History log of /openbsd-src/sys/kern/exec_elf.c (Results 51 – 75 of 191)
Revision Date Author Comments
# 01352abe 07-Sep-2017 bluhm <bluhm@openbsd.org>

In elf_load_file() do not call free(9) with an uninitialized size
even if the pointer is NULL. This is not a real bug as free(9)
checks the addr pointer before the size value, but the compiler
cannot know that.
found by clang -Wuninitialized; OK deraadt@


# 1443c537 20-Mar-2017 kettenis <kettenis@openbsd.org>

Initialize the stack buffer used to build the auxiliary vector to zero to
avoid leaking the contents of the kernel stack into userspace.

ok guenther@, deraadt@


# 17448fe7 05-Mar-2017 guenther <guenther@openbsd.org>

Generating a coredump requires walking the map twice; change
uvm_coredump_walkmap() to do both with a callback in between
so it can hold locks/change state across the two.

ok stefan@


# a7c026e4 11-Feb-2017 guenther <guenther@openbsd.org>

Correct the entry point and base address calculations for an
interpreter whose entry point isn't in its first PT_LOAD segment.

problem report and testing by patrick@


# b0cba403 08-Feb-2017 guenther <guenther@openbsd.org>

Remove support for forcing the ELF interpreter to a specific address,
last used by COMPAT_SYSV which was removed in 2011.

ok millert@


# 043da685 08-Feb-2017 guenther <guenther@openbsd.org>

In exec_elf.c: expand ELFNAME(), ELFNAME2(), and ELFNAMEEND() except
leaving out the size, so that
ELFNAME2(exec,makecmds)
becomes
exec_elf_makecmds
instead of
exec_elf{32,64}_makecmds
and then delete the ELFNAME2() and ELFNAMEEND() macros.

Move the prototypes for functions local to exec_elf.c to there from
exec_elf.h.

Simplify the SMALL_KERNEL conditionals around the ELF coredump code.

Change exec_conf.c to use the size-generic names and macros

Remove exec_elf{32,64}.c and just build exec_elf.c; delete the
_KERN_DO_ELF and _KERN_DO_ELF64 #defines.

ok jca@, encouragement from deraadt@ and tom@


# 41d803c5 08-Feb-2017 guenther <guenther@openbsd.org>

Move ELF_AUX_ENTRIES from exec_elf.h to exec_elf.c; it's totally internal
and not something we guarantee to userspace

ok jca@


# 6255499b 08-Feb-2017 guenther <guenther@openbsd.org>

Change ELFNAME(read_from)'s buf parameter to be void*, eliminating a cast
from all but one call

ok jca@


# 1809cfc6 08-Feb-2017 guenther <guenther@openbsd.org>

elf{32,64}_check_brand() isn't used; delete it

ok jca@


# de10163a 08-Feb-2017 guenther <guenther@openbsd.org>

Provide size-generic ELF_NO_ADDR in <sys/exec_elf.h> and use that instead
of ELFDEFNNAME(NO_ADDR)

ok jca@


# 48e470c3 05-Feb-2017 guenther <guenther@openbsd.org>

Since we expect to never do binary compat with other OSes again,
delete the no-longer-used probe hook support.

ok mpi@ jca@


# 8fda72b7 21-Jan-2017 guenther <guenther@openbsd.org>

p_comm is the process's command and isn't per thread, so move it from
struct proc to struct process.

ok deraadt@ kettenis@


# 3b7181b7 07-Nov-2016 guenther <guenther@openbsd.org>

Split PID from TID, giving processes a PID unrelated to the TID of their
initial thread

ok jsing@ kettenis@


# 2b712bfe 05-Oct-2016 guenther <guenther@openbsd.org>

Display/test/use the process PID, not the thread's TID, in a few places.

ok mpi@ mikeb@


# 05b24c4d 12-Sep-2016 schwarze <schwarze@openbsd.org>

When trying to run an ELF binary marked PT_OPENBSD_WXNEEDED from a
file system mounted without MNT_WXALLOWED, fail with EACCES rather
than with ENOEXEC, to discourage the shell from trying to run the
file as a shell script.
OK deraadt@ millert@; tedu@ and halex@ agreed with the general direction.


# 1c2a6c81 11-Jun-2016 kettenis <kettenis@openbsd.org>

Since epp->ep_name is a userland pointer, use copyinstr(9) to get a copy of
the string into kernel space before logging the W^X binary warning.

ok jca@, guenther@


# 205b954d 08-Jun-2016 kettenis <kettenis@openbsd.org>

Enforce W^X and map W|X segments without X permission initially. The
dynamic linker will make these read-only and add back X permission after
relocation processing. Static executables with W|X segments will probably
crash.

ok deraadt@, guenther@


# f68ce565 30-May-2016 deraadt <deraadt@openbsd.org>

Identify W^X labelled binaries at execve() time based upon WX_OPENBSD_WXNEEDED
flag set by ld -zwxneeded. Such binaries are allowed to run only on wxallowed
mountpoints. They do not report mmap/mprotect problems.

Rate limit mmap/mprotect reports from other binaries.

These semantics are chosen to encourage progress in the ports ecosystem,
without overwhelming the developers who work in the area.
ok sthen kettenis


# 12b62665 30-May-2016 deraadt <deraadt@openbsd.org>

backout to insert correct commit message


# e31974b4 30-May-2016 deraadt <deraadt@openbsd.org>

*** empty log message ***


# 7730d1d9 10-May-2016 deraadt <deraadt@openbsd.org>

SROP mitigation. sendsig() stores a (per-process ^ &sigcontext) cookie
inside the sigcontext. sigreturn(2) checks syscall entry was from the
exact PC addr in the (per-process ASLR) sigtramp, verifies the cookie,
and clears it to prevent sigcontext reuse.
not yet tested on landisk, sparc, *88k, socppc.
ok kettenis


# 2dc555cb 28-Feb-2016 naddy <naddy@openbsd.org>

Support for running Linux binaries under emulation is going away.

Remove "option COMPAT_LINUX" and everything directly tied to it from the
kernel and the corresponding man page documentation.

ok visa@ guenther@


# 345a92b4 02-Nov-2015 semarie <semarie@openbsd.org>

move the pledgenote annotation from `struct proc' to `struct nameidata'

pledgenote is used to annotate the policy for a namei context. So make it
track the nameidata.

It is expected for the caller to explicitly define the policy. It is a kernel
bug to not do so.

ok deraadt@


# 113dcb2d 28-Oct-2015 deraadt <deraadt@openbsd.org>

Paranoia: p_pledgenote the NAMEI for ld.so loading


# 7da957a5 28-Sep-2015 deraadt <deraadt@openbsd.org>

Track size of an opaque allocation to pass to free() later
ok guenther tedu

