summaryrefslogtreecommitdiff
path: root/libexec
AgeCommit message (Collapse)Author
2019-11-29Repurpose the "syscalls must be on a writeable page" mechanism toTheo de Raadt
enforce a new policy: system calls must be in pre-registered regions. We have discussed more strict checks than this, but none satisfy the cost/benefit based upon our understanding of attack methods, anyways let's see what the next iteration looks like. This is intended to harden (translation: attackers must put extra effort into attacking) against a mixture of W^X failures and JIT bugs which allow syscall misinterpretation, especially in environments with polymorphic-instruction/variable-sized instructions. It fits in a bit with libc/libcrypto/ld.so random relink on boot and no-restart-at-crash behaviour, particularily for remote problems. Less effective once on-host since someone the libraries can be read. For static-executables the kernel registers the main program's PIE-mapped exec section valid, as well as the randomly-placed sigtramp page. For dynamic executables ELF ld.so's exec segment is also labelled valid; ld.so then has enough information to register libc's exec section as valid via call-once msyscall(2) For dynamic binaries, we continue to to permit the main program exec segment because "go" (and potentially a few other applications) have embedded system calls in the main program. Hopefully at least go gets fixed soon. We declare the concept of embedded syscalls a bad idea for numerous reasons, as we notice the ecosystem has many of static-syscall-in-base-binary which are dynamically linked against libraries which in turn use libc, which contains another set of syscall stubs. We've been concerned about adding even one additional syscall entry point... but go's approach tends to double the entry-point attack surface. This was started at a nano-hackathon in Bob Beck's basement 2 weeks ago during a long discussion with mortimer trying to hide from the SSL scream-conversations, and finished in more comfortable circumstances next to a wood-stove at Elk Lakes cabin with UVM scream-conversations. ok guenther kettenis mortimer, lots of feedback from others conversations about go with jsing tb sthen
2019-11-28Unrevert: this change was unrelatedPhilip Guenther
2019-11-28Revert yesterday's _dl_md_reloc() and _dl_md_reloc_got() changes:Philip Guenther
something's broken on at least i386.
2019-11-27Delete now obsolete commentsPhilip Guenther
2019-11-27unifdef: hppa does HAVE_JMPREL and does not have DT_PROCNUMPhilip Guenther
2019-11-27armv7 and aarch64 specify GLOB_DAT as having an addend, so treat itPhilip Guenther
exactly like the ABS{32,64} relocation there. noted by and ok kettenis@
2019-11-26Clean up _dl_md_reloc(): instead of having tables and piles of conditionalsPhilip Guenther
that handle a dozen relocation types for each, just have a nice little switch for the four specific relocations that actually occur. Besides being smaller and easier to understand, this fixes the COPY relocation handling to only do one symbol lookup, instead of looking up the symbol and then immediately looking it up again (with the correct flags to find the instance it needs). ok kettenis@
2019-11-26Make aarch64, amd64, arm, and i386 more like sparc64: move non-lazyPhilip Guenther
relocation from _dl_md_reloc() to _dl_md_reloc_all_plt() which has the minimal code to do it. Also, avoid division on PLTRELSZ; just use it to offset to the end. ok kettenis@
2019-11-10Simplify the handling of the explicit relocations based on ld.so onlyPhilip Guenther
have NONE and REL32_64 relocations w/o symbol. ok visa@
2019-11-10unifdef HAVE_JMPREL, delete dt_pltrelsz handling (which was only usedPhilip Guenther
in the HAVE_JMPREL case anyway), and reduce #includes to match boot.c ok visa@
2019-11-10Recommit CHECK_LDSO bits for mips64, verified on both loongson and octeon.Philip Guenther
ok visa@
2019-10-24Delete unused support for relocations that don't require alignment.Philip Guenther
ok mpi@ kettenis@
2019-10-23Prefer the size-independent ELF identifiers over the size-specific ones.Philip Guenther
Strip superfluous parens from return statements while here. Done programatically with two perl invocations idea ok kettenis@ drahn@ ok visa@
2019-10-21Whoops: backout mips64+hppa CHECK_LDSO bits: they weren't done and weren'tPhilip Guenther
part of the review. My fail for forgetting to diff my tree against what was reviewed problem noted by deraadt@
2019-10-20For more archs, ld.so itself only needs/uses the arch's "just add load offset"Philip Guenther
'relative' relocation. Take advantage of that to simplify ld.so's self-reloc code: * give the exceptional archs (hppa and mips64) copies of the current boot.c as boot_md.c * teach the Makefile to use boot_md.c when present * reduce boot.c down to the minimum necessary to handle just relative reloc * teach the Makefile to fail if the built ld.so has other types of relocs ok visa@ kettenis@
2019-10-05Tighten handling of pure relative DIR32 relocations and those referencingPhilip Guenther
sections; despite being a RELA arch, ld.so was making assumptions about the initialization of the targeted location. Add the relative relocation optimization, handling relocations covered by the DT_RELACOUNT value in a tight loop. ok mpi@ deraadt@
2019-10-05Delete some obsolete debugging #ifdefs blocksPhilip Guenther
ok mlarkin@, mpi@, krw@, deraadt@
2019-10-04Convert the child_list member from a linked list to a vector.Philip Guenther
ok mpi@
2019-10-03Use a better algorithm for calculating the grpsym library order.Philip Guenther
The existing code did a full recursive walk for O(horrible). Instead, keep a single list of nodes plus the index of the first node whose children haven't been scanned; lookup until that index catches the end, appending the unscanned children of the node at the index. This also makes the grpsym list order match that calculated by FreeBSD and glibc in dependency trees with inconsistent ordering of dependent libs. To make this easier and more cache friendly, convert grpsym_list to a vector: the size is bounded by the number of objects currently loaded. Other, related fixes: * increment the grpsym generation number _after_ pushing the loading object onto its grpsym list, to avoid double counting it * increment the grpsym generation number when building the grpsym list for an already loaded object that's being dlopen()ed, to avoid incomplete grpsym lists * use a more accurate test of whether an object already has a grpsym list Prompted by a diff from Nathanael Rensen (nathanael (at) list.polymorpheus.com) that pointed to _dl_cache_grpsym_list() as a performance bottleneck. Much proding from robert@, sthen@, aja@, jca@ no problem reports after being in snaps ok mpi@
2019-09-30Oops: the call to ofree() in orealloc() was misconverted into a call toPhilip Guenther
_dl_free(), which would trigger a "recursive call" assertion...if we had ever realloced in ld.so ok deraadt@
2019-09-28Add where missing and harmonize PATH to be _PATH_DEFPATH (without local norAntoine Jacoutot
X11R6). Suggested by tb@ ok deraadt@ tb@ millert@
2019-09-02Remove some duplicate symbol definitions.mortimer
ok visa@ guenther@
2019-08-31Delete the last argument to fit recent _dl_find_symbol change.Kenji Aoyama
ok guenther@
2019-08-23update tradcpp to 0.5.3Jonathan Gray
2019-08-09Use NULL for second gettimeofday(2) argument; ok deraadt@ kettenis@cheloha
2019-08-09Fix pointless cast: (struct timezone *)0 -> NULLcheloha
2019-08-06By now we are already confident that pledge(2) "just works(tm)" and that it canRicardo Mestre
be used to effectively remove filesystem access. That being said, in spamd(8) when I pledge(2)d it the main priv process got "stdio inet" which means there's no fs access at all so calling chroot(2)/chdir(2) here doesn't get us any additional protection. Just remove them. OK deraadt@ and no objections from schwarze@
2019-08-06Factor out TEXTREL mprotecting from the per-arch files into _dl_rtld(),Philip Guenther
hiding the actual grotty bits in inline functions ok mpi@
2019-08-04Simplify _dl_find_symbol(). Currently, it returns three values:Philip Guenther
- the symbol it found, returned via the second argument - the base offset of the the object it was found in, via the return value - optionally: the object it was found in, returned via the last argument Instead, return a struct with the symbol and object pointers and let the caller get the base offset from the object's obj_base member. On at least aarch64, amd64, mips64, powerpc, and sparc64, a two word struct like this is passed in registers. ok mpi@, kettenis@
2019-08-03The ABI says JUMP_SLOT relocations don't have an addend, so don't add it inPhilip Guenther
ok kettenis@
2019-08-03Suppress DWARF2 warnings on clang archs by building with -gdwarf-4Philip Guenther
ok deraadt@, kettenis@
2019-07-30shorten the failure message, it should not wrap a line.Theo de Raadt
2019-07-25Fix copy pasto, re-add missing goto in error path.Bryan Steele
2019-07-25Yet another workaround for crappy libpcap API designBryan Steele
Add an internal version of pcap_open_live that ensures bpf(4) devices are opened read-only before locking. Neither pflogd(8) or spamlogd(8) require write access to bpf(4). Inspired by similar solution in OpenBSD tcpdump(8). pflogd(8) was safe since being unveiled last year, but spamlogd(8) was having /dev/bpf opened O_RDWR. Issue discovered by bluhm@'s unveil(2) accounting commit. ok deraadt@, mestre@ (thanks for testing spamlogd!)
2019-07-24Ever since I introduced pledge(2) on spamd(8) the chroot'ed process, if runningRicardo Mestre
in default, cannot get anywhere near the filesystem since its only promises are "stdio inet". Furthermore, in blacklist mode this same codepath is not chroot'ed but once again it gets the same pledge(2). Therefore we can remove the BUGS section from spamd(8)'s manpage. OK millert@ deraadt@
2019-07-21In 2004, we upgraded to binutils 2.14 with did -zcombreloc by default.Philip Guenther
In 2013, I implemented the single-entry LRU cache that gets the maximal symbol reuse from combreloc. Since then, the ld.so generic relocation symcache has been a waste of CPU and memory with 0% hit-rate, so kill it. ok mpi@
2019-07-14ld.so's $ORIGIN handling when argv[0] is a relative path was broken byPhilip Guenther
the change in __getcwd(2)'s return value. Fix it by switching to the __realpath(2) syscall, eliminating the ld.so copy of realpath(). problem caught by regress and noted by bluhm@ ok deraadt@
2019-07-03snprintf/vsnprintf return < 0 on error, rather than -1.Theo de Raadt
2019-07-01Compile with -fno-jump-tables to avoid relocations in _dl_boot_bind() whenMark Kettenis
building with clang. ok deraadt@, visa@
2019-07-01Remove stray comma.Mark Kettenis
ok deraadt@, visa@
2019-06-28When system calls indicate an error they return -1, not some arbitraryTheo de Raadt
value < 0. errno is only updated in this case. Change all (most?) callers of syscalls to follow this better, and let's see if this strictness helps us in the future.
2019-06-28When system calls indicate an error they return -1, not some arbitraryTheo de Raadt
value < 0. errno is only updated in this case. Change all (most?) callers of syscalls to follow this better, and let's see if this strictness helps us in the future.
2019-06-23Explicitly lock unveil. Noticed when testing the recent ps(1) commit exposingrob
the unveil state of running processes. ok deraadt@
2019-06-20after installing new kernel, do a sync(8) to encourage lazy buffers toTheo de Raadt
make it to disk (discussion with tedu)
2019-06-07make gc workaround compile on non-clangTheo de Raadt
2019-06-04Disable the unmapping of ld.so's boot data for now, as boehm-gc apparentlyPhilip Guenther
follows some pointer into the middle of it. Best to keep things working while tracking down the wonkiness. problem noted by naddy@
2019-05-12Indentation fixPhilip Guenther
2019-05-11Prune visited leaves when walking dependencies to call init functions inPhilip Guenther
topological sort order, reducing it to O(n) from O(2^n) (ouch!) diff from Nathanael Rensen (nathanael(at)list.polymorpheus.com) Much testing and pleading by robert@ and ajacoutot@ ok drahn@ mpi@
2019-05-10ld.so boot cleanup support:Philip Guenther
- put functions and data which are only used before calling the executable's start function into their own page-aligned segments for unmapping (only done on amd64, arm64, armv7, powerpc, and sparc64 so far) - pass .init_array and .preinit_array functions an addition argument which is a callback to get a structure which includes a function that frees the boot text and data - sometimes delay doing RELRO processing: for a shared-object marked DF_1_INITFIRST do it after the object's .init_array, for the executable do it after the .preinit_array - improve test-ld.so to link against libpthread and trigger its initialization late libc changes to use this will come later ok kettenis@
2019-05-08rm dead code and simplify ftpd_popen. this code has only calledTed Unangst
its statically linked ls_main for some time now. from Jan Klemkow ok deraadt