History log of /openbsd-src/libexec/ld.so/Makefile (Results 1 – 25 of 89)
Revision Date Author Comments
# f7413c6a 05-Apr-2024 deraadt <deraadt@openbsd.org>

ld.so should stop calling msyscall(2), since it is fully neutered and
about to be removed. Please be careful building through this, you need
a kernel at least March 29th or so to build through it, otherwise use
snapshots to cross over.
ok various people


# a09d28f1 19-Jan-2024 deraadt <deraadt@openbsd.org>

Stop initializing pinsyscall(SYS_execve in dynamic binaries that contain
a reference reaching the execve(2) stub. The new pinsyscalls(2) that
applies to all system calls has made this redundant.


# a346a825 20-Dec-2023 deraadt <deraadt@openbsd.org>

create a stub for pinsyscalls(2)


# f81a9d33 08-Jul-2023 jasper <jasper@openbsd.org>

zap stray backslash

ok deraadt@


# a4ba1e57 18-Feb-2023 deraadt <deraadt@openbsd.org>

Lookup the start,len of the "execve" stub in libc.so, and tell the kernel
where it is with pinsyscall(). In non-static binaries, kernel execve(2)
will now insist upon being called from that small region. Arriving from
a different region smells like ROP methodology, and the process is killed.


# baca2ca6 05-Nov-2022 deraadt <deraadt@openbsd.org>

teach ld.so how to call the mimmutable() system call
ok kettenis


# 1d60349d 23-Dec-2021 guenther <guenther@openbsd.org>

Roll the syscalls that have an off_t argument to remove the explicit padding.
Switch libc and ld.so to the generic stubs for these calls.
WARNING: reboot to updated kernel before installing libc or ld.so!

Time for a story...

When gcc (back in 1.x days) first implemented long long, it didn't (always)
pass 64bit arguments in 'aligned' registers/stack slots, with the result that
argument offsets didn't match structure offsets. This affected the nine system
calls that pass off_t arguments:
ftruncate lseek mmap mquery pread preadv pwrite pwritev truncate

To avoid having to do custom ASM wrappers for those, BSD put an explicit pad
argument in so that the off_t argument would always start on an even slot and
thus be naturally aligned. Thus those odd wrappers in lib/libc/sys/ that use
__syscall() and pass an extra '0' argument.

The ABIs for different CPUs eventually settled how things should be passed on
each and gcc 2.x followed them. The only arch now where it helps is landisk,
which needs to skip the last argument register if it would be the first half of
a 64bit argument. So: add new syscalls without the pad argument and on landisk
do that skipping directly in the syscall handler in the kernel. Keep compat
support for the existing syscalls long enough for the transition.

ok deraadt@


# bde8342f 26-Jun-2021 kettenis <kettenis@openbsd.org>

Use AFLAGS when building syscall stubs. Drop AINC which isn't used.

ok deraadt@


# 93a664f2 02-Dec-2019 deraadt <deraadt@openbsd.org>

It is not always clear what ld.so was backed up to ld.so.backup, and
better that folk doing development in here use their own cp tooling.


# 29ab13eb 29-Nov-2019 deraadt <deraadt@openbsd.org>

As additional paranoia, make a copy of system ld.so into obj/ld.so.backup
We don't want to CLEANFILES this one. On occasion this comes in useful.


# e5041725 29-Nov-2019 deraadt <deraadt@openbsd.org>

Repurpose the "syscalls must be on a writeable page" mechanism to
enforce a new policy: system calls must be in pre-registered regions.
We have discussed more strict checks than this, but none satisfy the
cost/benefit based upon our understanding of attack methods, anyways
let's see what the next iteration looks like.

This is intended to harden (translation: attackers must put extra
effort into attacking) against a mixture of W^X failures and JIT bugs
which allow syscall misinterpretation, especially in environments with
polymorphic-instruction/variable-sized instructions. It fits in a bit
with libc/libcrypto/ld.so random relink on boot and no-restart-at-crash
behaviour, particularly for remote problems. Less effective once on-host
since someone the libraries can be read.

For static-executables the kernel registers the main program's
PIE-mapped exec section valid, as well as the randomly-placed sigtramp
page. For dynamic executables ELF ld.so's exec segment is also
labelled valid; ld.so then has enough information to register libc's
exec section as valid via call-once msyscall(2)

For dynamic binaries, we continue to permit the main program exec
segment because "go" (and potentially a few other applications) have
embedded system calls in the main program. Hopefully at least go gets
fixed soon.

We declare the concept of embedded syscalls a bad idea for numerous
reasons, as we notice the ecosystem has many of
static-syscall-in-base-binary which are dynamically linked against
libraries which in turn use libc, which contains another set of
syscall stubs. We've been concerned about adding even one additional
syscall entry point... but go's approach tends to double the entry-point
attack surface.

This was started at a nano-hackathon in Bob Beck's basement 2 weeks
ago during a long discussion with mortimer trying to hide from the SSL
scream-conversations, and finished in more comfortable circumstances
next to a wood-stove at Elk Lakes cabin with UVM scream-conversations.

ok guenther kettenis mortimer, lots of feedback from others
conversations about go with jsing tb sthen


# 17fa8871 20-Oct-2019 guenther <guenther@openbsd.org>

For more archs, ld.so itself only needs/uses the arch's "just add load offset"
'relative' relocation. Take advantage of that to simplify ld.so's self-reloc
code:
* give the exceptional archs (hppa and mips64) copies of the current boot.c
  as boot_md.c
* teach the Makefile to use boot_md.c when present
* reduce boot.c down to the minimum necessary to handle just relative reloc
* teach the Makefile to fail if the built ld.so has other types of relocs

ok visa@ kettenis@


# 8f3b0808 03-Aug-2019 guenther <guenther@openbsd.org>

Suppress DWARF2 warnings on clang archs by building with -gdwarf-4

ok deraadt@, kettenis@


# 6eb4f976 14-Jul-2019 guenther <guenther@openbsd.org>

ld.so's $ORIGIN handling when argv[0] is a relative path was broken by
the change in __getcwd(2)'s return value. Fix it by switching to the
__realpath(2) syscall, eliminating the ld.so copy of realpath().

problem caught by regress and noted by bluhm@
ok deraadt@


# c0197e40 10-May-2019 guenther <guenther@openbsd.org>

ld.so boot cleanup support:
- put functions and data which are only used before calling the executable's
  start function into their own page-aligned segments for unmapping
  (only done on amd64, arm64, armv7, powerpc, and sparc64 so far)
- pass .init_array and .preinit_array functions an additional argument which
  is a callback to get a structure which includes a function that frees
  the boot text and data
- sometimes delay doing RELRO processing: for a shared-object marked
  DF_1_INITFIRST do it after the object's .init_array, for the executable
  do it after the .preinit_array
- improve test-ld.so to link against libpthread and trigger its initialization
  late

libc changes to use this will come later

ok kettenis@


# 92ffaf13 29-Aug-2018 robert <robert@openbsd.org>

make ld.so build reproducible by including a FILE symbol and by removing
-x from ld; this is only used for syspatch creation so builds are still
randomized just as before

ok guenther@


# 544a2704 30-Jan-2018 otto <otto@openbsd.org>

provide ffs, gcc generates calls to it, even when __builtin_ffs() is used.
ok deraadt@


# 4bb83bac 08-Dec-2017 deraadt <deraadt@openbsd.org>

also cleanout ld.so.a


# 8fb1a259 05-Nov-2017 rpe <rpe@openbsd.org>

Consolidate lib.so.*.a, ld.so.a and the kernel relink kit into
one location under /usr/share/relink.

Be more specific in src/etc/rc reorder_libs() what filesystems
need r/w remount and ensure that their mount state is restored.

Idea and positive feedback from deraadt@
OK aja@ tb@


# 9e688d49 27-Aug-2017 deraadt <deraadt@openbsd.org>

Place all .o files, Symbols.map, and the test program into /usr/libdata/ld.so.a.
My work is done; the next piece is coming from rpe.
ok visa kettenis


# c8bdf7d4 27-Aug-2017 deraadt <deraadt@openbsd.org>

The test program run before ld.so is installed was encoding the $OBJDIR
path to ld.so. Since the testprogram is run from inside $OBJDIR, encode
with a ./ path instead.
ok kettenis visa


# 332a4d9c 27-Aug-2017 deraadt <deraadt@openbsd.org>

Link the ~45 .o which become ld.so in a random order.
ok kettenis visa


# 26de9743 27-Aug-2017 deraadt <deraadt@openbsd.org>

hppa & sh use support functions from libgcc. Rather than linking against
the library, extract the specific pieces and link them directly.
ok kettenis visa


# d6979ba5 27-Aug-2017 deraadt <deraadt@openbsd.org>

Replace heaps of hand-written syscall stubs with a simpler framework
which is largely MI.
ok visa kettenis


# e559713f 19-Aug-2017 deraadt <deraadt@openbsd.org>

Build ld.so with ${DEBUG} which defaults to -g, like other "libraries" are.
This provides some unwind benefits.
ok kettenis dlg

