author | Theo de Raadt <deraadt@cvs.openbsd.org> | 2020-10-15 16:30:24 +0000 |
---|---|---|
committer | Theo de Raadt <deraadt@cvs.openbsd.org> | 2020-10-15 16:30:24 +0000 |
commit | d402f1d56e6d2ea8abaaa77b10a6906a2302ec05 (patch) | |
tree | 15c27ec4387a19543ea80e0fab7ee704cff884ac | |
parent | ffcf7a30721e2587f44570e470827189426c8999 (diff) |
crt0 MD _dl_exit() performs syscall to SYS_exit directly, but then
some of these functions were returning. That makes the +1word address
a fairly strong and easily located gadget. Put a hard-trap
instruction after the syscall. This remains a gadget for 'terminal
system' calls (such as execve), but hey that's why we have pledge w/o
"exec" throughout the tree.
Quite surprisingly, hppa's delay-slot load of SYS_exit makes it the
safest of the bunch, not that this helps anyone.
ok kettenis
-rw-r--r-- | lib/csu/aarch64/md_init.h | 3 | ||||
-rw-r--r-- | lib/csu/alpha/md_init.h | 4 | ||||
-rw-r--r-- | lib/csu/amd64/md_init.h | 8 | ||||
-rw-r--r-- | lib/csu/arm/md_init.h | 3 | ||||
-rw-r--r-- | lib/csu/hppa/md_init.h | 9 | ||||
-rw-r--r-- | lib/csu/i386/md_init.h | 4 | ||||
-rw-r--r-- | lib/csu/m88k/md_init.h | 3 | ||||
-rw-r--r-- | lib/csu/mips64/md_init.h | 4 | ||||
-rw-r--r-- | lib/csu/powerpc/md_init.h | 4 | ||||
-rw-r--r-- | lib/csu/powerpc64/md_init.h | 4 | ||||
-rw-r--r-- | lib/csu/sh/md_init.h | 3 | ||||
-rw-r--r-- | lib/csu/sparc64/md_init.h | 5 |
12 files changed, 24 insertions, 30 deletions
diff --git a/lib/csu/aarch64/md_init.h b/lib/csu/aarch64/md_init.h index aa015293f10..de8b2512c0c 100644 --- a/lib/csu/aarch64/md_init.h +++ b/lib/csu/aarch64/md_init.h @@ -1,4 +1,4 @@ -/* $OpenBSD: md_init.h,v 1.8 2020/10/14 22:11:19 deraadt Exp $ */ +/* $OpenBSD: md_init.h,v 1.9 2020/10/15 16:30:21 deraadt Exp $ */ /*- * Copyright (c) 2001 Ross Harvey @@ -115,4 +115,5 @@ " svc #0 \n" \ " dsb nsh \n" \ " isb \n" \ + " .word 0xa000f7f0 /* illegal */ \n" \ ".previous"); diff --git a/lib/csu/alpha/md_init.h b/lib/csu/alpha/md_init.h index ee71a702058..d503c751913 100644 --- a/lib/csu/alpha/md_init.h +++ b/lib/csu/alpha/md_init.h @@ -1,4 +1,4 @@ -/* $OpenBSD: md_init.h,v 1.11 2020/10/14 22:11:19 deraadt Exp $ */ +/* $OpenBSD: md_init.h,v 1.12 2020/10/15 16:30:23 deraadt Exp $ */ /*- * Copyright (c) 2001 Ross Harvey * All rights reserved. @@ -100,7 +100,7 @@ "_dl_exit: \n" \ " lda $0, " STR(SYS_exit) " \n" \ " callsys \n" \ - " ret") + " halt ") #define MD_START_ARGS char **sp, void (*cleanup)(void) #define MD_START_SETUP \ diff --git a/lib/csu/amd64/md_init.h b/lib/csu/amd64/md_init.h index f136328eada..83365c3ea8d 100644 --- a/lib/csu/amd64/md_init.h +++ b/lib/csu/amd64/md_init.h @@ -1,4 +1,4 @@ -/* $OpenBSD: md_init.h,v 1.7 2020/10/14 22:11:19 deraadt Exp $ */ +/* $OpenBSD: md_init.h,v 1.8 2020/10/15 16:30:23 deraadt Exp $ */ /*- * Copyright (c) 2001 Ross Harvey @@ -115,9 +115,5 @@ "_dl_exit: \n" \ " movl $ " STR(SYS_exit) ", %eax \n" \ " syscall \n" \ - " jb 1f \n" \ - " ret \n" \ - "1: \n" \ - " neg %rax \n" \ - " ret \n" \ + " int3 \n" \ " .previous") diff --git a/lib/csu/arm/md_init.h b/lib/csu/arm/md_init.h index c8026dfde56..d80c0cccbb5 100644 --- a/lib/csu/arm/md_init.h +++ b/lib/csu/arm/md_init.h @@ -1,4 +1,4 @@ -/* $OpenBSD: md_init.h,v 1.15 2020/10/14 22:11:19 deraadt Exp $ */ +/* $OpenBSD: md_init.h,v 1.16 2020/10/15 16:30:23 deraadt Exp $ */ /*- * Copyright (c) 2001 Ross Harvey 
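Review bot: The `.word 0xa000f7f0 /* illegal */` added after `isb` in the aarch64 `_dl_exit` stub is the same constant the arm hunk (lib/csu/arm/md_init.h, after `swi #0`) adds, and the comment does not say in which instruction set the word is undefined. The value looks like the Thumb-2 `udf.w` halfword pair stored as one little-endian word, so it is worth confirming that it is guaranteed to fault when fetched as an A64 instruction, and in whichever state the arm crt0 is assembled for, rather than merely being unallocated today. The hardening depends on execution never continuing past this word, so I would state that guarantee in the comment, e.g. `/* must fault in A64 state; never falls through */`, or use the architecture's permanently-undefined encoding if the toolchain accepts it. The asm macro that holds the stub starts above the hunk.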
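Review bot: The `halt` that replaces `ret` in alpha's `_dl_exit` has no annotation saying it is there to trap, unlike the aarch64, arm, m88k, powerpc, powerpc64 and sh hunks, which mark theirs `illegal` or `breakpoint`. The same is true of `int3` on amd64 and i386, `break 0,0` on hppa, `break 0` on mips64 and `unimp` on sparc64. Without a note, a later reader could restore a return after the syscall and bring back the syscall-then-return sequence the commit description is removing. I would add a short comment on each of those lines in the file's existing style, for instance `/* trap: SYS_exit must not return */`. The macros holding these stubs begin outside the hunks.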
@@ -159,4 +159,5 @@ " swi #0 \n" \ " dsb nsh \n" \ " isb \n" \ + " .word 0xa000f7f0 /* illegal */ \n" \ ".previous"); diff --git a/lib/csu/hppa/md_init.h b/lib/csu/hppa/md_init.h index a7a502e2428..5abe6daff30 100644 --- a/lib/csu/hppa/md_init.h +++ b/lib/csu/hppa/md_init.h @@ -1,4 +1,4 @@ -/* $OpenBSD: md_init.h,v 1.14 2020/10/14 22:11:19 deraadt Exp $ */ +/* $OpenBSD: md_init.h,v 1.15 2020/10/15 16:30:23 deraadt Exp $ */ /* * Copyright (c) 2003 Dale Rahn. All rights reserved. @@ -148,12 +148,7 @@ " ldil L%0xc0000000, %r1 \n" \ " ble 4(%sr7, %r1) \n" \ " ldi " STR(SYS_exit) ", %t1 \n" \ - " comb,<> %r0, %t1, 1f \n" \ - " ldw -24(%sp), %rp \n" \ - " bv %r0(%rp) \n" \ - " nop \n" \ - "1: bv %r0(%rp) \n" \ - " sub %r0, %ret0, %ret0 \n" \ + " break 0,0 \n" \ " .exit \n" \ " .procend") diff --git a/lib/csu/i386/md_init.h b/lib/csu/i386/md_init.h index 6f286ea8fc7..64d7aeb94aa 100644 --- a/lib/csu/i386/md_init.h +++ b/lib/csu/i386/md_init.h @@ -1,4 +1,4 @@ -/* $OpenBSD: md_init.h,v 1.10 2020/10/14 22:11:19 deraadt Exp $ */ +/* $OpenBSD: md_init.h,v 1.11 2020/10/15 16:30:23 deraadt Exp $ */ /*- * Copyright (c) 2001 Ross Harvey @@ -124,5 +124,5 @@ "_dl_exit: \n" \ " mov $" STR(SYS_exit) ", %eax\n" \ " int $0x80 \n" \ - " ret \n" \ + " int3 \n" \ " .previous") diff --git a/lib/csu/m88k/md_init.h b/lib/csu/m88k/md_init.h index 5732c3c3caf..f73ed3e23bf 100644 --- a/lib/csu/m88k/md_init.h +++ b/lib/csu/m88k/md_init.h @@ -1,4 +1,4 @@ -/* $OpenBSD: md_init.h,v 1.8 2020/10/14 22:11:19 deraadt Exp $ */ +/* $OpenBSD: md_init.h,v 1.9 2020/10/15 16:30:23 deraadt Exp $ */ /* * Copyright (c) 2012 Miodrag Vallat. @@ -103,4 +103,5 @@ " or %r13, %r0, " STR(SYS_exit) " \n" \ " tb0 0, %r0, 450 \n" \ " or %r0, %r0, %r0 \n" \ + " tb0 0, %r0, 130 /* breakpoint */ \n" \ " .previous"); diff --git a/lib/csu/mips64/md_init.h b/lib/csu/mips64/md_init.h index 7328965c8ea..c5ed64c295f 100644 --- a/lib/csu/mips64/md_init.h +++ b/lib/csu/mips64/md_init.h 
@@ -1,4 +1,4 @@ -/* $OpenBSD: md_init.h,v 1.18 2020/10/14 22:11:19 deraadt Exp $ */ +/* $OpenBSD: md_init.h,v 1.19 2020/10/15 16:30:23 deraadt Exp $ */ /*- * Copyright (c) 2001 Ross Harvey @@ -146,7 +146,7 @@ "_dl_exit: \n" \ " li $v0, " STR(SYS_exit) " \n" \ " syscall \n" \ - " j $ra \n" \ + " break 0 \n" \ " .end _dl_exit \n" \ " .previous") diff --git a/lib/csu/powerpc/md_init.h b/lib/csu/powerpc/md_init.h index 811262a9e24..fa4a3f514fb 100644 --- a/lib/csu/powerpc/md_init.h +++ b/lib/csu/powerpc/md_init.h @@ -1,4 +1,4 @@ -/* $OpenBSD: md_init.h,v 1.10 2020/10/14 22:11:19 deraadt Exp $ */ +/* $OpenBSD: md_init.h,v 1.11 2020/10/15 16:30:23 deraadt Exp $ */ /*- * Copyright (c) 2001 Ross Harvey @@ -124,5 +124,5 @@ __asm( \ "_dl_exit: \n" \ " li %r0, " STR(SYS_exit) " \n" \ " sc \n" \ -" blr \n" \ +" .long 0 # illegal \n" \ ) diff --git a/lib/csu/powerpc64/md_init.h b/lib/csu/powerpc64/md_init.h index 3fa2ab118e6..e2054bd5754 100644 --- a/lib/csu/powerpc64/md_init.h +++ b/lib/csu/powerpc64/md_init.h @@ -1,4 +1,4 @@ -/* $OpenBSD: md_init.h,v 1.3 2020/10/14 22:11:19 deraadt Exp $ */ +/* $OpenBSD: md_init.h,v 1.4 2020/10/15 16:30:23 deraadt Exp $ */ /* * Copyright (c) 2020 Dale Rahn <drahn@openbsd.org> @@ -116,5 +116,5 @@ __asm( \ "_dl_exit: \n" \ " li %r0, " STR(SYS_exit) " \n" \ " sc \n" \ -" blr \n" \ +" .long 0 # illegal \n" \ ) diff --git a/lib/csu/sh/md_init.h b/lib/csu/sh/md_init.h index e98b6044d96..f2940122c4a 100644 --- a/lib/csu/sh/md_init.h +++ b/lib/csu/sh/md_init.h @@ -1,4 +1,4 @@ -/* $OpenBSD: md_init.h,v 1.9 2020/10/14 22:11:19 deraadt Exp $ */ +/* $OpenBSD: md_init.h,v 1.10 2020/10/15 16:30:23 deraadt Exp $ */ /* $NetBSD: dot_init.h,v 1.3 2005/12/24 22:02:10 perry Exp $ */ /*- @@ -136,4 +136,5 @@ __asm(".section " #section "\n" \ "_dl_exit: \n" \ " mov #" STR(SYS_exit) ", r0 \n" \ " .word 0xc380 /* trapa #0x80 */ \n" \ + " sleep /* illegal */ \n" \ ".previous") 
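Review bot: The `sleep /* illegal */` added after the `trapa` word in sh's `_dl_exit` reads like an idle instruction rather than a trap, and the comment `illegal` does not say why it faults. As far as I know `sleep` is privileged on SH and should raise an exception when executed in user mode, but that should be confirmed for the supported CPUs and then written down, e.g. `/* privileged: faults in user mode */`. If that guarantee does not hold on some part, an explicitly undefined opcode emitted with `.word`, as the line above does for `trapa`, would make the intent unambiguous. The enclosing `__asm` macro starts outside the hunk.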
diff --git a/lib/csu/sparc64/md_init.h b/lib/csu/sparc64/md_init.h index a8dc3e6e857..09f0f0cc1ec 100644 --- a/lib/csu/sparc64/md_init.h +++ b/lib/csu/sparc64/md_init.h @@ -1,4 +1,4 @@ -/* $OpenBSD: md_init.h,v 1.8 2020/10/14 22:11:52 deraadt Exp $ */ +/* $OpenBSD: md_init.h,v 1.9 2020/10/15 16:30:23 deraadt Exp $ */ /*- * Copyright (c) 2001 Ross Harvey @@ -104,8 +104,7 @@ "_dl_exit: \n" \ " mov " STR(SYS_exit) ", %g1 \n" \ " t 0 \n" \ - " retl \n" \ - " sub %g0, %o0, %o0 \n" \ + " unimp \n" \ " .previous") |