Age | Commit message | Author |
|
ok tb@
|
ok visa@, tb@
|
locking.
ok visa@, bluhm@
|
of calling sofree(), when its PCB is detached.
This is different from TCP which does not always detach `inpcb's from
sockets. In the pfkey & routing case calling sofree() there is a noop
whereas for TCP it's needed to free closed connections.
Having fewer sofree() makes it easier to understand the code and move
the locks down.
ok visa@
|
ok stsp@ claudio@ jca@
|
ok stsp@ claudio@ jca@
|
random cookies to protect access to function return instructions, with the
effect that the integrity of the return address is protected, and function
return instructions are harder to use in ROP gadgets.
On function entry the return address is combined with a per-function random
cookie and stored in the stack frame. The integrity of this value is verified
before function return, and if this check fails, the program aborts. In this way
RETGUARD is an improved stack protector, since the cookies are per-function. The
verification routine is constructed such that the binary space immediately
before each ret instruction is padded with int03 instructions, which makes these
return instructions difficult to use in ROP gadgets. In the kernel, this has the
effect of removing approximately 50% of total ROP gadgets, and 15% of unique
ROP gadgets compared to the 6.3 release kernel. Function epilogues are
essentially gadget free, leaving only the polymorphic gadgets that result from
jumping into the instruction stream partway through other instructions. Work to
remove these gadgets will continue through other mechanisms.
Remaining work includes adding this mechanism to assembly routines, which must
be done by hand. Many thanks to all those who helped test and provide feedback,
especially deraadt, tb, espie and naddy.
ok deraadt@
|
ok jsg@
|
"where is the kaboom?" deraadt@
|
ok hackroom@
|
ok jsg@
|
free-form text.
ok jmc@
|
ok gilles@
|
for EL0/userland. MIDR value from ATF.
ok kettenis@
|
closing a LARVAL file.
Found the hard way by sthen@.
|
curproc's xstate ("extended state") is loaded in the CPU or not.
- context switch, sendsig(), vmm, and doing CPU crypto in the kernel all
check the flag and, if set, save the old thread's state to the PCB,
clear the flag, and then load the _blank_ state
- when returning to userspace, if the flag is clear then set it and restore
the thread's state
This simpler tracking also fixes the restoring of FPU state after nested
signal handlers.
With this, %cr0's TS flag is never set, the FPU #DNA trap can no
longer happen, and IPIs are no longer necessary for flushing or
syncing FPU state; on the other hand, restoring xstate while returning
to userspace means we have to handle xrstor faulting if we could
be loading an altered state. If that happens, reset the state,
fake a #GP fault (SIGBUS), and recheck for ASTs.
While here, regularize fxsave/fxrstor vs xsave/xrstor handling, by
using codepatching to switch to xsave/xrstor when present in the
CPU. In addition, code patch in use of xsaveopt in most places
when the CPU supports that. Use the 64bit-wide variants of the
instructions in all cases so that x87 instruction fault IPs are
reported correctly.
This change has three motivations:
1) with modern clang, SSE registers are used even in rcrt0.o, making
lazy FPU switching a smaller benefit vs trap costs
2) the Intel SDM warns that lazy FPU switching may increase power costs
3) post-Spectre rumors suggest that the %cr0 TS flag might not block
speculation, permitting leaking of information about FPU state
(AES keys?) across protection boundaries.
tested by many in snaps; prodding from deraadt@
|
redundant references to termios and favor Po/Pc for parenthesis enclosing.
ok jmc@ schwarze@
|
Move AST handling from the bottom of alltraps and Xdoreti to the
top of the new routine.
syscall-return-via-iretq and the FPU #DNA trap jump into intr_user_exit after
the AST check (already performed for the former, skipped for the latter)
Delete a couple debugging hooks mlarkin@ and I used during Meltdown work
tested by many in snaps; thanks to brynet@ for spurious interrupt testing
earlier reviews and comments kettenis@ mlarkin@; prodding from deraadt@
|
that OpenBSD runs on.
ok patrick@
|
to look up the mapping for the futex address.
ok visa@, mpi@
|
ok millert@
|
and that rules are evaluated sequentially, first match wins;
ok gilles
|
immediately above also uses this notation, it's shorter, and it keeps
two examples in the man page which claim to be the same as the default config
(but with exceptions) in sync;
ok gilles
|
Missed during the "Namecache revamp" in 2009.
Reported by Georg Bege <georg at bege dot email>, thanks.
OK visa jmc mpi jca
|
OK bluhm jca
|
OK bluhm mpi jca
|
OK bluhm deraadt jca
|
unused since v1.76, ca 5.3
ok kettenis@ deraadt@
|
Patch submitted by Nan Xiao, ok tb@ sthen@ millert@ deraadt@ jca@
|
that will be executed (with recipient privileges) before calling the users'
mail delivery agent
ok eric@
|
local variable dangling, so calculate the lock address by hand at invocation
ok kettenis
|
mode, so switch from 1-bit to 4-bit bus width if the host controller
supports it.
ok kettenis@
|
Most terminals have scrollback options, or can be achieved via tmux, so
it's not needed.
OK millert@
|
POSIX states: "An empty command list shall be equivalent to the p command",
so changing the behaviour of a null-command in any other case is a
violation of POSIX.
OK millert@
|
pf_state_insert(), so the state key has not been set. When inlining,
the compiler recognized the NULL pointer dereference in
s->key[PF_SK_STACK]->proto and optimized it away. But if pf.c was
compiled with -fno-inline, the system crashed during boot. Add a
NULL check in pf_set_protostate() to handle the situation when the
function is called.
OK sashan@ henning@
|
allows delivery as well as relaying (for authenticated users), and that
passing to an external mda is possible, but not required;
ok gilles
|
from markus@; OK mpi@
|
ok gilles
|
ok kettenis@
|
ok kettenis@
|
ok deraadt@
|
Use that in three places:
- vfs_stall()
- sys_mount()
- dounmount()'s MNT_FORCE-does-recursive-unmounts case
ok deraadt@ visa@
|