Commit Graph

967 Commits

Author SHA1 Message Date
dchagin
43c7490c64 Prevent double free of control in common sendmsg path as sosend
already freeing it.
2016-01-17 19:28:13 +00:00
glebius
796cbcc738 Call crextend() before copying old credentials to the new credentials
and replace crcopysafe by crcopy as crcopysafe is is not intended to be
safe in a threaded environment, it drops PROC_LOCK() in while() that
can lead to unexpected results, such as overwrite kernel memory.

In my POV crcopysafe() needs special attention. For now I do not see
any problems with this function, but who knows.

Submitted by:	dchagin
Found by:	trinity
Security:	SA-16:04.linux
2016-01-14 10:16:25 +00:00
glebius
d87c627c80 Change linux get_robust_list system call to match actual linux one.
The set_robust_list system call request the kernel to record the head
of the list of robust futexes owned by the calling thread. The head
argument is the list head to record.
The get_robust_list system call should return the head of the robust
list of the thread whose thread id is specified in pid argument.
The list head should be stored in the location pointed to by head
argument.

In contrast, our implemenattion of get_robust_list system call copies
the known portion of memory pointed by recorded in set_robust_list
system call pointer to the head of the robust list to the location
pointed by head argument.

So, it is possible for a local attacker to read portions of kernel
memory, which may result in a privilege escalation.

Submitted by:	mjg
Security:	SA-16:03.linux
2016-01-14 10:13:58 +00:00
dchagin
04d7fe6b9b Unlock process lock when return error from getrobustlist call and add
an forgotten dtrace probe when return the same error.

MFC after:	3 days
XMFC with:	r292743
2016-01-10 07:36:43 +00:00
dchagin
4d7095f5fe Return EINVAL in case of incorrect sigev_signo value specified instead of panicing. 2015-12-26 09:09:49 +00:00
dchagin
4beab3b762 Do not allow access to emuldata for non Linux processes.
Pointed out by:	mjg@
Security:	https://admbugs.freebsd.org/show_bug.cgi?id=679
2015-12-26 09:04:47 +00:00
markj
fa1b8e9a4f Fix style issues around existing SDT probes.
- Use SDT_PROBE<N>() instead of SDT_PROBE(). This has no functional effect
  at the moment, but will be needed for some future changes.
- Don't hardcode the module component of the probe identifier. This is
  set automatically by the SDT framework.

MFC after:	1 week
2015-12-16 23:39:27 +00:00
kib
05c74cb918 Fix build for the KTR-enabled kernels.
Sponsored by:	The FreeBSD Foundation
2015-10-23 11:41:55 +00:00
bdrewery
923a85693e Remove redundant RFFPWAIT/vfork(2) handling in Linux fork(2) and clone(2) wrappers.
r161611 added some of the code from sys_vfork() directly into the Linux
module wrappers since they use RFSTOPPED.  In r232240, the RFFPWAIT handling
was moved to syscallret(), thus this code in the Linux module is no longer
needed as it will be called later.

This also allows the Linux wrappers to benefit from the fix in r275616 for
threads not getting suspended if their vforked child is stopped while they
wait on them.

Reviewed by:	jhb, kib
MFC after:	2 weeks
Differential Revision:	https://reviews.freebsd.org/D3828
2015-10-07 19:10:38 +00:00
avg
425c0bb088 save some bytes by using more concise SDT_PROBE<n> instead of SDT_PROBE
SDT_PROBE requires 5 parameters whereas SDT_PROBE<n> requires n parameters
where n is typically smaller than 5.

Perhaps SDT_PROBE should be made a private implementation detail.

MFC after:	20 days
2015-09-28 12:14:16 +00:00
trasz
e6a94eac4e Fixes a panic triggered by threaded Linux applications when running
with RACCT/RCTL enabled.

Reviewed by:	ngie@, ed@
Tested by:	Larry Rosenman <ler@lerctr.org>
MFC after:	1 month
Sponsored by:	The FreeBSD Foundation
Differential Revision:	https://reviews.freebsd.org/D3470
2015-09-02 14:04:13 +00:00
ed
0698a33dea Allow the creation of kqueues with a restricted set of Capsicum rights.
On CloudABI we want to create file descriptors with just the minimal set
of Capsicum rights in place. The reason for this is that it makes it
easier to obtain uniform behaviour across different operating systems.

By explicitly whitelisting the operations, we can return consistent
error codes, but also prevent applications from depending OS-specific
behaviour.

Extend kern_kqueue() to take an additional struct filecaps that is
passed on to falloc_caps(). Update the existing consumers to pass in
NULL.

Differential Revision:	https://reviews.freebsd.org/D3259
2015-08-05 07:36:50 +00:00
ed
4495c37125 Limit rights on process descriptors.
On CloudABI, the rights bits returned by cap_rights_get() match up with
the operations that you can actually perform on the file descriptor.

Limiting the rights is good, because it makes it easier to get uniform
behaviour across different operating systems. If process descriptors on
FreeBSD would suddenly gain support for any new file operation, this
wouldn't become exposed to CloudABI processes without first extending
the rights.

Extend fork1() to gain a 'struct filecaps' argument that allows you to
construct process descriptors with custom rights. Use this in
cloudabi_sys_proc_fork() to limit the rights to just fstat() and
pdwait().

Obtained from:	https://github.com/NuxiNL/freebsd
2015-07-31 10:21:58 +00:00
ed
2aaddce9ba Make pipes in CloudABI work.
Summary:
Pipes in CloudABI are unidirectional. The reason for this is that
CloudABI attempts to provide a uniform runtime environment across
different flavours of UNIX.

Instead of implementing a custom pipe that is unidirectional, we can
simply reuse Capsicum permission bits to support this. This is nice,
because CloudABI already attempts to restrict permission bits to
correspond with the operations that apply to a certain file descriptor.

Replace kern_pipe() and kern_pipe2() by a single kern_pipe() that takes
a pair of filecaps. These filecaps are passed to the newly introduced
falloc_caps() function that creates the descriptors with rights in
place.

Test Plan:
CloudABI pipes seem to be created with proper rights in place:

https://github.com/NuxiNL/cloudlibc/blob/master/src/libc/unistd/pipe_test.c#L44

Reviewers: jilles, mjg

Reviewed By: mjg

Subscribers: imp

Differential Revision: https://reviews.freebsd.org/D3236
2015-07-29 17:18:27 +00:00
kib
48ccbdea81 The si_status field of the siginfo_t, provided by the waitid(2) and
SIGCHLD signal, should keep full 32 bits of the status passed to the
_exit(2).

Split the combined p_xstat of the struct proc into the separate exit
status p_xexit for normal process exit, and signalled termination
information p_xsig.  Kernel-visible macro KW_EXITCODE() reconstructs
old p_xstat from p_xexit and p_xsig.  p_xexit contains complete status
and copied out into si_status.

Requested by:	Joerg Schilling
Reviewed by:	jilles (previous version), pho
Tested by:	pho
Sponsored by:	The FreeBSD Foundation
2015-07-18 09:02:50 +00:00
mjg
feeee4c707 fd: make 'rights' a manadatory argument to fget* functions 2015-07-05 19:05:16 +00:00
dchagin
e3f0cc21bd Add EPOLLRDHUP support.
Tested by:	abi at abinet dot ru
2015-06-20 05:40:35 +00:00
mjg
1a3e7a935e Replace struct filedesc argument in getvnode with struct thread
This is is a step towards removal of spurious arguments.
2015-06-16 13:09:18 +00:00
mjg
e196159c32 linux: make sure to grab all cow structs when creating a thread
This is a fixup for r284214.

Reported and tested by: Ivan Klymenko <fidaj ukr.net>
2015-06-10 15:34:43 +00:00
mjg
d7bc9285a6 Implement lockless resource limits.
Use the same scheme implemented to manage credentials.

Code needing to look at process's credentials (as opposed to thred's) is
provided with *_proc variants of relevant functions.

Places which possibly had to take the proc lock anyway still use the proc
pointer to access limits.
2015-06-10 10:48:12 +00:00
jkim
4fefd3d137 Properly initialize flags for accept4(2) not to return spurious EINVAL.
Note this fixes a Linuxulator regression introduced in r283490.

PR:		200662
2015-06-08 20:03:15 +00:00
dchagin
61fe1f4a99 Finish r283544. In exec case properly detach threads from user space
before suicide.
2015-06-06 06:12:14 +00:00
dchagin
50f49b7240 When I merged the lemul branch I missied kib@'s r282708 commit.
This is not the final fix as I need properly cleanup thread resources
before other threads suicide.

Tested by:	Ruslan Makhmatkhanov
2015-05-25 20:44:46 +00:00
dchagin
859a8ae821 Linux nanosleep() and clock_nanosleep() system calls always
writes the remaining time into the structure pointed to by rmtp
unless rmtp is NULL. The value of *rmtp can then be used to call
nanosleep() again and complete the specified pause if the previous
call was interrupted.

Note. clock_nanosleep() with an absolute time value does not write
the remaining time.

While here fix whitespaces and typo in SDT_PROBE.
2015-05-24 18:14:38 +00:00
dchagin
a71dbd5ba1 Convert SCM_TIMESTAMP in recvmsg(). 2015-05-24 18:13:21 +00:00
dchagin
bff1d8cd6f The latest cp tool is trying to use the btrfs clone operation that is
implemented via ioctl interface. First of all return ENOTSUP for this
operation as a cp fallback to usual method in that case. Secondly, do
not print out the message about unimplemented operation.
2015-05-24 18:12:04 +00:00
dchagin
706fa727d7 Fix an mbuf(9) leak in sendmsg() under failure condition and
remove unneeded check for failed M_WAITOK allocation.

Found by: Brainy Code Scanner
Reported by: Maxime Villard
2015-05-24 18:10:07 +00:00
dchagin
5cd0d07723 Implement Linux specific syncfs() system call. 2015-05-24 18:08:01 +00:00
dchagin
d57ed24e49 Properly check tv_nsec value. The tv_nsec field can also be one
of the special value UTIME_NOW or UTIME_OMIT.
2015-05-24 18:06:46 +00:00
dchagin
796d34d09c Since FreeBSD supports SOCK_CLOEXEC & SOCK_NONBLOCK options
remove its emulation via fcntl call from Linuxulator.
2015-05-24 18:06:12 +00:00
dchagin
ea835975de Implement recvmmsg() and sendmmsg() system calls. 2015-05-24 18:04:04 +00:00
dchagin
8164e61122 Reduce duplication between MD Linux code by moving msg related
struct definitions out into the compat/linux/linux_socket.h
2015-05-24 18:03:14 +00:00
dchagin
8e85763052 Implement epoll_pwait() system call. 2015-05-24 18:00:14 +00:00
dchagin
0dfca1d9b3 Convert signal number to native for VT_SETMODE ioctl and remove
strange and invalid ISSIGVALID macro.
The code has not been tested right way but it was originally broken.
2015-05-24 17:59:17 +00:00
dchagin
5361a6bf58 Add utimensat() system call.
The patch developed by Jilles Tjoelker and Andrew Wilcox and
adopted for lemul branch by me.
2015-05-24 17:57:07 +00:00
dchagin
f39b4d2991 Convert Linux signal number to the FreeBSD. 2015-05-24 17:49:09 +00:00
dchagin
fc55d94b46 Rework signal code to allow using it by other modules, like linprocfs:
1. Linux sigset always 64 bit on all platforms. In order to move Linux
sigset code to the linux_common module define it as 64 bit int. Move
Linux sigset manipulation routines to the MI path.

2. Move Linux signal number definitions to the MI path. In general, they
are the same on all platforms except for a few signals.

3. Map Linux RT signals to the FreeBSD RT signals and hide signal conversion
tables to avoid conversion errors.

4. Emulate Linux SIGPWR signal via FreeBSD SIGRTMIN signal which is outside
of allowed on Linux signal numbers.

PR:		197216
2015-05-24 17:47:20 +00:00
dchagin
cace25f46d According to Linux man sigaltstack(3) shall return EINVAL if the ss
argument is not a null pointer, and the ss_flags member pointed to by ss
contains flags other than SS_DISABLE. However, in fact, Linux also
allows SS_ONSTACK flag which is simply ignored.

For buggy apps (at least mono) ignore other than SS_DISABLE
flags as a Linux do.

While here move MI part of sigaltstack code to the appropriate place.

Reported by:	abi at abinet dot ru
2015-05-24 17:44:08 +00:00
dchagin
73fcf6f585 Add EPOLLERR flag handling to epoll.
Tested by:	abi at abinet dot ru
2015-05-24 17:42:45 +00:00
dchagin
65a010b8d9 As fo_fill_kinfo() does not check fo_fill_kinfo to NULL
add a fo_fill_kinfo op to eventfdops.

Reported by:	trinity
2015-05-24 17:40:14 +00:00
dchagin
a346bc7dc8 Add preliminary fallocate system call implementation
to emulate posix_fallocate() function.

Differential Revision:	https://reviews.freebsd.org/D1523
Reviewed by:	emaste
2015-05-24 17:33:21 +00:00
dchagin
34bea3bccb Delete the duplicate of linux_to_native_clockid() function.
Differential Revision:	https://reviews.freebsd.org/D1521
Reviewed by:	trasz
2015-05-24 17:30:31 +00:00
dchagin
0a71d3c7fa Do not use struct l_timespec without conversion. While here move
args->timeout handling before acquiring the futex key at FUTEX_WAIT path.

Differential Revision:	https://reviews.freebsd.org/D1520
Reviewed by:	trasz
2015-05-24 17:29:18 +00:00
dchagin
a97ef012ca Add prototypes for static futex functions.
Differential Revision:	https://reviews.freebsd.org/D1519
Reviewed by:	trasz
2015-05-24 17:27:59 +00:00
dchagin
12e0f2e21b As for now our tmpfs is no longer being considered
"highly experimental" remove /dev/shm magic commited
in r218497 and convert tmpfs type to an expected magic number.

Differential Revision:	https://reviews.freebsd.org/D1497
Reviewed by:	emaste, trasz
2015-05-24 17:26:58 +00:00
dchagin
5a13ec4c64 Print out unsupported futex operation message only once for the process.
Differential Revision:	https://reviews.freebsd.org/D1498
2015-05-24 17:25:57 +00:00
dchagin
8cc36a7686 Add some clock mappings used in glibc 2.20.
Differential Revision:	https://reviews.freebsd.org/D1465
Reviewd by:	trasz
2015-05-24 17:23:08 +00:00
dchagin
e05fc818bd Improve ktr(9) records in thread managment code.
Differential Revision:	https://reviews.freebsd.org/D1464
Reviewed by:	trasz
2015-05-24 17:09:07 +00:00
dchagin
b71a54d0db Use local struct proc * varable instead of dereferencing td->td_proc.
Differential Revision:	https://reviews.freebsd.org/D1463
Reviewed by:	emaste
2015-05-24 17:08:25 +00:00
dchagin
ce8b8e15a8 Avoid unnecessary em zeroing in non-exec path
as it already zeroed by malloc with M_ZERO flag
and move zeroing to the proper place in exec path.

Differential Revision:	https://reviews.freebsd.org/D1462
Reviewed by:	trasz
2015-05-24 17:07:10 +00:00