HBSD: on i386 RWX pages were RX only
Submitted by: @lattera
fichtner committed Nov 1, 2018
1 parent ea449cd commit 4b21e56
Showing 1 changed file with 4 additions and 0 deletions.
4 changes: 4 additions & 0 deletions sys/kern/imgact_elf.c
@@ -571,7 +571,11 @@ __elfN(load_section)(struct image_params *imgp, vm_ooffset_t offset,
map_addr, /* virtual start */
map_addr + map_len,/* virtual end */
prot,
#if defined(PAX_INSECURE_MODE) && defined(__i386__)
VM_PROT_ALL,
#else
prot,
#endif
cow);
if (rv != KERN_SUCCESS)
return (EINVAL);
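Review bot: the `#if defined(PAX_INSECURE_MODE) && defined(__i386__)` branch raises the second protection argument to `VM_PROT_ALL` for every segment that `__elfN(load_section)` maps on i386, not only for segments that actually carry TEXTRELs, and nothing in the hunk says why. A short comment above the `#if` (that PaX NOEXEC is off under PAX_INSECURE_MODE and i386 binaries with TEXTRELs need their text segment to be writable, so the maximum protection must include write) would keep the next reader from treating this as a leftover. Note also that the first `prot,` argument is unchanged, so the initial mapping keeps its protection and only the ceiling a later protection change may reach is relaxed.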

2 comments on commit 4b21e56

@lattera
Contributor

@lattera lattera commented on 4b21e56 Nov 2, 2018


I just thought I'd give a bit of background for this commit to those following along.

From the discovery email (with a few modifications):

Just like filesystems, memory mappings have read, write, and execute permissions. In HardenedBSD, we track the concept of "max permissions" (aka max prot, maxprot). Ideally, when a page is marked writable, it can never be marked as executable. When a page is marked executable, it can never be writable. This is the PaX NOEXEC feature, which is disabled in OPNsense (ideally, we would want to enable it for amd64 and arm64 in OPNsense at some point in the future).

Because PaX NOEXEC is disabled, the maxprot should be RWX for this mapping (due to TEXTRELs), but it isn't; it's RX.

I feel comfortable with OPNsense using this patch because the state of exploit mitigations on i386 is really weak. I don't want HardenedBSD to carry the patch because we don't officially support i386.

This commit (4b21e56) aims to do just that. OPNsense's kernel config sets PAX_INSECURE_MODE. We set it for i386 only because applications compiled on arm64 and amd64 generally do not have this problem (at least, not the set of applications OPNsense uses). As such, any non-i386 architecture is unaffected by the commit.

This commit effectively slightly weakens OPNsense's security posture on i386, due to allowing writable text segments (for TEXTRELs). However, i386 does not properly support non-executable pages, so nothing is really lost. Yeah, that's a seemingly contradictory statement; hopefully you understand what I mean. If not, then reply with a comment and I can explain further.

HardenedBSD would like to reiterate the importance of switching to 64-bit systems. Non-executable page enforcement is supported on the 64-bit architectures HardenedBSD supports (arm64 and amd64). The security posture of 64-bit architectures is far superior to that of 32-bit architectures.

@fichtner
Member Author


Thanks for the additional info @lattera! We plan to remove i386 with the HardenedBSD 12 adoption which would be in OPNsense 20.1 or 20.7.
