With this change, randomization can be enabled for all non-fixed
mappings. It means that the base address for the mapping is selected
with a guaranteed amount of entropy (bits). If the mapping was
requested to be superpage aligned, the randomization honours the
superpage attributes.
Although the value of ASLR is diminshing over time as exploit authors
work out simple ASLR bypass techniques, it elimintates the trivial
exploitation of certain vulnerabilities, at least in theory. This
implementation is relatively small and happens at the correct
architectural level. Also, it is not expected to introduce
regressions in existing cases when turned off (default for now), or
cause any significant maintaince burden.
The randomization is done on a best-effort basis - that is, the
allocator falls back to a first fit strategy if fragmentation prevents
entropy injection. It is trivial to implement a strong mode where
failure to guarantee the requested amount of entropy results in
mapping request failure, but I do not consider that to be usable.
I have not fine-tuned the amount of entropy injected right now. It is
only a quantitive change that will not change the implementation. The
current amount is controlled by aslr_pages_rnd.
To not spoil coalescing optimizations, to reduce the page table
fragmentation inherent to ASLR, and to keep the transient superpage
promotion for the malloced memory, locality clustering is implemented
for anonymous private mappings, which are automatically grouped until
fragmentation kicks in. The initial location for the anon group range
is, of course, randomized. This is controlled by vm.cluster_anon,
enabled by default.
The default mode keeps the sbrk area unpopulated by other mappings,
but this can be turned off, which gives much more breathing bits on
architectures with small address space, such as i386. This is tied
with the question of following an application's hint about the mmap(2)
base address. Testing shows that ignoring the hint does not affect the
function of common applications, but I would expect more demanding
code could break. By default sbrk is preserved and mmap hints are
satisfied, which can be changed by using the
kern.elf{32,64}.aslr.honor_sbrk sysctl.
ASLR is enabled on per-ABI basis, and currently it is only allowed on
FreeBSD native i386 and amd64 (including compat 32bit) ABIs. Support
for additional architectures will be added after further testing.
Both per-process and per-image controls are implemented:
- procctl(2) adds PROC_ASLR_CTL/PROC_ASLR_STATUS;
- NT_FREEBSD_FCTL_ASLR_DISABLE feature control note bit makes it possible
to force ASLR off for the given binary. (A tool to edit the feature
control note is in development.)
Global controls are:
- kern.elf{32,64}.aslr.enable - for non-fixed mappings done by mmap(2);
- kern.elf{32,64}.aslr.pie_enable - for PIE image activation mappings;
- kern.elf{32,64}.aslr.honor_sbrk - allow to use sbrk area for mmap(2);
- vm.cluster_anon - enables anon mapping clustering.
PR: 208580 (exp runs)
Exp-runs done by: antoine
Reviewed by: markj (previous version)
Discussed with: emaste
Tested by: pho
MFC after: 1 month
Sponsored by: The FreeBSD Foundation
Differential revision: https://reviews.freebsd.org/D5603
Avoid setting zero bytes beyond the length of the 'thisline' parameters
in i_process() and u_process(), and don't attempt to memset a negative
number of bytes.
MFC after: 1 week
Suggest using -a to egrep to properly see executed commands.
This is a minor improvement to the manpage. A better improvement
would be removal or gigantic warnings.
Sponsored by: Dell EMC
MFC after: 1 week
For example, from the referenced PR [1]:
$ mkdir /tmp/lib/ /tmp/libexec
$ touch /tmp/lib/foo.so
$ install -lrs /tmp/lib/foo.so /tmp/libexec/
The common path identification bits terminate src at /tmp/lib/ and the
destination at /tmp/libe. The subsequent backtracking is then incorrect, as
it traverses the destination and backtraces exactly one level while eating
the 'libexec' because it was previously (falsely) identified as common with
'lib'.
The obvious fix would be to make sure we've actually terminated just after
directory separators and rewind a character if we haven't. In the above
example, we would end up rewinding to /tmp/ and subsequently doing the right
thing.
Test case added.
PR: 235330 [1]
MFC after: 1 week
- Use "in" instead of "on" when referring to directory and UFS partition.
- Switch from hw.physmem to hw.realmem and add a description to
distinguish the two.
- Explain why the "df" command is having trouble displaying ZFS sizes
correctly. Add a bit more descriptive text to help why the output of
"zfs list -o space" should be used.
- Switch to vmstat instead of iostat display for systat(1) as it shows
more information on one screen. Describe what is displayed based on the
text of the man page. Change the list of the other values accordingly.
- Sort the flags to "zfs destroy" alphabetically.
Reviewed by: rgrimes
Approved by: rgrimes
MFC after: 8 days
Differential Revision: https://reviews.freebsd.org/D18993
find(1) ignores -type w passed to it. With this patch find(1) properly
identifies and prints whiteouts.
PR: 126384, 156703
Submitted by: oleg@mamontov.net
MFC after: 1 week
While these warnings are false positives, the use of strdup() instead of
malloc() and strcpy() simplifies and clarifies the code.
While checking the remaining uses of strcpy and strcat I noticed an
assignment of a strlen() to a variable "s", whose value needs to be
preserved for use in later output routines (where it is used to allocate
a buffer). I do not think that the value of "s" will come out lower than
its correct value and thus there is no risk of a buffer overflow, in the
general case, but a specially crafter argument might lead to an overflow.
The bogus assignment to "s" is removed since this value was only used a
single time in the following malloc() call, which has been removed.
MFC after: 2 weeks
Add a bunch of examples on how to use ZFS features like:
- listing available space,
- setting and displaying a userquota,
- displaying pool I/O statistics and pool history,
- displaying the compression ratio for a dataset,
- various list options (sorting, removing headers),
- performing a dry-run of a snapshot delete,
- removing a range of snapshots,
- setting a custom property,
- preventing removal of a snapshot with ZFS holds,
- permission sets for zfs send/receive.
Additionally, clarify the existing examples a bit when
it comes to displaying space by mentioning UFS explicitly.
Other examples include displaying I/O in top(1), querying
sysctl(8) for active CPUs and available RAM. Mention systat(1)
and its options, too.
While here, reformat the example to upload a dmesg(8) a bit
to wrap properly.
Thanks to Allan Jude for his help with some of the ZFS examples.
Reviewed by: dru,allanjude
Approved by: allanjude (earlier version)
MFC after: 3 days
Relnotes: yes (ZFS examples in freebsd-tips)
Differential Revision: https://reviews.freebsd.org/D18541
We already call setutxent() once during initialization. Furthermore,
the subsequent calls occur after the process has entered capability
mode, so they fail, and attempts to fetch database entries fail as
a result.
PR: 235096
Submitted by: fullermd@over-yonder.net
MFC after: 3 days
According to systat(1) :only option is supposed to accept multiple drives
but the parser for its arguments stops after first entry. Fix the parser
logic to accept multiple drives.
PR: 59220
Reported by: Andy Farkas <andyf@speednet.com.au>
MFC after: 1 week
Test failures don't seem to propagate up if atf_check is run in
a pipeline. Thus, the tests continued to pass despite the bug reverted
in r343245.
MFC after: 1 week
It breaks the special mode specified by passing "-" as one of the
input files. Revert for now while we discuss a fix.
PR: 234885
Reported by: delphij
MFC after: now
getopt_long(3) requires the long options be terminated by a NULL block.
Without the terminator, an invalid long option results in a segmentation
fault.
Reported by: Brandon Bergren
MFC after: 1 week
This is mostly a style fix since the code in question is not called multiple
times and doesn't have cummulative effect.
PR: 204953
Submitted by: David Binderman <dcb314@hotmail.com>
MFC after: 1 week
- Limit rights on stdio before opening input files. Otherwise, open()
may return one of the standard descriptors and we end up limiting
rights such that we cannot read from one of the input files.
- Use caph_limit_stdio(), which suppresses EBADF, to ensure that
we don't emit an error if one of the stdio streams is closed.
- Don't bother further limiting rights on stdin when stdin isn't going
to be used. Doing so correctly requires checking for a number of
edge cases, and it doesn't provide any significant benefit.
PR: 234885
Reviewed by: oshogbo
MFC after: 3 days
Sponsored by: The FreeBSD Foundation
Differential Revision: https://reviews.freebsd.org/D18860
bc.y: Rev 1.50
- write parse errors to stderr, prompted by Martijn Dekker
- we're only interactive if stdout en stderr are a tty as well as stdin
PR: 234430
Obtained from: OpenBSD
MFC after: 1 week
The goal of this change is to make it easier to use getconf to query
the number of available processors.
Sadly it's unclear per POSIX, which form (with a preceding _ or
lacking it) is correct. I will bring this up on the Austin Group list so
this point is clarified for implementors that might rely on this getconf
variable in future POSIX spec versions.
This is something I noticed when trying to import GoogleTest to FreeBSD
as one of the CI scripts uses this variable on Linux.
MFC after: 2 weeks
Approved by: emaste (mentor)
Differential Revision: https://reviews.freebsd.org/D18640
The default build should install bsdgrep(1) and grep(1), with the latter
being gnugrep(1). WITH_BSD_GREP flips this situation such that we have
gnugrep(1) and grep(1), with the latter being bsdgrep(1).
Changes to start installing the zgrep script out of usr.bin/grep
inadvertently altered the default build such that grep(1) was being
installed, and it was bsdgrep(1). Correct the typo.
Reported by: bcran
MFC after: 3 days
This merge brings in a couple new files, which needed to be attached to the
build; a new dependency on <limits.h>, which must be stubbed; and a name
change in the Context parameter constants, from ZSTD_p_foo to ZSTD_c_foo.
Significantly, it fixes a kernel build error with GCC where floating-point
functions were included in the kernel build, by hiding them under the same
compile-time #ifdef that already covered their invocation. That issue was
introduced to FreeBSD in the 1.3.7 update and tracked upstream here:
https://github.com/facebook/zstd/issues/1386
The full 1.3.8 release notes can be found on Github:
https://github.com/facebook/zstd/releases/tag/v1.3.8
Relnotes: yes
BSD ar currently does not support the /SYM64/ 64-bit symbol table, and
previously truncated to 32-bits, silently producing corrupted archives
larger than 4GB.
This is another overflow case in addtion to r342575.
PR: 234454
Reported by: Aijaz Baig, imp
MFC after: 2 weeks
MFC with: r342575
Sponsored by: The FreeBSD Foundation
BSD ar currently does not support the /SYM64/ 64-bit symbol table, and
previously truncated to 32-bits, silently producing corrupted archives
larger than 4GB.
Note that this is only a partial fix; additional checks will come.
PR: 234454
Reported by: Aijaz Baig, imp
MFC after: 2 weeks
Sponsored by: The FreeBSD Foundation
- Add missing parameters to flags in the description of available options.
- Remove spaces between alternative parameters and "|".
- Align descriptions of options to the longest option.
- Use em dash instead of a hyphen.
Reviewed by: bcr
Approved by: doc (bcr)
Approved by: krion (mentor, implicit), mat (mentor, implicit)
Differential Revision: https://reviews.freebsd.org/D18608