDR;
835
#ifdef PAX_ASLR
836
			pax_aslr_execbase(imgp->proc, &et_dyn_addr);
837
#endif
838
		}
839
	}
840
834
	vn_lock(imgp->vp, LK_EXCLUSIVE | LK_RETRY);
841
	vn_lock(imgp->vp, LK_EXCLUSIVE | LK_RETRY);
835
	if (error)
842
	if (error)
836
		return (error);
843
		return (error);
(-)sys/kern/init_main.c (+9 lines)
Lines 46-51 Link Here
46
46
47
#include "opt_ddb.h"
47
#include "opt_ddb.h"
48
#include "opt_init_path.h"
48
#include "opt_init_path.h"
49
#include "opt_pax.h"
49
#include "opt_verbose_sysinit.h"
50
#include "opt_verbose_sysinit.h"
50
51
51
#include <sys/param.h>
52
#include <sys/param.h>
Lines 61-66 Link Here
61
#include <sys/mutex.h>
62
#include <sys/mutex.h>
62
#include <sys/syscallsubr.h>
63
#include <sys/syscallsubr.h>
63
#include <sys/sysctl.h>
64
#include <sys/sysctl.h>
65
#include <sys/pax.h>
64
#include <sys/proc.h>
66
#include <sys/proc.h>
65
#include <sys/racct.h>
67
#include <sys/racct.h>
66
#include <sys/resourcevar.h>
68
#include <sys/resourcevar.h>
Lines 411-416 Link Here
411
	.sv_fetch_syscall_args = null_fetch_syscall_args,
413
	.sv_fetch_syscall_args = null_fetch_syscall_args,
412
	.sv_syscallnames = NULL,
414
	.sv_syscallnames = NULL,
413
	.sv_schedtail	= NULL,
415
	.sv_schedtail	= NULL,
416
	.sv_pax_aslr_init = NULL,
414
};
417
};
415
418
416
/*
419
/*
Lines 477-482 Link Here
477
	p->p_flag = P_SYSTEM | P_INMEM;
480
	p->p_flag = P_SYSTEM | P_INMEM;
478
	p->p_flag2 = 0;
481
	p->p_flag2 = 0;
479
	p->p_state = PRS_NORMAL;
482
	p->p_state = PRS_NORMAL;
483
#if defined(PAX_ASLR)
484
	p->p_pax = PAX_NOTE_ALL_DISABLED;
485
#endif
480
	knlist_init_mtx(&p->p_klist, &p->p_mtx);
486
	knlist_init_mtx(&p->p_klist, &p->p_mtx);
481
	STAILQ_INIT(&p->p_ktr);
487
	STAILQ_INIT(&p->p_ktr);
482
	p->p_nice = NZERO;
488
	p->p_nice = NZERO;
Lines 494-499 Link Here
494
	td->td_flags = TDF_INMEM;
500
	td->td_flags = TDF_INMEM;
495
	td->td_pflags = TDP_KTHREAD;
501
	td->td_pflags = TDP_KTHREAD;
496
	td->td_cpuset = cpuset_thread0();
502
	td->td_cpuset = cpuset_thread0();
503
#if defined(PAX_ASLR)
504
	td->td_pax = PAX_NOTE_ALL_DISABLED;
505
#endif
497
	prison0_init();
506
	prison0_init();
498
	p->p_peers = 0;
507
	p->p_peers = 0;
499
	p->p_leader = p;
508
	p->p_leader = p;
(-)sys/kern/kern_exec.c (+56 lines)
Lines 30-35 Link Here
30
#include "opt_capsicum.h"
30
#include "opt_capsicum.h"
31
#include "opt_hwpmc_hooks.h"
31
#include "opt_hwpmc_hooks.h"
32
#include "opt_ktrace.h"
32
#include "opt_ktrace.h"
33
#include "opt_pax.h"
33
#include "opt_vm.h"
34
#include "opt_vm.h"
34
35
35
#include <sys/param.h>
36
#include <sys/param.h>
Lines 50-55 Link Here
50
#include <sys/imgact_elf.h>
51
#include <sys/imgact_elf.h>
51
#include <sys/wait.h>
52
#include <sys/wait.h>
52
#include <sys/malloc.h>
53
#include <sys/malloc.h>
54
#include <sys/pax.h>
53
#include <sys/priv.h>
55
#include <sys/priv.h>
54
#include <sys/proc.h>
56
#include <sys/proc.h>
55
#include <sys/pioctl.h>
57
#include <sys/pioctl.h>
Lines 65-70 Link Here
65
#include <sys/sysctl.h>
67
#include <sys/sysctl.h>
66
#include <sys/vnode.h>
68
#include <sys/vnode.h>
67
#include <sys/stat.h>
69
#include <sys/stat.h>
70
#include <sys/jail.h>
68
#ifdef KTRACE
71
#ifdef KTRACE
69
#include <sys/ktrace.h>
72
#include <sys/ktrace.h>
70
#endif
73
#endif
Lines 130-135 Link Here
130
SYSCTL_INT(_security_bsd, OID_AUTO, map_at_zero, CTLFLAG_RWTUN, &map_at_zero, 0,
133
SYSCTL_INT(_security_bsd, OID_AUTO, map_at_zero, CTLFLAG_RWTUN, &map_at_zero, 0,
131
    "Permit processes to map an object at virtual address 0.");
134
    "Permit processes to map an object at virtual address 0.");
132
135
136
#ifdef PAX_ASLR
137
static int exec_check_aslr(struct image_params *imgp);
138
#endif
139
133
static int
140
static int
134
sysctl_kern_ps_strings(SYSCTL_HANDLER_ARGS)
141
sysctl_kern_ps_strings(SYSCTL_HANDLER_ARGS)
135
{
142
{
Lines 383-388 Link Here
383
	imgp->proc = p;
390
	imgp->proc = p;
384
	imgp->attr = &attr;
391
	imgp->attr = &attr;
385
	imgp->args = args;
392
	imgp->args = args;
393
	imgp->pax_flags = 0;
386
394
387
#ifdef MAC
395
#ifdef MAC
388
	error = mac_execve_enter(imgp, mac_p);
396
	error = mac_execve_enter(imgp, mac_p);
Lines 1045-1050 Link Here
1045
		map = &vmspace->vm_map;
1053
		map = &vmspace->vm_map;
1046
	}
1054
	}
1047
1055
1056
#ifdef PAX_ASLR
1057
	pax_aslr_init(imgp);
1058
#endif
1059
1048
	/* Map a shared page */
1060
	/* Map a shared page */
1049
	obj = sv->sv_shared_page_obj;
1061
	obj = sv->sv_shared_page_obj;
1050
	if (obj != NULL) {
1062
	if (obj != NULL) {
Lines 1079-1084 Link Here
1079
	 */
1091
	 */
1080
	vmspace->vm_ssize = sgrowsiz >> PAGE_SHIFT;
1092
	vmspace->vm_ssize = sgrowsiz >> PAGE_SHIFT;
1081
	vmspace->vm_maxsaddr = (char *)sv->sv_usrstack - ssiz;
1093
	vmspace->vm_maxsaddr = (char *)sv->sv_usrstack - ssiz;
1094
#ifdef PAX_ASLR
1095
	pax_aslr_stack_fixup(imgp->proc);
1096
#endif
1082
1097
1083
	return (0);
1098
	return (0);
1084
}
1099
}
Lines 1246-1251 Link Here
1246
			szsigcode = *(p->p_sysent->sv_szsigcode);
1261
			szsigcode = *(p->p_sysent->sv_szsigcode);
1247
	}
1262
	}
1248
	destp =	(uintptr_t)arginfo;
1263
	destp =	(uintptr_t)arginfo;
1264
#ifdef PAX_ASLR
1265
	pax_aslr_stack(p, &destp);
1266
#endif
1249
1267
1250
	/*
1268
	/*
1251
	 * install sigcode
1269
	 * install sigcode
Lines 1366-1371 Link Here
1366
	return (stack_base);
1384
	return (stack_base);
1367
}
1385
}
1368
1386
1387
#ifdef PAX_ASLR
1388
/*
1389
 * If we've disabled ASLR via ptrace, do not allow execution of
1390
 * setuid/setgid binaries.
1391
 */
1392
static int
1393
exec_check_aslr(struct image_params *imgp)
1394
{
1395
	struct proc *p = imgp->proc;
1396
	struct ucred *oldcred = p->p_ucred;
1397
	struct vattr *attr = imgp->attr;
1398
	int error, credential_changing;
1399
1400
	credential_changing = 0;
1401
	credential_changing |= (attr->va_mode & S_ISUID) && oldcred->cr_uid !=
1402
	    attr->va_uid;
1403
	credential_changing |= (attr->va_mode & S_ISGID) && oldcred->cr_gid !=
1404
	    attr->va_gid;
1405
1406
	if (credential_changing) {
1407
		if ((p->p_paxdebug & PAX_NOTE_NOASLR) == PAX_NOTE_NOASLR) {
1408
			if (pax_aslr_active(imgp->proc))
1409
				return (EPERM);
1410
		}
1411
	}
1412
1413
	error = pax_elf(imgp, p->p_paxdebug);
1414
	return (error);
1415
}
1416
#endif /* PAX_ASLR */
1417
1418
1369
/*
1419
/*
1370
 * Check permissions of file to execute.
1420
 * Check permissions of file to execute.
1371
 *	Called with imgp->vp locked.
1421
 *	Called with imgp->vp locked.
Lines 1387-1392 Link Here
1387
	if (error)
1437
	if (error)
1388
		return (error);
1438
		return (error);
1389
1439
1440
#if defined(PAX_ASLR)
1441
	error = exec_check_aslr(imgp);
1442
	if (error)
1443
		return (error);
1444
#endif
1445
1390
#ifdef MAC
1446
#ifdef MAC
1391
	error = mac_vnode_check_exec(td->td_ucred, imgp->vp, imgp);
1447
	error = mac_vnode_check_exec(td->td_ucred, imgp->vp, imgp);
1392
	if (error)
1448
	if (error)
(-)sys/kern/kern_fork.c (+1 lines)
Lines 473-478 Link Here
473
	    __rangeof(struct thread, td_startcopy, td_endcopy));
473
	    __rangeof(struct thread, td_startcopy, td_endcopy));
474
474
475
	bcopy(&p2->p_comm, &td2->td_name, sizeof(td2->td_name));
475
	bcopy(&p2->p_comm, &td2->td_name, sizeof(td2->td_name));
476
	td2->td_pax = p2->p_pax;
476
	td2->td_sigstk = td->td_sigstk;
477
	td2->td_sigstk = td->td_sigstk;
477
	td2->td_flags = TDF_INMEM;
478
	td2->td_flags = TDF_INMEM;
478
	td2->td_lend_user_pri = PRI_MAX;
479
	td2->td_lend_user_pri = PRI_MAX;
(-)sys/kern/kern_jail.c (+10 lines)
Lines 33-38 Link Here
33
#include "opt_ddb.h"
33
#include "opt_ddb.h"
34
#include "opt_inet.h"
34
#include "opt_inet.h"
35
#include "opt_inet6.h"
35
#include "opt_inet6.h"
36
#include "opt_pax.h"
36
37
37
#include <sys/param.h>
38
#include <sys/param.h>
38
#include <sys/types.h>
39
#include <sys/types.h>
Lines 42-47 Link Here
42
#include <sys/sysproto.h>
43
#include <sys/sysproto.h>
43
#include <sys/malloc.h>
44
#include <sys/malloc.h>
44
#include <sys/osd.h>
45
#include <sys/osd.h>
46
#include <sys/pax.h>
45
#include <sys/priv.h>
47
#include <sys/priv.h>
46
#include <sys/proc.h>
48
#include <sys/proc.h>
47
#include <sys/taskqueue.h>
49
#include <sys/taskqueue.h>
Lines 250-255 Link Here
250
	prison0.pr_cpuset = cpuset_ref(thread0.td_cpuset);
252
	prison0.pr_cpuset = cpuset_ref(thread0.td_cpuset);
251
	prison0.pr_osreldate = osreldate;
253
	prison0.pr_osreldate = osreldate;
252
	strlcpy(prison0.pr_osrelease, osrelease, sizeof(prison0.pr_osrelease));
254
	strlcpy(prison0.pr_osrelease, osrelease, sizeof(prison0.pr_osrelease));
255
256
#ifdef PAX_ASLR
257
	pax_init_prison(&prison0);
258
#endif
253
}
259
}
254
260
255
#ifdef INET
261
#ifdef INET
Lines 1362-1367 Link Here
1362
			goto done_releroot;
1368
			goto done_releroot;
1363
		}
1369
		}
1364
1370
1371
#ifdef PAX_ASLR
1372
		pax_init_prison(pr);
1373
#endif
1374
1365
		mtx_lock(&pr->pr_mtx);
1375
		mtx_lock(&pr->pr_mtx);
1366
		/*
1376
		/*
1367
		 * New prisons do not yet have a reference, because we do not
1377
		 * New prisons do not yet have a reference, because we do not
(-)sys/kern/kern_pax.c (+209 lines)
Added Link Here
1
/*-
2
 * Copyright (c) 2006 Elad Efrat <elad@NetBSD.org>
3
 * Copyright (c) 2013-2015, by Oliver Pinter <oliver.pinter@hardenedbsd.org>
4
 * Copyright (c) 2014-2015, by Shawn Webb <shawn.webb@hardenedbsd.org>
5
 * All rights reserved.
6
 *
7
 * Redistribution and use in source and binary forms, with or without
8
 * modification, are permitted provided that the following conditions
9
 * are met:
10
 * 1. Redistributions of source code must retain the above copyright
11
 *    notice, this list of conditions and the following disclaimer.
12
 * 2. Redistributions in binary form must reproduce the above copyright
13
 *    notice, this list of conditions and the following disclaimer in the
14
 *    documentation and/or other materials provided with the distribution.
15
 * 3. The name of the author may not be used to endorse or promote products
16
 *    derived from this software without specific prior written permission.
17
 *
18
 * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
19
 * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
20
 * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
21
 * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
22
 * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
23
 * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
24
 * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
25
 * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
26
 * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
27
 * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
28
 *
29
 * $FreeBSD$
30
 *
31
 * HardenedBSD-version: 2fba75c32739bd7f7c80163ec88e3655c3130753
32
 * HardenedBSD-version: v16
33
 *
34
 */
35
36
#include <sys/cdefs.h>
37
__FBSDID("$FreeBSD$");
38
39
#include "opt_compat.h"
40
#include "opt_pax.h"
41
42
#include <sys/param.h>
43
#include <sys/systm.h>
44
#include <sys/kernel.h>
45
#include <sys/imgact.h>
46
#include <sys/imgact_elf.h>
47
#include <sys/lock.h>
48
#include <sys/mutex.h>
49
#include <sys/sx.h>
50
#include <sys/sysent.h>
51
#include <sys/stat.h>
52
#include <sys/proc.h>
53
#include <sys/elf_common.h>
54
#include <sys/mount.h>
55
#include <sys/sysctl.h>
56
#include <sys/vnode.h>
57
#include <sys/queue.h>
58
#include <sys/libkern.h>
59
#include <sys/jail.h>
60
61
#include <sys/mman.h>
62
#include <sys/libkern.h>
63
#include <sys/exec.h>
64
#include <sys/kthread.h>
65
66
#include <sys/syslimits.h>
67
#include <sys/param.h>
68
69
#include <vm/pmap.h>
70
#include <vm/vm_map.h>
71
#include <vm/vm_extern.h>
72
73
#include <machine/elf.h>
74
75
#include <sys/pax.h>
76
77
static int pax_validate_flags(uint32_t flags);
78
static int pax_check_conflicting_modes(uint32_t mode);
79
80
SYSCTL_NODE(_security, OID_AUTO, pax, CTLFLAG_RD, 0,
81
    "PaX (exploit mitigation) features.");
82
83
const char *pax_status_str[] = {
84
	[PAX_FEATURE_DISABLED] = "disabled",
85
	[PAX_FEATURE_OPTIN] = "opt-in",
86
	[PAX_FEATURE_OPTOUT] = "opt-out",
87
	[PAX_FEATURE_FORCE_ENABLED] = "force enabled",
88
	[PAX_FEATURE_UNKNOWN_STATUS] = "UNKNOWN -> changed to \"force enabled\""
89
};
90
91
const char *pax_status_simple_str[] = {
92
	[PAX_FEATURE_SIMPLE_DISABLED] = "disabled",
93
	[PAX_FEATURE_SIMPLE_ENABLED] = "enabled"
94
};
95
96
struct prison *
97
pax_get_prison(struct proc *p)
98
{
99
100
	/* p can be NULL with kernel threads, so use prison0 */
101
	if (p == NULL || p->p_ucred == NULL)
102
		return (&prison0);
103
104
	return (p->p_ucred->cr_prison);
105
}
106
107
struct prison *
108
pax_get_prison_td(struct thread *td)
109
{
110
111
	if (td == NULL || td->td_ucred == NULL)
112
		return (&prison0);
113
114
	return (td->td_ucred->cr_prison);
115
}
116
117
void
118
pax_get_flags(struct proc *p, uint32_t *flags)
119
{
120
121
	*flags = p->p_pax;
122
}
123
124
void
125
pax_get_flags_td(struct thread *td, uint32_t *flags)
126
{
127
128
	*flags = td->td_pax;
129
}
130
131
static int
132
pax_validate_flags(uint32_t flags)
133
{
134
135
	if ((flags & ~PAX_NOTE_ALL) != 0)
136
		return (1);
137
138
	return (0);
139
}
140
141
static int
142
pax_check_conflicting_modes(uint32_t mode)
143
{
144
145
	if (((mode & PAX_NOTE_ALL_ENABLED) & ((mode & PAX_NOTE_ALL_DISABLED) >> 1)) != 0)
146
		return (1);
147
148
	return (0);
149
}
150
151
int
152
pax_elf(struct image_params *imgp, uint32_t mode)
153
{
154
	uint32_t flags, flags_aslr;
155
156
	flags = mode;
157
	flags_aslr = 0;
158
159
	if (pax_validate_flags(flags) != 0) {
160
		printf("%s: unknown paxflags: %x\n", __func__, flags);
161
		return (ENOEXEC);
162
	}
163
164
	if (pax_check_conflicting_modes(mode) != 0) {
165
		/*
166
		 * indicate flags inconsistencies in dmesg and in user terminal
167
		 */
168
		printf("%s: inconsistent paxflags: %x\n", __func__, flags);
169
		return (ENOEXEC);
170
	}
171
172
#ifdef PAX_ASLR
173
	flags_aslr = pax_aslr_setup_flags(imgp, mode);
174
#endif
175
176
	flags = flags_aslr;
177
178
	CTR3(KTR_PAX, "%s : flags = %x mode = %x",
179
	    __func__, flags, mode);
180
181
	imgp->proc->p_pax = flags;
182
183
	return (0);
184
}
185
186
187
/*
188
 * print out PaX settings on boot time, and validate some of them
189
 */
190
static void
191
pax_sysinit(void)
192
{
193
	if (bootverbose)
194
		printf("pax: initialize and check PaX and HardeneBSD features.\n");
195
}
196
SYSINIT(pax, SI_SUB_PAX, SI_ORDER_FIRST, pax_sysinit, NULL);
197
198
void
199
pax_init_prison(struct prison *pr)
200
{
201
202
	CTR2(KTR_PAX, "%s: Setting prison %s PaX variables\n",
203
	    __func__, pr->pr_name);
204
205
	pax_aslr_init_prison(pr);
206
#ifdef COMPAT_FREEBSD32
207
	pax_aslr_init_prison32(pr);
208
#endif
209
}
(-)sys/kern/kern_pax_aslr.c (+878 lines)
Added Link Here
1
/*-
2
 * Copyright (c) 2006 Elad Efrat <elad@NetBSD.org>
3
 * Copyright (c) 2013-2015, by Oliver Pinter <oliver.pinter@hardenedbsd.org>
4
 * Copyright (c) 2014-2015, by Shawn Webb <shawn.webb@hardenedbsd.org>
5
 * All rights reserved.
6
 *
7
 * Redistribution and use in source and binary forms, with or without
8
 * modification, are permitted provided that the following conditions
9
 * are met:
10
 * 1. Redistributions of source code must retain the above copyright
11
 *    notice, this list of conditions and the following disclaimer.
12
 * 2. Redistributions in binary form must reproduce the above copyright
13
 *    notice, this list of conditions and the following disclaimer in the
14
 *    documentation and/or other materials provided with the distribution.
15
 * 3. The name of the author may not be used to endorse or promote products
16
 *    derived from this software without specific prior written permission.
17
 *
18
 * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
19
 * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
20
 * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
21
 * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
22
 * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
23
 * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
24
 * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
25
 * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
26
 * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
27
 * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
28
 *
29
 * $FreeBSD$
30
 *
31
 * HardenedBSD-version: 2fba75c32739bd7f7c80163ec88e3655c3130753
32
 * HardenedBSD-version: v16
33
 *
34
 */
35
36
#include <sys/cdefs.h>
37
__FBSDID("$FreeBSD$");
38
39
#include "opt_compat.h"
40
#include "opt_pax.h"
41
42
#include <sys/param.h>
43
#include <sys/systm.h>
44
#include <sys/kernel.h>
45
#include <sys/ktr.h>
46
#include <sys/imgact.h>
47
#include <sys/imgact_elf.h>
48
#include <sys/sysent.h>
49
#include <sys/stat.h>
50
#include <sys/proc.h>
51
#include <sys/elf_common.h>
52
#include <sys/mount.h>
53
#include <sys/pax.h>
54
#include <sys/sysctl.h>
55
#include <sys/vnode.h>
56
#include <sys/queue.h>
57
#include <sys/libkern.h>
58
#include <sys/jail.h>
59
60
#include <sys/mman.h>
61
#include <sys/libkern.h>
62
#include <sys/exec.h>
63
#include <sys/kthread.h>
64
65
#include <vm/pmap.h>
66
#include <vm/vm_map.h>
67
#include <vm/vm_extern.h>
68
69
#include <machine/elf.h>
70
71
#ifndef PAX_ASLR_DELTA
72
#define	PAX_ASLR_DELTA(delta, lsb, len)	\
73
	(((delta) & ((1UL << (len)) - 1)) << (lsb))
74
#endif /* PAX_ASLR_DELTA */
75
76
/*
77
 * generic ASLR values
78
 *
79
 *  	MMAP	| 32 bit | 64 bit | compat |
80
 * 	+-------+--------+--------+--------+
81
 * 	| MIN	|  8 bit | 16 bit |  8 bit |
82
 * 	+-------+--------+--------+--------+
83
 * 	| DEF	| 14 bit | 21 bit | 14 bit |
84
 * 	+-------+--------+--------+--------+
85
 * 	| MAX   | 21 bit | 42 bit | 21 bit |
86
 * 	+-------+--------+--------+--------+
87
 *                                          
88
 *  	STACK	| 32 bit | 64 bit | 32 bit |
89
 * 	+-------+--------+--------+--------+
90
 * 	| MIN	|  8 bit | 16 bit |  8 bit |
91
 * 	+-------+--------+--------+--------+
92
 * 	| DEF	|  8 bit | 16 bit |  8 bit |
93
 * 	+-------+--------+--------+--------+
94
 * 	| MAX   | 21 bit | 42 bit | 21 bit |
95
 * 	+-------+--------+--------+--------+
96
 *                                          
97
 *  	EXEC	| 32 bit | 64 bit | 32 bit |
98
 * 	+-------+--------+--------+--------+
99
 * 	| MIN	|  8 bit | 16 bit |  8 bit |
100
 * 	+-------+--------+--------+--------+
101
 * 	| DEF	| 14 bit | 16 bit | 14 bit |
102
 * 	+-------+--------+--------+--------+
103
 * 	| MAX   | 21 bit | 42 bit | 21 bit |
104
 * 	+-------+--------+--------+--------+
105
 *
106
 */
107
#ifndef PAX_ASLR_DELTA_MMAP_LSB
108
#define PAX_ASLR_DELTA_MMAP_LSB		PAGE_SHIFT
109
#endif /* PAX_ASLR_DELTA_MMAP_LSB */
110
111
#ifndef PAX_ASLR_DELTA_MMAP_MIN_LEN
112
#define PAX_ASLR_DELTA_MMAP_MIN_LEN	((sizeof(void *) * NBBY) / 4)
113
#endif /* PAX_ASLR_DELTA_MMAP_MAX_LEN */
114
115
#ifndef PAX_ASLR_DELTA_MMAP_MAX_LEN
116
#define PAX_ASLR_DELTA_MMAP_MAX_LEN	(((sizeof(void *) * NBBY) * 2) / 3)
117
#endif /* PAX_ASLR_DELTA_MMAP_MAX_LEN */
118
119
#ifndef PAX_ASLR_DELTA_STACK_LSB
120
#define PAX_ASLR_DELTA_STACK_LSB	3
121
#endif /* PAX_ASLR_DELTA_STACK_LSB */
122
123
#ifndef PAX_ASLR_DELTA_STACK_MIN_LEN
124
#define PAX_ASLR_DELTA_STACK_MIN_LEN	((sizeof(void *) * NBBY) / 4)
125
#endif /* PAX_ASLR_DELTA_STACK_MAX_LEN */
126
127
#ifndef PAX_ASLR_DELTA_STACK_MAX_LEN
128
#define PAX_ASLR_DELTA_STACK_MAX_LEN	(((sizeof(void *) * NBBY) * 2) / 3)
129
#endif /* PAX_ASLR_DELTA_STACK_MAX_LEN */
130
131
#ifndef PAX_ASLR_DELTA_EXEC_LSB
132
#define PAX_ASLR_DELTA_EXEC_LSB		PAGE_SHIFT
133
#endif /* PAX_ASLR_DELTA_EXEC_LSB */
134
135
#ifndef PAX_ASLR_DELTA_EXEC_MIN_LEN
136
#define PAX_ASLR_DELTA_EXEC_MIN_LEN	((sizeof(void *) * NBBY) / 4)
137
#endif /* PAX_ASLR_DELTA_EXEC_MIN_LEN */
138
139
#ifndef PAX_ASLR_DELTA_EXEC_MAX_LEN
140
#define PAX_ASLR_DELTA_EXEC_MAX_LEN	(((sizeof(void *) * NBBY) * 2) / 3)
141
#endif /* PAX_ASLR_DELTA_EXEC_MAX_LEN */
142
143
/*
144
 * ASLR default values for native host
145
 */
146
#ifdef __LP64__
147
#ifndef PAX_ASLR_DELTA_MMAP_DEF_LEN
148
#define PAX_ASLR_DELTA_MMAP_DEF_LEN	21
149
#endif /* PAX_ASLR_DELTA_MMAP_DEF_LEN */
150
#ifndef PAX_ASLR_DELTA_STACK_DEF_LEN
151
#define PAX_ASLR_DELTA_STACK_DEF_LEN	16
152
#endif /* PAX_ASLR_DELTA_STACK_DEF_LEN */
153
#ifndef PAX_ASLR_DELTA_EXEC_DEF_LEN
154
#define PAX_ASLR_DELTA_EXEC_DEF_LEN	16
155
#endif /* PAX_ASLR_DELTA_EXEC_DEF_LEN */
156
#else /* ! __LP64__ */
157
#ifndef PAX_ASLR_DELTA_MMAP_DEF_LEN
158
#define PAX_ASLR_DELTA_MMAP_DEF_LEN	14
159
#endif /* PAX_ASLR_DELTA_MMAP_DEF_LEN */
160
#ifndef PAX_ASLR_DELTA_STACK_DEF_LEN
161
#define PAX_ASLR_DELTA_STACK_DEF_LEN	PAX_ASLR_DELTA_STACK_MIN_LEN
162
#endif /* PAX_ASLR_DELTA_STACK_DEF_LEN */
163
#ifndef PAX_ASLR_DELTA_EXEC_DEF_LEN
164
#define PAX_ASLR_DELTA_EXEC_DEF_LEN	14
165
#endif /* PAX_ASLR_DELTA_EXEC_DEF_LEN */
166
#endif /* __LP64__ */
167
168
/*
169
 * ASLR values for COMPAT_FREEBSD32, COMPAT_LINUX and MAP_32BIT
170
 */
171
#if defined(COMPAT_LINUX) || defined(COMPAT_FREEBSD32) || defined(MAP_32BIT)
172
#ifndef PAX_ASLR_COMPAT_DELTA_MMAP_LSB
173
#define PAX_ASLR_COMPAT_DELTA_MMAP_LSB		PAGE_SHIFT
174
#endif /* PAX_ASLR_COMPAT_DELTA_MMAP_LSB */
175
176
#ifndef PAX_ASLR_COMPAT_DELTA_MMAP_MIN_LEN
177
#define PAX_ASLR_COMPAT_DELTA_MMAP_MIN_LEN	((sizeof(int) * NBBY) / 4)
178
#endif /* PAX_ASLR_COMPAT_DELTA_MMAP_MAX_LEN */
179
180
#ifndef PAX_ASLR_COMPAT_DELTA_MMAP_MAX_LEN
181
#define PAX_ASLR_COMPAT_DELTA_MMAP_MAX_LEN	(((sizeof(int) * NBBY) * 2) / 3)
182
#endif /* PAX_ASLR_COMPAT_DELTA_MMAP_MAX_LEN */
183
184
#ifndef PAX_ASLR_COMPAT_DELTA_STACK_LSB
185
#define PAX_ASLR_COMPAT_DELTA_STACK_LSB		3
186
#endif /* PAX_ASLR_COMPAT_DELTA_STACK_LSB */
187
188
#ifndef PAX_ASLR_COMPAT_DELTA_STACK_MIN_LEN
189
#define PAX_ASLR_COMPAT_DELTA_STACK_MIN_LEN	((sizeof(int) * NBBY) / 4)
190
#endif /* PAX_ASLR_COMPAT_DELTA_STACK_MAX_LEN */
191
192
#ifndef PAX_ASLR_COMPAT_DELTA_STACK_MAX_LEN
193
#define PAX_ASLR_COMPAT_DELTA_STACK_MAX_LEN	(((sizeof(int) * NBBY) * 2) / 3)
194
#endif /* PAX_ASLR_COMPAT_DELTA_STACK_MAX_LEN */
195
196
#ifndef PAX_ASLR_COMPAT_DELTA_EXEC_LSB
197
#define PAX_ASLR_COMPAT_DELTA_EXEC_LSB		PAGE_SHIFT
198
#endif /* PAX_ASLR_COMPAT_DELTA_EXEC_LSB */
199
200
#ifndef PAX_ASLR_COMPAT_DELTA_EXEC_MIN_LEN
201
#define PAX_ASLR_COMPAT_DELTA_EXEC_MIN_LEN	((sizeof(int) * NBBY) / 4)
202
#endif /* PAX_ASLR_COMPAT_DELTA_EXEC_MAX_LEN */
203
204
#ifndef PAX_ASLR_COMPAT_DELTA_EXEC_MAX_LEN
205
#define PAX_ASLR_COMPAT_DELTA_EXEC_MAX_LEN	(((sizeof(int) * NBBY) * 2) / 3)
206
#endif /* PAX_ASLR_COMPAT_DELTA_EXEC_MAX_LEN */
207
#endif
208
209
FEATURE(aslr, "Address Space Layout Randomization.");
210
211
static int pax_aslr_status = PAX_FEATURE_OPTOUT;
212
static int pax_aslr_mmap_len = PAX_ASLR_DELTA_MMAP_DEF_LEN;
213
static int pax_aslr_stack_len = PAX_ASLR_DELTA_STACK_DEF_LEN;
214
static int pax_aslr_exec_len = PAX_ASLR_DELTA_EXEC_DEF_LEN;
215
216
#ifdef COMPAT_FREEBSD32
217
static int pax_aslr_compat_status = PAX_FEATURE_OPTOUT;
218
static int pax_aslr_compat_mmap_len = PAX_ASLR_COMPAT_DELTA_MMAP_MIN_LEN;
219
static int pax_aslr_compat_stack_len = PAX_ASLR_COMPAT_DELTA_STACK_MIN_LEN;
220
static int pax_aslr_compat_exec_len = PAX_ASLR_COMPAT_DELTA_EXEC_MIN_LEN;
221
#endif /* COMPAT_FREEBSD32 */
222
223
TUNABLE_INT("security.pax.aslr.status", &pax_aslr_status);
224
TUNABLE_INT("security.pax.aslr.mmap_len", &pax_aslr_mmap_len);
225
TUNABLE_INT("security.pax.aslr.stack_len", &pax_aslr_stack_len);
226
TUNABLE_INT("security.pax.aslr.exec_len", &pax_aslr_exec_len);
227
#ifdef COMPAT_FREEBSD32
228
TUNABLE_INT("security.pax.aslr.compat.status", &pax_aslr_compat_status);
229
TUNABLE_INT("security.pax.aslr.compat.mmap_len", &pax_aslr_compat_mmap_len);
230
TUNABLE_INT("security.pax.aslr.compat.stack_len", &pax_aslr_compat_stack_len);
231
TUNABLE_INT("security.pax.aslr.compat.exec_len", &pax_aslr_compat_exec_len);
232
#endif
233
234
#ifdef PAX_SYSCTLS
235
SYSCTL_DECL(_security_pax);
236
237
/*
238
 * sysctls
239
 */
240
static int sysctl_pax_aslr_status(SYSCTL_HANDLER_ARGS);
241
static int sysctl_pax_aslr_mmap(SYSCTL_HANDLER_ARGS);
242
static int sysctl_pax_aslr_stack(SYSCTL_HANDLER_ARGS);
243
static int sysctl_pax_aslr_exec(SYSCTL_HANDLER_ARGS);
244
245
246
SYSCTL_NODE(_security_pax, OID_AUTO, aslr, CTLFLAG_RD, 0,
247
    "Address Space Layout Randomization.");
248
249
SYSCTL_PROC(_security_pax_aslr, OID_AUTO, status,
250
    CTLTYPE_INT|CTLFLAG_RWTUN|CTLFLAG_PRISON|CTLFLAG_SECURE,
251
    NULL, 0, sysctl_pax_aslr_status, "I",
252
    "Restrictions status. "
253
    "0 - disabled, "
254
    "1 - opt-in,  "
255
    "2 - opt-out, "
256
    "3 - force enabled");
257
258
SYSCTL_PROC(_security_pax_aslr, OID_AUTO, mmap_len,
259
    CTLTYPE_INT|CTLFLAG_RWTUN|CTLFLAG_PRISON|CTLFLAG_SECURE,
260
    NULL, 0, sysctl_pax_aslr_mmap, "I",
261
    "Number of bits randomized for mmap(2) calls. "
262
    "32 bit: [8,21] 64 bit: [16,42]");
263
264
SYSCTL_PROC(_security_pax_aslr, OID_AUTO, stack_len,
265
    CTLTYPE_INT|CTLFLAG_RWTUN|CTLFLAG_PRISON|CTLFLAG_SECURE,
266
    NULL, 0, sysctl_pax_aslr_stack, "I",
267
    "Number of bits randomized for the stack. "
268
    "32 bit: [8,21] 64 bit: [16,42]");
269
270
SYSCTL_PROC(_security_pax_aslr, OID_AUTO, exec_len,
271
    CTLTYPE_INT|CTLFLAG_RWTUN|CTLFLAG_PRISON|CTLFLAG_SECURE,
272
    NULL, 0, sysctl_pax_aslr_exec, "I",
273
    "Number of bits randomized for the PIE exec base. "
274
    "32 bit: [8,21] 64 bit: [16,42]");
275
276
static int
277
sysctl_pax_aslr_status(SYSCTL_HANDLER_ARGS)
278
{
279
	struct prison *pr;
280
	int err, val;
281
282
	pr = pax_get_prison_td(req->td);
283
284
	val = pr->pr_hardening.hr_pax_aslr_status;
285
	err = sysctl_handle_int(oidp, &val, sizeof(int), req);
286
	if (err || (req->newptr == NULL))
287
		return (err);
288
289
	switch (val) {
290
	case PAX_FEATURE_DISABLED:
291
	case PAX_FEATURE_OPTIN:
292
	case PAX_FEATURE_OPTOUT:
293
	case PAX_FEATURE_FORCE_ENABLED:
294
		if (pr == &prison0)
295
			pax_aslr_status = val;
296
297
		pr->pr_hardening.hr_pax_aslr_status = val;
298
		break;
299
	default:
300
		return (EINVAL);
301
	}
302
303
	return (0);
304
}
305
306
static int
307
sysctl_pax_aslr_mmap(SYSCTL_HANDLER_ARGS)
308
{
309
	struct prison *pr;
310
	int err, val;
311
312
	pr = pax_get_prison_td(req->td);
313
314
	val = pr->pr_hardening.hr_pax_aslr_mmap_len;
315
	err = sysctl_handle_int(oidp, &val, sizeof(int), req);
316
	if (err || !req->newptr)
317
		return (err);
318
319
	if (val < PAX_ASLR_DELTA_MMAP_MIN_LEN ||
320
	    val > PAX_ASLR_DELTA_MMAP_MAX_LEN)
321
		return (EINVAL);
322
323
	if (pr == &prison0)
324
		pax_aslr_mmap_len = val;
325
326
	pr->pr_hardening.hr_pax_aslr_mmap_len = val;
327
328
	return (0);
329
}
330
331
static int
332
sysctl_pax_aslr_stack(SYSCTL_HANDLER_ARGS)
333
{
334
	struct prison *pr;
335
	int err, val;
336
337
	pr = pax_get_prison_td(req->td);
338
339
	val = pr->pr_hardening.hr_pax_aslr_stack_len;
340
	err = sysctl_handle_int(oidp, &val, sizeof(int), req);
341
	if (err || !req->newptr)
342
		return (err);
343
344
	if (val < PAX_ASLR_DELTA_STACK_MIN_LEN ||
345
	    val > PAX_ASLR_DELTA_STACK_MAX_LEN)
346
		return (EINVAL);
347
348
	if (pr == &prison0)
349
		pax_aslr_stack_len = val;
350
351
	pr->pr_hardening.hr_pax_aslr_stack_len = val;
352
353
	return (0);
354
}
355
356
static int
357
sysctl_pax_aslr_exec(SYSCTL_HANDLER_ARGS)
358
{
359
	struct prison *pr;
360
	int err, val;
361
362
	pr = pax_get_prison_td(req->td);
363
364
	val = pr->pr_hardening.hr_pax_aslr_exec_len;
365
	err = sysctl_handle_int(oidp, &val, sizeof(int), req);
366
	if (err || (req->newptr == NULL))
367
		return (err);
368
369
	if (val < PAX_ASLR_DELTA_EXEC_MIN_LEN ||
370
	    val > PAX_ASLR_DELTA_EXEC_MAX_LEN)
371
		return (EINVAL);
372
373
	if (pr == &prison0)
374
		pax_aslr_exec_len = val;
375
376
	pr->pr_hardening.hr_pax_aslr_exec_len = val;
377
378
	return (0);
379
}
380
381
/* COMPAT_FREEBSD32 and linuxulator. */
382
#ifdef COMPAT_FREEBSD32
383
static int sysctl_pax_aslr_compat_status(SYSCTL_HANDLER_ARGS);
384
static int sysctl_pax_aslr_compat_mmap(SYSCTL_HANDLER_ARGS);
385
static int sysctl_pax_aslr_compat_stack(SYSCTL_HANDLER_ARGS);
386
static int sysctl_pax_aslr_compat_exec(SYSCTL_HANDLER_ARGS);
387
388
SYSCTL_NODE(_security_pax_aslr, OID_AUTO, compat, CTLFLAG_RD, 0,
389
    "Setting for COMPAT_FREEBSD32 and linuxulator.");
390
391
SYSCTL_PROC(_security_pax_aslr_compat, OID_AUTO, status,
392
    CTLTYPE_INT|CTLFLAG_RWTUN|CTLFLAG_PRISON,
393
    NULL, 0, sysctl_pax_aslr_compat_status, "I",
394
    "Restrictions status. "
395
    "0 - disabled, "
396
    "1 - enabled,  "
397
    "2 - global enabled, "
398
    "3 - force global enabled");
399
400
SYSCTL_PROC(_security_pax_aslr_compat, OID_AUTO, mmap_len,
401
    CTLTYPE_INT|CTLFLAG_RWTUN|CTLFLAG_PRISON,
402
    NULL, 0, sysctl_pax_aslr_compat_mmap, "I",
403
    "Number of bits randomized for mmap(2) calls. "
404
    "32 bit: [8,16]");
405
406
SYSCTL_PROC(_security_pax_aslr_compat, OID_AUTO, stack_len,
407
    CTLTYPE_INT|CTLFLAG_RWTUN|CTLFLAG_PRISON,
408
    NULL, 0, sysctl_pax_aslr_compat_stack, "I",
409
    "Number of bits randomized for the stack. "
410
    "32 bit: [8,16]");
411
412
SYSCTL_PROC(_security_pax_aslr_compat, OID_AUTO, exec_len,
413
    CTLTYPE_INT|CTLFLAG_RWTUN|CTLFLAG_PRISON,
414
    NULL, 0, sysctl_pax_aslr_compat_exec, "I",
415
    "Number of bits randomized for the PIE exec base. "
416
    "32 bit: [8,16]");
417
418
static int
419
sysctl_pax_aslr_compat_status(SYSCTL_HANDLER_ARGS)
420
{
421
	struct prison *pr;
422
	int err, val;
423
424
	pr = pax_get_prison_td(req->td);
425
426
	val = pr->pr_hardening.hr_pax_aslr_compat_status;
427
	err = sysctl_handle_int(oidp, &val, sizeof(int), req);
428
	if (err || (req->newptr == NULL))
429
		return (err);
430
431
	switch (val) {
432
	case PAX_FEATURE_DISABLED:
433
	case PAX_FEATURE_OPTIN:
434
	case PAX_FEATURE_OPTOUT:
435
	case PAX_FEATURE_FORCE_ENABLED:
436
		if (pr == &prison0)
437
			pax_aslr_compat_status = val;
438
439
		pr->pr_hardening.hr_pax_aslr_compat_status = val;
440
		break;
441
	default:
442
		return (EINVAL);
443
	}
444
445
	return (0);
446
}
447
448
static int
449
sysctl_pax_aslr_compat_mmap(SYSCTL_HANDLER_ARGS)
450
{
451
	struct prison *pr;
452
	int err, val;
453
454
	pr = pax_get_prison_td(req->td);
455
456
	val = pr->pr_hardening.hr_pax_aslr_compat_mmap_len;
457
	err = sysctl_handle_int(oidp, &val, sizeof(int), req);
458
	if (err || !req->newptr)
459
		return (err);
460
461
	if (val < PAX_ASLR_COMPAT_DELTA_MMAP_MIN_LEN ||
462
	    val > PAX_ASLR_COMPAT_DELTA_MMAP_MAX_LEN)
463
		return (EINVAL);
464
465
	if (pr == &prison0)
466
		pax_aslr_compat_mmap_len = val;
467
468
	pr->pr_hardening.hr_pax_aslr_compat_mmap_len = val;
469
470
	return (0);
471
}
472
473
static int
474
sysctl_pax_aslr_compat_stack(SYSCTL_HANDLER_ARGS)
475
{
476
	struct prison *pr;
477
	int err, val;
478
479
	pr = pax_get_prison_td(req->td);
480
481
	val = pr->pr_hardening.hr_pax_aslr_compat_stack_len;
482
	err = sysctl_handle_int(oidp, &val, sizeof(int), req);
483
	if (err || !req->newptr)
484
		return (err);
485
486
	if (val < PAX_ASLR_COMPAT_DELTA_STACK_MIN_LEN ||
487
	    val > PAX_ASLR_COMPAT_DELTA_STACK_MAX_LEN)
488
		return (EINVAL);
489
490
	if (pr == &prison0)
491
		pax_aslr_compat_stack_len = val;
492
493
	pr->pr_hardening.hr_pax_aslr_compat_stack_len = val;
494
495
	return (0);
496
}
497
498
static int
499
sysctl_pax_aslr_compat_exec(SYSCTL_HANDLER_ARGS)
500
{
501
	struct prison *pr;
502
	int err, val;
503
504
	pr = pax_get_prison_td(req->td);
505
506
	val = pr->pr_hardening.hr_pax_aslr_compat_exec_len;
507
	err = sysctl_handle_int(oidp, &val, sizeof(int), req);
508
	if (err || !req->newptr)
509
		return (err);
510
511
	if (val < PAX_ASLR_COMPAT_DELTA_EXEC_MIN_LEN ||
512
	    val > PAX_ASLR_COMPAT_DELTA_EXEC_MAX_LEN)
513
		return (EINVAL);
514
515
	if (pr == &prison0)
516
		pax_aslr_compat_exec_len = val;
517
518
	pr->pr_hardening.hr_pax_aslr_compat_exec_len = val;
519
520
	return (0);
521
}
522
523
#endif /* COMPAT_FREEBSD32 */
524
#endif /* PAX_SYSCTLS */
525
526
527
/*
528
 * ASLR functions
529
 */
530
531
static void
532
pax_aslr_sysinit(void)
533
{
534
535
	switch (pax_aslr_status) {
536
	case PAX_FEATURE_DISABLED:
537
	case PAX_FEATURE_OPTIN:
538
	case PAX_FEATURE_OPTOUT:
539
	case PAX_FEATURE_FORCE_ENABLED:
540
		break;
541
	default:
542
		printf("warning: invalid settings in loader.conf:"
543
		    " (pax_aslr_status = %d)\n", pax_aslr_status);
544
		pax_aslr_status = PAX_FEATURE_FORCE_ENABLED;
545
		break;
546
	}
547
	if (bootverbose) {
548
		printf("PAX ASLR status: %s\n", pax_status_str[pax_aslr_status]);
549
		printf("PAX ASLR mmap: %d bit\n", pax_aslr_mmap_len);
550
		printf("PAX ASLR exec base: %d bit\n", pax_aslr_exec_len);
551
		printf("PAX ASLR stack: %d bit\n", pax_aslr_stack_len);
552
	}
553
}
554
SYSINIT(pax_aslr, SI_SUB_PAX, SI_ORDER_SECOND, pax_aslr_sysinit, NULL);
555
556
int
557
pax_aslr_active(struct proc *p)
558
{
559
	uint32_t flags;
560
561
	pax_get_flags(p, &flags);
562
563
	CTR3(KTR_PAX, "%s: pid = %d p_pax = %x",
564
	    __func__, p->p_pid, flags);
565
566
	if ((flags & PAX_NOTE_ASLR) == PAX_NOTE_ASLR)
567
		return (true);
568
569
	if ((flags & PAX_NOTE_NOASLR) == PAX_NOTE_NOASLR)
570
		return (false);
571
572
	return (true);
573
}
574
575
void
576
pax_aslr_init_vmspace(struct proc *p)
577
{
578
	struct prison *pr;
579
	struct vmspace *vm;
580
	unsigned long rand_buf;
581
582
	vm = p->p_vmspace;
583
584
	pr = pax_get_prison(p);
585
	arc4rand(&rand_buf, sizeof(rand_buf), 0);
586
	vm->vm_aslr_delta_mmap = PAX_ASLR_DELTA(rand_buf,
587
	    PAX_ASLR_DELTA_MMAP_LSB,
588
	    pr->pr_hardening.hr_pax_aslr_mmap_len);
589
590
	arc4rand(&rand_buf, sizeof(rand_buf), 0);
591
	vm->vm_aslr_delta_stack = PAX_ASLR_DELTA(rand_buf,
592
	    PAX_ASLR_DELTA_STACK_LSB,
593
	    pr->pr_hardening.hr_pax_aslr_stack_len);
594
	vm->vm_aslr_delta_stack = ALIGN(vm->vm_aslr_delta_stack);
595
596
	arc4rand(&rand_buf, sizeof(rand_buf), 0);
597
	vm->vm_aslr_delta_exec = PAX_ASLR_DELTA(rand_buf,
598
	    PAX_ASLR_DELTA_EXEC_LSB,
599
	    pr->pr_hardening.hr_pax_aslr_exec_len);
600
601
	CTR2(KTR_PAX, "%s: vm_aslr_delta_mmap=%p\n",
602
	    __func__, (void *)vm->vm_aslr_delta_mmap);
603
	CTR2(KTR_PAX, "%s: vm_aslr_delta_stack=%p\n",
604
	    __func__, (void *)vm->vm_aslr_delta_stack);
605
	CTR2(KTR_PAX, "%s: vm_aslr_delta_exec=%p\n",
606
	    __func__, (void *)vm->vm_aslr_delta_exec);
607
}
608
609
#ifdef COMPAT_FREEBSD32
610
static void
611
pax_compat_aslr_sysinit(void)
612
{
613
614
	switch (pax_aslr_compat_status) {
615
	case PAX_FEATURE_DISABLED:
616
	case PAX_FEATURE_OPTIN:
617
	case PAX_FEATURE_OPTOUT:
618
	case PAX_FEATURE_FORCE_ENABLED:
619
		break;
620
	default:
621
		printf("warning: invalid settings in loader.conf! "
622
		    "(pax_aslr_compat_status = %d)\n", pax_aslr_compat_status);
623
		pax_aslr_compat_status = PAX_FEATURE_FORCE_ENABLED;
624
		break;
625
	}
626
	if (bootverbose) {
627
		printf("PAX ASLR (compat) status: %s\n", pax_status_str[pax_aslr_compat_status]);
628
		printf("PAX ASLR (compat) mmap: %d bit\n", pax_aslr_compat_mmap_len);
629
		printf("PAX ASLR (compat) exec base: %d bit\n", pax_aslr_compat_exec_len);
630
		printf("PAX ASLR (compat) stack: %d bit\n", pax_aslr_compat_stack_len);
631
	}
632
}
633
SYSINIT(pax_compat_aslr, SI_SUB_PAX, SI_ORDER_SECOND, pax_compat_aslr_sysinit, NULL);
634
635
void
636
pax_aslr_init_vmspace32(struct proc *p)
637
{
638
	struct prison *pr;
639
	struct vmspace *vm;
640
	long rand_buf;
641
642
	vm = p->p_vmspace;
643
644
	pr = pax_get_prison(p);
645
	arc4rand(&rand_buf, sizeof(rand_buf), 0);
646
	vm->vm_aslr_delta_mmap = PAX_ASLR_DELTA(rand_buf,
647
	    PAX_ASLR_COMPAT_DELTA_MMAP_LSB,
648
	    pr->pr_hardening.hr_pax_aslr_compat_mmap_len);
649
650
	arc4rand(&rand_buf, sizeof(rand_buf), 0);
651
	vm->vm_aslr_delta_stack = PAX_ASLR_DELTA(rand_buf,
652
	    PAX_ASLR_COMPAT_DELTA_STACK_LSB,
653
	    pr->pr_hardening.hr_pax_aslr_compat_stack_len);
654
	vm->vm_aslr_delta_stack = ALIGN(vm->vm_aslr_delta_stack);
655
656
	arc4rand(&rand_buf, sizeof(rand_buf), 0);
657
	vm->vm_aslr_delta_exec = PAX_ASLR_DELTA(rand_buf,
658
	    PAX_ASLR_COMPAT_DELTA_EXEC_LSB,
659
	    pr->pr_hardening.hr_pax_aslr_compat_exec_len);
660
661
	CTR2(KTR_PAX, "%s: vm_aslr_delta_mmap=%p\n",
662
	    __func__, (void *)vm->vm_aslr_delta_mmap);
663
	CTR2(KTR_PAX, "%s: vm_aslr_delta_stack=%p\n",
664
	    __func__, (void *)vm->vm_aslr_delta_stack);
665
	CTR2(KTR_PAX, "%s: vm_aslr_delta_exec=%p\n",
666
	    __func__, (void *)vm->vm_aslr_delta_exec);
667
}
668
#endif
669
670
void
671
pax_aslr_init(struct image_params *imgp)
672
{
673
	struct proc *p;
674
675
	p = imgp->proc;
676
677
	if (!pax_aslr_active(p))
678
		return;
679
680
	if (imgp->sysent->sv_pax_aslr_init != NULL)
681
		imgp->sysent->sv_pax_aslr_init(p);
682
}
683
684
void
685
pax_aslr_init_prison(struct prison *pr)
686
{
687
	struct prison *pr_p;
688
689
	CTR2(KTR_PAX, "%s: Setting prison %s PaX variables\n",
690
	    __func__, pr->pr_name);
691
692
	if (pr == &prison0) {
693
		/* prison0 has no parent, use globals */
694
		pr->pr_hardening.hr_pax_aslr_status = pax_aslr_status;
695
		pr->pr_hardening.hr_pax_aslr_mmap_len =
696
		    pax_aslr_mmap_len;
697
		pr->pr_hardening.hr_pax_aslr_stack_len =
698
		    pax_aslr_stack_len;
699
		pr->pr_hardening.hr_pax_aslr_exec_len =
700
		    pax_aslr_exec_len;
701
	} else {
702
		KASSERT(pr->pr_parent != NULL,
703
		   ("%s: pr->pr_parent == NULL", __func__));
704
		pr_p = pr->pr_parent;
705
706
		pr->pr_hardening.hr_pax_aslr_status =
707
		    pr_p->pr_hardening.hr_pax_aslr_status;
708
		pr->pr_hardening.hr_pax_aslr_mmap_len =
709
		    pr_p->pr_hardening.hr_pax_aslr_mmap_len;
710
		pr->pr_hardening.hr_pax_aslr_stack_len =
711
		    pr_p->pr_hardening.hr_pax_aslr_stack_len;
712
		pr->pr_hardening.hr_pax_aslr_exec_len =
713
		    pr_p->pr_hardening.hr_pax_aslr_exec_len;
714
	}
715
}
716
717
#ifdef COMPAT_FREEBSD32
718
void
719
pax_aslr_init_prison32(struct prison *pr)
720
{
721
	struct prison *pr_p;
722
723
	CTR2(KTR_PAX, "%s: Setting prison %s PaX variables\n",
724
	    __func__, pr->pr_name);
725
726
	if (pr == &prison0) {
727
		/* prison0 has no parent, use globals */
728
729
		pr->pr_hardening.hr_pax_aslr_compat_status =
730
		    pax_aslr_compat_status;
731
		pr->pr_hardening.hr_pax_aslr_compat_mmap_len =
732
		    pax_aslr_compat_mmap_len;
733
		pr->pr_hardening.hr_pax_aslr_compat_stack_len =
734
		    pax_aslr_compat_stack_len;
735
		pr->pr_hardening.hr_pax_aslr_compat_exec_len =
736
		    pax_aslr_compat_exec_len;
737
	} else {
738
		KASSERT(pr->pr_parent != NULL,
739
		   ("%s: pr->pr_parent == NULL", __func__));
740
		pr_p = pr->pr_parent;
741
742
		pr->pr_hardening.hr_pax_aslr_compat_status =
743
		    pr_p->pr_hardening.hr_pax_aslr_compat_status;
744
		pr->pr_hardening.hr_pax_aslr_compat_mmap_len =
745
		    pr_p->pr_hardening.hr_pax_aslr_compat_mmap_len;
746
		pr->pr_hardening.hr_pax_aslr_compat_stack_len =
747
		    pr_p->pr_hardening.hr_pax_aslr_compat_stack_len;
748
		pr->pr_hardening.hr_pax_aslr_compat_exec_len =
749
		    pr_p->pr_hardening.hr_pax_aslr_compat_exec_len;
750
	}
751
}
752
#endif /* COMPAT_FREEBSD32 */
753
754
void
755
pax_aslr_mmap(struct proc *p, vm_offset_t *addr, vm_offset_t orig_addr, int flags)
756
{
757
758
	if (!pax_aslr_active(p))
759
		return;
760
761
	if (!(flags & MAP_FIXED) && ((orig_addr == 0) || !(flags & MAP_ANON))) {
762
		CTR4(KTR_PAX, "%s: applying to %p orig_addr=%p flags=%x\n",
763
		    __func__, (void *)*addr, (void *)orig_addr, flags);
764
765
#ifdef MAP_32BIT
766
		if (flags & MAP_32BIT) {
767
			int len_32bit;
768
769
#ifdef COMPAT_FREEBSD32
770
			len_32bit = pax_aslr_compat_mmap_len;
771
#else
772
			len_32bit = PAX_ASLR_COMPAT_DELTA_MMAP_MIN_LEN;
773
#endif
774
			*addr += PAX_ASLR_DELTA(arc4random(),
775
			    PAX_ASLR_COMPAT_DELTA_MMAP_LSB,
776
			    len_32bit);
777
		 } else
778
#endif /* MAP_32BIT */
779
			*addr += p->p_vmspace->vm_aslr_delta_mmap;
780
		CTR2(KTR_PAX, "%s: result %p\n", __func__, (void *)*addr);
781
	} else
782
		CTR4(KTR_PAX, "%s: not applying to %p orig_addr=%p flags=%x\n",
783
		    __func__, (void *)*addr, (void *)orig_addr, flags);
784
}
785
786
void
787
pax_aslr_stack(struct proc *p, uintptr_t *addr)
788
{
789
	uintptr_t orig_addr;
790
791
	if (!pax_aslr_active(p))
792
		return;
793
794
	orig_addr = *addr;
795
	*addr -= p->p_vmspace->vm_aslr_delta_stack;
796
	CTR3(KTR_PAX, "%s: orig_addr=%p, new_addr=%p\n",
797
	    __func__, (void *)orig_addr, (void *)*addr);
798
}
799
800
void
801
pax_aslr_stack_fixup(struct proc *p)
802
{
803
804
	if (!pax_aslr_active(p))
805
		return;
806
807
	p->p_vmspace->vm_maxsaddr -= p->p_vmspace->vm_aslr_delta_stack;
808
}
809
810
void
811
pax_aslr_execbase(struct proc *p, u_long *et_dyn_addr)
812
{
813
814
	if (!pax_aslr_active(p))
815
		return;
816
817
	*et_dyn_addr += p->p_vmspace->vm_aslr_delta_exec;
818
}
819
820
uint32_t
821
pax_aslr_setup_flags(struct image_params *imgp, uint32_t mode)
822
{
823
	struct prison *pr;
824
	uint32_t flags, status;
825
826
	flags = 0;
827
	status = 0;
828
829
	pr = pax_get_prison(imgp->proc);
830
	status = pr->pr_hardening.hr_pax_aslr_status;
831
832
	if (status == PAX_FEATURE_DISABLED) {
833
		flags &= ~PAX_NOTE_ASLR;
834
		flags |= PAX_NOTE_NOASLR;
835
836
		return (flags);
837
	}
838
839
	if (status == PAX_FEATURE_FORCE_ENABLED) {
840
		flags |= PAX_NOTE_ASLR;
841
		flags &= ~PAX_NOTE_NOASLR;
842
843
		return (flags);
844
	}
845
846
	if (status == PAX_FEATURE_OPTIN) {
847
		if (mode & PAX_NOTE_ASLR) {
848
			flags |= PAX_NOTE_ASLR;
849
			flags &= ~PAX_NOTE_NOASLR;
850
		} else {
851
			flags &= ~PAX_NOTE_ASLR;
852
			flags |= PAX_NOTE_NOASLR;
853
		}
854
855
		return (flags);
856
	}
857
858
	if (status == PAX_FEATURE_OPTOUT) {
859
		if (mode & PAX_NOTE_NOASLR) {
860
			flags &= ~PAX_NOTE_ASLR;
861
			flags |= PAX_NOTE_NOASLR;
862
		} else {
863
			flags |= PAX_NOTE_ASLR;
864
			flags &= ~PAX_NOTE_NOASLR;
865
		}
866
867
		return (flags);
868
	}
869
870
	/*
871
	 * unknown status, force ASLR
872
	 */
873
	flags |= PAX_NOTE_ASLR;
874
	flags &= ~PAX_NOTE_NOASLR;
875
876
	return (flags);
877
}
878
(-)sys/kern/kern_thr.c (+1 lines)
Lines 254-259 Link Here
254
	td->td_proc->p_flag |= P_HADTHREADS;
254
	td->td_proc->p_flag |= P_HADTHREADS;
255
	thread_link(newtd, p); 
255
	thread_link(newtd, p); 
256
	bcopy(p->p_comm, newtd->td_name, sizeof(newtd->td_name));
256
	bcopy(p->p_comm, newtd->td_name, sizeof(newtd->td_name));
257
	newtd->td_pax = p->p_pax;
257
	thread_lock(td);
258
	thread_lock(td);
258
	/* let the scheduler know about these things. */
259
	/* let the scheduler know about these things. */
259
	sched_fork_thread(td, newtd);
260
	sched_fork_thread(td, newtd);
(-)sys/kern/sys_process.c (-1 / +18 lines)
Lines 33-46 Link Here
33
__FBSDID("$FreeBSD$");
33
__FBSDID("$FreeBSD$");
34
34
35
#include "opt_compat.h"
35
#include "opt_compat.h"
36
#include "opt_pax.h"
36
37
37
#include <sys/param.h>
38
#include <sys/param.h>
38
#include <sys/systm.h>
39
#include <sys/systm.h>
39
#include <sys/lock.h>
40
#include <sys/lock.h>
40
#include <sys/mutex.h>
41
#include <sys/mutex.h>
41
#include <sys/syscallsubr.h>
42
#include <sys/syscallsubr.h>
42
#include <sys/sysent.h>
43
#include <sys/sysent.h>
43
#include <sys/sysproto.h>
44
#include <sys/sysproto.h>
45
#include <sys/pax.h>
44
#include <sys/priv.h>
46
#include <sys/priv.h>
45
#include <sys/proc.h>
47
#include <sys/proc.h>
46
#include <sys/vnode.h>
48
#include <sys/vnode.h>
Lines 651-656 Link Here
651
653
652
	/* Lock proctree before locking the process. */
654
	/* Lock proctree before locking the process. */
653
	switch (req) {
655
	switch (req) {
656
#ifdef PAX_ASLR
657
	case PT_PAX:
658
#endif
654
	case PT_TRACE_ME:
659
	case PT_TRACE_ME:
655
	case PT_ATTACH:
660
	case PT_ATTACH:
656
	case PT_STEP:
661
	case PT_STEP:
Lines 668-674 Link Here
668
	}
673
	}
669
674
670
	write = 0;
675
	write = 0;
671
	if (req == PT_TRACE_ME) {
676
	if (req == PT_TRACE_ME || req == PT_PAX) {
672
		p = td->td_proc;
677
		p = td->td_proc;
673
		PROC_LOCK(p);
678
		PROC_LOCK(p);
674
	} else {
679
	} else {
Lines 735-740 Link Here
735
	 * Permissions check
740
	 * Permissions check
736
	 */
741
	 */
737
	switch (req) {
742
	switch (req) {
743
	case PT_PAX:
744
		/* securelevel should be 0 to allow this */
745
		if ((data & PAX_NOTE_NOASLR) == PAX_NOTE_NOASLR) {
746
			if (securelevel_gt(p->p_ucred, 0) != 0) {
747
				error = EPERM;
748
				goto fail;
749
			}
750
		}
751
		break;
738
	case PT_TRACE_ME:
752
	case PT_TRACE_ME:
739
		/* Always legal. */
753
		/* Always legal. */
740
		break;
754
		break;
Lines 820-825 Link Here
820
	td->td_retval[0] = 0;
834
	td->td_retval[0] = 0;
821
835
822
	switch (req) {
836
	switch (req) {
837
	case PT_PAX:
838
		p->p_paxdebug = data;
839
		break;
823
	case PT_TRACE_ME:
840
	case PT_TRACE_ME:
824
		/* set my trace flag and "owner" so it can read/write me */
841
		/* set my trace flag and "owner" so it can read/write me */
825
		p->p_flag |= P_TRACED;
842
		p->p_flag |= P_TRACED;
(-)sys/mips/mips/elf_machdep.c (+9 lines)
Lines 28-41 Link Here
28
#include <sys/cdefs.h>
28
#include <sys/cdefs.h>
29
__FBSDID("$FreeBSD$");
29
__FBSDID("$FreeBSD$");
30
30
31
#include "opt_pax.h"
32
31
#include <sys/param.h>
33
#include <sys/param.h>
32
#include <sys/kernel.h>
34
#include <sys/kernel.h>
33
#include <sys/systm.h>
35
#include <sys/systm.h>
34
#include <sys/exec.h>
36
#include <sys/exec.h>
35
#include <sys/imgact.h>
37
#include <sys/imgact.h>
36
#include <sys/linker.h>
38
#include <sys/linker.h>
37
#include <sys/sysent.h>
39
#include <sys/sysent.h>
38
#include <sys/imgact_elf.h>
40
#include <sys/imgact_elf.h>
41
#include <sys/pax.h>
39
#include <sys/proc.h>
42
#include <sys/proc.h>
40
#include <sys/syscall.h>
43
#include <sys/syscall.h>
41
#include <sys/signalvar.h>
44
#include <sys/signalvar.h>
Lines 83-88 Link Here
83
	.sv_fetch_syscall_args = cpu_fetch_syscall_args,
86
	.sv_fetch_syscall_args = cpu_fetch_syscall_args,
84
	.sv_syscallnames = syscallnames,
87
	.sv_syscallnames = syscallnames,
85
	.sv_schedtail	= NULL,
88
	.sv_schedtail	= NULL,
89
#ifdef PAX_ASLR
90
	.sv_pax_aslr_init = pax_aslr_init_vmspace,
91
#endif
86
};
92
};
87
93
88
static Elf64_Brandinfo freebsd_brand_info = {
94
static Elf64_Brandinfo freebsd_brand_info = {
Lines 139-144 Link Here
139
	.sv_fetch_syscall_args = cpu_fetch_syscall_args,
145
	.sv_fetch_syscall_args = cpu_fetch_syscall_args,
140
	.sv_syscallnames = syscallnames,
146
	.sv_syscallnames = syscallnames,
141
	.sv_schedtail	= NULL,
147
	.sv_schedtail	= NULL,
148
#ifdef PAX_ASLR
149
	.sv_pax_aslr_init = pax_aslr_init_vmspace32,
150
#endif
142
};
151
};
143
152
144
static Elf32_Brandinfo freebsd_brand_info = {
153
static Elf32_Brandinfo freebsd_brand_info = {
(-)sys/mips/mips/freebsd32_machdep.c (+5 lines)
Lines 31-36 Link Here
31
 */
31
 */
32
32
33
#include "opt_compat.h"
33
#include "opt_compat.h"
34
#include "opt_pax.h"
34
35
35
#define __ELF_WORD_SIZE 32
36
#define __ELF_WORD_SIZE 32
36
37
Lines 45-50 Link Here
45
#include <sys/proc.h>
46
#include <sys/proc.h>
46
#include <sys/namei.h>
47
#include <sys/namei.h>
47
#include <sys/fcntl.h>
48
#include <sys/fcntl.h>
49
#include <sys/pax.h>
48
#include <sys/sysent.h>
50
#include <sys/sysent.h>
49
#include <sys/imgact_elf.h>
51
#include <sys/imgact_elf.h>
50
#include <sys/syscall.h>
52
#include <sys/syscall.h>
Lines 106-111 Link Here
106
	.sv_fetch_syscall_args = cpu_fetch_syscall_args,
108
	.sv_fetch_syscall_args = cpu_fetch_syscall_args,
107
	.sv_syscallnames = freebsd32_syscallnames,
109
	.sv_syscallnames = freebsd32_syscallnames,
108
	.sv_schedtail	= NULL,
110
	.sv_schedtail	= NULL,
111
#ifdef PAX_ASLR
112
	.sv_pax_aslr_init = pax_aslr_init_vmspace32,
113
#endif
109
};
114
};
110
INIT_SYSENTVEC(elf32_sysvec, &elf32_freebsd_sysvec);
115
INIT_SYSENTVEC(elf32_sysvec, &elf32_freebsd_sysvec);
111
116
(-)sys/powerpc/powerpc/elf32_machdep.c (+6 lines)
Lines 25-30 Link Here
25
 * $FreeBSD$
25
 * $FreeBSD$
26
 */
26
 */
27
27
28
#include "opt_pax.h"
29
28
#include <sys/param.h>
30
#include <sys/param.h>
29
#include <sys/kernel.h>
31
#include <sys/kernel.h>
30
#include <sys/systm.h>
32
#include <sys/systm.h>
Lines 34-39 Link Here
34
#include <sys/exec.h>
36
#include <sys/exec.h>
35
#include <sys/imgact.h>
37
#include <sys/imgact.h>
36
#include <sys/malloc.h>
38
#include <sys/malloc.h>
39
#include <sys/pax.h>
37
#include <sys/proc.h>
40
#include <sys/proc.h>
38
#include <sys/namei.h>
41
#include <sys/namei.h>
39
#include <sys/fcntl.h>
42
#include <sys/fcntl.h>
Lines 108-113 Link Here
108
	.sv_shared_page_base = FREEBSD32_SHAREDPAGE,
111
	.sv_shared_page_base = FREEBSD32_SHAREDPAGE,
109
	.sv_shared_page_len = PAGE_SIZE,
112
	.sv_shared_page_len = PAGE_SIZE,
110
	.sv_schedtail	= NULL,
113
	.sv_schedtail	= NULL,
114
#ifdef PAX_ASLR
115
	.sv_pax_aslr_init = pax_aslr_init_vmspace32,
116
#endif
111
};
117
};
112
INIT_SYSENTVEC(elf32_sysvec, &elf32_freebsd_sysvec);
118
INIT_SYSENTVEC(elf32_sysvec, &elf32_freebsd_sysvec);
113
119
(-)sys/powerpc/powerpc/elf64_machdep.c (+6 lines)
Lines 25-36 Link Here
25
 * $FreeBSD$
25
 * $FreeBSD$
26
 */
26
 */
27
27
28
#include "opt_pax.h"
29
28
#include <sys/param.h>
30
#include <sys/param.h>
29
#include <sys/kernel.h>
31
#include <sys/kernel.h>
30
#include <sys/systm.h>
32
#include <sys/systm.h>
31
#include <sys/exec.h>
33
#include <sys/exec.h>
32
#include <sys/imgact.h>
34
#include <sys/imgact.h>
33
#include <sys/malloc.h>
35
#include <sys/malloc.h>
36
#include <sys/pax.h>
34
#include <sys/proc.h>
37
#include <sys/proc.h>
35
#include <sys/namei.h>
38
#include <sys/namei.h>
36
#include <sys/fcntl.h>
39
#include <sys/fcntl.h>
Lines 84-89 Link Here
84
	.sv_shared_page_base = SHAREDPAGE,
87
	.sv_shared_page_base = SHAREDPAGE,
85
	.sv_shared_page_len = PAGE_SIZE,
88
	.sv_shared_page_len = PAGE_SIZE,
86
	.sv_schedtail	= NULL,
89
	.sv_schedtail	= NULL,
90
#ifdef PAX_ASLR
91
	.sv_pax_aslr_init = pax_aslr_init_vmspace,
92
#endif
87
};
93
};
88
INIT_SYSENTVEC(elf64_sysvec, &elf64_freebsd_sysvec);
94
INIT_SYSENTVEC(elf64_sysvec, &elf64_freebsd_sysvec);
89
95
(-)sys/sparc64/sparc64/elf_machdep.c (+6 lines)
Lines 34-45 Link Here
34
#include <sys/cdefs.h>
34
#include <sys/cdefs.h>
35
__FBSDID("$FreeBSD$");
35
__FBSDID("$FreeBSD$");
36
36
37
#include "opt_pax.h"
38
37
#include <sys/param.h>
39
#include <sys/param.h>
38
#include <sys/kernel.h>
40
#include <sys/kernel.h>
39
#include <sys/systm.h>
41
#include <sys/systm.h>
40
#include <sys/exec.h>
42
#include <sys/exec.h>
41
#include <sys/imgact.h>
43
#include <sys/imgact.h>
42
#include <sys/linker.h>
44
#include <sys/linker.h>
45
#include <sys/pax.h>
43
#include <sys/proc.h>
46
#include <sys/proc.h>
44
#include <sys/sysent.h>
47
#include <sys/sysent.h>
45
#include <sys/imgact_elf.h>
48
#include <sys/imgact_elf.h>
Lines 87-92 Link Here
87
	.sv_fetch_syscall_args = cpu_fetch_syscall_args,
90
	.sv_fetch_syscall_args = cpu_fetch_syscall_args,
88
	.sv_syscallnames = syscallnames,
91
	.sv_syscallnames = syscallnames,
89
	.sv_schedtail	= NULL,
92
	.sv_schedtail	= NULL,
93
#ifdef PAX_ASLR
94
	.sv_pax_aslr_init = pax_aslr_init_vmspace,
95
#endif
90
};
96
};
91
97
92
static Elf64_Brandinfo freebsd_brand_info = {
98
static Elf64_Brandinfo freebsd_brand_info = {
(-)sys/sys/imgact.h (+1 lines)
Lines 80-85 Link Here
80
	unsigned long pagesizes;
80
	unsigned long pagesizes;
81
	int pagesizeslen;
81
	int pagesizeslen;
82
	vm_prot_t stack_prot;
82
	vm_prot_t stack_prot;
83
	int pax_flags;
83
};
84
};
84
85
85
#ifdef _KERNEL
86
#ifdef _KERNEL
(-)sys/sys/jail.h (+5 lines)
Lines 30-35 Link Here
30
#ifndef _SYS_JAIL_H_
30
#ifndef _SYS_JAIL_H_
31
#define _SYS_JAIL_H_
31
#define _SYS_JAIL_H_
32
32
33
#if defined(_KERNEL) || defined(_WANT_PRISON)
34
#include <sys/pax.h>
35
#endif
36
33
#ifdef _KERNEL
37
#ifdef _KERNEL
34
struct jail_v0 {
38
struct jail_v0 {
35
	u_int32_t	version;
39
	u_int32_t	version;
Lines 186-191 Link Here
186
	char		 pr_hostname[MAXHOSTNAMELEN];	/* (p) jail hostname */
190
	char		 pr_hostname[MAXHOSTNAMELEN];	/* (p) jail hostname */
187
	char		 pr_domainname[MAXHOSTNAMELEN];	/* (p) jail domainname */
191
	char		 pr_domainname[MAXHOSTNAMELEN];	/* (p) jail domainname */
188
	char		 pr_hostuuid[HOSTUUIDLEN];	/* (p) jail hostuuid */
192
	char		 pr_hostuuid[HOSTUUIDLEN];	/* (p) jail hostuuid */
193
	struct hardening_features	pr_hardening;	/* (p) PaX-inspired hardening features */
189
	char		 pr_osrelease[OSRELEASELEN];	/* (c) kern.osrelease value */
194
	char		 pr_osrelease[OSRELEASELEN];	/* (c) kern.osrelease value */
190
};
195
};
191
196
(-)sys/sys/kernel.h (+1 lines)
Lines 102-107 Link Here
102
	SI_SUB_WITNESS		= 0x1A80000,	/* witness initialization */
102
	SI_SUB_WITNESS		= 0x1A80000,	/* witness initialization */
103
	SI_SUB_MTX_POOL_DYNAMIC	= 0x1AC0000,	/* dynamic mutex pool */
103
	SI_SUB_MTX_POOL_DYNAMIC	= 0x1AC0000,	/* dynamic mutex pool */
104
	SI_SUB_LOCK		= 0x1B00000,	/* various locks */
104
	SI_SUB_LOCK		= 0x1B00000,	/* various locks */
105
	SI_SUB_PAX		= 0x1B80000,	/* pax setup */
105
	SI_SUB_EVENTHANDLER	= 0x1C00000,	/* eventhandler init */
106
	SI_SUB_EVENTHANDLER	= 0x1C00000,	/* eventhandler init */
106
	SI_SUB_VNET_PRELINK	= 0x1E00000,	/* vnet init before modules */
107
	SI_SUB_VNET_PRELINK	= 0x1E00000,	/* vnet init before modules */
107
	SI_SUB_KLD		= 0x2000000,	/* KLD and module setup */
108
	SI_SUB_KLD		= 0x2000000,	/* KLD and module setup */
(-)sys/sys/ktr_class.h (-1 / +2 lines)
Lines 71-77 Link Here
71
#define	KTR_INET6	0x10000000		/* IPv6 stack */
71
#define	KTR_INET6	0x10000000		/* IPv6 stack */
72
#define	KTR_SCHED	0x20000000		/* Machine parsed sched info. */
72
#define	KTR_SCHED	0x20000000		/* Machine parsed sched info. */
73
#define	KTR_BUF		0x40000000		/* Buffer cache */
73
#define	KTR_BUF		0x40000000		/* Buffer cache */
74
#define	KTR_ALL		0x7fffffff
74
#define	KTR_PAX		0x80000000		/* PaX */
75
#define	KTR_ALL		0xffffffff
75
76
76
/* KTR trace classes to compile in */
77
/* KTR trace classes to compile in */
77
#ifdef KTR
78
#ifdef KTR
(-)sys/sys/pax.h (+118 lines)
Added Link Here
1
/*-
2
 * Copyright (c) 2006 Elad Efrat <elad@NetBSD.org>
3
 * Copyright (c) 2013-2015, by Oliver Pinter <oliver.pinter@hardenedbsd.org>
4
 * Copyright (c) 2014-2015, by Shawn Webb <shawn.webb@hardenedbsd.org>
5
 * All rights reserved.
6
 *
7
 * Redistribution and use in source and binary forms, with or without
8
 * modification, are permitted provided that the following conditions
9
 * are met:
10
 * 1. Redistributions of source code must retain the above copyright
11
 *    notice, this list of conditions and the following disclaimer.
12
 * 2. Redistributions in binary form must reproduce the above copyright
13
 *    notice, this list of conditions and the following disclaimer in the
14
 *    documentation and/or other materials provided with the distribution.
15
 * 3. The name of the author may not be used to endorse or promote products
16
 *    derived from this software without specific prior written permission.
17
 *
18
 * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
19
 * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
20
 * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
21
 * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
22
 * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
23
 * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
24
 * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
25
 * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
26
 * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
27
 * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
28
 *
29
 * $FreeBSD$
30
 *
31
 * HardenedBSD-version: 2fba75c32739bd7f7c80163ec88e3655c3130753
32
 * HardenedBSD-version: v16
33
 *
34
 */
35
36
#ifndef	__SYS_PAX_H
37
#define	__SYS_PAX_H
38
39
#if defined(_KERNEL) || defined(_WANT_PRISON)
40
struct hardening_features {
41
	int	 hr_pax_aslr_status;		/* (p) PaX ASLR enabled */
42
	int	 hr_pax_aslr_mmap_len;		/* (p) Number of bits randomized with mmap */
43
	int	 hr_pax_aslr_stack_len;		/* (p) Number of bits randomized with stack */
44
	int	 hr_pax_aslr_exec_len;		/* (p) Number of bits randomized with the execbase */
45
	int	 hr_pax_aslr_compat_status;	/* (p) PaX ASLR enabled (compat32) */
46
	int	 hr_pax_aslr_compat_mmap_len;	/* (p) Number of bits randomized with mmap (compat32) */
47
	int	 hr_pax_aslr_compat_stack_len;	/* (p) Number of bits randomized with stack (compat32) */
48
	int	 hr_pax_aslr_compat_exec_len;	/* (p) Number of bits randomized with the execbase (compat32) */
49
};
50
#endif
51
52
#ifdef _KERNEL
53
struct image_params;
54
struct prison;
55
struct thread;
56
struct proc;
57
struct vnode;
58
struct vm_offset_t;
59
60
/*
61
 * used in sysctl handler
62
 */
63
#define	PAX_FEATURE_DISABLED		0
64
#define	PAX_FEATURE_OPTIN		1
65
#define	PAX_FEATURE_OPTOUT		2
66
#define	PAX_FEATURE_FORCE_ENABLED	3
67
#define	PAX_FEATURE_UNKNOWN_STATUS	4
68
69
extern const char *pax_status_str[];
70
71
#define PAX_FEATURE_SIMPLE_DISABLED	0
72
#define PAX_FEATURE_SIMPLE_ENABLED	1
73
74
extern const char *pax_status_simple_str[];
75
76
/*
77
 * generic pax functions
78
 */
79
int pax_elf(struct image_params *, uint32_t);
80
void pax_get_flags(struct proc *p, uint32_t *flags);
81
void pax_get_flags_td(struct thread *td, uint32_t *flags);
82
struct prison *pax_get_prison(struct proc *p);
83
struct prison *pax_get_prison_td(struct thread *td);
84
void pax_init_prison(struct prison *pr);
85
86
/*
87
 * ASLR related functions
88
 */
89
int pax_aslr_active(struct proc *p);
90
void pax_aslr_init_vmspace(struct proc *p);
91
void pax_aslr_init_vmspace32(struct proc *p);
92
#ifdef PAX_ASLR
93
void pax_aslr_init_prison(struct prison *pr);
94
void pax_aslr_init_prison32(struct prison *pr);
95
#else
96
#define	pax_aslr_init_prison(pr)	do {} while (0)
97
#define	pax_aslr_init_prison32(pr)	do {} while (0)
98
#endif
99
void pax_aslr_init(struct image_params *imgp);
100
void pax_aslr_execbase(struct proc *p, u_long *et_dyn_addr);
101
void pax_aslr_mmap(struct proc *p, vm_offset_t *addr, 
102
    vm_offset_t orig_addr, int flags);
103
uint32_t pax_aslr_setup_flags(struct image_params *imgp, uint32_t mode);
104
void pax_aslr_stack(struct proc *p, uintptr_t *addr);
105
void pax_aslr_stack_fixup(struct proc *p);
106
#endif /* _KERNEL */
107
108
/*
109
 * keep this values, to keep compatibility with HardenedBSD
110
 */
111
#define	PAX_NOTE_ASLR		0x00000040
112
#define	PAX_NOTE_NOASLR		0x00000080
113
114
#define	PAX_NOTE_ALL_ENABLED	(PAX_NOTE_ASLR)
115
#define	PAX_NOTE_ALL_DISABLED	(PAX_NOTE_NOASLR)
116
#define	PAX_NOTE_ALL	(PAX_NOTE_ALL_ENABLED | PAX_NOTE_ALL_DISABLED)
117
118
#endif /* __SYS_PAX_H */
(-)sys/sys/proc.h (+3 lines)
Lines 288-293 Link Here
288
	u_char		td_pri_class;	/* (t) Scheduling class. */
288
	u_char		td_pri_class;	/* (t) Scheduling class. */
289
	u_char		td_user_pri;	/* (t) User pri from estcpu and nice. */
289
	u_char		td_user_pri;	/* (t) User pri from estcpu and nice. */
290
	u_char		td_base_user_pri; /* (t) Base user pri */
290
	u_char		td_base_user_pri; /* (t) Base user pri */
291
	uint32_t	td_pax;		/* (b) cached PaX settings from process */
291
#define	td_endcopy td_pcb
292
#define	td_endcopy td_pcb
292
293
293
/*
294
/*
Lines 578-583 Link Here
578
	pid_t		p_reapsubtree;	/* (e) Pid of the direct child of the
579
	pid_t		p_reapsubtree;	/* (e) Pid of the direct child of the
579
					       reaper which spawned
580
					       reaper which spawned
580
					       our subtree. */
581
					       our subtree. */
582
	u_int		p_pax;		/* (b) PaX is enabled to this process */
583
	u_int		p_paxdebug;	/* (b) PaX flags set via PTrace */
581
/* End area that is copied on creation. */
584
/* End area that is copied on creation. */
582
#define	p_endcopy	p_xstat
585
#define	p_endcopy	p_xstat
583
586
(-)sys/sys/ptrace.h (+1 lines)
Lines 76-81 Link Here
76
#define	PT_VM_ENTRY	41	/* Get VM map (entry) */
76
#define	PT_VM_ENTRY	41	/* Get VM map (entry) */
77
77
78
#define PT_FIRSTMACH    64	/* for machine-specific requests */
78
#define PT_FIRSTMACH    64	/* for machine-specific requests */
79
#define PT_PAX		65	/* Toggle PaX-inspired hardening features */
79
#include <machine/ptrace.h>	/* machine-specific requests, if any */
80
#include <machine/ptrace.h>	/* machine-specific requests, if any */
80
81
81
struct ptrace_io_desc {
82
struct ptrace_io_desc {
(-)sys/sys/sysent.h (+2 lines)
Lines 38-43 Link Here
38
struct sysent;
38
struct sysent;
39
struct thread;
39
struct thread;
40
struct ksiginfo;
40
struct ksiginfo;
41
struct proc;
41
42
42
typedef	int	sy_call_t(struct thread *, void *);
43
typedef	int	sy_call_t(struct thread *, void *);
43
44
Lines 136-141 Link Here
136
	uint32_t	sv_timekeep_gen;
137
	uint32_t	sv_timekeep_gen;
137
	void		*sv_shared_page_obj;
138
	void		*sv_shared_page_obj;
138
	void		(*sv_schedtail)(struct thread *);
139
	void		(*sv_schedtail)(struct thread *);
140
	void		(*sv_pax_aslr_init)(struct proc *p);
139
};
141
};
140
142
141
#define	SV_ILP32	0x000100
143
#define	SV_ILP32	0x000100
(-)sys/vm/vm_map.h (+3 lines)
Lines 241-246 Link Here
241
	caddr_t vm_taddr;	/* (c) user virtual address of text */
241
	caddr_t vm_taddr;	/* (c) user virtual address of text */
242
	caddr_t vm_daddr;	/* (c) user virtual address of data */
242
	caddr_t vm_daddr;	/* (c) user virtual address of data */
243
	caddr_t vm_maxsaddr;	/* user VA at max stack growth */
243
	caddr_t vm_maxsaddr;	/* user VA at max stack growth */
244
	vm_offset_t vm_aslr_delta_mmap;	/* mmap() random delta for ASLR */
245
	vm_offset_t vm_aslr_delta_stack;	/* stack random delta for ASLR */
246
	vm_offset_t vm_aslr_delta_exec;	/* exec base random delta for ASLR */
244
	volatile int vm_refcnt;	/* number of references */
247
	volatile int vm_refcnt;	/* number of references */
245
	/*
248
	/*
246
	 * Keep the PMAP last, so that CPU-specific variations of that
249
	 * Keep the PMAP last, so that CPU-specific variations of that
(-)sys/vm/vm_map.c (+13 lines)
Lines 65-70 Link Here
65
#include <sys/cdefs.h>
65
#include <sys/cdefs.h>
66
__FBSDID("$FreeBSD$");
66
__FBSDID("$FreeBSD$");
67
67
68
#include "opt_pax.h"
69
68
#include <sys/param.h>
70
#include <sys/param.h>
69
#include <sys/systm.h>
71
#include <sys/systm.h>
70
#include <sys/kernel.h>
72
#include <sys/kernel.h>
Lines 297-302 Link Here
297
	vm->vm_taddr = 0;
299
	vm->vm_taddr = 0;
298
	vm->vm_daddr = 0;
300
	vm->vm_daddr = 0;
299
	vm->vm_maxsaddr = 0;
301
	vm->vm_maxsaddr = 0;
302
#ifdef PAX_ASLR
303
	vm->vm_aslr_delta_mmap = 0;
304
	vm->vm_aslr_delta_stack = 0;
305
	vm->vm_aslr_delta_exec = 0;
306
#endif
307
300
	return (vm);
308
	return (vm);
301
}
309
}
302
310
Lines 3260-3265 Link Here
3260
	vm2->vm_taddr = vm1->vm_taddr;
3268
	vm2->vm_taddr = vm1->vm_taddr;
3261
	vm2->vm_daddr = vm1->vm_daddr;
3269
	vm2->vm_daddr = vm1->vm_daddr;
3262
	vm2->vm_maxsaddr = vm1->vm_maxsaddr;
3270
	vm2->vm_maxsaddr = vm1->vm_maxsaddr;
3271
#ifdef PAX_ASLR
3272
	vm2->vm_aslr_delta_exec = vm1->vm_aslr_delta_exec;
3273
	vm2->vm_aslr_delta_mmap = vm1->vm_aslr_delta_mmap;
3274
	vm2->vm_aslr_delta_stack = vm1->vm_aslr_delta_stack;
3275
#endif
3263
	vm_map_lock(old_map);
3276
	vm_map_lock(old_map);
3264
	if (old_map->busy)
3277
	if (old_map->busy)
3265
		vm_map_wait_busy(old_map);
3278
		vm_map_wait_busy(old_map);
(-)sys/vm/vm_mmap.c (+5 lines)
Lines 45-50 Link Here
45
45
46
#include "opt_compat.h"
46
#include "opt_compat.h"
47
#include "opt_hwpmc_hooks.h"
47
#include "opt_hwpmc_hooks.h"
48
#include "opt_pax.h"
48
49
49
#include <sys/param.h>
50
#include <sys/param.h>
50
#include <sys/systm.h>
51
#include <sys/systm.h>
Lines 54-59 Link Here
54
#include <sys/mutex.h>
55
#include <sys/mutex.h>
55
#include <sys/sysproto.h>
56
#include <sys/sysproto.h>
56
#include <sys/filedesc.h>
57
#include <sys/filedesc.h>
58
#include <sys/pax.h>
57
#include <sys/priv.h>
59
#include <sys/priv.h>
58
#include <sys/proc.h>
60
#include <sys/proc.h>
59
#include <sys/procctl.h>
61
#include <sys/procctl.h>
Lines 439-444 Link Here
439
	td->td_fpop = fp;
441
	td->td_fpop = fp;
440
	maxprot &= cap_maxprot;
442
	maxprot &= cap_maxprot;
441
443
444
#ifdef PAX_ASLR
445
	pax_aslr_mmap(td->td_proc, &addr, (vm_offset_t)uap->addr, flags);
446
#endif
442
	/* This relies on VM_PROT_* matching PROT_*. */
447
	/* This relies on VM_PROT_* matching PROT_*. */
443
	error = vm_mmap(&vms->vm_map, &addr, size, prot, maxprot,
448
	error = vm_mmap(&vms->vm_map, &addr, size, prot, maxprot,
444
	    flags, handle_type, handle, pos);
449
	    flags, handle_type, handle, pos);

Return to bug 181497