History log of /openbsd-src/sys/kern/exec_elf.c (Results 1 – 25 of 191)
Revision Date Author Comments
# ebd6ceec 15-Sep-2024 deraadt <deraadt@openbsd.org>

Invalid pintables in ELF binaries can crash the kernel.
Fix from yufeng.gao@uq.edu.au


# 48434b30 21-Aug-2024 deraadt <deraadt@openbsd.org>

If binaries lack a pintable, execve() can now reject them at startup
by returning EINVAL, rather than at runtime when the first system call
occurs (and then probably dumping core). Let's find out if there are
any surprising exceptions we were unaware of (would need a custom linker,
or a non-crt0 runtime)
errno discussions with kettenis, sthen, millert. Vague consensus it is
worth trying now.


# c7735c59 21-Aug-2024 deraadt <deraadt@openbsd.org>

We do not need the PS_LIBCPIN and PS_PIN flag fields anymore, which were
used during development (for visibility). There is speculation claudio will
immediately use these bits for something else.


# f63750b4 14-Jul-2024 jca <jca@openbsd.org>

Actually provide *definitions* for hwcap & hwcap2

Double checked by kettenis@

Sorry for the time window with breakage visible on arm64 and riscv64. :-/


# 242b8fde 14-Jul-2024 jca <jca@openbsd.org>

Actually set up hwcap AUX_* entries when available

Erroneously dropped from the last elf_aux_info(3) diff I sent on tech@.
Lack of this chunk would affect arm64 and riscv64 as they're the two
architectures providing hwcap*.

Should have been ok kettenis@


# 30d20579 02-Apr-2024 deraadt <deraadt@openbsd.org>

Delete the msyscall mechanism entirely, since mimmutable+pinsyscalls has
replaced it with a more strict mechanism, which happens to be lockless O(1)
rather than micro-lock O(1)+O(log N). Also nop-out the sys_msyscall(2) guts,
but leave the syscall around for a bit longer so that people can build through
it, since ld.so(1) still wants to call it.


# e7a40e26 17-Jan-2024 kurt <kurt@openbsd.org>

Fix core file writing when a file mapped into memory has later been truncated
to be smaller than the mapping. Record which memory segments are backed by
vnodes while walking the uvm map and later suppress EFAULT errors caused
by the underlying file being truncated. okay miod@


# f0efa6a8 16-Jan-2024 deraadt <deraadt@openbsd.org>

The kernel will now read pinsyscall tables out of PT_OPENBSD_SYSCALLS in
the main program or ld.so, and accept a submission of that information
for libc.so from ld.so via pinsyscalls(2). At system call invocation,
the syscall number is matched to the specific address it must come from.
ok kettenis, gnezdo, testing of variations by many people


# aa8d54b2 12-Jul-2023 jasper <jasper@openbsd.org>

address incomplete validation of ELF program headers in execve(2) which could lead
to a panic in vmcmd_map_readvn() with a malformed binary/interpreter.

original crash found with Melkor, additional validation provided by
guenther@.

ok kettenis@ guenther@ deraadt@


# 4171e492 10-Jun-2023 kettenis <kettenis@openbsd.org>

Implement support for pointer authentication (PAC) in userland. With PAC
it is possible to "sign" pointers with a hidden key. The signature is
placed in unused bits of the pointer and can be checked later. This can
be used to provide "tail CFI" that is similar to what retguard provides.

Debuggers need to be aware of the fact that pointers can be signed. For
this purpose a new PT_PACMASK ptrace(2) request is introduced that returns
a mask that indicates the bits used for the signature. Separate masks
are provided for code and data pointers even though the masks are identical
in the current implementation. These masks are also written into a special
note section in the core dump.

ok patrick@


# 7e82ed53 19-Apr-2023 kettenis <kettenis@openbsd.org>

Add a new PT_OPENBSD_NOBTCFI "segment type" to indicate that the kernel
should not enforce branch target control flow integrity for a binary.
This works analogous to PT_OPENBSD_WXNEEDED in that we will set it on
binaries that don't have the necessary landing pads (yet). The kernel
will enforce branch target CFI by default in the near future!

This is a better match for what we want to achieve than the GNU property
note mechanism that the Linux folks came up with. We can still use the
GNU property notes for diagnostic purposes so we won't disable their
generation in the toolchain. But ports will need to pass an explicit
-Wl,-z,nobtcfi option to disable branch target CFI.

Like with PT_OPENBSD_WXNEEDED we convert the presence of PT_OPENBSD_NOBTCFI
into a flag in struct exec_package. From there MD code can pick it up
and set a struct process flag or take action in setregs().

ok deraadt@


# b18b10d8 16-Jan-2023 guenther <guenther@openbsd.org>

Currently we disable kbind(2) for static programs from libc.a's
preinit hook. Delete that and instead have the kernel disable kbind
at exec-time if the program doesn't have an ELF interpreter. For
now, permit userland calls to disable it when already disabled so
existing static programs continue to work.

prompted by deraadt@ questioning about the call in libc.a

ok deraadt@ miod@


# 13f0bae7 13-Jan-2023 kettenis <kettenis@openbsd.org>

Since the signal trampoline is now execute-only we no longer write it
into core dumps. As a result backtraces through signal handlers no
longer work in gdb and other debuggers.

Fix this by keeping a read-only mapping of the signal trampoline in the
kernel and writing it into the core dump at the virtual address where it
is mapped in the process.

ok deraadt@, tb@


# be6fe690 21-Dec-2022 deraadt <deraadt@openbsd.org>

fix a mangled comment


# 2b46a8cb 05-Dec-2022 deraadt <deraadt@openbsd.org>

zap a pile of dangling tabs


# 4ec5462f 23-Nov-2022 mbuhl <mbuhl@openbsd.org>

cache ps_auxinfo inside the kernel, to avoid codedump() reading the
copy on userland stack which points at an illicit region.
ok kettenis, deraadt


# 6fd9c007 14-Nov-2022 visa <visa@openbsd.org>

Fix tag type and buffer limit in DT_TEXTREL lookup.

OK deraadt@ kettenis@


# ca697ae8 05-Nov-2022 deraadt <deraadt@openbsd.org>

For textrel binaries, skipping immutability on text segments is not enough:
It needs to be all non-writeable segments, which really means rodata.
crt0 and ld.so will need to call mimmutable() later on these regions.
ok kettenis


# 414b58f5 27-Oct-2022 deraadt <deraadt@openbsd.org>

Unfortunately there are still ugly text-relocation binaries in the wild.
Libraries are less of a concern, because ld.so can fix them in the right
order. So we must scan DYNAMIC for the TEXTREL marker, and not make
X LOADs immutable. ld.so will apply changes to the text segment. In
upcoming diff, crt0 and ld.so will then apply immutability.
ok kettenis


# 16c14673 27-Oct-2022 deraadt <deraadt@openbsd.org>

VMCMD_SYSCALL cannot be incorporated into flags variable, because flags
is inspected narrowly for base address later.
ok kettenis


# cbad891a 23-Oct-2022 deraadt <deraadt@openbsd.org>

A better workaround for mips64 mimmutable problem. The problem is the
DT_DEBUG word is inside a R LOAD that gets marked immutable, but ld.so
does a mprotect RW + adjustment + mprotect R. DT_DEBUG is specified as
being inside the DYNAMIC range, so let's do all the immutables and then,
on mips64 only, turn around and make DYNAMIC mutable. That gives us
time to see if we can move DT_DEBUG or change what ld.so is doing.
discussed at length with kettenis


# 9386e86c 22-Oct-2022 deraadt <deraadt@openbsd.org>

automatic immutable for base executable is not ready on mips
because DT_DEBUG isn't in the right place


# 31b48a6b 21-Oct-2022 deraadt <deraadt@openbsd.org>

automatically mark immutable certain regions in program&ld.so LOADs.
The large commented block in elf_load_psection explains the situation.
ok kettenis.


# 22c1e090 29-Aug-2022 deraadt <deraadt@openbsd.org>

If ld.so loading fails inside execve, uprintf a message to report this
before the SIGABRT kills the process. This clarifies the failure mode
If ld.so loading fails inside execve, uprintf a message to report this
before the SIGABRT kills the process. This clarifies the failure mode
(and resolution to take) when a dynamic executable is run while /usr
isn't mounted. ok miod kettenis


# 0d280c5f 14-Aug-2022 jsg <jsg@openbsd.org>

remove unneeded includes in sys/kern
ok mpi@ miod@

