329f0aa9 | 12-Mar-2019 | Warner Losh <imp@FreeBSD.org>
Kill tz_minuteswest and tz_dsttime.
Research Unix, 7th Edition introduced TIMEZONE and DSTFLAG compile-time constants in sys/param.h to communicate these values for the machine. 4.2BSD moved from compile-time to run-time, introduced these variables and used them for localtime() to return the right offset from UTC (sometimes referred to as GMT; for this purpose it is the same). 4.4BSD migrated to using the tzdata code/database and these variables were basically unused.
FreeBSD removed the real need for these with adjkerntz in 1995. However, some RTC clocks continued to use these variables, though they were largely unused otherwise. Later, phk centralized most of the uses in utc_offset, but left it using both tz_minuteswest and adjkerntz.
POSIX (IEEE Std 1003.1-2017) states in the gettimeofday specification "If tzp is not a null pointer, the behavior is unspecified" so there's no standards reason to retain it anymore. In fact, gettimeofday has been marked as obsolescent, meaning it could be removed from a future release of the standard. It is the only interface defined in POSIX that references these two values. All other references come from the tzdata database via tzset().
These were used to more faithfully implement early unix ABIs which have been removed from FreeBSD. NetBSD completely eliminated these variables years ago. Linux has migrated to tzdata as well, though these variables technically still exist for compatibility with unspecified older programs.
So, there's no real reason to have them these days. They are a historical vestige that's no longer used in any meaningful way.
Reviewed By: jhb@, brooks@
Differential Revision: https://reviews.freebsd.org/D19550

c981cbbd | 15-Feb-2019 | Dimitry Andric <dim@FreeBSD.org>
Merge ^/head r343956 through r344177.

fa50a355 | 10-Feb-2019 | Konstantin Belousov <kib@FreeBSD.org>
Implement Address Space Layout Randomization (ASLR)
With this change, randomization can be enabled for all non-fixed mappings. It means that the base address for the mapping is selected with a guaranteed amount of entropy (bits). If the mapping was requested to be superpage aligned, the randomization honours the superpage attributes.
Although the value of ASLR is diminishing over time as exploit authors work out simple ASLR bypass techniques, it eliminates the trivial exploitation of certain vulnerabilities, at least in theory. This implementation is relatively small and happens at the correct architectural level. Also, it is not expected to introduce regressions in existing cases when turned off (default for now), or cause any significant maintenance burden.
The randomization is done on a best-effort basis - that is, the allocator falls back to a first fit strategy if fragmentation prevents entropy injection. It is trivial to implement a strong mode where failure to guarantee the requested amount of entropy results in mapping request failure, but I do not consider that to be usable.
I have not fine-tuned the amount of entropy injected right now. It is only a quantitative change that will not change the implementation. The current amount is controlled by aslr_pages_rnd.
To not spoil coalescing optimizations, to reduce the page table fragmentation inherent to ASLR, and to keep the transient superpage promotion for the malloced memory, locality clustering is implemented for anonymous private mappings, which are automatically grouped until fragmentation kicks in. The initial location for the anon group range is, of course, randomized. This is controlled by vm.cluster_anon, enabled by default.
The default mode keeps the sbrk area unpopulated by other mappings, but this can be turned off, which gives much more breathing bits on architectures with small address space, such as i386. This is tied with the question of following an application's hint about the mmap(2) base address. Testing shows that ignoring the hint does not affect the function of common applications, but I would expect more demanding code could break. By default sbrk is preserved and mmap hints are satisfied, which can be changed by using the kern.elf{32,64}.aslr.honor_sbrk sysctl.
ASLR is enabled on per-ABI basis, and currently it is only allowed on FreeBSD native i386 and amd64 (including compat 32bit) ABIs. Support for additional architectures will be added after further testing.
Both per-process and per-image controls are implemented:
- procctl(2) adds PROC_ASLR_CTL/PROC_ASLR_STATUS;
- NT_FREEBSD_FCTL_ASLR_DISABLE feature control note bit makes it possible to force ASLR off for the given binary. (A tool to edit the feature control note is in development.)
Global controls are:
- kern.elf{32,64}.aslr.enable - for non-fixed mappings done by mmap(2);
- kern.elf{32,64}.aslr.pie_enable - for PIE image activation mappings;
- kern.elf{32,64}.aslr.honor_sbrk - allow the sbrk area to be used for mmap(2);
- vm.cluster_anon - enables anon mapping clustering.
PR: 208580 (exp runs)
Exp-runs done by: antoine
Reviewed by: markj (previous version)
Discussed with: emaste
Tested by: pho
MFC after: 1 month
Sponsored by: The FreeBSD Foundation
Differential revision: https://reviews.freebsd.org/D5603
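The "best-effort" placement policy described in the commit above (random page offset when a free range can absorb it, plain first fit when fragmentation prevents entropy injection), as an added user-space model. This is not the kernel's vm_map code: the free-range list, page size, the xorshift generator standing in for arc4random(), and the `bits` parameter standing in for aslr_pages_rnd are all assumptions made for the example.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define PAGE_SZ 4096ULL

/* A free gap in the address space: [start, end), both page aligned. */
struct free_range {
	uint64_t start, end;
};

/* Deterministic xorshift64 so runs are reproducible; the kernel draws its
 * entropy from arc4random(), not from anything like this. */
static uint64_t
toy_rnd(uint64_t *state)
{
	uint64_t x = *state;

	x ^= x << 13;
	x ^= x >> 7;
	x ^= x << 17;
	return (*state = x);
}

/*
 * Best-effort placement.  `bits` plays the role of aslr_pages_rnd: the
 * request is shifted by a random number of pages in [0, 2^bits) inside the
 * first gap that can absorb both the mapping and the shift.  When no gap
 * can, the model degrades to plain first fit instead of failing the request
 * (the "strong mode" the commit message rejects would return 0 here).
 * Returns the chosen base, or 0 if the request cannot be placed at all;
 * *randomized reports whether the entropy was actually applied.
 */
static uint64_t
place_mapping(const struct free_range *fr, size_t nfr, uint64_t len,
    unsigned bits, uint64_t *rng, int *randomized)
{
	uint64_t slack = (toy_rnd(rng) & ((1ULL << bits) - 1)) * PAGE_SZ;
	size_t i;

	*randomized = 1;
	for (i = 0; i < nfr; i++)
		if (fr[i].end - fr[i].start >= len + slack)
			return (fr[i].start + slack);

	*randomized = 0;	/* fragmentation prevented entropy injection */
	for (i = 0; i < nfr; i++)
		if (fr[i].end - fr[i].start >= len)
			return (fr[i].start);
	return (0);
}

int
main(void)
{
	/* Constructed sample map: two small gaps and one large one. */
	struct free_range map[] = {
		{ 0x1000, 0x3000 }, { 0x5000, 0x7000 },
		{ 0x10000000, 0x20000000 },
	};
	uint64_t rng = 0x9e3779b97f4a7c15ULL;
	int randomized, i;

	for (i = 0; i < 3; i++) {
		uint64_t base = place_mapping(map, 3, 1 << 20, 10, &rng,
		    &randomized);
		printf("1 MiB mapping -> %#llx (%s)\n",
		    (unsigned long long)base,
		    randomized ? "randomized" : "first fit");
	}
	return (0);
}
```

The model does not consume the gap it hands out, so repeated calls in main() simply show different offsets inside the same large range; the point is the fallback path, which a reviewer of a real allocator should look for explicitly, since silent degradation to first fit means the mapping lands at a predictable address.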

9e43c218 | 10-Feb-2019 | Dimitry Andric <dim@FreeBSD.org>
Merge ^/head r343807 through r343955.

a7f67fac | 09-Feb-2019 | Konstantin Belousov <kib@FreeBSD.org>
Normalize the declaration of i386_read_exec variable.
It is currently re-declared in sys/sysent.h, which is the wrong place for an MD variable. This causes a redeclaration error with gcc when sys/sysent.h and machine/md_var.h are both included.
Remove it from sys/sysent.h and instead include machine/md_var.h when needed, under #ifdef for both i386 and amd64.
Reported and tested by: bde
Sponsored by: The FreeBSD Foundation
MFC after: 1 week

67350cb5 | 09-Dec-2018 | Dimitry Andric <dim@FreeBSD.org>
Merge ^/head r340918 through r341763.

Revision tags: release/12.0.0

f373437a | 29-Nov-2018 | Brooks Davis <brooks@FreeBSD.org>
Add helper functions to copy strings into struct image_args.
Given a zeroed struct image_args with an allocated buf member, exec_args_add_fname() must be called to install a file name (or NULL). Then zero or more calls to exec_args_add_arg() followed by zero or more calls to exec_args_add_env(). exec_args_adjust_args() may be called after args and/or env to allow an interpreter to be prepended to the argument list.
To allow code reuse when adding arg and env variables, begin_envv should be accessed with the accessor exec_args_get_begin_envv() which handles the case when no environment entries have been added.
Use these functions to simplify exec_copyin_args() and freebsd32_exec_copyin_args().
Reviewed by: kib
Obtained from: CheriBSD
Sponsored by: DARPA, AFRL
Differential Revision: https://reviews.freebsd.org/D15468
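The calling sequence described in the commit above (fname first, then args, then env, with an accessor that handles the no-environment case and a way to prepend an interpreter), as an added user-space model. This is not the kernel's exec code: the member names follow the commit message, but the arena size, the back-to-back NUL-terminated layout, the refusal of args after env, and the `_model` helpers (in particular `exec_args_prepend_arg_model`, a simplified stand-in for exec_args_adjust_args()) are assumptions made for the example.

```c
#include <stddef.h>
#include <stdlib.h>
#include <string.h>

#define ARG_BUF_SIZE 4096	/* assumed arena size for the example */

/* Model of struct image_args with the members the commit message names. */
struct image_args_model {
	char *buf;		/* single arena: fname, then args, then env */
	char *endp;		/* first free byte in buf */
	char *fname;		/* NULL when no file name was installed */
	char *begin_argv;
	char *begin_envv;	/* meaningful only while envc > 0 */
	int argc, envc;
};

static int
exec_args_init_model(struct image_args_model *a)
{
	memset(a, 0, sizeof(*a));
	a->buf = calloc(1, ARG_BUF_SIZE);
	if (a->buf == NULL)
		return (-1);
	a->endp = a->buf;
	return (0);
}

/* Append one NUL-terminated string; NULL when the arena is full. */
static char *
copy_into(struct image_args_model *a, const char *s)
{
	size_t len = strlen(s) + 1;
	char *p = a->endp;

	if ((size_t)(a->buf + ARG_BUF_SIZE - a->endp) < len)
		return (NULL);
	memcpy(p, s, len);
	a->endp += len;
	return (p);
}

/* Step 1: install the file name (or NULL); argv starts right after it. */
static int
exec_args_add_fname_model(struct image_args_model *a, const char *fname)
{
	a->fname = NULL;
	if (fname != NULL && (a->fname = copy_into(a, fname)) == NULL)
		return (-1);
	a->begin_argv = a->endp;
	return (0);
}

/* Step 2: zero or more arguments.  This model refuses args after env. */
static int
exec_args_add_arg_model(struct image_args_model *a, const char *arg)
{
	if (a->envc != 0 || copy_into(a, arg) == NULL)
		return (-1);
	a->argc++;
	return (0);
}

/* Step 3: zero or more environment strings; the first fixes begin_envv. */
static int
exec_args_add_env_model(struct image_args_model *a, const char *env)
{
	char *p = copy_into(a, env);

	if (p == NULL)
		return (-1);
	if (a->envc++ == 0)
		a->begin_envv = p;
	return (0);
}

/* Accessor: with no env entries the env region is empty and starts at endp. */
static char *
exec_args_get_begin_envv_model(struct image_args_model *a)
{
	return (a->envc > 0 ? a->begin_envv : a->endp);
}

/* Simplified stand-in for exec_args_adjust_args(): open a hole in front of
 * argv and drop `interp` into it as the new argv[0]. */
static int
exec_args_prepend_arg_model(struct image_args_model *a, const char *interp)
{
	size_t len = strlen(interp) + 1;
	size_t tail = a->endp - a->begin_argv;

	if ((size_t)(a->buf + ARG_BUF_SIZE - a->endp) < len)
		return (-1);
	memmove(a->begin_argv + len, a->begin_argv, tail);
	memcpy(a->begin_argv, interp, len);
	a->endp += len;
	if (a->envc > 0)
		a->begin_envv += len;
	a->argc++;
	return (0);
}

/* Walk the packed argv and return its n-th string, or NULL past the end. */
static const char *
exec_args_nth_arg_model(struct image_args_model *a, int n)
{
	const char *p = a->begin_argv;
	const char *end = exec_args_get_begin_envv_model(a);
	int i;

	for (i = 0; p < end; i++, p += strlen(p) + 1)
		if (i == n)
			return (p);
	return (NULL);
}
```

Every helper bounds-checks against the arena before copying, which is the property that matters when the strings come from user space; the walk in exec_args_nth_arg_model stops at the env boundary returned by the accessor, so it behaves the same whether or not any environment entry was added.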

9b5cb2f6 | 12-Nov-2018 | Dimitry Andric <dim@FreeBSD.org>
Merge ^/head r340235 through r340367.

9a38df59 | 09-Nov-2018 | Brooks Davis <brooks@FreeBSD.org>
Fix freebsd32 mknod(at).
As dev_t is now a 64-bit integer, it requires special handling as a system call argument. 64-bit arguments are split between two 64-bit integers due to the way arguments are promoted to allow reuse of most system call implementations. They must be reassembled before use. Further, 64-bit arguments at an odd offset (counting from zero) are padded and slid to the next slot on powerpc and mips. Fix the non-COMPAT11 system call by adding a freebsd32_mknodat() and appropriately padded declarations.
The COMPAT11 system calls are fully compatible with the 64-bit implementations so remove the freebsd32_ versions.
Use uint32_t consistently as the type of the old dev_t. This matches the old definition.
Reviewed by: kib
MFC after: 3 days
Sponsored by: DARPA, AFRL
Differential Revision: https://reviews.freebsd.org/D17928

40747517 | 09-Nov-2018 | Brooks Davis <brooks@FreeBSD.org>
Make __sysctl follow the freebsd32_foo convention.
Sponsored by: DARPA, AFRL

2a22df74 | 04-Nov-2018 | Dimitry Andric <dim@FreeBSD.org>
Merge ^/head r339813 through r340125.

12e69f96 | 02-Nov-2018 | Brooks Davis <brooks@FreeBSD.org>
Add const to input-only char * arguments.
These arguments are mostly paths handled by NAMEI*() macros which already take const char * arguments.
This change improves the match between syscalls.master and the public declarations of system calls.
Reviewed by: kib (prior version)
Obtained from: CheriBSD
Sponsored by: DARPA, AFRL
Differential Revision: https://reviews.freebsd.org/D17812

c542c43e | 16-Aug-2018 | Jamie Gritton <jamie@FreeBSD.org>
Revert r337922, except for some documentation-only bits. This needs to wait until user is changed to stop using jail(2).
Differential Revision: D14791

284001a2 | 16-Aug-2018 | Jamie Gritton <jamie@FreeBSD.org>
Put jail(2) under COMPAT_FREEBSD11. It has been the "old" way of creating jails since FreeBSD 7.
Along with the system call, put the various security.jail.allow_foo and security.jail.foo_allowed sysctls partly under COMPAT_FREEBSD11 (or BURN_BRIDGES). These sysctls had two disparate uses: on the system side, they were global permissions for jails created via jail(2) which lacked fine-grained permission controls; inside a jail, they're read-only descriptions of what the current jail is allowed to do. The first use is obsolete along with jail(2), but keep them for the second-read-only use.
Differential Revision: D14791

14b841d4 | 11-Aug-2018 | Kyle Evans <kevans@FreeBSD.org>
MFH @ r337607, in preparation for boarding

f9c0a512 | 10-Aug-2018 | Dimitry Andric <dim@FreeBSD.org>
Merge ^/head r337286 through r337585.

c7902fbe | 07-Aug-2018 | Mark Johnston <markj@FreeBSD.org>
Improve handling of control message truncation.
If a recvmsg(2) or recvmmsg(2) caller doesn't provide sufficient space for all control messages, the kernel sets MSG_CTRUNC in the message flags to indicate truncation of the control messages. In the case of SCM_RIGHTS messages, however, we were failing to dispose of the rights that had already been externalized into the recipient's file descriptor table. Add a new function and mbuf type to handle this cleanup task, and use it any time we fail to copy control messages out to the recipient. To simplify cleanup, control message truncation is now only performed at control message boundaries.
The change also fixes a few related bugs:
- Rights could be leaked to the recipient process if an error occurred while copying out a message's contents.
- We failed to set MSG_CTRUNC if the truncation occurred on a control message boundary, e.g., if the caller received two control messages and provided only the exact amount of buffer space needed for the first.
PR: 131876
Reviewed by: ed (previous version)
MFC after: 1 month
Sponsored by: The FreeBSD Foundation
Differential Revision: https://reviews.freebsd.org/D16561
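What the truncation described in the commit above looks like from the receiving side, as an added user-space probe that is not part of the FreeBSD change: it passes descriptors over a local socketpair(2), receives with a deliberately undersized control buffer, checks MSG_CTRUNC, and closes every descriptor that did arrive. The point for a defender is the receiver's obligation: an SCM_RIGHTS message that is truncated or ignored still consumed descriptor-table slots, so a receiver must walk the control messages it got and dispose of what it does not want. The helper names, the choice of dup'ing the socket itself as the payload, and the buffer sizes are assumptions made for the example; the exact number of descriptors delivered on a partial truncation is kernel-specific, so only its bound is asserted.

```c
#include <sys/types.h>
#include <sys/socket.h>
#include <sys/uio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

/* Sender: pass `nfds` duplicates of `sock` in one SCM_RIGHTS message. */
static int
send_fds(int sock, int nfds)
{
	size_t space = CMSG_SPACE(nfds * sizeof(int));
	char *cbuf = calloc(1, space);
	struct msghdr msg;
	struct iovec iov;
	struct cmsghdr *cm;
	char byte = 'x';
	int i, fd, rc = -1;

	if (cbuf == NULL)
		return (-1);
	iov.iov_base = &byte;
	iov.iov_len = 1;
	memset(&msg, 0, sizeof(msg));
	msg.msg_iov = &iov;
	msg.msg_iovlen = 1;
	msg.msg_control = cbuf;
	msg.msg_controllen = space;
	cm = CMSG_FIRSTHDR(&msg);
	cm->cmsg_level = SOL_SOCKET;
	cm->cmsg_type = SCM_RIGHTS;
	cm->cmsg_len = CMSG_LEN(nfds * sizeof(int));
	for (i = 0; i < nfds; i++) {
		fd = dup(sock);	/* any open descriptor works for the demo */
		memcpy(CMSG_DATA(cm) + i * sizeof(int), &fd, sizeof(int));
	}
	if (sendmsg(sock, &msg, 0) == 1)
		rc = 0;
	/* Drop our copies: the in-flight message holds its own references. */
	for (i = 0; i < nfds; i++) {
		memcpy(&fd, CMSG_DATA(cm) + i * sizeof(int), sizeof(int));
		close(fd);
	}
	free(cbuf);
	return (rc);
}

/* Receiver: read one message using `cspace` bytes of control buffer.
 * Every descriptor that arrived is counted in *nrecv and closed; a receiver
 * that walks away from them keeps them open in its table.  Returns the
 * msg_flags (look for MSG_CTRUNC) or -1 on error. */
static int
recv_fds_probe(int sock, size_t cspace, int *nrecv)
{
	char *cbuf = cspace != 0 ? calloc(1, cspace) : NULL;
	struct msghdr msg;
	struct iovec iov;
	struct cmsghdr *cm;
	size_t i, n;
	char byte;
	int fd;

	*nrecv = 0;
	if (cspace != 0 && cbuf == NULL)
		return (-1);
	iov.iov_base = &byte;
	iov.iov_len = 1;
	memset(&msg, 0, sizeof(msg));
	msg.msg_iov = &iov;
	msg.msg_iovlen = 1;
	msg.msg_control = cbuf;
	msg.msg_controllen = cspace;
	if (recvmsg(sock, &msg, 0) < 0) {
		free(cbuf);
		return (-1);
	}
	for (cm = CMSG_FIRSTHDR(&msg); cm != NULL; cm = CMSG_NXTHDR(&msg, cm)) {
		if (cm->cmsg_level != SOL_SOCKET || cm->cmsg_type != SCM_RIGHTS)
			continue;
		n = (cm->cmsg_len - CMSG_LEN(0)) / sizeof(int);
		for (i = 0; i < n; i++) {
			memcpy(&fd, CMSG_DATA(cm) + i * sizeof(int), sizeof(int));
			close(fd);	/* dispose of what we did receive */
			(*nrecv)++;
		}
	}
	free(cbuf);
	return (msg.msg_flags);
}

/* One scenario over a local socketpair: send `nsend` descriptors, receive
 * with `cspace` bytes of control space. */
static int
scenario(int nsend, size_t cspace, int *nrecv)
{
	int sv[2], flags;

	if (socketpair(AF_UNIX, SOCK_STREAM, 0, sv) < 0)
		return (-1);
	flags = send_fds(sv[0], nsend) == 0 ?
	    recv_fds_probe(sv[1], cspace, nrecv) : -1;
	close(sv[0]);
	close(sv[1]);
	return (flags);
}
```

Sizing the buffer with CMSG_SPACE() for the number of descriptors you are prepared to accept, and treating MSG_CTRUNC as a hard error rather than a warning, is the receiver-side counterpart of the kernel fix above: whatever the kernel does with the rights it could not deliver, the receiver must account for the ones it did.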

bbd7a929 | 04-Aug-2018 | Dimitry Andric <dim@FreeBSD.org>
Merge ^/head r336870 through r337285, and resolve conflicts.

3de1e9aa | 31-Jul-2018 | Konstantin Belousov <kib@FreeBSD.org>
Provide compat32 shims for sched_rr_get_interval(2).
The interface uses struct timespec, which needs a translation.
Reported and reviewed by: asomers
PR: 230175
Sponsored by: The FreeBSD Foundation
MFC after: 1 week
Differential revision: https://reviews.freebsd.org/D16525

9dea3ac8 | 29-Jul-2018 | Alan Somers <asomers@FreeBSD.org>
freebsd32_getrusage(2): skip freebsd32_rusage_out on error
PR: 230153
Reported by: kib
MFC after: 2 weeks
X-MFC-With: 336871
Differential Revision: https://reviews.freebsd.org/D16500

5cf35a10 | 29-Jul-2018 | Alan Somers <asomers@FreeBSD.org>
getrusage(2): fix return value under 32-bit emulation
According to the man page, getrusage(2) should return EFAULT if the rusage argument lies outside of the process's address space. But due to an oversight in r100384, that's never been the case during 32-bit emulation. Fix it.
PR: 230153
Reported by: tests(7)
Reviewed by: cem
MFC after: 2 weeks
Differential Revision: https://reviews.freebsd.org/D16500

Revision tags: release/11.2.0

ab35e1c7 | 13-Jun-2018 | Bruce Evans <bde@FreeBSD.org>
Fix the encoding of major and minor numbers in 64-bit dev_t by restoring the old encodings for the lower 16 and 32 bits and only using the higher 32 bits for unusually large major and minor numbers. This change breaks compatibility with the previous encoding (which was only used in -current).
Fix truncation to (essentially) 16-bit dev_t in newnfs v3.
Any encoding of device numbers gives an ABI, so it can't be changed without translations for compatibility. Extra bits give the much larger complication that the translations need to compress into fewer bits. Fortunately, more than 32 bits are rarely needed, so compression is rarely needed except for 16-bit linux dev_t where it was always needed but never done.
The previous encoding moved the major number into the top 32 bits. Almost no translation code handled this, so the major number was blindly truncated away in most 32-bit encodings. E.g., for ffs, mknod(8) with major = 1 and minor = 2 gave dev_t = 0x10000002; ffs cannot represent this and blindly truncated it to 2. But if this mknod was run on any released version of FreeBSD, it gives dev_t = 0x102. ffs can represent this, but in the previous encoding it was not decoded, giving major = 0, minor = 0x102.
The presence of bugs was most obvious for exporting dev_t's from an old system to -current, since bugs in newnfs augment them. I fixed oldnfs to support 32-bit dev_t in 1996 (r16634), but this regressed to 16-bit dev_t in newnfs, first to the old 16-bit encoding and then further in -current. E.g., old ad0 with major = 234, minor = 0x10002 had the correct (major, minor) number on the wire, but newnfs truncated this to (234, 2) and then the previous encoding shifted the major number into oblivion as seen by ffs or old applications.
I first tried to fix this by translating on every ABI/API boundary, but there are too many boundaries and too many sloppy translations by blind truncation. So use the old encoding for the low 32 bits so that sloppy translations work no worse than before provided the high 32 bits are not set. Add some error checking for when bits are lost. Keep not doing any error checking for translations for almost everything in compat/linux.
compat/freebsd32/freebsd32_misc.c: Optionally check for losing bits after possibly-truncating assignments as before.
compat/linux/linux_stats.c: Depend on the representation being compatible with Linux's (or just with itself for local use) and spell some of the translations as assignments in a macro that hides the details.
fs/nfsclient/nfs_clcomsubs.c: Essentially the same fix as in 1996, except there is now no possible truncation in makedev() itself. Also fix nearby style bugs.
kern/vfs_syscalls.c: As for freebsd32. Also update the sysctl description to include file numbers, and change it to describe device ids as device numbers.
sys/types.h: Use inline functions (wrapped by macros) since the expressions are now a bit too complicated for plain macros. Describe the encoding and some of the reasons for it. 16-bit compatibility didn't leave many reasonable choices for the 32-bit encoding, and 32-bit compatibility doesn't leave many reasonable choices for the 64-bit encoding. My choice is to put the 8 new minor bits in the low 8 bits of the top 32 bits. This minimizes discontiguities.
Reviewed by: kib (except for rewrite of the comment in linux_stats.c)
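The 64-bit dev_t layout the commit above describes (the historical 32-bit encoding kept in the low 32 bits, the 8 new minor bits in the low 8 bits of the top 32 bits, the rest of the major number above them), as an added user-space model with the "losing bits" check the commit mentions for 32-bit ABI boundaries. This is a reconstruction from the commit text, not a copy of sys/types.h; the `model_` names and the `model_to32()` error-return convention are assumptions made for the example.

```c
#include <stdint.h>
#include <stdio.h>

typedef uint64_t devnum_t;	/* stand-in for the kernel's 64-bit dev_t */

/*
 * Compose a device number.  The low 32 bits keep the historical 32-bit
 * layout (major in bits 8-15, minor in bits 0-7 and 16-31), so a sloppy
 * translation that truncates to 32 bits still works for small numbers.
 * Overflow goes to the top half: minor bits 8-15 land in dev_t bits 32-39,
 * major bits 8-31 in dev_t bits 40-63.
 */
static devnum_t
model_makedev(uint32_t major, uint32_t minor)
{
	devnum_t d = 0;

	d |= (devnum_t)(major & 0xff) << 8;		/* legacy major slot */
	d |= (devnum_t)(minor & 0xffff00ff);		/* legacy minor slots */
	d |= (devnum_t)(minor & 0xff00) << 24;		/* new minor bits -> 32-39 */
	d |= (devnum_t)(major & 0xffffff00) << 32;	/* extended major -> 40-63 */
	return (d);
}

static uint32_t
model_major(devnum_t d)
{
	return ((uint32_t)(((d >> 32) & 0xffffff00) | ((d >> 8) & 0xff)));
}

static uint32_t
model_minor(devnum_t d)
{
	return ((uint32_t)(((d >> 24) & 0xff00) | (d & 0xffff00ff)));
}

/*
 * Model of a possibly-truncating assignment at a 32-bit ABI boundary (an old
 * struct stat, a freebsd32 syscall argument).  The truncated value is always
 * produced; the return value tells the caller whether bits were lost so it
 * can fail with a range error instead of handing out a wrong device number.
 */
static int
model_to32(devnum_t d, uint32_t *out)
{
	*out = (uint32_t)d;
	return ((d >> 32) == 0 ? 0 : -1);
}

/* Does (major, minor) survive an encode/decode round trip? */
static int
model_roundtrip_ok(uint32_t major, uint32_t minor)
{
	devnum_t d = model_makedev(major, minor);

	return (model_major(d) == major && model_minor(d) == minor);
}

int
main(void)
{
	uint32_t t;
	devnum_t d = model_makedev(1, 2);	/* the mknod(8) case from the commit */

	printf("makedev(1, 2) = %#llx, fits 32 bits: %s\n",
	    (unsigned long long)d, model_to32(d, &t) == 0 ? "yes" : "no");
	d = model_makedev(0x12345, 0xabcdef);
	printf("makedev(0x12345, 0xabcdef) = %#llx -> major %#x minor %#x, "
	    "fits 32 bits: %s\n", (unsigned long long)d, model_major(d),
	    model_minor(d), model_to32(d, &t) == 0 ? "yes" : "no");
	return (0);
}
```

The two numbers the commit quotes fall out directly: (1, 2) encodes to 0x102, and the old ad0 pair (234, 0x10002) to 0x1ea02, both of which survive a 32-bit truncation; only numbers that need the top half trip model_to32(), which is exactly where a translation layer should refuse rather than truncate.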

372639f9 | 13-Jun-2018 | Bruce Evans <bde@FreeBSD.org>
Fix some bugs found while fixing the representation and translation of 64-bit dev_t's (but not ones involving dev_t's).
st_size was supposed to be clamped in cvtstat() and linux's copy_stat(), but the clamping code wasn't aware that st_size is signed, and also had an obfuscated off-by-1 value for the unsigned limit, so its effect was to produce a bizarre negative size instead of clamping.
Change freebsd32's copy_ostat() to be no worse than cvtstat(). It was missing clamping and bzero()ing of padding.
Reviewed by: kib (except a final fix of the clamp to the signed maximum)
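The st_size clamping failure the commit above describes (an unsigned limit with an obfuscated off-by-one, applied to a field that is signed, so a large file reports a negative size), as an added example that is not the kernel's cvtstat() or copy_stat() code; the exact original expressions are not on the page, so the buggy variant below only reproduces the described shape of the mistake next to the corrected clamp.

```c
#include <stdint.h>
#include <limits.h>
#include <stdio.h>

/*
 * The shape of the bug: the limit is the unsigned 32-bit maximum written as
 * (1 << 32) - 1, the comparison ignores that the destination is signed, and
 * storing 0xffffffff into an int32_t yields -1 on a two's-complement ABI.
 */
static int32_t
clamp_st_size_buggy(int64_t size)
{
	uint64_t limit = (1ULL << 32) - 1;	/* 0xffffffff */

	if ((uint64_t)size > limit)
		size = (int64_t)limit;
	return ((int32_t)size);			/* 5 GiB -> 0xffffffff -> -1 */
}

/* Clamp to the signed range of the 32-bit field, in both directions. */
static int32_t
clamp_st_size_fixed(int64_t size)
{
	if (size > INT32_MAX)
		return (INT32_MAX);
	if (size < INT32_MIN)
		return (INT32_MIN);
	return ((int32_t)size);
}

int
main(void)
{
	int64_t big = 5LL << 30;	/* a 5 GiB file: does not fit in 32 bits */

	printf("buggy clamp: %lld -> %ld\n", (long long)big,
	    (long)clamp_st_size_buggy(big));
	printf("fixed clamp: %lld -> %ld\n", (long long)big,
	    (long)clamp_st_size_fixed(big));
	return (0);
}
```

A negative st_size handed to an old 32-bit binary is worse than a saturated one: size checks of the form `if (st.st_size > limit)` pass, and loops that allocate `st_size` bytes get a value that converts to a huge unsigned count.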

e15f0023 | 15-May-2018 | Brooks Davis <brooks@FreeBSD.org>
Allow freebsd32 __sysctl(2) to return ENOMEM.
This is required by programs like sockstat that read variably sized sysctls such as kern.file. The normal path has no such restriction and the restriction was added without comment along with initial support for freebsd32 in 2002 (r100384).
Reviewed by: kib
Sponsored by: DARPA, AFRL
Differential Revision: https://reviews.freebsd.org/D15438

1302eea7 | 20-Apr-2018 | Konstantin Belousov <kib@FreeBSD.org>
Rename PROC_PDEATHSIG_SET -> PROC_PDEATHSIG_CTL and PROC_PDEATHSIG_GET -> PROC_PDEATHSIG_STATUS for consistency with other procctl(2) operations names.
Requested by: emaste
Sponsored by: The FreeBSD Foundation
MFC after: 13 days