Commit Graph

149 Commits

Author SHA1 Message Date
Konrad Witaszczyk
3c7ccf15c7 Fix bugs found by Coverity in decryptcore(8) and savecore(8):
- Perform final decryption and write decrypted data in case of non-block aligned
input data;
- Use strlcpy(3) instead of strncpy(3) to verify if paths aren't too long;
- Check errno after calling unlink(2) instead of calling stat(2) in order to
verify if a decrypted core was created by a child process;
- Free dumpkey.

Reported by:	Coverity, cem, pfg
Suggested by:	cem
CID:		1366936, 1366942, 1366951, 1366952
Approved by:	pjd (mentor)
2017-02-04 14:10:16 +00:00
Konrad Witaszczyk
480f31c214 Add support for encrypted kernel crash dumps.
Changes include modifications in kernel crash dump routines, dumpon(8) and
savecore(8). A new tool called decryptcore(8) was added.

A new DIOCSKERNELDUMP I/O control was added to send a kernel crash dump
configuration in the diocskerneldump_arg structure to the kernel.
The old DIOCSKERNELDUMP I/O control was renamed to DIOCSKERNELDUMP_FREEBSD11 for
backward ABI compatibility.

dumpon(8) generates an one-time random symmetric key and encrypts it using
an RSA public key in capability mode. Currently only AES-256-CBC is supported
but EKCD was designed to implement support for other algorithms in the future.
The public key is chosen using the -k flag. The dumpon rc(8) script can do this
automatically during startup using the dumppubkey rc.conf(5) variable.  Once the
keys are calculated dumpon sends them to the kernel via DIOCSKERNELDUMP I/O
control.

When the kernel receives the DIOCSKERNELDUMP I/O control it generates a random
IV and sets up the key schedule for the specified algorithm. Each time the
kernel tries to write a crash dump to the dump device, the IV is replaced by
a SHA-256 hash of the previous value. This is intended to make a possible
differential cryptanalysis harder since it is possible to write multiple crash
dumps without reboot by repeating the following commands:
# sysctl debug.kdb.enter=1
db> call doadump(0)
db> continue
# savecore

A kernel dump key consists of an algorithm identifier, an IV and an encrypted
symmetric key. The kernel dump key size is included in a kernel dump header.
The size is an unsigned 32-bit integer and it is aligned to a block size.
The header structure has 512 bytes to match the block size so it was required to
make a panic string 4 bytes shorter to add a new field to the header structure.
If the kernel dump key size in the header is nonzero it is assumed that the
kernel dump key is placed after the first header on the dump device and the core
dump is encrypted.

Separate functions were implemented to write the kernel dump header and the
kernel dump key as they need to be unencrypted. The dump_write function encrypts
data if the kernel was compiled with the EKCD option. Encrypted kernel textdumps
are not supported due to the way they are constructed which makes it impossible
to use the CBC mode for encryption. It should be also noted that textdumps don't
contain sensitive data by design as a user decides what information should be
dumped.

savecore(8) writes the kernel dump key to a key.# file if its size in the header
is nonzero. # is the number of the current core dump.

decryptcore(8) decrypts the core dump using a private RSA key and the kernel
dump key. This is performed by a child process in capability mode.
If the decryption was not successful the parent process removes a partially
decrypted core dump.

Description on how to encrypt crash dumps was added to the decryptcore(8),
dumpon(8), rc.conf(5) and savecore(8) manual pages.

EKCD was tested on amd64 using bhyve and i386, mipsel and sparc64 using QEMU.
The feature still has to be tested on arm and arm64 as it wasn't possible to run
FreeBSD due to the problems with QEMU emulation and lack of hardware.

Designed by:	def, pjd
Reviewed by:	cem, oshogbo, pjd
Partial review:	delphij, emaste, jhb, kib
Approved by:	pjd (mentor)
Differential Revision:	https://reviews.freebsd.org/D4712
2016-12-10 16:20:39 +00:00
Conrad Meyer
8df555925a savecore(8): Fix buffer overrun inspecting disks with varying sector size
A premature optimization lead to caching a native-sector sized memory
allocation.  If the program examined a 512 byte sector disk, then a 4096
byte sector disk, the program would overrun the cached 512 byte buffer.

Just remove the optimization to fix the bug.  This was introduced with the 4Kn
dump support in r298076.

Reported by:	markj
Reviewed by:	markj, rpokala
Sponsored by:	Dell EMC Isilon
Differential Revision:	https://reviews.freebsd.org/D8162
2016-10-06 05:16:44 +00:00
Enji Cooper
3ae587fde4 Don't leak fd on sectorsize malloc failure
Also, call endfsent after calling getfsent (i.e. when not explicitly called
with a swap device) for code cleanliness

CID: 1354785
Differential Revision: https://reviews.freebsd.org/D6014
X-MFC with: r298076
Reported by: Coverity
Reviewed by: cem
Sponsored by: EMC / Isilon Storage Division
2016-04-20 00:49:49 +00:00
Glen Barber
0edd2576c0 MFH
Sponsored by:	The FreeBSD Foundation
2016-04-16 02:32:12 +00:00
Conrad Meyer
fca8407655 savecore(8): Explicitly cast to fix i386 warning 2016-04-15 20:19:32 +00:00
Conrad Meyer
5dc5dab6eb Add 4Kn kernel dump support
(And 4Kn minidump support, but only for amd64.)

Make sure all I/O to the dump device is of the native sector size.  To
that end, we keep a native sector sized buffer associated with dump
devices (di->blockbuf) and use it to pad smaller objects as needed (e.g.
kerneldumpheader).

Add dump_write_pad() as a convenience API to dump smaller objects with
zero padding.  (Rather than pull in NPM leftpad, we wrote our own.)

Savecore(1) has been updated to deal with these dumps.  The format for
512-byte sector dumps should remain backwards compatible.

Minidumps for other architectures are left as an exercise for the
reader.

PR:		194279
Submitted by:	ambrisko@
Reviewed by:	cem (earlier version), rpokala
Tested by:	rpokala (4Kn/512 except 512 fulldump), cem (512 fulldump)
Relnotes:	yes
Sponsored by:	EMC / Isilon Storage Division
Differential Revision:	https://reviews.freebsd.org/D5848
2016-04-15 17:45:12 +00:00
Glen Barber
406d87b1c3 Explicitly add more files to the 'runtime' package.
Sponsored by:	The FreeBSD Foundation
2016-02-09 20:19:31 +00:00
Craig Rodrigues
06691045ba Add more text to explain --libxo flag. 2015-12-01 19:18:53 +00:00
Conrad Meyer
fc6f845ec5 savecore(8): Be quiet unless the user asks for verbose
Make savecore(8) more suitable for init-time scripts; be quiet by default.

Sponsored by:	EMC / Isilon Storage Division
Differential Revision:	https://reviews.freebsd.org/D3229
2015-11-07 23:27:03 +00:00
Alan Somers
49f1692b78 Always check the return value of lseek.
This is a follow-up to r289845, which only fixed one occurence of CID
1009429.

Coverity CID:	1009429
Reviewed by:	markj
MFC after:	2 weeks
X-MFC-With:	r289845
Sponsored by:	Spectra Logic
Differential Revision:	https://reviews.freebsd.org/D4096
2015-11-06 19:18:20 +00:00
Alan Somers
6123d3f697 Fix various Coverity issues in sbin/savecore/savecore.c:
CID1009429: Fix unchecked return value from lseek while clearing dump
CID1007781: Fix file descriptor leak in DoFile
CID1007261: Don't send potentially unterminated string to syslog(3)

Coverity CID:	1009429
Coverity CID:	1007781
Coverity CID:	1007261
MFC after:	2 weeks
Sponsored by:	Spectra Logic
Differential Revision:	https://reviews.freebsd.org/D3991
2015-10-23 19:28:24 +00:00
Enji Cooper
550d2b80ec Make libxo depend on libutil because it uses humanize_number after r287111
Remove overlinking in lib/libxo/tests, sbin/savecore, and
usr.bin/{iscsictl,wc,xo}

PR: 203673
Sponsored by: EMC / Isilon Storage Division
2015-10-18 07:30:50 +00:00
Bryan Drewery
42c4cf86d4 Update META_MODE dependencies. 2015-09-17 05:06:34 +00:00
Marcel Moolenaar
d1a0d267b7 Upgrade libxo to 0.4.5.
Local changes incorporated by 0.4.5: r284340
Local changes retained: r276260, r282117

Obtained from:	https://github.com/Juniper/libxo
2015-08-24 16:26:20 +00:00
Simon J. Gerraty
ccfb965433 Add META_MODE support.
Off by default, build behaves normally.
WITH_META_MODE we get auto objdir creation, the ability to
start build from anywhere in the tree.

Still need to add real targets under targets/ to build packages.

Differential Revision:       D2796
Reviewed by: brooks imp
2015-06-13 19:20:56 +00:00
Simon J. Gerraty
44d314f704 dirdeps.mk now sets DEP_RELDIR 2015-06-08 23:35:17 +00:00
Simon J. Gerraty
98e0ffaefb Merge sync of head 2015-05-27 01:19:58 +00:00
Scott Long
d16528b2da Convert savecore to libxo. The 'verbose' paths still use printf since they're
meant for interactivity on the command line and contain a lot of redundant
information.

Obtained from:	Netflix, Inc.
2015-03-22 17:29:14 +00:00
Baptiste Daroussin
13eb765f2d Convert sbin/ to LIBADD
Reduce overlinking
2014-11-25 11:23:12 +00:00
Simon J. Gerraty
9268022b74 Merge from head@274682 2014-11-19 01:07:58 +00:00
Bryan Drewery
5e93a4b46b If fgets(3) fails in getbounds(), show strerror(3) if not an EOF. Also fix
a FILE* leak in getbounds().

Submitted by:	Conrad Meyer <conrad.meyer@isilon.com>
PR:		192032
Sponsored by:	EMC / Isilon Storage Division
MFC after:	1 week
2014-09-17 19:09:58 +00:00
Simon J. Gerraty
fae50821ae Updated dependencies 2014-05-16 14:09:51 +00:00
Simon J. Gerraty
76b28ad6ab Updated dependencies 2014-05-10 05:16:28 +00:00
Simon J. Gerraty
3b8f084595 Merge head 2014-04-28 07:50:45 +00:00
Christian Brueffer
27e21758b8 Fix double fclose() in an error case.
CID:		1006120
Found with:	Coverity Prevent(tm)
MFC after:	1 week
2014-04-14 21:44:34 +00:00
Mark Johnston
776f03d204 Log the name of the device that we failed to open rather than an
uninitialized buffer.

MFC after:	3 days
2014-03-05 04:15:17 +00:00
Simon J. Gerraty
7cf3a1c6b2 Updated dependencies 2013-03-11 17:21:52 +00:00
Simon J. Gerraty
f5f7c05209 Updated dependencies 2013-02-16 01:23:54 +00:00
David E. O'Brien
d9a447559b Sync with HEAD. 2013-02-08 16:10:16 +00:00
Pawel Jakub Dawidek
165557e269 With rotating kernel dumps the higest dump number is not necessarily the
last one. To make it easier to find the last one create symlinks with 'last'
suffix that will point to the files of the last coredump, eg.:

	info.last -> info.5
	textdump.tar.last.gz -> textdump.tar.5.gz

Reviewed by:	avg
Obtained from:	WHEEL Systems
2012-12-16 23:09:27 +00:00
Pawel Jakub Dawidek
eeff0b1b27 Implement -m option to savecore(8) that allows to limit number of kernel
dumps stored. Once the limit is reached it restarts from 0.

Reviewed by:	avg
Obtained from:	WHEEL Systems
2012-12-16 23:06:12 +00:00
Pawel Jakub Dawidek
30f6c389ae Make use of the fact that we changed working directory to the dump directory
earlier.

Obtained from:	WHEEL Systems
2012-12-16 23:04:31 +00:00
Pawel Jakub Dawidek
3a6e0febc2 Sort flags properly.
Obtained from:	WHEEL Systems
2012-12-16 22:59:58 +00:00
Pawel Jakub Dawidek
87c3930b34 Prefer snprintf() over sprintf().
Obtained from:	WHEEL Systems
2012-12-16 22:59:25 +00:00
Pawel Jakub Dawidek
349d039bdb - When checking if a dump exists on the given device there is no need to
provide dump directory. Eliminate this redundant argument. This changes
  the usage, but the only risk here is that a warning will be printed
  about directory given as device.

- Update usage of -C option.

- When clearing dump header from the given device there is also no need to
  provide dump directory, although additional arguments for -c were not
  documented.

- Document that -v can be used with -c and that list of devices can be given.

Obtained from:	WHEEL Systems
2012-12-14 15:12:08 +00:00
Pawel Jakub Dawidek
22374de9ca The clear option (-c) is not compatible with keep (-k) and compress (-z)
options.

Obtained from:	WHEEL Systems
2012-12-14 15:04:39 +00:00
Pawel Jakub Dawidek
410604696d If we are not going to clear the dump (we are either just checking if the dump
exists or we want to keep it), open device read-only.

Obtained from:	WHEEL Systems
2012-12-14 15:03:12 +00:00
Pawel Jakub Dawidek
26ef9e4a3f Whitespace cleanups. 2012-12-14 15:01:23 +00:00
Marcel Moolenaar
7750ad47a9 Sync FreeBSD's bmake branch with Juniper's internal bmake branch.
Requested by: Simon Gerraty <sjg@juniper.net>
2012-08-22 19:25:57 +00:00
Robert Millan
453856145c Include <signal.h> (for SIGINFO). 2012-04-09 20:55:23 +00:00
Kevin Lo
ecd9e552d0 Remove duplicated header files 2011-06-24 07:29:04 +00:00
Joel Dahl
f041f6a7b7 Remove the advertising clause from UCB copyrighted files in sbin. This
is in accordance with the information at
ftp://ftp.cs.berkeley.edu/pub/4bsd/README.Impt.License.Change
2010-12-12 21:26:12 +00:00
Ruslan Ermilov
106d839190 Switch the default WARNS level for sbin/ to 6.
Submitted by:	Ulrich Spörlein
2009-10-19 16:00:24 +00:00
Ruslan Ermilov
20ba6b0d61 Fixed markup. 2009-09-17 19:15:49 +00:00
Ulf Lilleengen
0d239eefe5 - Add a SIGINFO handler for savecore. 2009-08-25 06:21:45 +00:00
Christian Brueffer
2a72feb42b Correct the information about when the respective functionality first
appeared in FreeBSD.

PR:		133785
Submitted by:	Ulrich Spoerlein <uqs@spoerlein.net>
MFC after:	3 days
2009-04-23 08:37:56 +00:00
Tom Rhodes
138f7e4b30 Apply various fixes:
Silence mdoc(7) warnings;
Xref correct manual pages;
Point user to the ddb.8 manual page.

PR:		129398
Submitted by:	gavin
2008-12-24 11:12:21 +00:00
Robert Watson
df0b82f150 Compare kernel dump header magic with textdump magic using strncmp()
rather than the memcmp() which is used for regular dumps: the
textdump string is one character shorter, so we need to stop
comparing at the end of the string.

Use independent version checking logic for architecture-specific
version number vs. textdump version number, as the version sequences
may (someday) differ.

Run into by:	rrs
2007-12-27 21:28:48 +00:00
Robert Watson
10187cae6e Teach savecore(8) how to extract textdump(4) dumps.
Update savecore(8) man page to reflect textdump additions.

MFC after:	3 months
2007-12-26 11:42:10 +00:00