Commit Graph

14030 Commits

Author SHA1 Message Date
Konstantin Belousov
fa50a3552d Implement Address Space Layout Randomization (ASLR)
With this change, randomization can be enabled for all non-fixed
mappings.  It means that the base address for the mapping is selected
with a guaranteed amount of entropy (bits). If the mapping was
requested to be superpage aligned, the randomization honours the
superpage attributes.

Although the value of ASLR is diminishing over time as exploit authors
work out simple ASLR bypass techniques, it eliminates the trivial
exploitation of certain vulnerabilities, at least in theory.  This
implementation is relatively small and happens at the correct
architectural level.  Also, it is not expected to introduce
regressions in existing cases when turned off (default for now), or
cause any significant maintenance burden.

The randomization is done on a best-effort basis - that is, the
allocator falls back to a first fit strategy if fragmentation prevents
entropy injection.  It is trivial to implement a strong mode where
failure to guarantee the requested amount of entropy results in
mapping request failure, but I do not consider that to be usable.

I have not fine-tuned the amount of entropy injected right now. It is
only a quantitative change that will not change the implementation.  The
current amount is controlled by aslr_pages_rnd.

To not spoil coalescing optimizations, to reduce the page table
fragmentation inherent to ASLR, and to keep the transient superpage
promotion for the malloced memory, locality clustering is implemented
for anonymous private mappings, which are automatically grouped until
fragmentation kicks in.  The initial location for the anon group range
is, of course, randomized.  This is controlled by vm.cluster_anon,
enabled by default.

The default mode keeps the sbrk area unpopulated by other mappings,
but this can be turned off, which gives much more breathing bits on
architectures with small address space, such as i386.  This is tied
with the question of following an application's hint about the mmap(2)
base address. Testing shows that ignoring the hint does not affect the
function of common applications, but I would expect more demanding
code could break. By default sbrk is preserved and mmap hints are
satisfied, which can be changed by using the
kern.elf{32,64}.aslr.honor_sbrk sysctl.

ASLR is enabled on a per-ABI basis, and currently it is only allowed on
FreeBSD native i386 and amd64 (including compat 32bit) ABIs.  Support
for additional architectures will be added after further testing.

Both per-process and per-image controls are implemented:
- procctl(2) adds PROC_ASLR_CTL/PROC_ASLR_STATUS;
- NT_FREEBSD_FCTL_ASLR_DISABLE feature control note bit makes it possible
  to force ASLR off for the given binary.  (A tool to edit the feature
  control note is in development.)
Global controls are:
- kern.elf{32,64}.aslr.enable - for non-fixed mappings done by mmap(2);
- kern.elf{32,64}.aslr.pie_enable - for PIE image activation mappings;
- kern.elf{32,64}.aslr.honor_sbrk - allow to use sbrk area for mmap(2);
- vm.cluster_anon - enables anon mapping clustering.

PR:	208580 (exp runs)
Exp-runs done by:	antoine
Reviewed by:	markj (previous version)
Discussed with:	emaste
Tested by:	pho
MFC after:	1 month
Sponsored by:	The FreeBSD Foundation
Differential revision:	https://reviews.freebsd.org/D5603
2019-02-10 17:19:45 +00:00
Dimitry Andric
7362ea6db0 Fix the first couple of AddressSanitizer violations in usr.bin/top.
Avoid setting zero bytes beyond the length of the 'thisline' parameters
in i_process() and u_process(), and don't attempt to memset a negative
number of bytes.

MFC after:	1 week
2019-02-10 13:44:36 +00:00
Dimitry Andric
2f301637c8 Fix multiple warnings in usr.bin/top about variables shadowing global
declarations from base gcc, by renaming those variables.

MFC after:	1 week
2019-02-10 13:34:21 +00:00
Dimitry Andric
d0f687d30f Fix multiple warnings in usr.bin/top about discarded qualifiers from
both clang and gcc, by either constifying variables, or when that is not
possible, using __DECONST.

MFC after:	1 week
2019-02-10 13:31:08 +00:00
Johannes Lundberg
5515886768 Add myself to committers-src.dot and calendar.freebsd
Reviewed by:	imp (mentor)
Approved by:	imp (mentor)
Differential Revision:	https://reviews.freebsd.org/D19101
2019-02-09 16:53:39 +00:00
Kai Knoblich
78aa2590c1 Add myself to committers-ports.dot and calendar.freebsd
Reviewed by:	miwi (mentor)
Approved by:	miwi (mentor)
Differential Revision:	https://reviews.freebsd.org/D19119
2019-02-08 17:57:39 +00:00
Andriy Voskoboinyk
245a7edb05 newkey(8): fix 'tmpname' memory leak (always) and input file descriptor leak
when output file cannot be opened

PR:		201732
Reported by:	David Binderman <dcb314@hotmail.com>
MFC after:	1 week
2019-02-08 14:31:44 +00:00
Andriy Voskoboinyk
558fe07149 ipcs(1): drop obsolete error checking
This code is not reached since r77551.

PR:		201728
MFC after:	5 days
2019-02-07 14:29:45 +00:00
Ed Maste
0235d5e283 vtfontcvt: whitespace cleanup
PR:		205707
Submitted by:	Dmitry Wagin
2019-02-06 18:50:48 +00:00
Bryan Drewery
ab3cf2b476 Shar files may be seen as binary by grep.
Suggest using -a to egrep to properly see executed commands.

This is a minor improvement to the manpage.  A better improvement
would be removal or gigantic warnings.

Sponsored by:	Dell EMC
MFC after:	1 week
2019-01-31 23:21:18 +00:00
Ed Maste
97d368d62b elfdump: use designated array initialization for note types
This ensures the note type name is in the correct slot.

PR:		228290
Submitted by:	kib
MFC with:	343610
Sponsored by:	The FreeBSD Foundation
2019-01-31 16:49:06 +00:00
Ed Maste
8ae9aa2772 elfdump: fix build after r343610
One patch hunk did not survive the trip from git to svn.

PR:		228290
MFC with:	r343610
2019-01-31 16:21:09 +00:00
Ed Maste
2bc7b0242f elfdump: include note type names
Based on a patch submitted by Dan McGregor.

PR:		228290
MFC after:	1 week
Sponsored by:	The FreeBSD Foundation
2019-01-31 16:19:04 +00:00
Ed Maste
0f663f7258 elfdump: whitespace fixup in advance of other changes
2019-01-31 16:11:15 +00:00
Kyle Evans
6cbda6d943 install(1): Fix relative path calculation with partial common dest/src
For example, from the referenced PR [1]:

$ mkdir /tmp/lib/ /tmp/libexec
$ touch /tmp/lib/foo.so
$ install -lrs /tmp/lib/foo.so /tmp/libexec/

The common path identification bits terminate src at /tmp/lib/ and the
destination at /tmp/libe. The subsequent backtracking is then incorrect, as
it traverses the destination and backtraces exactly one level while eating
the 'libexec' because it was previously (falsely) identified as common with
'lib'.

The obvious fix would be to make sure we've actually terminated just after
directory separators and rewind a character if we haven't. In the above
example, we would end up rewinding to /tmp/ and subsequently doing the right
thing.

Test case added.

PR:		235330 [1]
MFC after:	1 week
2019-01-31 05:20:11 +00:00
Oleksandr Tymoshenko
c245efb99b calendar(1): Fix Aschermittwoch date for Austrian calendar
PR:		165516
Submitted by:	jhs@berklix.com
MFC after:	1 week
2019-01-29 19:54:37 +00:00
Benedict Reuschling
a9ea96eafd A few corrections and clarifications to r343406.
- Use "in" instead of "on" when referring to directory and UFS partition.
- Switch from hw.physmem to hw.realmem and add a description to
distinguish the two.
- Explain why the "df" command is having trouble displaying ZFS sizes
correctly. Add a bit more descriptive text to help explain why the output of
"zfs list -o space" should be used.
- Switch to vmstat instead of iostat display for systat(1) as it shows
more information on one screen. Describe what is displayed based on the
text of the man page. Change the list of the other values accordingly.
- Sort the flags to "zfs destroy" alphabetically.

Reviewed by:	rgrimes
Approved by:	rgrimes
MFC after:	8 days
Differential Revision:	https://reviews.freebsd.org/D18993
2019-01-28 19:54:58 +00:00
Oleksandr Tymoshenko
f2ef15fec4 Fix whiteout support in find(1)
find(1) ignores -type w passed to it. With this patch find(1) properly
identifies and prints whiteouts.

PR:		126384, 156703
Submitted by:	oleg@mamontov.net
MFC after:	1 week
2019-01-28 02:00:39 +00:00
Stefan Eßer
f5ce14028c Silence Clang Scan warnings regarding the use of strcpy().
While these warnings are false positives, the use of strdup() instead of
malloc() and strcpy() simplifies and clarifies the code.

While checking the remaining uses of strcpy and strcat I noticed an
assignment of a strlen() to a variable "s", whose value needs to be
preserved for use in later output routines (where it is used to allocate
a buffer). I do not think that the value of "s" will come out lower than
its correct value and thus there is no risk of a buffer overflow, in the
general case, but a specially crafted argument might lead to an overflow.

The bogus assignment to "s" is removed since this value was only used a
single time in the following malloc() call, which has been removed.

MFC after:	2 weeks
2019-01-24 18:39:45 +00:00
Benedict Reuschling
56d417fd5d Add ZFS usage tips to freebsd-tips.
Add a bunch of examples on how to use ZFS features like:
- listing available space,
- setting and displaying a userquota,
- displaying pool I/O statistics and pool history,
- displaying the compression ratio for a dataset,
- various list options (sorting, removing headers),
- performing a dry-run of a snapshot delete,
- removing a range of snapshots,
- setting a custom property,
- preventing removal of a snapshot with ZFS holds,
- permission sets for zfs send/receive.

Additionally, clarify the existing examples a bit when
it comes to displaying space by mentioning UFS explicitly.
Other examples include displaying I/O in top(1), querying
sysctl(8) for active CPUs and available RAM. Mention systat(1)
and its options, too.
While here, reformat the example to upload a dmesg(8) a bit
to wrap properly.

Thanks to Allan Jude for his help with some of the ZFS examples.

Reviewed by:	dru,allanjude
Approved by:	allanjude (earlier version)
MFC after:	3 days
Relnotes:	yes (ZFS examples in freebsd-tips)
Differential Revision:	https://reviews.freebsd.org/D18541
2019-01-24 18:13:23 +00:00
Mark Johnston
27ed53c311 Remove extraneous setutxent() calls in write(1).
We already call setutxent() once during initialization.  Furthermore,
the subsequent calls occur after the process has entered capability
mode, so they fail, and attempts to fetch database entries fail as
a result.

PR:		235096
Submitted by:	fullermd@over-yonder.net
MFC after:	3 days
2019-01-23 20:02:17 +00:00
Oleksandr Tymoshenko
d65e72a818 Fix systat's :only command parser for the multiple arguments case
According to systat(1) :only option is supposed to accept multiple drives
but the parser for its arguments stops after first entry. Fix the parser
logic to accept multiple drives.

PR:		59220
Reported by:	Andy Farkas <andyf@speednet.com.au>
MFC after:	1 week
2019-01-23 02:46:35 +00:00
Glen Barber
6b27f978f5 Correct a typo: was -> way.
Submitted by:	Larry Hynes
MFC after:	3 days
Sponsored by:	The FreeBSD Foundation
2019-01-21 15:27:58 +00:00
Mark Johnston
109b5c109c Fix cmp(1) tests for "special" mode.
Test failures don't seem to propagate up if atf_check is run in
a pipeline.  Thus, the tests continued to pass despite the bug reverted
in r343245.

MFC after:	1 week
2019-01-21 03:57:49 +00:00
Mark Johnston
33a28349a7 Revert r343117.
It breaks the special mode specified by passing "-" as one of the
input files.  Revert for now while we discuss a fix.

PR:		234885
Reported by:	delphij
MFC after:	now
2019-01-21 03:47:20 +00:00
Oleksandr Tymoshenko
e457729f18 Fix inconsistency in return values introduced by r343222
Consistently return 1 for the case of missing arguments in both functions

PR:		219689
MFC after:	1 week
X-MFC-With:	343222
2019-01-20 19:55:54 +00:00
Oleksandr Tymoshenko
13fe9f7f82 Fix crash in systat(4) when certain commands are called without arguments
Add check for missing arguments to dsmatchselect and dsselect

PR:		219689
Submitted by:	Marko Turk <mt@markoturk.info>
MFC after:	1 week
2019-01-20 19:47:33 +00:00
Justin Hibbits
61ef814f56 Fix top(1) long options handling
getopt_long(3) requires the long options be terminated by a NULL block.
Without the terminator, an invalid long option results in a segmentation
fault.

Reported by:	Brandon Bergren
MFC after:	1 week
2019-01-18 23:26:31 +00:00
Brooks Davis
e4478d7e46 Use a private definition of osockaddr rather than relying on type
namespace pollution in sys/socket.h.

Also remove support for operation on 4.3BSD.

PR:		224529
Differential Revision:	https://reviews.freebsd.org/D14505
2019-01-18 21:30:06 +00:00
Oleksandr Tymoshenko
b63800ac8f Fix descriptor/memory leak in compress(1) code
This is mostly a style fix since the code in question is not called multiple
times and doesn't have a cumulative effect.

PR:		204953
Submitted by:	David Binderman <dcb314@hotmail.com>
MFC after:	1 week
2019-01-18 00:26:25 +00:00
Mark Johnston
e6de40fa79 Fix handling of rights on stdio streams.
- Limit rights on stdio before opening input files.  Otherwise, open()
  may return one of the standard descriptors and we end up limiting
  rights such that we cannot read from one of the input files.
- Use caph_limit_stdio(), which suppresses EBADF, to ensure that
  we don't emit an error if one of the stdio streams is closed.
- Don't bother further limiting rights on stdin when stdin isn't going
  to be used.  Doing so correctly requires checking for a number of
  edge cases, and it doesn't provide any significant benefit.

PR:		234885
Reviewed by:	oshogbo
MFC after:	3 days
Sponsored by:	The FreeBSD Foundation
Differential Revision:	https://reviews.freebsd.org/D18860
2019-01-17 17:36:18 +00:00
Yoshihiro Takahashi
31afdd6f10 Fix indentation in ruptime command output for hosts in the "down" state.
PR:		234239
MFC after:	1 week
2019-01-12 12:57:32 +00:00
Yoshihiro Takahashi
1da80a2c75 Sync with OpenBSD.
bc.y: Rev 1.50
- write parse errors to stderr, prompted by Martijn Dekker
- we're only interactive if stdout and stderr are a tty as well as stdin

PR:		234430
Obtained from:	OpenBSD
MFC after:	1 week
2019-01-12 12:35:02 +00:00
Enji Cooper
7b97300547 Add Linux compatibility support for SC_NPROCESSORS_{CONF,ONLN} as _SC_NPROCESSORS_{CONF,ONLN}
The goal of this change is to make it easier to use getconf to query
the number of available processors.

Sadly it's unclear per POSIX, which form (with a preceding _ or
lacking it) is correct. I will bring this up on the Austin Group list so
this point is clarified for implementors that might rely on this getconf
variable in future POSIX spec versions.

This is something I noticed when trying to import GoogleTest to FreeBSD
as one of the CI scripts uses this variable on Linux.

MFC after:	2 weeks
Approved by:	emaste (mentor)
Differential Revision:	https://reviews.freebsd.org/D18640
2019-01-11 22:28:18 +00:00
Kyle Evans
26e3f9681b Fix bsdgrep manpage clobbering grep(1) with default build options
The default build should install bsdgrep(1) and grep(1), with the latter
being gnugrep(1). WITH_BSD_GREP flips this situation such that we have
gnugrep(1) and grep(1), with the latter being bsdgrep(1).

Changes to start installing the zgrep script out of usr.bin/grep
inadvertently altered the default build such that grep(1) was being
installed, and it was bsdgrep(1). Correct the typo.

Reported by:	bcran
MFC after:	3 days
2019-01-09 02:47:07 +00:00
Xin LI
197884df8a Correct documentation year.
MFC after:	2 weeks
2019-01-07 08:29:27 +00:00
Xin LI
5c4b64e66b Port NetBSD improvements:
- Add -l support for xz files
- Add lzip support to gzip based on the example lzip decoder.

Obtained from:	NetBSD
MFC after:	2 weeks
Relnotes:	yes
2019-01-07 08:27:11 +00:00
Jilles Tjoelker
da61c776f3 getconf(1): Minor mdoc fix
MFC after:	1 week
2019-01-06 21:43:14 +00:00
Xin LI
4f4b31568a Remove unneeded assert.h (there is no assertion in this file).
MFC after:	2 weeks
2019-01-06 20:42:09 +00:00
Xin LI
4dbd43cd05 Remove unneeded headers.
MFC after:	1 month
2019-01-06 20:39:23 +00:00
Allan Jude
07372194c3 The lam(1) man page is unclear about the uppercase versions of the flags
PR:		229571
Submitted by:	Tim Chase <freebsd@tim.thechases.com>
2019-01-04 02:48:43 +00:00
Conrad Meyer
a0483764f3 Update to Zstandard 1.3.8
This merge brings in a couple new files, which needed to be attached to the
build; a new dependency on <limits.h>, which must be stubbed; and a name
change in the Context parameter constants, from ZSTD_p_foo to ZSTD_c_foo.

Significantly, it fixes a kernel build error with GCC where floating-point
functions were included in the kernel build, by hiding them under the same
compile-time #ifdef that already covered their invocation.  That issue was
introduced to FreeBSD in the 1.3.7 update and tracked upstream here:

  https://github.com/facebook/zstd/issues/1386

The full 1.3.8 release notes can be found on Github:

  https://github.com/facebook/zstd/releases/tag/v1.3.8

Relnotes:	yes
2018-12-29 21:18:01 +00:00
Ed Maste
ac8e938122 ar: detect and error out on 32-bit symbol table overflow
BSD ar currently does not support the /SYM64/ 64-bit symbol table, and
previously truncated to 32-bits, silently producing corrupted archives
larger than 4GB.

This is another overflow case in addition to r342575.

PR:		234454
Reported by:	Aijaz Baig, imp
MFC after:	2 weeks
MFC with:	r342575
Sponsored by:	The FreeBSD Foundation
2018-12-28 22:47:55 +00:00
Ed Maste
699f180198 ar: detect and error out on 32-bit symbol table overflow
BSD ar currently does not support the /SYM64/ 64-bit symbol table, and
previously truncated to 32-bits, silently producing corrupted archives
larger than 4GB.

Note that this is only a partial fix; additional checks will come.

PR:		234454
Reported by:	Aijaz Baig, imp
MFC after:	2 weeks
Sponsored by:	The FreeBSD Foundation
2018-12-28 17:00:12 +00:00
Mateusz Piotrowski
8ece0ee096 iscsictl.8: Add missing flag parameters
- Add missing parameters to flags in the description of available options.
- Remove spaces between alternative parameters and "|".
- Align descriptions of options to the longest option.
- Use em dash instead of a hyphen.

Reviewed by:	bcr
Approved by:	doc (bcr)
Approved by:	krion (mentor, implicit), mat (mentor, implicit)
Differential Revision:	https://reviews.freebsd.org/D18608
2018-12-27 14:44:01 +00:00
Simon J. Gerraty
dfd669ab38 Merge bmake-20181221
2018-12-23 01:05:52 +00:00
Shteryana Shopova
e1747016b9 Add myself to the calendar
2018-12-12 19:58:54 +00:00
Dimitry Andric
893405b45f Merge ^/head r341764 through r341812.
2018-12-11 06:47:04 +00:00
John Baldwin
c1745bf503 Validate the string size parameter passed to -s.
Use strtonum() to reject negative sizes instead of core dumping.

PR:		232206
Submitted by:	David Carlier <devnexen@gmail.com>
MFC after:	2 weeks
Differential Revision:	https://reviews.freebsd.org/D17537
2018-12-10 21:47:19 +00:00
Dimitry Andric
67350cb56a Merge ^/head r340918 through r341763.
2018-12-09 11:39:45 +00:00