Age | Commit message | Author |
|
question during upgrade.
suggested by abieber
positive feedback deraadt krw
ok tb abieber
|
found by deraadt
|
Reminded by tb@
|
random cookies to protect access to function return instructions, with the
effect that the integrity of the return address is protected, and function
return instructions are harder to use in ROP gadgets.
On function entry the return address is combined with a per-function random
cookie and stored in the stack frame. The integrity of this value is verified
before function return, and if this check fails, the program aborts. In this way
RETGUARD is an improved stack protector, since the cookies are per-function. The
verification routine is constructed such that the binary space immediately
before each ret instruction is padded with int03 instructions, which makes these
return instructions difficult to use in ROP gadgets. In the kernel, this has the
effect of removing approximately 50% of total ROP gadgets, and 15% of unique
ROP gadgets compared to the 6.3 release kernel. Function epilogues are
essentially gadget free, leaving only the polymorphic gadgets that result from
jumping into the instruction stream partway through other instructions. Work to
remove these gadgets will continue through other mechanisms.
Remaining work includes adding this mechanism to assembly routines, which must
be done by hand. Many thanks to all those who helped test and provide feedback,
especially deraadt, tb, espie and naddy.
ok deraadt@
|
and /usr/libexec/cpp are supposed to be hardlinks of /usr/bin/clang. The move
of /usr/bin/cc to the base set to allow kernel relinking resulted in it being
a copy and not a hardlink. Move the other files to the base set too to ensure
all are hardlinks.
Noticed by Anthony Coulter
OK deraadt
|
ok deraadt@ millert@
|
adjust the speed of the 'console' ttys entry to reflect the speed of the
console being used to install.
Makes for a smoother install on Rockchip devices for which the SoC vendor
had the not so brilliant idea that 1500000 is a suitable default speed.
ok benno@, tb@
|
with a default speed of 115200 since that is what we have on armv7 and arm64.
ok benno@, tb@
|
ok tb@
|
made sticky.
Found and fix suggested by joshua megerman () iwco com, thanks!
Tested & ok rpe
|
Delete a bunch of unnecessary #includes and sort to match style(9)
while doing the above cleanup.
ok deraadt@ krw@
|
OK deraadt
|
script doesn't need support for the 3rd choice.
|