FreeBSD/Linux Kernel Cross Reference
sys/kern/kern_pax.c
1 /* $NetBSD: kern_pax.c,v 1.22.8.1 2010/08/31 10:55:00 bouyer Exp $ */
2
3 /*-
4 * Copyright (c) 2006 Elad Efrat <elad@NetBSD.org>
5 * All rights reserved.
6 *
7 * Redistribution and use in source and binary forms, with or without
8 * modification, are permitted provided that the following conditions
9 * are met:
10 * 1. Redistributions of source code must retain the above copyright
11 * notice, this list of conditions and the following disclaimer.
12 * 2. Redistributions in binary form must reproduce the above copyright
13 * notice, this list of conditions and the following disclaimer in the
14 * documentation and/or other materials provided with the distribution.
15 * 3. The name of the author may not be used to endorse or promote products
16 * derived from this software without specific prior written permission.
17 *
18 * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
19 * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
20 * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
21 * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
22 * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
23 * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
24 * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
25 * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
26 * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
27 * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
28 */
29
30 #include <sys/cdefs.h>
31 __KERNEL_RCSID(0, "$NetBSD: kern_pax.c,v 1.22.8.1 2010/08/31 10:55:00 bouyer Exp $");
32
33 #include "opt_pax.h"
34
35 #include <sys/param.h>
36 #include <sys/proc.h>
37 #include <sys/exec_elf.h>
38 #include <sys/pax.h>
39 #include <sys/sysctl.h>
40 #include <sys/malloc.h>
41 #include <sys/fileassoc.h>
42 #include <sys/syslog.h>
43 #include <sys/vnode.h>
44 #include <sys/queue.h>
45 #include <sys/kauth.h>
46
47 #ifdef PAX_ASLR
48 #include <sys/mman.h>
49 #include <sys/rnd.h>
50 #include <sys/exec.h>
51
52 int pax_aslr_enabled = 1;
53 int pax_aslr_global = PAX_ASLR;
54
55 #ifndef PAX_ASLR_DELTA_MMAP_LSB
56 #define PAX_ASLR_DELTA_MMAP_LSB PGSHIFT
57 #endif
58 #ifndef PAX_ASLR_DELTA_MMAP_LEN
59 #define PAX_ASLR_DELTA_MMAP_LEN ((sizeof(void *) * NBBY) / 2)
60 #endif
61 #ifndef PAX_ASLR_DELTA_STACK_LSB
62 #define PAX_ASLR_DELTA_STACK_LSB PGSHIFT
63 #endif
64 #ifndef PAX_ASLR_DELTA_STACK_LEN
65 #define PAX_ASLR_DELTA_STACK_LEN 12
66 #endif
67
68 #endif /* PAX_ASLR */
69
70 #ifdef PAX_MPROTECT
71 static int pax_mprotect_enabled = 1;
72 static int pax_mprotect_global = PAX_MPROTECT;
73 #endif /* PAX_MPROTECT */
74
75 #ifdef PAX_SEGVGUARD
76 #ifndef PAX_SEGVGUARD_EXPIRY
77 #define PAX_SEGVGUARD_EXPIRY (2 * 60)
78 #endif
79
80 #ifndef PAX_SEGVGUARD_SUSPENSION
81 #define PAX_SEGVGUARD_SUSPENSION (10 * 60)
82 #endif
83
84 #ifndef PAX_SEGVGUARD_MAXCRASHES
85 #define PAX_SEGVGUARD_MAXCRASHES 5
86 #endif
87
88 static int pax_segvguard_enabled = 1;
89 static int pax_segvguard_global = PAX_SEGVGUARD;
90 static int pax_segvguard_expiry = PAX_SEGVGUARD_EXPIRY;
91 static int pax_segvguard_suspension = PAX_SEGVGUARD_SUSPENSION;
92 static int pax_segvguard_maxcrashes = PAX_SEGVGUARD_MAXCRASHES;
93
94 static fileassoc_t segvguard_id;
95
96 struct pax_segvguard_uid_entry {
97 uid_t sue_uid;
98 size_t sue_ncrashes;
99 time_t sue_expiry;
100 time_t sue_suspended;
101 LIST_ENTRY(pax_segvguard_uid_entry) sue_list;
102 };
103
104 struct pax_segvguard_entry {
105 LIST_HEAD(, pax_segvguard_uid_entry) segv_uids;
106 };
107
108 static void pax_segvguard_cb(void *);
109 #endif /* PAX_SEGVGUARD */
110
111 /* PaX internal setspecific flags */
112 #define PAX_MPROTECT_EXPLICIT_ENABLE (void *)0x01
113 #define PAX_MPROTECT_EXPLICIT_DISABLE (void *)0x02
114 #define PAX_SEGVGUARD_EXPLICIT_ENABLE (void *)0x03
115 #define PAX_SEGVGUARD_EXPLICIT_DISABLE (void *)0x04
116 #define PAX_ASLR_EXPLICIT_ENABLE (void *)0x05
117 #define PAX_ASLR_EXPLICIT_DISABLE (void *)0x06
118
119 SYSCTL_SETUP(sysctl_security_pax_setup, "sysctl security.pax setup")
120 {
121 const struct sysctlnode *rnode = NULL, *cnode;
122
123 sysctl_createv(clog, 0, NULL, &rnode,
124 CTLFLAG_PERMANENT,
125 CTLTYPE_NODE, "security", NULL,
126 NULL, 0, NULL, 0,
127 CTL_SECURITY, CTL_EOL);
128
129 sysctl_createv(clog, 0, &rnode, &rnode,
130 CTLFLAG_PERMANENT,
131 CTLTYPE_NODE, "pax",
132 SYSCTL_DESCR("PaX (exploit mitigation) features."),
133 NULL, 0, NULL, 0,
134 CTL_CREATE, CTL_EOL);
135
136 cnode = rnode;
137
138 #ifdef PAX_MPROTECT
139 rnode = cnode;
140 sysctl_createv(clog, 0, &rnode, &rnode,
141 CTLFLAG_PERMANENT,
142 CTLTYPE_NODE, "mprotect",
143 SYSCTL_DESCR("mprotect(2) W^X restrictions."),
144 NULL, 0, NULL, 0,
145 CTL_CREATE, CTL_EOL);
146 sysctl_createv(clog, 0, &rnode, NULL,
147 CTLFLAG_PERMANENT|CTLFLAG_READWRITE,
148 CTLTYPE_INT, "enabled",
149 SYSCTL_DESCR("Restrictions enabled."),
150 NULL, 0, &pax_mprotect_enabled, 0,
151 CTL_CREATE, CTL_EOL);
152 sysctl_createv(clog, 0, &rnode, NULL,
153 CTLFLAG_PERMANENT|CTLFLAG_READWRITE,
154 CTLTYPE_INT, "global",
155 SYSCTL_DESCR("When enabled, unless explicitly "
156 "specified, apply restrictions to "
157 "all processes."),
158 NULL, 0, &pax_mprotect_global, 0,
159 CTL_CREATE, CTL_EOL);
160 #endif /* PAX_MPROTECT */
161
162 #ifdef PAX_SEGVGUARD
163 rnode = cnode;
164 sysctl_createv(clog, 0, &rnode, &rnode,
165 CTLFLAG_PERMANENT,
166 CTLTYPE_NODE, "segvguard",
167 SYSCTL_DESCR("PaX segvguard."),
168 NULL, 0, NULL, 0,
169 CTL_CREATE, CTL_EOL);
170 sysctl_createv(clog, 0, &rnode, NULL,
171 CTLFLAG_PERMANENT|CTLFLAG_READWRITE,
172 CTLTYPE_INT, "enabled",
173 SYSCTL_DESCR("segvguard enabled."),
174 NULL, 0, &pax_segvguard_enabled, 0,
175 CTL_CREATE, CTL_EOL);
176 sysctl_createv(clog, 0, &rnode, NULL,
177 CTLFLAG_PERMANENT|CTLFLAG_READWRITE,
178 CTLTYPE_INT, "global",
179 SYSCTL_DESCR("segvguard all programs."),
180 NULL, 0, &pax_segvguard_global, 0,
181 CTL_CREATE, CTL_EOL);
182 sysctl_createv(clog, 0, &rnode, NULL,
183 CTLFLAG_PERMANENT|CTLFLAG_READWRITE,
184 CTLTYPE_INT, "expiry_timeout",
185 SYSCTL_DESCR("Entry expiry timeout (in seconds)."),
186 NULL, 0, &pax_segvguard_expiry, 0,
187 CTL_CREATE, CTL_EOL);
188 sysctl_createv(clog, 0, &rnode, NULL,
189 CTLFLAG_PERMANENT|CTLFLAG_READWRITE,
190 CTLTYPE_INT, "suspend_timeout",
191 SYSCTL_DESCR("Entry suspension timeout (in seconds)."),
192 NULL, 0, &pax_segvguard_suspension, 0,
193 CTL_CREATE, CTL_EOL);
194 sysctl_createv(clog, 0, &rnode, NULL,
195 CTLFLAG_PERMANENT|CTLFLAG_READWRITE,
196 CTLTYPE_INT, "max_crashes",
197 SYSCTL_DESCR("Max number of crashes before expiry."),
198 NULL, 0, &pax_segvguard_maxcrashes, 0,
199 CTL_CREATE, CTL_EOL);
200 #endif /* PAX_SEGVGUARD */
201
202 #ifdef PAX_ASLR
203 rnode = cnode;
204 sysctl_createv(clog, 0, &rnode, &rnode,
205 CTLFLAG_PERMANENT,
206 CTLTYPE_NODE, "aslr",
207 SYSCTL_DESCR("Address Space Layout Randomization."),
208 NULL, 0, NULL, 0,
209 CTL_CREATE, CTL_EOL);
210 sysctl_createv(clog, 0, &rnode, NULL,
211 CTLFLAG_PERMANENT|CTLFLAG_READWRITE,
212 CTLTYPE_INT, "enabled",
213 SYSCTL_DESCR("Restrictions enabled."),
214 NULL, 0, &pax_aslr_enabled, 0,
215 CTL_CREATE, CTL_EOL);
216 sysctl_createv(clog, 0, &rnode, NULL,
217 CTLFLAG_PERMANENT|CTLFLAG_READWRITE,
218 CTLTYPE_INT, "global",
219 SYSCTL_DESCR("When enabled, unless explicitly "
220 "specified, apply to all processes."),
221 NULL, 0, &pax_aslr_global, 0,
222 CTL_CREATE, CTL_EOL);
223 sysctl_createv(clog, 0, &rnode, NULL,
224 CTLFLAG_PERMANENT|CTLFLAG_IMMEDIATE,
225 CTLTYPE_INT, "mmap_len",
226 SYSCTL_DESCR("Number of bits randomized for "
227 "mmap(2) calls."),
228 NULL, PAX_ASLR_DELTA_MMAP_LEN, NULL, 0,
229 CTL_CREATE, CTL_EOL);
230 sysctl_createv(clog, 0, &rnode, NULL,
231 CTLFLAG_PERMANENT|CTLFLAG_IMMEDIATE,
232 CTLTYPE_INT, "stack_len",
233 SYSCTL_DESCR("Number of bits randomized for "
234 "the stack."),
235 NULL, PAX_ASLR_DELTA_STACK_LEN, NULL, 0,
236 CTL_CREATE, CTL_EOL);
237 sysctl_createv(clog, 0, &rnode, NULL,
238 CTLFLAG_PERMANENT|CTLFLAG_IMMEDIATE,
239 CTLTYPE_INT, "exec_len",
240 SYSCTL_DESCR("Number of bits randomized for "
241 "the PIE exec base."),
242 NULL, PAX_ASLR_DELTA_EXEC_LEN, NULL, 0,
243 CTL_CREATE, CTL_EOL);
244
245 #endif /* PAX_ASLR */
246 }
247
248 /*
249 * Initialize PaX.
250 */
251 void
252 pax_init(void)
253 {
254 #ifdef PAX_SEGVGUARD
255 int error;
256 #endif /* PAX_SEGVGUARD */
257
258 #ifdef PAX_SEGVGUARD
259 error = fileassoc_register("segvguard", pax_segvguard_cb,
260 &segvguard_id);
261 if (error) {
262 panic("pax_init: segvguard_id: error=%d\n", error);
263 }
264 #endif /* PAX_SEGVGUARD */
265 }
266
267 #ifdef PAX_MPROTECT
268 void
269 pax_mprotect(struct lwp *l, vm_prot_t *prot, vm_prot_t *maxprot)
270 {
271 uint32_t f;
272
273 if (!pax_mprotect_enabled)
274 return;
275
276 f = l->l_proc->p_pax;
277 if ((pax_mprotect_global && (f & ELF_NOTE_PAX_NOMPROTECT) != 0) ||
278 (!pax_mprotect_global && (f & ELF_NOTE_PAX_MPROTECT) == 0))
279 return;
280
281 if ((*prot & (VM_PROT_WRITE|VM_PROT_EXECUTE)) != VM_PROT_EXECUTE) {
282 *prot &= ~VM_PROT_EXECUTE;
283 *maxprot &= ~VM_PROT_EXECUTE;
284 } else {
285 *prot &= ~VM_PROT_WRITE;
286 *maxprot &= ~VM_PROT_WRITE;
287 }
288 }
289 #endif /* PAX_MPROTECT */
290
291 #ifdef PAX_ASLR
292 bool
293 pax_aslr_active(struct lwp *l)
294 {
295 uint32_t f;
296
297 if (!pax_aslr_enabled)
298 return false;
299
300 f = l->l_proc->p_pax;
301 if ((pax_aslr_global && (f & ELF_NOTE_PAX_NOASLR) != 0) ||
302 (!pax_aslr_global && (f & ELF_NOTE_PAX_ASLR) == 0))
303 return false;
304 return true;
305 }
306
307 void
308 pax_aslr_init(struct lwp *l, struct vmspace *vm)
309 {
310 if (!pax_aslr_active(l))
311 return;
312
313 vm->vm_aslr_delta_mmap = PAX_ASLR_DELTA(arc4random(),
314 PAX_ASLR_DELTA_MMAP_LSB, PAX_ASLR_DELTA_MMAP_LEN);
315 }
316
317 void
318 pax_aslr(struct lwp *l, vaddr_t *addr, vaddr_t orig_addr, int f)
319 {
320 if (!pax_aslr_active(l))
321 return;
322
323 if (!(f & MAP_FIXED) && ((orig_addr == 0) || !(f & MAP_ANON))) {
324 #ifdef DEBUG_ASLR
325 uprintf("applying to 0x%lx orig_addr=0x%lx f=%x\n",
326 (unsigned long)*addr, (unsigned long)orig_addr, f);
327 #endif
328 if (!(l->l_proc->p_vmspace->vm_map.flags & VM_MAP_TOPDOWN))
329 *addr += l->l_proc->p_vmspace->vm_aslr_delta_mmap;
330 else
331 *addr -= l->l_proc->p_vmspace->vm_aslr_delta_mmap;
332 #ifdef DEBUG_ASLR
333 uprintf("result 0x%lx\n", *addr);
334 #endif
335 }
336 #ifdef DEBUG_ASLR
337 else
338 uprintf("not applying to 0x%lx orig_addr=0x%lx f=%x\n",
339 (unsigned long)*addr, (unsigned long)orig_addr, f);
340 #endif
341 }
342
343 void
344 pax_aslr_stack(struct lwp *l, struct exec_package *epp, u_long *max_stack_size)
345 {
346 if (pax_aslr_active(l)) {
347 u_long d = PAX_ASLR_DELTA(arc4random(),
348 PAX_ASLR_DELTA_STACK_LSB,
349 PAX_ASLR_DELTA_STACK_LEN);
350 #ifdef DEBUG_ASLR
351 uprintf("stack 0x%lx d=0x%lx 0x%lx\n",
352 epp->ep_minsaddr, d, epp->ep_minsaddr - d);
353 #endif
354 epp->ep_minsaddr -= d;
355 *max_stack_size -= d;
356 if (epp->ep_ssize > *max_stack_size)
357 epp->ep_ssize = *max_stack_size;
358 }
359 }
360 #endif /* PAX_ASLR */
361
362 #ifdef PAX_SEGVGUARD
363 static void
364 pax_segvguard_cb(void *v)
365 {
366 struct pax_segvguard_entry *p;
367 struct pax_segvguard_uid_entry *up;
368
369 if (v == NULL)
370 return;
371
372 p = v;
373 while ((up = LIST_FIRST(&p->segv_uids)) != NULL) {
374 LIST_REMOVE(up, sue_list);
375 free(up, M_TEMP);
376 }
377
378 free(v, M_TEMP);
379 }
380
381 /*
382 * Called when a process of image vp generated a segfault.
383 */
384 int
385 pax_segvguard(struct lwp *l, struct vnode *vp, const char *name,
386 bool crashed)
387 {
388 struct pax_segvguard_entry *p;
389 struct pax_segvguard_uid_entry *up;
390 struct timeval tv;
391 uid_t uid;
392 uint32_t f;
393 bool have_uid;
394
395 if (!pax_segvguard_enabled)
396 return (0);
397
398 f = l->l_proc->p_pax;
399 if ((pax_segvguard_global && (f & ELF_NOTE_PAX_NOGUARD) != 0) ||
400 (!pax_segvguard_global && (f & ELF_NOTE_PAX_GUARD) == 0))
401 return (0);
402
403 if (vp == NULL)
404 return (EFAULT);
405
406 /* Check if we already monitor the file. */
407 p = fileassoc_lookup(vp, segvguard_id);
408
409 /* Fast-path if starting a program we don't know. */
410 if (p == NULL && !crashed)
411 return (0);
412
413 microtime(&tv);
414
415 /*
416 * If a program we don't know crashed, we need to create a new entry
417 * for it.
418 */
419 if (p == NULL) {
420 p = malloc(sizeof(*p), M_TEMP, M_WAITOK);
421 fileassoc_add(vp, segvguard_id, p);
422 LIST_INIT(&p->segv_uids);
423
424 /*
425 * Initialize a new entry with "crashes so far" of 1.
426 * The expiry time is when we purge the entry if it didn't
427 * reach the limit.
428 */
429 up = malloc(sizeof(*up), M_TEMP, M_WAITOK);
430 up->sue_uid = kauth_cred_getuid(l->l_cred);
431 up->sue_ncrashes = 1;
432 up->sue_expiry = tv.tv_sec + pax_segvguard_expiry;
433 up->sue_suspended = 0;
434
435 LIST_INSERT_HEAD(&p->segv_uids, up, sue_list);
436
437 return (0);
438 }
439
440 /*
441 * A program we "know" either executed or crashed again.
442 * See if it's a culprit we're familiar with.
443 */
444 uid = kauth_cred_getuid(l->l_cred);
445 have_uid = false;
446 LIST_FOREACH(up, &p->segv_uids, sue_list) {
447 if (up->sue_uid == uid) {
448 have_uid = true;
449 break;
450 }
451 }
452
453 /*
454 * It's someone else. Add an entry for him if we crashed.
455 */
456 if (!have_uid) {
457 if (crashed) {
458 up = malloc(sizeof(*up), M_TEMP, M_WAITOK);
459 up->sue_uid = uid;
460 up->sue_ncrashes = 1;
461 up->sue_expiry = tv.tv_sec + pax_segvguard_expiry;
462 up->sue_suspended = 0;
463
464 LIST_INSERT_HEAD(&p->segv_uids, up, sue_list);
465 }
466
467 return (0);
468 }
469
470 if (crashed) {
471 /* Check if timer on previous crashes expired first. */
472 if (up->sue_expiry < tv.tv_sec) {
473 log(LOG_INFO, "PaX Segvguard: [%s] Suspension"
474 " expired.\n", name ? name : "unknown");
475
476 up->sue_ncrashes = 1;
477 up->sue_expiry = tv.tv_sec + pax_segvguard_expiry;
478 up->sue_suspended = 0;
479
480 return (0);
481 }
482
483 up->sue_ncrashes++;
484
485 if (up->sue_ncrashes >= pax_segvguard_maxcrashes) {
486 log(LOG_ALERT, "PaX Segvguard: [%s] Suspending "
487 "execution for %d seconds after %zu crashes.\n",
488 name ? name : "unknown", pax_segvguard_suspension,
489 up->sue_ncrashes);
490
491 /* Suspend this program for a while. */
492 up->sue_suspended = tv.tv_sec + pax_segvguard_suspension;
493 up->sue_ncrashes = 0;
494 up->sue_expiry = 0;
495 }
496 } else {
497 /* Are we supposed to be suspended? */
498 if (up->sue_suspended > tv.tv_sec) {
499 log(LOG_ALERT, "PaX Segvguard: [%s] Preventing "
500 "execution due to repeated segfaults.\n", name ?
501 name : "unknown");
502
503 return (EPERM);
504 }
505 }
506
507 return (0);
508 }
509 #endif /* PAX_SEGVGUARD */
Cache object: b4951cec1d94d810693139540f3116f8
|