History log of /netbsd-src/sys/kern/exec_elf.c (Results 26 – 50 of 106)
Revision Date Author Comments
# b1ba608e 19-Mar-2016 christos <christos@NetBSD.org>

Allow enabling and disabling PaX ASLR debug


# 76713fa8 26-Nov-2015 martin <martin@NetBSD.org>

We never exec(2) with a kernel vmspace, so do not test for that, but instead
KASSERT() that we don't.
When calculating the load address for the interpreter (e.g. ld.elf_so),
we need to take into account whether the exec'd process will run with
topdown memory or bottom up. We can not use the current vmspace's flags
to test for that, as this happens too early. Luckily the execpack already
knows what the new state will be later, so instead of testing the current
vmspace, pass the info as additional argument to struct emul
e_vm_default_addr.
Fix all such functions and adopt all callers.


# 41dca8ab 01-Nov-2015 christos <christos@NetBSD.org>

Ignore the ancient 01.01 tag that gnuc used to put in old NetBSD binaries.


# f5789f4f 01-Nov-2015 christos <christos@NetBSD.org>

Add buildid Go note


# 856f192f 22-Oct-2015 maxv <maxv@NetBSD.org>

Check the error code from es_setup_stack, and correctly free ep_emul_arg if
it fails.

That bug is harmless, since ep_setup_stack never fails.


# 9ed59591 26-Sep-2015 maxv <maxv@NetBSD.org>

Revamp the way processes are PaX'ed in the kernel. Sent on tech-kern@ two
months ago, but no one reviewed it - probably because it's not a trivial
change.

This change fixes the following bug: when loading a PaX'ed binary, the
kernel updates the PaX flag of the calling process before it makes sure
the new process is actually launched. If the kernel fails to launch the
new process, it does not restore the PaX flag of the calling process,
leaving it in an inconsistent state.

Actually, simply restoring it would be horrible as well, since in the
meantime another thread may have used the flag.

The solution is therefore: modify all the functions used by PaX so that
they take as argument the exec package instead of the lwp, and set the PaX
flag in the process *right before* launching the new process - it cannot
fail in the meantime.


# 6a1d6f07 08-Aug-2015 maxv <maxv@NetBSD.org>

revert; but still fix the comment


# 22674dbc 05-Aug-2015 maxv <maxv@NetBSD.org>

stupid comment, and make sure we are not executing a lib


# b36a7fd2 04-Aug-2015 maxv <maxv@NetBSD.org>

Some changes, to reduce a bit my tech-kern@ patch:
- move the P_PAX_ flags out of #ifdef PAX_ASLR in pax.h
- add a generic pax_flags_active() function
- fix a comment in exec_elf.c; interp is not static
- KNF for return
- rename pax_aslr() to pax_aslr_mmap()
- rename pax_segvguard_cb() to pax_segvguard_cleanup_cb()


# c0b150f0 30-Jul-2015 maxv <maxv@NetBSD.org>

Revamp PaX:
- don't confuse between ELF flags and proc flags. Introduce the proc-
specific P_PAX_ASLR, P_PAX_MPROTECT and P_PAX_GUARD flags.
- introduce pax_setup_elf_flags(), which takes as argument the PaX flag
of the ELF PaX note section, and which sets the proc flag as
appropriate. Also introduce a couple of other functions used for that
purpose.
- modify pax_aslr_active(), and all the other similar pieces of code, so
that it checks the proc flag directly, without extra ELF computation

In addition to making PaX clearer, the combination of these changes fixes
the following bug: if a non-PaX'ed process is launched, and then someone
sets security.pax.{aslr,mprotect,segvguard}.global=1, the process becomes
PaX'ed while its address space hasn't been randomized, which is not likely
to be a good idea.

Now, only the proc flag is checked at runtime, which means the process's
PaX status won't be altered during the execution.

Also:
- declare PAX_DPRINTF, makes it more readable
- fix a typo in exec_elf.h


# 1a624e5a 27-Apr-2015 maxv <maxv@NetBSD.org>

Remove #ifdef notyet.


# 06b89b30 20-Mar-2015 maxv <maxv@NetBSD.org>

Zero-fill the ELF auxiliary vectors. Otherwise, on 64bit systems, the
padding between a_v and a_type contains kernel garbage, therefore
exposed to userland.

Original report by uebayasi@


# 99a9d84a 17-Aug-2014 chs <chs@NetBSD.org>

eliminate COMPAT_OLDNOTE and just always recognize the old notes.


# 8754c3d9 08-Jul-2014 maxv <maxv@NetBSD.org>

Define ELF_MAXNOTESIZE, ELF_MAXSHNUM and ELF_MAXPHNUM in <sys/exec_elf.h>, so
that it can be used externally.


# 477e684b 06-Jul-2014 maxv <maxv@NetBSD.org>

Check .evs_used==0 instead of .evs_cmds==NULL. evs_cmds would not be NULL if
another _makecmds() had allocated and deallocated VMCMDs (not the case
currently).


# 32d87f41 25-Jun-2014 christos <christos@NetBSD.org>

Provide a compatibility define for binaries generated before NetBSD 1.5.
These binaries contain multiple notes per section and their NetBSD version
value is 199905. This is enabled via COMPAT_OLDNOTE (default off).


# 7360fa83 15-May-2014 christos <christos@NetBSD.org>

be a bit more verbose about why we think a note is bad.


# d8a274df 22-Mar-2014 maxv <maxv@NetBSD.org>

Small changes:
- rename elf_load_file() to elf_load_interp()
- use the correct type for 'nused'
- remove useless cases
- reorder a kmem_alloc

ok christos@


# 7c099162 16-Mar-2014 maxv <maxv@NetBSD.org>

Remove the 'prot' argument from elf_load_psection(). It is not used
outside, and can be declared locally. Clearer.

ok christos@


# ab77483f 06-Mar-2014 matt <matt@NetBSD.org>

add ep_entryoffset to exec_package so one can calculate the relocabase
of an ET_DYN image.


# ff3f3d5c 27-Feb-2014 maxv <maxv@NetBSD.org>

We have to ensure the string is NUL-terminated and of the expected
length to avoid copying uninitialized data.

ok christos@


# 33cfa4fe 22-Feb-2014 maxv <maxv@NetBSD.org>

Simplify error path.

ok christos@


# c14dea48 21-Feb-2014 maxv <maxv@NetBSD.org>

Properly check the section size to avoid out-of-bound reads. The
computed size must be the exact same size that is indicated in
sh_size.

ok agc@ christos@


# c22b5e2a 19-Feb-2014 maxv <maxv@NetBSD.org>

We need VMCMDs for a binary and its interpreter, so make sure we have
at least one VMCMD. This also prevents the kernel from using an
uninitialized pointer as entry point for the execution.

From me and Christos

ok christos@


# 03cdabd0 16-Feb-2014 maxv <maxv@NetBSD.org>

Small cleanup:
- make elf_load_file() and elf_load_psection() static
- make loops consistent
- 'nload' is not used - see rev1.24
- 'ap' is not used in elf_load_file()

ok agc@ christos@

