forked from freebsd/freebsd-src
[op/gsoc2014/smap+kpatch] change pmap_kenter_attr(...) #3
pmap.h: void pmap_protect(pmap_t, vm_offset_t, vm_offset_t, vm_prot_t);
opntr added a commit that referenced this issue on Aug 11, 2014:
After commit 3d154ea, paxtest's output is this:

PaXtest - Copyright(c) 2003,2004 by Peter Busser <peter@adamantix.org>
Released under the GNU Public Licence version 2 or later

Mode: kiddie
FreeBSD 11.0-CURRENT FreeBSD 11.0-CURRENT #3 d6b9ed4(op/hardened/current/aslr-devel)-dirty: Fri Aug 8 17:06:55 CEST 2014 op@pandora-d:/tmp/amd64-objdir/usr/data/source/git/opBSD/opBSD.git/sys/GENERIC amd64

Executable anonymous mapping : Killed
Executable bss : Killed
Executable data : Killed
Executable heap : Killed
Executable stack : Killed
Executable anonymous mapping (mprotect) : Vulnerable
Executable bss (mprotect) : Vulnerable
Executable data (mprotect) : Vulnerable
Executable heap (mprotect) : Vulnerable
Executable shared library bss (mprotect) : Vulnerable
Executable shared library data (mprotect): Vulnerable
Executable stack (mprotect) : Vulnerable
Anonymous mapping randomisation test : No randomisation
Heap randomisation test (ET_EXEC) : 2 bits (guessed)
Heap randomisation test (PIE) : 12 bits (guessed)
Main executable randomisation (ET_EXEC) : No randomisation
Main executable randomisation (PIE) : 21 bits (guessed)
Shared library randomisation test : No randomisation
Stack randomisation test (SEGMEXEC) : 15 bits (guessed)
Stack randomisation test (PAGEEXEC) : 16 bits (guessed)
Arg/env randomisation test (SEGMEXEC) : 17 bits (guessed)
Arg/env randomisation test (PAGEEXEC) : 17 bits (guessed)
Randomization under memory exhaustion @~0: No randomisation
Randomization under memory exhaustion @0 : No randomisation
Return to function (strcpy) : paxtest: return address contains a NULL byte.
Return to function (strcpy, PIE) : paxtest: return address contains a NULL byte.
Return to function (memcpy) : Killed
Return to function (memcpy, PIE) : Killed
Executable shared library bss : Killed
Executable shared library data : Killed
Writable text segments : Vulnerable

After partially reverting the mentioned commit, paxtest's output is fixed:

FreeBSD pandora-d 10.0-STABLE FreeBSD 10.0-STABLE #72 6fd52c6(op/stable/10/opbsd-aslr): Sat Aug 9 02:33:44 CEST 2014 root@pandora-d:/usr/obj/usr/src/sys/OP-ASLR amd64

Executable anonymous mapping : Killed
Executable bss : Killed
Executable data : Killed
Executable heap : Killed
Executable stack : Killed
Executable anonymous mapping (mprotect) : Vulnerable
Executable bss (mprotect) : Vulnerable
Executable data (mprotect) : Vulnerable
Executable heap (mprotect) : Vulnerable
Executable shared library bss (mprotect) : Vulnerable
Executable shared library data (mprotect): Vulnerable
Executable stack (mprotect) : Vulnerable
Anonymous mapping randomisation test : 21 bits (guessed)
Heap randomisation test (ET_EXEC) : 11 bits (guessed)
Heap randomisation test (PIE) : 12 bits (guessed)
Main executable randomisation (ET_EXEC) : No randomisation
Main executable randomisation (PIE) : 21 bits (guessed)
Shared library randomisation test : 21 bits (guessed)
Stack randomisation test (SEGMEXEC) : 15 bits (guessed)
Stack randomisation test (PAGEEXEC) : 16 bits (guessed)
Arg/env randomisation test (SEGMEXEC) : 17 bits (guessed)
Arg/env randomisation test (PAGEEXEC) : 16 bits (guessed)
Randomization under memory exhaustion @~0: 22 bits (guessed)
Randomization under memory exhaustion @0 : 21 bits (guessed)
Return to function (strcpy) : paxtest: return address contains a NULL byte.
Return to function (strcpy, PIE) : paxtest: return address contains a NULL byte.
Return to function (memcpy) : Killed
Return to function (memcpy, PIE) : Killed
Executable shared library bss : Killed
Executable shared library data : Killed
Writable text segments : Vulnerable

Signed-off-by: Oliver Pinter <oliver.pntr@gmail.com>
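The "N bits (guessed)" figures in the commit message above are an empirical estimate made from user space, not a value the kernel reports. The C program below is an added example, not code from this issue, from paxtest or from the opBSD/HardenedBSD tree; it reproduces the idea behind paxtest's anonymous-mapping test: re-exec a probe many times, record the address of a fresh anonymous mapping in each run, and count the address bits that ever change. Zero changing bits is the "No randomisation" verdict seen after 3d154ea. The helper names, the sample count of 64 and the single-page probe are this example's own choices; paxtest's exact statistics are not reproduced from its source.

```c
/*
 * Added example (not from this issue, paxtest, or opBSD/HardenedBSD):
 * a minimal re-implementation of the idea behind paxtest's
 * "Anonymous mapping randomisation test".  Helper names and NSAMPLES
 * are this example's own choices.
 *
 * Method: re-exec ourselves NSAMPLES times (each exec gets a fresh
 * address-space layout), let each child map one anonymous page and
 * print its address, then count the address bits that ever differ.
 */
#define _DEFAULT_SOURCE 1 /* glibc: MAP_ANON/POSIX under -std=c99; no effect on FreeBSD */
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/mman.h>
#include <sys/wait.h>
#include <unistd.h>

#define NSAMPLES 64

/* Count the address bits that differ in at least one sample from the first. */
int count_varying_bits(const uintptr_t *addrs, size_t n)
{
    uintptr_t changed = 0;
    int bits = 0;

    for (size_t i = 1; i < n; i++)
        changed |= addrs[i] ^ addrs[0];
    for (; changed != 0; changed >>= 1)
        bits += (int)(changed & 1);
    return bits;
}

/* Render the verdict the way paxtest prints it. */
const char *describe(int bits, char *buf, size_t len)
{
    if (bits == 0)
        return "No randomisation";
    snprintf(buf, len, "%d bits (guessed)", bits);
    return buf;
}

/* Child role: map one anonymous page and print where it landed. */
static int probe(void)
{
    void *p = mmap(NULL, 4096, PROT_READ | PROT_WRITE, MAP_PRIVATE | MAP_ANON, -1, 0);
    if (p == MAP_FAILED)
        return 1;
    printf("%#lx\n", (unsigned long)(uintptr_t)p);
    return 0;
}

/* Parent role: fork+exec the probe repeatedly and collect the addresses. */
static size_t collect_samples(const char *self, uintptr_t *out, size_t max)
{
    size_t n;

    for (n = 0; n < max; n++) {
        int fds[2];
        char line[64] = {0};
        ssize_t got;
        pid_t pid;

        if (pipe(fds) != 0)
            break;
        pid = fork();
        if (pid < 0)
            break;
        if (pid == 0) {
            dup2(fds[1], STDOUT_FILENO);
            close(fds[0]);
            close(fds[1]);
            execl(self, self, "probe", (char *)NULL);
            _exit(127); /* exec failed; the parent sees an empty pipe */
        }
        close(fds[1]);
        got = read(fds[0], line, sizeof line - 1);
        close(fds[0]);
        waitpid(pid, NULL, 0);
        if (got <= 0)
            break;
        out[n] = (uintptr_t)strtoull(line, NULL, 0);
    }
    return n;
}

int main(int argc, char **argv)
{
    uintptr_t addrs[NSAMPLES];
    char buf[32];
    size_t n;

    if (argc > 1 && strcmp(argv[1], "probe") == 0)
        return probe();
    n = collect_samples(argv[0], addrs, NSAMPLES);
    if (n < 2) {
        fprintf(stderr, "could not re-exec %s; invoke it by path, e.g. ./aslrprobe\n", argv[0]);
        return 1;
    }
    printf("Anonymous mapping randomisation test : %s\n",
           describe(count_varying_bits(addrs, n), buf, sizeof buf));
    return 0;
}
```

Build with `cc -o aslrprobe aslrprobe.c` and run it as `./aslrprobe` on the kernel before and after the partial revert; the count moves the same way as the paxtest line. The count is an upper bound on the entropy actually delivered: a bit that changes even once is counted, regardless of how uniformly it is distributed, which is why paxtest labels the result "guessed".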
opntr added a commit that referenced this issue on Aug 12, 2014 (same commit message as the Aug 11, 2014 entry above).
opntr pushed a commit that referenced this issue on Aug 23, 2014:

Mostly bugfixes or features developed in the past 6 months, so this is a 10.1 candidate. Basically no user API changes (some bugfixes in sys/net/netmap_user.h).

In detail:

1. netmap support for virtio-net, including in netmap mode. Under bhyve and with a netmap backend [2] we reach over 1Mpps with standard APIs (e.g. libpcap), and 5-8 Mpps in netmap mode.

2. (kernel) add support for multiple memory allocators, so we can better partition physical and virtual interfaces giving access to separate users. The most visible effect is one additional argument to the various kernel functions to compute buffer addresses. All netmap-supported drivers are affected, but changes are mechanical and trivial.

3. (kernel) simplify the prototype for *txsync() and *rxsync() driver methods. All netmap drivers affected, changes mostly mechanical.

4. add support for netmap-monitor ports. Think of it as a mirroring port on a physical switch: a netmap monitor port replicates traffic present on the main port. Restrictions apply. Drive carefully.

5. if_lem.c: support for various paravirtualization features, experimental and disabled by default. Most of these are described in our ANCS'13 paper [1]. Paravirtualized support in netmap mode is new, and beats the numbers in the paper by a large factor (under qemu-kvm, we measured guest-host throughput up to 10-12 Mpps).

A lot of refactoring and additional documentation in the files in sys/dev/netmap, but apart from #2 and #3 above, almost nothing of this stuff is visible to other kernel parts. Example programs in tools/tools/netmap have been updated with bugfixes and to support more of the existing features.

This is meant to go into 10.1 so we plan an MFC before the Aug.22 deadline.

A lot of this code has been contributed by my colleagues at UNIPI, including Giuseppe Lettieri, Vincenzo Maffione, Stefano Garzarella.

MFC after: 3 days.
opntr added a commit that referenced this issue on Nov 1, 2014 (same commit message as the Aug 11, 2014 entry above).
opntr added a commit that referenced this issue on Nov 1, 2014:

the log files permissions

github-issue: #3
Signed-off-by: Oliver Pinter <oliver.pntr@gmail.com>
opntr pushed a commit that referenced this issue on Mar 13, 2016:

r295341:
Require /bin/getfacl and /bin/setfacl when running the acl tests

For cases where these utilities aren't installed, the tests would fail today in a non-intuitive manner on sub-testcase #3 in each of the test scripts

r295345:
Use basenames for getfacl, setfacl, and zpool to work around the fact that Jenkins hardcodes image sizes to 2GB with the FreeBSD_HEAD job

This is to stop the unnecessary failure emails because we've gone over the 2GB limit
opntr added a commit that referenced this issue on Aug 19, 2016:

unp_dispose and unp_gc could race to tear down the same mbuf chains, which can lead to dereferencing freed filedesc pointers.

This patch adds an IGNORE_RIGHTS flag on unpcbs marking the unpcb's RIGHTS as invalid/freed. The flag is protected by UNP_LIST_LOCK.

To serialize against unp_gc, unp_dispose needs the socket object. Change the dom_dispose() KPI to take a socket object instead of an mbuf chain directly.

PR: 194264
Differential Revision: https://reviews.freebsd.org/D3044
Reviewed by: mjg (earlier version)
Approved by: markj (mentor)
Obtained from: mjg
MFC after: 1 month
Sponsored by: EMC / Isilon Storage Division

This commit was never MFCd to 10-STABLE, and the issue is still reproducible in 2016, with the linked test program from FreeBSD's phabricator.

--8<--
Unread portion of the kernel message buffer:
[206]
[206]
[206] Fatal trap 9: general protection fault while in kernel mode
[206] cpuid = 1; apic id = 01
[206] instruction pointer = 0x20:0xffffffff809e10e8
[206] stack pointer = 0x28:0xfffffe002bd96960
[206] frame pointer = 0x28:0xfffffe002bd969e0
[206] code segment = base 0x0, limit 0xfffff, type 0x1b
[206] = DPL 0, pres 1, long 1, def32 0, gran 1
[206] processor eflags = interrupt enabled, resume, IOPL = 0
[206] current process = 0 (thread taskq)
[206] trap number = 9
[206] panic: general protection fault
[206] cpuid = 1
[206] KDB: stack backtrace:
[206] #0 0xffffffff8098dc90 at kdb_backtrace+0x60
[206] #1 0xffffffff80953ed6 at vpanic+0x126
[206] #2 0xffffffff80953f63 at panic+0x43
[206] #3 0xffffffff80d6b2cb at trap_fatal+0x36b
[206] #4 0xffffffff80d6af49 at trap+0x839
[206] #5 0xffffffff80d4f3ec at calltrap+0x8
[206] #6 0xffffffff809a2940 at taskqueue_run_locked+0xf0
[206] #7 0xffffffff809a32ab at taskqueue_thread_loop+0x9b
[206] #8 0xffffffff8091c144 at fork_exit+0x84
[206] #9 0xffffffff80d4f92e at fork_trampoline+0xe
[206] Uptime: 3m26s
[206] Dumping 73 out of 487 MB:..22%..44%..66%..88%
--8<--

(cherry picked from commit 576619e)
Signed-off-by: Oliver Pinter <oliver.pinter@hardenedbsd.org>
CC: Bryan Drewery <bdrewery@freebsd.org>
CC: Mark Johnston <markj@freebsd.org>
opntr added a commit that referenced this issue on Aug 19, 2016:

…unix socket. - by markj@

If the listening socket is closed while sonewconn() is executing, the nascent child socket is aborted, which results in recursion on the unp_link lock when the child's pru_detach method is invoked. Fix this by using a flag to mark such sockets, and skip a part of the socket's teardown during detach.

Reported by: Raviprakash Darbha <rdarbha@juniper.net>
Tested by: pho
MFC after: 2 weeks
Differential Revision: https://reviews.freebsd.org/D7398

--8<--
[128] panic: __rw_wlock_hard: recursing but non-recursive rw unp_link_rwlock @ /usr/src/sys/kern/uipc_usrreq.c:654
[128]
[128] cpuid = 1
[128] KDB: stack backtrace:
[128] #0 0xffffffff8098dc90 at kdb_backtrace+0x60
[128] #1 0xffffffff80953ed6 at vpanic+0x126
[128] #2 0xffffffff80953da9 at kassert_panic+0x139
[128] #3 0xffffffff80951454 at __rw_wlock_hard+0x394
[128] #4 0xffffffff80951072 at _rw_wlock_cookie+0x92
[128] #5 0xffffffff809de636 at uipc_detach+0x36
[128] #6 0xffffffff809d217a at sofree+0x1da
[128] #7 0xffffffff809d1da4 at sonewconn+0x324
[128] #8 0xffffffff809e0496 at unp_connectat+0x326
[128] #9 0xffffffff809de4ac at uipc_connect+0x4c
[128] #10 0xffffffff809d8cf6 at kern_connectat+0x126
[128] #11 0xffffffff809d8b87 at sys_connect+0x77
[128] #12 0xffffffff80d6bab4 at amd64_syscall+0x2c4
[128] #13 0xffffffff80d4f6db at Xfast_syscall+0xfb
[128] Uptime: 2m8s
[128] Dumping 73 out of 487 MB:..22%..44%..66%..88%
--8<--

(cherry picked from commit cfea0ef)
Signed-off-by: Oliver Pinter <oliver.pinter@hardenedbsd.org>
opntr pushed a commit that referenced this issue on Sep 22, 2016:

…xes. (dfb2179)

MFV r305816: Sync libarchive with vendor including important security fixes.

Issues fixed (FreeBSD):
PR #778: ACL error handling
Issue #745: Symlink check prefix optimization is too aggressive
Issue #746: Hard links with data can evade sandboxing restrictions

This update fixes the vulnerability #3 and vulnerability #4 as reported in "non-cryptanalytic attacks against FreeBSD update components".
https://gist.github.com/anonymous/e48209b03f1dd9625a992717e7b89c4f

Fix for vulnerability #2 has already been merged in r304989.

MFC after: 1 week
Security: http://gist.github.com/anonymous/e48209b03f1dd9625a992717e7b89c4f

(cherry picked from commit dfb2179)
Signed-off-by: Oliver Pinter <oliver.pinter@hardenedbsd.org>
opntr pushed a commit that referenced this issue on Oct 3, 2016:

Sync libarchive with vendor including important security fixes.

Issues fixed (FreeBSD):
PR #778: ACL error handling
Issue #745: Symlink check prefix optimization is too aggressive
Issue #746: Hard links with data can evade sandboxing restrictions

This update fixes the vulnerability #3 and vulnerability #4 as reported in "non-cryptanalytic attacks against FreeBSD update components".
https://gist.github.com/anonymous/e48209b03f1dd9625a992717e7b89c4f

Fix for vulnerability #2 has already been merged in r305192.

Security: http://gist.github.com/anonymous/e48209b03f1dd9625a992717e7b89c4f