Bug 181497 - [kernel] [patch] Add ASLR feature to kernel
Summary: [kernel] [patch] Add ASLR feature to kernel
Status: Closed FIXED
Alias: None
Product: Base System
Classification: Unclassified
Component: kern (show other bugs)
Version: Unspecified
Hardware: Any Any
: Normal Affects Only Me
Assignee: freebsd-bugs (Nobody)
Depends on:
Reported: 2013-08-24 03:20 UTC by Steven Lee
Modified: 2018-12-04 16:19 UTC (History)
7 users (show)

See Also:

file.txt (4.09 KB, text/plain)
2013-08-24 03:20 UTC, Steven Lee
no flags Details
fbsd_aslr_11-current-2014-02-02.patch.txt (31.62 KB, text/plain)
2014-02-03 00:34 UTC, Shawn Webb
no flags Details
2014-02-04_aslr.patch (34.36 KB, patch)
2014-02-04 19:57 UTC, Shawn Webb
no flags Details | Diff
aslr-2014-02-09.patch.txt (2.25 KB, text/plain; x-unix-mode=0644)
2014-02-10 00:37 UTC, Shawn Webb
no flags Details
aslr-2014-03-16.patch.txt (35.48 KB, text/plain; x-unix-mode=0644)
2014-03-16 19:19 UTC, Shawn Webb
no flags Details
aslr-2014-03-21_01.patch.txt (35.62 KB, text/plain; x-unix-mode=0644)
2014-03-21 11:52 UTC, Shawn Webb
no flags Details
aslr-2014-03-21_02.patch.txt (35.48 KB, text/plain)
2014-03-22 00:49 UTC, Shawn Webb
no flags Details
New ASLR Patch (72.29 KB, patch)
2015-03-03 21:11 UTC, Shawn Webb
no flags Details | Diff

Note You need to log in before you can comment on or make changes to this bug.
Description Steven Lee 2013-08-24 03:20:00 UTC
Most modern operating systems have ASLR to help mitigate yet-unknown vulnerabilities.

It would be very nice if FreeBSD shipped with ASLR features in the kernel (default off), that could be easily switched on with a sysctl variable.

I understand that in some production environments ASLR may make a system slower through memory fragmentation, but at least give people the option to turn ASLR on for those who actually want it. :)

Fix: This patch has been circulating the internet since FreeBSD 7.0-RELEASE at least. It looks like parts of it are from OpenBSD? (I could be wrong.) I've used it in production for many many years and it works like a champ.

The patch will just need the sysctl defaults inverted and the variable names possibly renamed for clarity.

Patch attached with submission follows:
How-To-Repeat: N/A
Comment 1 Oliver Pinter 2013-08-24 14:48:49 UTC
new version of the patchset:
Comment 2 Steven Lee 2013-08-24 21:49:03 UTC
Wow... very nice. :)

Steven Lee
Comment 3 Mark Linimon 2013-08-25 03:59:17 UTC
----- Forwarded message from Oliver Pinter <oliver.pntr@gmail.com> -----

Date: Sat, 24 Aug 2013 23:40:15 +0200
From: Oliver Pinter <oliver.pntr@gmail.com>
To: Steven Lee <steven@roothosts.com>
Cc: freebsd-bugs@freebsd.org
Subject: Re: kern/181497: ASLR Feature Request - patch included

performance test on HEAD from Juni + ASLR patches:

----- End forwarded message -----
Comment 4 Shawn Webb 2014-02-03 00:34:40 UTC
Over the past few months, I've had the pleasure of enhancing Oliver's original patch. I've added support for randomizing the address of the RTLD and changing the behavior of ASLR to be set on a per-jail basis. This means that if a user requires an application that doesn't support ASLR (crashes, exhibits bugs, etc.), then the affected application can simply be placed in a jail with ASLR turned off. The rest of the system and the rest of the jails would still have ASLR turned on.

Oliver had ported over PaX's ASLR to NetBSD a few years back, and these patches brings FreeBSD feature-for-feature complete with NetBSD's ASLR implementation. What's lacking, along with NetBSD's implementation, is exec base randomization. This needs to be done on a per-binary basis, for binaries compiled with -fPIE. Additionally, we might want to specifically mark executables with an ELF note, specifying that it's safe to relocate the exec base.

One known bug is that applications compiled with clang with -fPIC -fPIE -static combined could segfault. I can provide a sample binary (with sample code) if needed for a simple five-line test application.

I will continue to research exec base randomization, but this task might be a bit over my head skill-wise.

Attached is the patch against 11-current as of 02 Feb 2014. If I make more progress on exec base randomization, you can follow my GitHub repo at https://github.com/lattera/freebsd, branch soldierx/lattera/aslr.


Shawn Webb
Comment 5 olivier 2014-02-03 15:46:47 UTC
I've try to patch 10.0 with the last attached patch, but it complains
because it didn't find file opt_pax.h (and I didn't see this file in the
Comment 6 Shawn Webb 2014-02-04 19:57:44 UTC
I'm sorry, my patch actually wasn't right. It included other fixes I had in my branch for other features and didn't include some of the other ASLR bits. Attached is the right patch.


Comment 7 Shawn Webb 2014-02-10 00:37:03 UTC
Attached is a patch that applies on top of the existing patch to fix a few minor bugs.


Comment 8 Shawn Webb 2014-03-16 19:19:11 UTC
Attached is a combined patch.
Comment 9 Shawn Webb 2014-03-21 11:52:58 UTC
Attached is a new patch with integrates ASLR into loading Position-Independent Executables (PIEs).
Comment 10 Shawn Webb 2014-03-22 00:49:01 UTC
The attached patch provides better stability to the new PIE feature.
Comment 11 Shawn Webb 2015-03-03 21:11:10 UTC
Created attachment 153731 [details]
New ASLR Patch

This is the same patch that was uploaded to Phabricator D473 on 01 March 2015.
Comment 12 Chris Collins 2015-08-25 17:44:17 UTC
any chance this can be backported to 9.x?
Comment 13 Shawn Webb 2015-12-19 13:24:15 UTC
This bug report can be closed.
Comment 14 Eitan Adler freebsd_committer freebsd_triage 2018-05-20 23:52:06 UTC
For bugs matching the following conditions:
- Status == In Progress
- Assignee == "bugs@FreeBSD.org"
- Last Modified Year <= 2017

- Set Status to "Open"
Comment 15 Ed Maste freebsd_committer 2018-12-04 16:19:07 UTC
Feature request for AS*R is tracked in PR 228964.

Patches for review / testing are best handled in Phabricator (see D473 and D5603).