authorAlexander Bluhm <bluhm@cvs.openbsd.org>2017-06-08 17:14:03 +0000
committerAlexander Bluhm <bluhm@cvs.openbsd.org>2017-06-08 17:14:03 +0000
commitfa03989c2a6987373f0f0afb9944b9976c720e37 (patch)
tree88c0401b0c3f38361b0d35cc7fb85c99ee0978b5
parentd5232db52d2561b36d287e4d09fd411f122c60ac (diff)
ASLR, W^X, and guard pages trigger processor traps that result in
SIGILL, SIGBUS, SIGSEGV signals. Make such memory violations visible in lastcomm(1). This also works if a program tries to hide them with a signal handler. Manual kill -SEGV does not generate false positives. OK deraadt@
-rw-r--r--share/man/man5/acct.56
-rw-r--r--sys/kern/kern_sig.c10
-rw-r--r--sys/sys/acct.h3
-rw-r--r--usr.bin/lastcomm/lastcomm.111
-rw-r--r--usr.bin/lastcomm/lastcomm.c3
5 files changed, 24 insertions, 9 deletions
diff --git a/share/man/man5/acct.5 b/share/man/man5/acct.5
index ec5fb0bff3e..f76943df1bd 100644
--- a/share/man/man5/acct.5
+++ b/share/man/man5/acct.5
@@ -1,4 +1,4 @@
-.\" $OpenBSD: acct.5,v 1.15 2015/09/10 17:55:21 schwarze Exp $
+.\" $OpenBSD: acct.5,v 1.16 2017/06/08 17:14:02 bluhm Exp $
.\" $NetBSD: acct.5,v 1.4 1995/10/22 01:40:10 ghudson Exp $
.\"
.\" Copyright (c) 1991, 1993
@@ -30,7 +30,7 @@
.\"
.\" @(#)acct.5 8.1 (Berkeley) 6/5/93
.\"
-.Dd $Mdocdate: September 10 2015 $
+.Dd $Mdocdate: June 8 2017 $
.Dt ACCT 5
.Os
.Sh NAME
@@ -72,6 +72,8 @@ struct acct {
#define ACOMPAT 0x04 /* used compatibility mode */
#define ACORE 0x08 /* dumped core */
#define AXSIG 0x10 /* killed by a signal */
+#define APLEDGE 0x20 /* killed due to pledge violation */
+#define ATRAP 0x40 /* memory access violation */
u_int8_t ac_flag; /* accounting flags */
};
diff --git a/sys/kern/kern_sig.c b/sys/kern/kern_sig.c
index 9d80487026d..067b188b624 100644
--- a/sys/kern/kern_sig.c
+++ b/sys/kern/kern_sig.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: kern_sig.c,v 1.211 2017/04/20 12:59:36 visa Exp $ */
+/* $OpenBSD: kern_sig.c,v 1.212 2017/06/08 17:14:02 bluhm Exp $ */
/* $NetBSD: kern_sig.c,v 1.54 1996/04/22 01:38:32 christos Exp $ */
/*
@@ -759,6 +759,14 @@ trapsignal(struct proc *p, int signum, u_long trapno, int code,
struct sigacts *ps = pr->ps_sigacts;
int mask;
+ switch (signum) {
+ case SIGILL:
+ case SIGBUS:
+ case SIGSEGV:
+ pr->ps_acflag |= ATRAP;
+ break;
+ }
+
mask = sigmask(signum);
if ((pr->ps_flags & PS_TRACED) == 0 &&
(ps->ps_sigcatch & mask) != 0 &&
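Review bot: The new `switch (signum)` in trapsignal() sets ATRAP before the `ps_sigcatch` test that follows, so the flag is recorded even when the process catches the signal and keeps running; the commit message intends this, but nothing in the code says so. A short comment above the switch would keep a later cleanup from moving it below the handler check, for example `/* Record the trap for accounting before the handler check, so catching the signal cannot hide it. */`. Anyone alerting on the flag should also expect it from programs that handle these signals on purpose, since it marks a trap rather than a kill. trapsignal() starts and ends outside the hunk, so the type of `ps_acflag` and any locking around this update are not visible here.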
diff --git a/sys/sys/acct.h b/sys/sys/acct.h
index efcb03e2411..4e17b45c03b 100644
--- a/sys/sys/acct.h
+++ b/sys/sys/acct.h
@@ -1,4 +1,4 @@
-/* $OpenBSD: acct.h,v 1.6 2017/06/07 20:53:59 bluhm Exp $ */
+/* $OpenBSD: acct.h,v 1.7 2017/06/08 17:14:02 bluhm Exp $ */
/* $NetBSD: acct.h,v 1.16 1995/03/26 20:23:52 jtc Exp $ */
/*-
@@ -62,6 +62,7 @@ struct acct {
#define ACORE 0x08 /* dumped core */
#define AXSIG 0x10 /* killed by a signal */
#define APLEDGE 0x20 /* killed due to pledge violation */
+#define ATRAP 0x40 /* memory access violation */
u_int8_t ac_flag; /* accounting flags */
};
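Review bot: The comment on `ATRAP` says "memory access violation", but the kern_sig.c hunk in this commit also sets the flag for SIGILL, and unlike the neighbouring `AXSIG` and `APLEDGE` it does not mean the process was killed. A comment such as `/* trapped with SIGILL, SIGBUS or SIGSEGV */` would match what the kernel records. With 0x40 taken, 0x80 is the only value above it that still fits in the `u_int8_t ac_flag` field, which deserves a remark next to the flag list before another flag is added.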
diff --git a/usr.bin/lastcomm/lastcomm.1 b/usr.bin/lastcomm/lastcomm.1
index 12b0156e648..0fca39005b7 100644
--- a/usr.bin/lastcomm/lastcomm.1
+++ b/usr.bin/lastcomm/lastcomm.1
@@ -1,4 +1,4 @@
-.\" $OpenBSD: lastcomm.1,v 1.17 2017/06/07 20:53:59 bluhm Exp $
+.\" $OpenBSD: lastcomm.1,v 1.18 2017/06/08 17:14:02 bluhm Exp $
.\" $NetBSD: lastcomm.1,v 1.5 1995/10/22 01:43:41 ghudson Exp $
.\"
.\" Copyright (c) 1980, 1990, 1993
@@ -30,7 +30,7 @@
.\"
.\" @(#)lastcomm.1 8.1 (Berkeley) 6/6/93
.\"
-.Dd $Mdocdate: June 7 2017 $
+.Dd $Mdocdate: June 8 2017 $
.Dt LASTCOMM 1
.Os
.Sh NAME
@@ -114,11 +114,14 @@ indicates the command terminated with the generation of a
.Pa core
file,
.Sq X
-indicates the command was terminated with a signal, and
+indicates the command was terminated with a signal,
.Sq P
indicates the command was terminated due to a
.Xr pledge 2
-violation.
+violation, and
+.Sq T
+indicates the command did a memory access violation detected by a
+processor trap.
.Sh FILES
.Bl -tag -width /var/account/acct -compact
.It Pa /var/account/acct
diff --git a/usr.bin/lastcomm/lastcomm.c b/usr.bin/lastcomm/lastcomm.c
index 155b270d7b3..5d12ad76a6e 100644
--- a/usr.bin/lastcomm/lastcomm.c
+++ b/usr.bin/lastcomm/lastcomm.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: lastcomm.c,v 1.25 2017/06/07 20:53:59 bluhm Exp $ */
+/* $OpenBSD: lastcomm.c,v 1.26 2017/06/08 17:14:02 bluhm Exp $ */
/* $NetBSD: lastcomm.c,v 1.9 1995/10/22 01:43:42 ghudson Exp $ */
/*
@@ -174,6 +174,7 @@ flagbits(int f)
BIT(ACORE, 'D');
BIT(AXSIG, 'X');
BIT(APLEDGE, 'P');
+ BIT(ATRAP, 'T');
*p = '\0';
return (flags);
}
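Review bot: `BIT(ATRAP, 'T');` can append one more character to `flags`, whose declaration and the `BIT` macro are outside the hunk, so confirm the buffer still holds every flag letter plus the terminating NUL written by `*p = '\0';`. If the size is a bare number, a comment beside it naming the number of flags would make the next addition safer. flagbits() starts outside the hunk.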