Now available: The Design and Implementation of the FreeBSD Operating System (Second Edition)
[ source navigation ] [ diff markup ] [ identifier search ] [ freetext search ] [ file search ] [ list types ] [ track identifier ]
FreeBSD/Linux Kernel Cross Reference
sys/kern/kern_pax.c
Version:
- FREEBSD - FREEBSD-13-STABLE - FREEBSD-13-0 - FREEBSD-12-STABLE - FREEBSD-12-0 - FREEBSD-11-STABLE - FREEBSD-11-0 - FREEBSD-10-STABLE - FREEBSD-10-0 - FREEBSD-9-STABLE - FREEBSD-9-0 - FREEBSD-8-STABLE - FREEBSD-8-0 - FREEBSD-7-STABLE - FREEBSD-7-0 - FREEBSD-6-STABLE - FREEBSD-6-0 - FREEBSD-5-STABLE - FREEBSD-5-0 - FREEBSD-4-STABLE - FREEBSD-3-STABLE - FREEBSD22 - l41 - OPENBSD - linux-2.6 - MK84 - PLAN9 - xnu-8792
SearchContext: - none - 3 - 10
SearchContext: - none - 3 - 10
1 /* $NetBSD: kern_pax.c,v 1.22.8.1 2010/08/31 10:55:00 bouyer Exp $ */ 2 3 /*- 4 * Copyright (c) 2006 Elad Efrat <elad@NetBSD.org> 5 * All rights reserved. 6 * 7 * Redistribution and use in source and binary forms, with or without 8 * modification, are permitted provided that the following conditions 9 * are met: 10 * 1. Redistributions of source code must retain the above copyright 11 * notice, this list of conditions and the following disclaimer. 12 * 2. Redistributions in binary form must reproduce the above copyright 13 * notice, this list of conditions and the following disclaimer in the 14 * documentation and/or other materials provided with the distribution. 15 * 3. The name of the author may not be used to endorse or promote products 16 * derived from this software without specific prior written permission. 17 * 18 * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR 19 * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES 20 * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. 21 * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, 22 * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT 23 * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, 24 * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY 25 * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT 26 * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF 27 * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. 28 */ 29 30 #include <sys/cdefs.h> 31 __KERNEL_RCSID(0, "$NetBSD: kern_pax.c,v 1.22.8.1 2010/08/31 10:55:00 bouyer Exp $"); 32 33 #include "opt_pax.h" 34 35 #include <sys/param.h> 36 #include <sys/proc.h> 37 #include <sys/exec_elf.h> 38 #include <sys/pax.h> 39 #include <sys/sysctl.h> 40 #include <sys/malloc.h> 41 #include <sys/fileassoc.h> 42 #include <sys/syslog.h> 43 #include <sys/vnode.h> 44 #include <sys/queue.h> 45 #include <sys/kauth.h> 46 47 #ifdef PAX_ASLR 48 #include <sys/mman.h> 49 #include <sys/rnd.h> 50 #include <sys/exec.h> 51 52 int pax_aslr_enabled = 1; 53 int pax_aslr_global = PAX_ASLR; 54 55 #ifndef PAX_ASLR_DELTA_MMAP_LSB 56 #define PAX_ASLR_DELTA_MMAP_LSB PGSHIFT 57 #endif 58 #ifndef PAX_ASLR_DELTA_MMAP_LEN 59 #define PAX_ASLR_DELTA_MMAP_LEN ((sizeof(void *) * NBBY) / 2) 60 #endif 61 #ifndef PAX_ASLR_DELTA_STACK_LSB 62 #define PAX_ASLR_DELTA_STACK_LSB PGSHIFT 63 #endif 64 #ifndef PAX_ASLR_DELTA_STACK_LEN 65 #define PAX_ASLR_DELTA_STACK_LEN 12 66 #endif 67 68 #endif /* PAX_ASLR */ 69 70 #ifdef PAX_MPROTECT 71 static int pax_mprotect_enabled = 1; 72 static int pax_mprotect_global = PAX_MPROTECT; 73 #endif /* PAX_MPROTECT */ 74 75 #ifdef PAX_SEGVGUARD 76 #ifndef PAX_SEGVGUARD_EXPIRY 77 #define PAX_SEGVGUARD_EXPIRY (2 * 60) 78 #endif 79 80 #ifndef PAX_SEGVGUARD_SUSPENSION 81 #define PAX_SEGVGUARD_SUSPENSION (10 * 60) 82 #endif 83 84 #ifndef PAX_SEGVGUARD_MAXCRASHES 85 #define PAX_SEGVGUARD_MAXCRASHES 5 86 #endif 87 88 static int pax_segvguard_enabled = 1; 89 static int pax_segvguard_global = PAX_SEGVGUARD; 90 static int pax_segvguard_expiry = PAX_SEGVGUARD_EXPIRY; 91 static int pax_segvguard_suspension = PAX_SEGVGUARD_SUSPENSION; 92 static int pax_segvguard_maxcrashes = PAX_SEGVGUARD_MAXCRASHES; 93 94 static fileassoc_t segvguard_id; 95 96 struct pax_segvguard_uid_entry { 97 uid_t sue_uid; 98 size_t sue_ncrashes; 99 time_t sue_expiry; 100 time_t sue_suspended; 101 LIST_ENTRY(pax_segvguard_uid_entry) sue_list; 102 }; 103 104 struct pax_segvguard_entry { 105 LIST_HEAD(, pax_segvguard_uid_entry) segv_uids; 106 }; 107 108 static void pax_segvguard_cb(void *); 109 #endif /* PAX_SEGVGUARD */ 110 111 /* PaX internal setspecific flags */ 112 #define PAX_MPROTECT_EXPLICIT_ENABLE (void *)0x01 113 #define PAX_MPROTECT_EXPLICIT_DISABLE (void *)0x02 114 #define PAX_SEGVGUARD_EXPLICIT_ENABLE (void *)0x03 115 #define PAX_SEGVGUARD_EXPLICIT_DISABLE (void *)0x04 116 #define PAX_ASLR_EXPLICIT_ENABLE (void *)0x05 117 #define PAX_ASLR_EXPLICIT_DISABLE (void *)0x06 118 119 SYSCTL_SETUP(sysctl_security_pax_setup, "sysctl security.pax setup") 120 { 121 const struct sysctlnode *rnode = NULL, *cnode; 122 123 sysctl_createv(clog, 0, NULL, &rnode, 124 CTLFLAG_PERMANENT, 125 CTLTYPE_NODE, "security", NULL, 126 NULL, 0, NULL, 0, 127 CTL_SECURITY, CTL_EOL); 128 129 sysctl_createv(clog, 0, &rnode, &rnode, 130 CTLFLAG_PERMANENT, 131 CTLTYPE_NODE, "pax", 132 SYSCTL_DESCR("PaX (exploit mitigation) features."), 133 NULL, 0, NULL, 0, 134 CTL_CREATE, CTL_EOL); 135 136 cnode = rnode; 137 138 #ifdef PAX_MPROTECT 139 rnode = cnode; 140 sysctl_createv(clog, 0, &rnode, &rnode, 141 CTLFLAG_PERMANENT, 142 CTLTYPE_NODE, "mprotect", 143 SYSCTL_DESCR("mprotect(2) W^X restrictions."), 144 NULL, 0, NULL, 0, 145 CTL_CREATE, CTL_EOL); 146 sysctl_createv(clog, 0, &rnode, NULL, 147 CTLFLAG_PERMANENT|CTLFLAG_READWRITE, 148 CTLTYPE_INT, "enabled", 149 SYSCTL_DESCR("Restrictions enabled."), 150 NULL, 0, &pax_mprotect_enabled, 0, 151 CTL_CREATE, CTL_EOL); 152 sysctl_createv(clog, 0, &rnode, NULL, 153 CTLFLAG_PERMANENT|CTLFLAG_READWRITE, 154 CTLTYPE_INT, "global", 155 SYSCTL_DESCR("When enabled, unless explicitly " 156 "specified, apply restrictions to " 157 "all processes."), 158 NULL, 0, &pax_mprotect_global, 0, 159 CTL_CREATE, CTL_EOL); 160 #endif /* PAX_MPROTECT */ 161 162 #ifdef PAX_SEGVGUARD 163 rnode = cnode; 164 sysctl_createv(clog, 0, &rnode, &rnode, 165 CTLFLAG_PERMANENT, 166 CTLTYPE_NODE, "segvguard", 167 SYSCTL_DESCR("PaX segvguard."), 168 NULL, 0, NULL, 0, 169 CTL_CREATE, CTL_EOL); 170 sysctl_createv(clog, 0, &rnode, NULL, 171 CTLFLAG_PERMANENT|CTLFLAG_READWRITE, 172 CTLTYPE_INT, "enabled", 173 SYSCTL_DESCR("segvguard enabled."), 174 NULL, 0, &pax_segvguard_enabled, 0, 175 CTL_CREATE, CTL_EOL); 176 sysctl_createv(clog, 0, &rnode, NULL, 177 CTLFLAG_PERMANENT|CTLFLAG_READWRITE, 178 CTLTYPE_INT, "global", 179 SYSCTL_DESCR("segvguard all programs."), 180 NULL, 0, &pax_segvguard_global, 0, 181 CTL_CREATE, CTL_EOL); 182 sysctl_createv(clog, 0, &rnode, NULL, 183 CTLFLAG_PERMANENT|CTLFLAG_READWRITE, 184 CTLTYPE_INT, "expiry_timeout", 185 SYSCTL_DESCR("Entry expiry timeout (in seconds)."), 186 NULL, 0, &pax_segvguard_expiry, 0, 187 CTL_CREATE, CTL_EOL); 188 sysctl_createv(clog, 0, &rnode, NULL, 189 CTLFLAG_PERMANENT|CTLFLAG_READWRITE, 190 CTLTYPE_INT, "suspend_timeout", 191 SYSCTL_DESCR("Entry suspension timeout (in seconds)."), 192 NULL, 0, &pax_segvguard_suspension, 0, 193 CTL_CREATE, CTL_EOL); 194 sysctl_createv(clog, 0, &rnode, NULL, 195 CTLFLAG_PERMANENT|CTLFLAG_READWRITE, 196 CTLTYPE_INT, "max_crashes", 197 SYSCTL_DESCR("Max number of crashes before expiry."), 198 NULL, 0, &pax_segvguard_maxcrashes, 0, 199 CTL_CREATE, CTL_EOL); 200 #endif /* PAX_SEGVGUARD */ 201 202 #ifdef PAX_ASLR 203 rnode = cnode; 204 sysctl_createv(clog, 0, &rnode, &rnode, 205 CTLFLAG_PERMANENT, 206 CTLTYPE_NODE, "aslr", 207 SYSCTL_DESCR("Address Space Layout Randomization."), 208 NULL, 0, NULL, 0, 209 CTL_CREATE, CTL_EOL); 210 sysctl_createv(clog, 0, &rnode, NULL, 211 CTLFLAG_PERMANENT|CTLFLAG_READWRITE, 212 CTLTYPE_INT, "enabled", 213 SYSCTL_DESCR("Restrictions enabled."), 214 NULL, 0, &pax_aslr_enabled, 0, 215 CTL_CREATE, CTL_EOL); 216 sysctl_createv(clog, 0, &rnode, NULL, 217 CTLFLAG_PERMANENT|CTLFLAG_READWRITE, 218 CTLTYPE_INT, "global", 219 SYSCTL_DESCR("When enabled, unless explicitly " 220 "specified, apply to all processes."), 221 NULL, 0, &pax_aslr_global, 0, 222 CTL_CREATE, CTL_EOL); 223 sysctl_createv(clog, 0, &rnode, NULL, 224 CTLFLAG_PERMANENT|CTLFLAG_IMMEDIATE, 225 CTLTYPE_INT, "mmap_len", 226 SYSCTL_DESCR("Number of bits randomized for " 227 "mmap(2) calls."), 228 NULL, PAX_ASLR_DELTA_MMAP_LEN, NULL, 0, 229 CTL_CREATE, CTL_EOL); 230 sysctl_createv(clog, 0, &rnode, NULL, 231 CTLFLAG_PERMANENT|CTLFLAG_IMMEDIATE, 232 CTLTYPE_INT, "stack_len", 233 SYSCTL_DESCR("Number of bits randomized for " 234 "the stack."), 235 NULL, PAX_ASLR_DELTA_STACK_LEN, NULL, 0, 236 CTL_CREATE, CTL_EOL); 237 sysctl_createv(clog, 0, &rnode, NULL, 238 CTLFLAG_PERMANENT|CTLFLAG_IMMEDIATE, 239 CTLTYPE_INT, "exec_len", 240 SYSCTL_DESCR("Number of bits randomized for " 241 "the PIE exec base."), 242 NULL, PAX_ASLR_DELTA_EXEC_LEN, NULL, 0, 243 CTL_CREATE, CTL_EOL); 244 245 #endif /* PAX_ASLR */ 246 } 247 248 /* 249 * Initialize PaX. 250 */ 251 void 252 pax_init(void) 253 { 254 #ifdef PAX_SEGVGUARD 255 int error; 256 #endif /* PAX_SEGVGUARD */ 257 258 #ifdef PAX_SEGVGUARD 259 error = fileassoc_register("segvguard", pax_segvguard_cb, 260 &segvguard_id); 261 if (error) { 262 panic("pax_init: segvguard_id: error=%d\n", error); 263 } 264 #endif /* PAX_SEGVGUARD */ 265 } 266 267 #ifdef PAX_MPROTECT 268 void 269 pax_mprotect(struct lwp *l, vm_prot_t *prot, vm_prot_t *maxprot) 270 { 271 uint32_t f; 272 273 if (!pax_mprotect_enabled) 274 return; 275 276 f = l->l_proc->p_pax; 277 if ((pax_mprotect_global && (f & ELF_NOTE_PAX_NOMPROTECT) != 0) || 278 (!pax_mprotect_global && (f & ELF_NOTE_PAX_MPROTECT) == 0)) 279 return; 280 281 if ((*prot & (VM_PROT_WRITE|VM_PROT_EXECUTE)) != VM_PROT_EXECUTE) { 282 *prot &= ~VM_PROT_EXECUTE; 283 *maxprot &= ~VM_PROT_EXECUTE; 284 } else { 285 *prot &= ~VM_PROT_WRITE; 286 *maxprot &= ~VM_PROT_WRITE; 287 } 288 } 289 #endif /* PAX_MPROTECT */ 290 291 #ifdef PAX_ASLR 292 bool 293 pax_aslr_active(struct lwp *l) 294 { 295 uint32_t f; 296 297 if (!pax_aslr_enabled) 298 return false; 299 300 f = l->l_proc->p_pax; 301 if ((pax_aslr_global && (f & ELF_NOTE_PAX_NOASLR) != 0) || 302 (!pax_aslr_global && (f & ELF_NOTE_PAX_ASLR) == 0)) 303 return false; 304 return true; 305 } 306 307 void 308 pax_aslr_init(struct lwp *l, struct vmspace *vm) 309 { 310 if (!pax_aslr_active(l)) 311 return; 312 313 vm->vm_aslr_delta_mmap = PAX_ASLR_DELTA(arc4random(), 314 PAX_ASLR_DELTA_MMAP_LSB, PAX_ASLR_DELTA_MMAP_LEN); 315 } 316 317 void 318 pax_aslr(struct lwp *l, vaddr_t *addr, vaddr_t orig_addr, int f) 319 { 320 if (!pax_aslr_active(l)) 321 return; 322 323 if (!(f & MAP_FIXED) && ((orig_addr == 0) || !(f & MAP_ANON))) { 324 #ifdef DEBUG_ASLR 325 uprintf("applying to 0x%lx orig_addr=0x%lx f=%x\n", 326 (unsigned long)*addr, (unsigned long)orig_addr, f); 327 #endif 328 if (!(l->l_proc->p_vmspace->vm_map.flags & VM_MAP_TOPDOWN)) 329 *addr += l->l_proc->p_vmspace->vm_aslr_delta_mmap; 330 else 331 *addr -= l->l_proc->p_vmspace->vm_aslr_delta_mmap; 332 #ifdef DEBUG_ASLR 333 uprintf("result 0x%lx\n", *addr); 334 #endif 335 } 336 #ifdef DEBUG_ASLR 337 else 338 uprintf("not applying to 0x%lx orig_addr=0x%lx f=%x\n", 339 (unsigned long)*addr, (unsigned long)orig_addr, f); 340 #endif 341 } 342 343 void 344 pax_aslr_stack(struct lwp *l, struct exec_package *epp, u_long *max_stack_size) 345 { 346 if (pax_aslr_active(l)) { 347 u_long d = PAX_ASLR_DELTA(arc4random(), 348 PAX_ASLR_DELTA_STACK_LSB, 349 PAX_ASLR_DELTA_STACK_LEN); 350 #ifdef DEBUG_ASLR 351 uprintf("stack 0x%lx d=0x%lx 0x%lx\n", 352 epp->ep_minsaddr, d, epp->ep_minsaddr - d); 353 #endif 354 epp->ep_minsaddr -= d; 355 *max_stack_size -= d; 356 if (epp->ep_ssize > *max_stack_size) 357 epp->ep_ssize = *max_stack_size; 358 } 359 } 360 #endif /* PAX_ASLR */ 361 362 #ifdef PAX_SEGVGUARD 363 static void 364 pax_segvguard_cb(void *v) 365 { 366 struct pax_segvguard_entry *p; 367 struct pax_segvguard_uid_entry *up; 368 369 if (v == NULL) 370 return; 371 372 p = v; 373 while ((up = LIST_FIRST(&p->segv_uids)) != NULL) { 374 LIST_REMOVE(up, sue_list); 375 free(up, M_TEMP); 376 } 377 378 free(v, M_TEMP); 379 } 380 381 /* 382 * Called when a process of image vp generated a segfault. 383 */ 384 int 385 pax_segvguard(struct lwp *l, struct vnode *vp, const char *name, 386 bool crashed) 387 { 388 struct pax_segvguard_entry *p; 389 struct pax_segvguard_uid_entry *up; 390 struct timeval tv; 391 uid_t uid; 392 uint32_t f; 393 bool have_uid; 394 395 if (!pax_segvguard_enabled) 396 return (0); 397 398 f = l->l_proc->p_pax; 399 if ((pax_segvguard_global && (f & ELF_NOTE_PAX_NOGUARD) != 0) || 400 (!pax_segvguard_global && (f & ELF_NOTE_PAX_GUARD) == 0)) 401 return (0); 402 403 if (vp == NULL) 404 return (EFAULT); 405 406 /* Check if we already monitor the file. */ 407 p = fileassoc_lookup(vp, segvguard_id); 408 409 /* Fast-path if starting a program we don't know. */ 410 if (p == NULL && !crashed) 411 return (0); 412 413 microtime(&tv); 414 415 /* 416 * If a program we don't know crashed, we need to create a new entry 417 * for it. 418 */ 419 if (p == NULL) { 420 p = malloc(sizeof(*p), M_TEMP, M_WAITOK); 421 fileassoc_add(vp, segvguard_id, p); 422 LIST_INIT(&p->segv_uids); 423 424 /* 425 * Initialize a new entry with "crashes so far" of 1. 426 * The expiry time is when we purge the entry if it didn't 427 * reach the limit. 428 */ 429 up = malloc(sizeof(*up), M_TEMP, M_WAITOK); 430 up->sue_uid = kauth_cred_getuid(l->l_cred); 431 up->sue_ncrashes = 1; 432 up->sue_expiry = tv.tv_sec + pax_segvguard_expiry; 433 up->sue_suspended = 0; 434 435 LIST_INSERT_HEAD(&p->segv_uids, up, sue_list); 436 437 return (0); 438 } 439 440 /* 441 * A program we "know" either executed or crashed again. 442 * See if it's a culprit we're familiar with. 443 */ 444 uid = kauth_cred_getuid(l->l_cred); 445 have_uid = false; 446 LIST_FOREACH(up, &p->segv_uids, sue_list) { 447 if (up->sue_uid == uid) { 448 have_uid = true; 449 break; 450 } 451 } 452 453 /* 454 * It's someone else. Add an entry for him if we crashed. 455 */ 456 if (!have_uid) { 457 if (crashed) { 458 up = malloc(sizeof(*up), M_TEMP, M_WAITOK); 459 up->sue_uid = uid; 460 up->sue_ncrashes = 1; 461 up->sue_expiry = tv.tv_sec + pax_segvguard_expiry; 462 up->sue_suspended = 0; 463 464 LIST_INSERT_HEAD(&p->segv_uids, up, sue_list); 465 } 466 467 return (0); 468 } 469 470 if (crashed) { 471 /* Check if timer on previous crashes expired first. */ 472 if (up->sue_expiry < tv.tv_sec) { 473 log(LOG_INFO, "PaX Segvguard: [%s] Suspension" 474 " expired.\n", name ? name : "unknown"); 475 476 up->sue_ncrashes = 1; 477 up->sue_expiry = tv.tv_sec + pax_segvguard_expiry; 478 up->sue_suspended = 0; 479 480 return (0); 481 } 482 483 up->sue_ncrashes++; 484 485 if (up->sue_ncrashes >= pax_segvguard_maxcrashes) { 486 log(LOG_ALERT, "PaX Segvguard: [%s] Suspending " 487 "execution for %d seconds after %zu crashes.\n", 488 name ? name : "unknown", pax_segvguard_suspension, 489 up->sue_ncrashes); 490 491 /* Suspend this program for a while. */ 492 up->sue_suspended = tv.tv_sec + pax_segvguard_suspension; 493 up->sue_ncrashes = 0; 494 up->sue_expiry = 0; 495 } 496 } else { 497 /* Are we supposed to be suspended? */ 498 if (up->sue_suspended > tv.tv_sec) { 499 log(LOG_ALERT, "PaX Segvguard: [%s] Preventing " 500 "execution due to repeated segfaults.\n", name ? 501 name : "unknown"); 502 503 return (EPERM); 504 } 505 } 506 507 return (0); 508 } 509 #endif /* PAX_SEGVGUARD */
Cache object: b4951cec1d94d810693139540f3116f8
[ source navigation ] [ diff markup ] [ identifier search ] [ freetext search ] [ file search ] [ list types ] [ track identifier ]