1 | /* $NetBSD: kern_pax.c,v 1.57 2016/09/17 02:29:11 christos Exp $ */ |
2 | |
3 | /* |
4 | * Copyright (c) 2015 The NetBSD Foundation, Inc. |
5 | * All rights reserved. |
6 | * |
7 | * This code is derived from software contributed to The NetBSD Foundation |
8 | * by Maxime Villard. |
9 | * |
10 | * Redistribution and use in source and binary forms, with or without |
11 | * modification, are permitted provided that the following conditions |
12 | * are met: |
13 | * 1. Redistributions of source code must retain the above copyright |
14 | * notice, this list of conditions and the following disclaimer. |
15 | * 2. Redistributions in binary form must reproduce the above copyright |
16 | * notice, this list of conditions and the following disclaimer in the |
17 | * documentation and/or other materials provided with the distribution. |
18 | * |
19 | * THIS SOFTWARE IS PROVIDED BY THE NETBSD FOUNDATION, INC. AND CONTRIBUTORS |
20 | * ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED |
21 | * TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR |
22 | * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE FOUNDATION OR CONTRIBUTORS |
23 | * BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR |
24 | * CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF |
25 | * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS |
26 | * INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN |
27 | * CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) |
28 | * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE |
29 | * POSSIBILITY OF SUCH DAMAGE. |
30 | */ |
31 | |
32 | /* |
33 | * Copyright (c) 2006 Elad Efrat <elad@NetBSD.org> |
34 | * All rights reserved. |
35 | * |
36 | * Redistribution and use in source and binary forms, with or without |
37 | * modification, are permitted provided that the following conditions |
38 | * are met: |
39 | * 1. Redistributions of source code must retain the above copyright |
40 | * notice, this list of conditions and the following disclaimer. |
41 | * 2. Redistributions in binary form must reproduce the above copyright |
42 | * notice, this list of conditions and the following disclaimer in the |
43 | * documentation and/or other materials provided with the distribution. |
44 | * 3. The name of the author may not be used to endorse or promote products |
45 | * derived from this software without specific prior written permission. |
46 | * |
47 | * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR |
48 | * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES |
49 | * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. |
50 | * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, |
51 | * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT |
52 | * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, |
53 | * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY |
54 | * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT |
55 | * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF |
56 | * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. |
57 | */ |
58 | |
59 | #include <sys/cdefs.h> |
60 | __KERNEL_RCSID(0, "$NetBSD: kern_pax.c,v 1.57 2016/09/17 02:29:11 christos Exp $" ); |
61 | |
62 | #include "opt_pax.h" |
63 | |
64 | #include <sys/param.h> |
65 | #include <sys/proc.h> |
66 | #include <sys/exec.h> |
67 | #include <sys/exec_elf.h> |
68 | #include <sys/pax.h> |
69 | #include <sys/sysctl.h> |
70 | #include <sys/kmem.h> |
71 | #include <sys/mman.h> |
72 | #include <sys/fileassoc.h> |
73 | #include <sys/syslog.h> |
74 | #include <sys/vnode.h> |
75 | #include <sys/queue.h> |
76 | #include <sys/bitops.h> |
77 | #include <sys/kauth.h> |
78 | #include <sys/cprng.h> |
79 | |
/*
 * Debug trace helper for the ASLR code.  In kernels built with
 * PAX_ASLR_DEBUG it prints via uprintf(9), prefixed with the calling
 * function's name and terminated by a newline the macro adds itself, and
 * only while the security.pax.aslr.debug sysctl (pax_aslr_debug) is set.
 * Without PAX_ASLR_DEBUG it expands to nothing, so its arguments are never
 * evaluated.
 */
#ifdef PAX_ASLR_DEBUG
#define PAX_DPRINTF(_fmt, args...) \
	do if (pax_aslr_debug) uprintf("%s: " _fmt "\n", __func__, ##args); \
	while (/*CONSTCOND*/0)
#else
#define PAX_DPRINTF(_fmt, args...) do {} while (/*CONSTCOND*/0)
#endif
87 | |
#ifdef PAX_ASLR
#include <sys/mman.h>

/* security.pax.aslr.enabled: master switch (see pax_aslr_elf_flags_active). */
int pax_aslr_enabled = 1;
/*
 * security.pax.aslr.global: when set, every image is randomized unless its
 * PaX ELF note opts out (ELF_NOTE_PAX_NOASLR); when clear, only images whose
 * note opts in (ELF_NOTE_PAX_ASLR) are.
 */
int pax_aslr_global = PAX_ASLR;

/*
 * Randomization parameters, overridable from the kernel config.  They are
 * handed to PAX_ASLR_DELTA() (defined outside this file, presumably in
 * <sys/pax.h>) as its lsb/len arguments: the _LSB values give page
 * granularity (PGSHIFT), the _LEN values the number of random bits -- half
 * the address width for mmap, a quarter for the stack (NBBY = bits per
 * byte).  The *32 variants are used for EXEC_32 (compat) images.
 */
#ifndef PAX_ASLR_DELTA_MMAP_LSB
#define PAX_ASLR_DELTA_MMAP_LSB PGSHIFT
#endif
#ifndef PAX_ASLR_DELTA_MMAP_LEN
#define PAX_ASLR_DELTA_MMAP_LEN ((sizeof(void *) * NBBY) / 2)
#endif
#ifndef PAX_ASLR_DELTA_MMAP_LEN32
#define PAX_ASLR_DELTA_MMAP_LEN32 ((sizeof(uint32_t) * NBBY) / 2)
#endif
#ifndef PAX_ASLR_DELTA_STACK_LSB
#define PAX_ASLR_DELTA_STACK_LSB PGSHIFT
#endif
#ifndef PAX_ASLR_DELTA_STACK_LEN
#define PAX_ASLR_DELTA_STACK_LEN ((sizeof(void *) * NBBY) / 4)
#endif
#ifndef PAX_ASLR_DELTA_STACK_LEN32
#define PAX_ASLR_DELTA_STACK_LEN32 ((sizeof(uint32_t) * NBBY) / 4)
#endif
/*
 * Divisor bounding how much stack ASLR may consume: pax_aslr_stack() masks
 * the stack delta to below max_stack_size / 8, and pax_init() lowers maxsmap
 * by the same fraction of MAXSSIZ so the shifted stack still fits.
 */
#define PAX_ASLR_MAX_STACK_WASTE 8

#ifdef PAX_ASLR_DEBUG
/* security.pax.aslr.debug: enables PAX_DPRINTF output. */
int pax_aslr_debug;
/* flag set means disable */
/*
 * security.pax.aslr.flags: a set PAX_ASLR_* bit turns that randomization
 * off; PAX_ASLR_FIXED instead replaces cprng_fast32() with pax_aslr_rand
 * (security.pax.aslr.rand) so layouts are reproducible while debugging.
 */
int pax_aslr_flags;
uint32_t pax_aslr_rand;
#define PAX_ASLR_STACK 0x01
#define PAX_ASLR_STACK_GAP 0x02
#define PAX_ASLR_MMAP 0x04
#define PAX_ASLR_EXEC_OFFSET 0x08
#define PAX_ASLR_RTLD_OFFSET 0x10
#define PAX_ASLR_FIXED 0x20
#endif

static bool pax_aslr_elf_flags_active(uint32_t);
#endif /* PAX_ASLR */
129 | |
#ifdef PAX_MPROTECT
/* security.pax.mprotect.enabled: master switch for the W^X restrictions. */
static int pax_mprotect_enabled = 1;
/*
 * security.pax.mprotect.global: restrict every image unless its PaX ELF note
 * opts out (ELF_NOTE_PAX_NOMPROTECT); when clear, only images that opt in
 * (ELF_NOTE_PAX_MPROTECT) are restricted.
 */
static int pax_mprotect_global = PAX_MPROTECT;
/*
 * security.pax.mprotect.ptrace: 0 leaves traced processes restricted;
 * 1 clears P_PAX_MPROTECT for a process that is traced at exec time
 * (pax_set_flags); 2 additionally makes pax_mprotect_prot() return
 * UVM_EXTRACT_PROT_ALL so the tracer can override page protections.
 */
static int pax_mprotect_ptrace = 1;
static bool pax_mprotect_elf_flags_active(uint32_t);
#endif /* PAX_MPROTECT */
#ifdef PAX_MPROTECT_DEBUG
/* security.pax.mprotect.debug: log each permission pax_mprotect_adjust() strips. */
int pax_mprotect_debug;
#endif
139 | |
#ifdef PAX_SEGVGUARD
/* Defaults for the segvguard tunables, overridable from the kernel config. */
#ifndef PAX_SEGVGUARD_EXPIRY
#define PAX_SEGVGUARD_EXPIRY (2 * 60)
#endif
#ifndef PAX_SEGVGUARD_SUSPENSION
#define PAX_SEGVGUARD_SUSPENSION (10 * 60)
#endif
#ifndef PAX_SEGVGUARD_MAXCRASHES
#define PAX_SEGVGUARD_MAXCRASHES 5
#endif


/* security.pax.segvguard.enabled: master switch. */
static int pax_segvguard_enabled = 1;
/* security.pax.segvguard.global: guard every image unless its ELF note opts out. */
static int pax_segvguard_global = PAX_SEGVGUARD;
/* Seconds a crash record stays valid before its count restarts from 1 (pax_segvguard). */
static int pax_segvguard_expiry = PAX_SEGVGUARD_EXPIRY;
/* Seconds execution is refused once the crash limit is reached. */
static int pax_segvguard_suspension = PAX_SEGVGUARD_SUSPENSION;
/* Crash count inside the expiry window that triggers a suspension. */
static int pax_segvguard_maxcrashes = PAX_SEGVGUARD_MAXCRASHES;

/* fileassoc(9) id under which the per-vnode crash records are stored. */
static fileassoc_t segvguard_id;

/* Crash record of one uid for one executable image. */
struct pax_segvguard_uid_entry {
	uid_t sue_uid;
	size_t sue_ncrashes;	/* crashes seen inside the current expiry window */
	time_t sue_expiry;	/* absolute time after which the count restarts */
	time_t sue_suspended;	/* execution refused until this time; 0 = not suspended */
	LIST_ENTRY(pax_segvguard_uid_entry) sue_list;
};

/* Per-image record attached to the vnode: one uid entry per crashing user. */
struct pax_segvguard_entry {
	LIST_HEAD(, pax_segvguard_uid_entry) segv_uids;
};

static bool pax_segvguard_elf_flags_active(uint32_t);
static void pax_segvguard_cleanup_cb(void *);
#endif /* PAX_SEGVGUARD */
175 | |
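/*
 * Create the security.pax sysctl tree: a "pax" node under CTL_SECURITY with
 * one child node per mitigation compiled into the kernel (mprotect,
 * segvguard, aslr), each carrying its tunables.  Debug knobs only exist in
 * kernels built with the matching *_DEBUG option.
 *
 * Fix: the aslr "debug" description read "Pring"; it now reads "Print".
 */
SYSCTL_SETUP(sysctl_security_pax_setup, "sysctl security.pax setup")
{
	const struct sysctlnode *rnode = NULL, *cnode;

	sysctl_createv(clog, 0, NULL, &rnode,
		       CTLFLAG_PERMANENT,
		       CTLTYPE_NODE, "pax",
		       SYSCTL_DESCR("PaX (exploit mitigation) features."),
		       NULL, 0, NULL, 0,
		       CTL_SECURITY, CTL_CREATE, CTL_EOL);

	/* Keep the "pax" node; rnode is re-pointed at each feature's subtree. */
	cnode = rnode;

#ifdef PAX_MPROTECT
	rnode = cnode;
	sysctl_createv(clog, 0, &rnode, &rnode,
		       CTLFLAG_PERMANENT,
		       CTLTYPE_NODE, "mprotect",
		       SYSCTL_DESCR("mprotect(2) W^X restrictions."),
		       NULL, 0, NULL, 0,
		       CTL_CREATE, CTL_EOL);
	sysctl_createv(clog, 0, &rnode, NULL,
		       CTLFLAG_PERMANENT|CTLFLAG_READWRITE,
		       CTLTYPE_INT, "enabled",
		       SYSCTL_DESCR("Restrictions enabled."),
		       NULL, 0, &pax_mprotect_enabled, 0,
		       CTL_CREATE, CTL_EOL);
	sysctl_createv(clog, 0, &rnode, NULL,
		       CTLFLAG_PERMANENT|CTLFLAG_READWRITE,
		       CTLTYPE_INT, "global",
		       SYSCTL_DESCR("When enabled, unless explicitly "
				    "specified, apply restrictions to "
				    "all processes."),
		       NULL, 0, &pax_mprotect_global, 0,
		       CTL_CREATE, CTL_EOL);
	/*
	 * Levels: 0 keeps traced processes restricted; 1 clears
	 * P_PAX_MPROTECT for traced processes at exec (pax_set_flags);
	 * 2 also lets pax_mprotect_prot() return UVM_EXTRACT_PROT_ALL.
	 */
	sysctl_createv(clog, 0, &rnode, NULL,
		       CTLFLAG_PERMANENT|CTLFLAG_READWRITE,
		       CTLTYPE_INT, "ptrace",
		       SYSCTL_DESCR("When enabled, allow ptrace(2) to "
				    "override mprotect permissions on traced "
				    "processes"),
		       NULL, 0, &pax_mprotect_ptrace, 0,
		       CTL_CREATE, CTL_EOL);
#ifdef PAX_MPROTECT_DEBUG
	sysctl_createv(clog, 0, &rnode, NULL,
		       CTLFLAG_PERMANENT|CTLFLAG_READWRITE,
		       CTLTYPE_INT, "debug",
		       SYSCTL_DESCR("print mprotect changes."),
		       NULL, 0, &pax_mprotect_debug, 0,
		       CTL_CREATE, CTL_EOL);
#endif
#endif /* PAX_MPROTECT */

#ifdef PAX_SEGVGUARD
	rnode = cnode;
	sysctl_createv(clog, 0, &rnode, &rnode,
		       CTLFLAG_PERMANENT,
		       CTLTYPE_NODE, "segvguard",
		       SYSCTL_DESCR("PaX segvguard."),
		       NULL, 0, NULL, 0,
		       CTL_CREATE, CTL_EOL);
	sysctl_createv(clog, 0, &rnode, NULL,
		       CTLFLAG_PERMANENT|CTLFLAG_READWRITE,
		       CTLTYPE_INT, "enabled",
		       SYSCTL_DESCR("segvguard enabled."),
		       NULL, 0, &pax_segvguard_enabled, 0,
		       CTL_CREATE, CTL_EOL);
	sysctl_createv(clog, 0, &rnode, NULL,
		       CTLFLAG_PERMANENT|CTLFLAG_READWRITE,
		       CTLTYPE_INT, "global",
		       SYSCTL_DESCR("segvguard all programs."),
		       NULL, 0, &pax_segvguard_global, 0,
		       CTL_CREATE, CTL_EOL);
	sysctl_createv(clog, 0, &rnode, NULL,
		       CTLFLAG_PERMANENT|CTLFLAG_READWRITE,
		       CTLTYPE_INT, "expiry_timeout",
		       SYSCTL_DESCR("Entry expiry timeout (in seconds)."),
		       NULL, 0, &pax_segvguard_expiry, 0,
		       CTL_CREATE, CTL_EOL);
	sysctl_createv(clog, 0, &rnode, NULL,
		       CTLFLAG_PERMANENT|CTLFLAG_READWRITE,
		       CTLTYPE_INT, "suspend_timeout",
		       SYSCTL_DESCR("Entry suspension timeout (in seconds)."),
		       NULL, 0, &pax_segvguard_suspension, 0,
		       CTL_CREATE, CTL_EOL);
	sysctl_createv(clog, 0, &rnode, NULL,
		       CTLFLAG_PERMANENT|CTLFLAG_READWRITE,
		       CTLTYPE_INT, "max_crashes",
		       SYSCTL_DESCR("Max number of crashes before expiry."),
		       NULL, 0, &pax_segvguard_maxcrashes, 0,
		       CTL_CREATE, CTL_EOL);
#endif /* PAX_SEGVGUARD */

#ifdef PAX_ASLR
	rnode = cnode;
	sysctl_createv(clog, 0, &rnode, &rnode,
		       CTLFLAG_PERMANENT,
		       CTLTYPE_NODE, "aslr",
		       SYSCTL_DESCR("Address Space Layout Randomization."),
		       NULL, 0, NULL, 0,
		       CTL_CREATE, CTL_EOL);
	sysctl_createv(clog, 0, &rnode, NULL,
		       CTLFLAG_PERMANENT|CTLFLAG_READWRITE,
		       CTLTYPE_INT, "enabled",
		       SYSCTL_DESCR("Restrictions enabled."),
		       NULL, 0, &pax_aslr_enabled, 0,
		       CTL_CREATE, CTL_EOL);
	sysctl_createv(clog, 0, &rnode, NULL,
		       CTLFLAG_PERMANENT|CTLFLAG_READWRITE,
		       CTLTYPE_INT, "global",
		       SYSCTL_DESCR("When enabled, unless explicitly "
				    "specified, apply to all processes."),
		       NULL, 0, &pax_aslr_global, 0,
		       CTL_CREATE, CTL_EOL);
#ifdef PAX_ASLR_DEBUG
	sysctl_createv(clog, 0, &rnode, NULL,
		       CTLFLAG_PERMANENT|CTLFLAG_READWRITE,
		       CTLTYPE_INT, "debug",
		       SYSCTL_DESCR("Print ASLR selected addresses."),
		       NULL, 0, &pax_aslr_debug, 0,
		       CTL_CREATE, CTL_EOL);
	/* Bits are the PAX_ASLR_* values above; a set bit disables that part. */
	sysctl_createv(clog, 0, &rnode, NULL,
		       CTLFLAG_PERMANENT|CTLFLAG_READWRITE,
		       CTLTYPE_INT, "flags",
		       SYSCTL_DESCR("Disable/Enable select ASLR features."),
		       NULL, 0, &pax_aslr_flags, 0,
		       CTL_CREATE, CTL_EOL);
	/* Used in place of cprng_fast32() when PAX_ASLR_FIXED is set in flags. */
	sysctl_createv(clog, 0, &rnode, NULL,
		       CTLFLAG_PERMANENT|CTLFLAG_READWRITE,
		       CTLTYPE_INT, "rand",
		       SYSCTL_DESCR("Use the given fixed random value"),
		       NULL, 0, &pax_aslr_rand, 0,
		       CTL_CREATE, CTL_EOL);
#endif
	/*
	 * The bit counts are compile-time constants exposed by value
	 * (CTLFLAG_IMMEDIATE) and without CTLFLAG_READWRITE, so they are
	 * read-only.  PAX_ASLR_DELTA_EXEC_LEN comes from outside this file.
	 */
	sysctl_createv(clog, 0, &rnode, NULL,
		       CTLFLAG_PERMANENT|CTLFLAG_IMMEDIATE,
		       CTLTYPE_INT, "mmap_len",
		       SYSCTL_DESCR("Number of bits randomized for "
				    "mmap(2) calls."),
		       NULL, PAX_ASLR_DELTA_MMAP_LEN, NULL, 0,
		       CTL_CREATE, CTL_EOL);
	sysctl_createv(clog, 0, &rnode, NULL,
		       CTLFLAG_PERMANENT|CTLFLAG_IMMEDIATE,
		       CTLTYPE_INT, "stack_len",
		       SYSCTL_DESCR("Number of bits randomized for "
				    "the stack."),
		       NULL, PAX_ASLR_DELTA_STACK_LEN, NULL, 0,
		       CTL_CREATE, CTL_EOL);
	sysctl_createv(clog, 0, &rnode, NULL,
		       CTLFLAG_PERMANENT|CTLFLAG_IMMEDIATE,
		       CTLTYPE_INT, "exec_len",
		       SYSCTL_DESCR("Number of bits randomized for "
				    "the PIE exec base."),
		       NULL, PAX_ASLR_DELTA_EXEC_LEN, NULL, 0,
		       CTL_CREATE, CTL_EOL);

#endif /* PAX_ASLR */
}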
334 | |
/*
 * Initialize PaX.
 *
 * Registers the segvguard fileassoc(9) hook, panicking on failure since
 * pax_segvguard() depends on segvguard_id, and with ASLR lowers the maximum
 * stack mapping by 1/PAX_ASLR_MAX_STACK_WASTE of MAXSSIZ so that the stack
 * can still be shifted by pax_aslr_stack() without exceeding the limit.
 */
void
pax_init(void)
{
#ifdef PAX_SEGVGUARD
	int rv = fileassoc_register("segvguard", pax_segvguard_cleanup_cb,
	    &segvguard_id);

	if (rv != 0)
		panic("pax_init: segvguard_id: error=%d\n", rv);
#endif /* PAX_SEGVGUARD */
#ifdef PAX_ASLR
	/* Adjust maximum stack by the size we can consume for ASLR */
	extern rlim_t maxsmap;
	maxsmap = MAXSSIZ - (MAXSSIZ / PAX_ASLR_MAX_STACK_WASTE);
	/* XXX: compat32 is not handled. */
#endif
}
357 | |
/*
 * Install the PaX flags computed at exec time (pax_setup_elf_flags) into the
 * process.  With PAX_MPROTECT and security.pax.mprotect.ptrace non-zero, a
 * process that is already being traced loses P_PAX_MPROTECT so the debugger
 * can insert and delete breakpoints.
 */
void
pax_set_flags(struct exec_package *epp, struct proc *p)
{
	uint32_t pax = epp->ep_pax_flags;

#ifdef PAX_MPROTECT
	const bool traced = (p->p_slflag & PSL_TRACED) != 0;

	if (pax_mprotect_ptrace != 0 && traced)
		pax &= ~P_PAX_MPROTECT;
#endif
	p->p_pax = pax;
}
374 | |
/*
 * Translate the PaX ELF note bits of the image being exec'd into P_PAX_*
 * process flags, honouring each feature's "enabled"/"global" sysctls.  The
 * result is stored in epp->ep_pax_flags for pax_set_flags().
 */
void
pax_setup_elf_flags(struct exec_package *epp, uint32_t elf_flags)
{
	uint32_t pax = 0;

#ifdef PAX_ASLR
	pax |= pax_aslr_elf_flags_active(elf_flags) ? P_PAX_ASLR : 0;
#endif
#ifdef PAX_MPROTECT
	pax |= pax_mprotect_elf_flags_active(elf_flags) ? P_PAX_MPROTECT : 0;
#endif
#ifdef PAX_SEGVGUARD
	pax |= pax_segvguard_elf_flags_active(elf_flags) ? P_PAX_GUARD : 0;
#endif

	epp->ep_pax_flags = pax;
}
398 | |
399 | #if defined(PAX_MPROTECT) || defined(PAX_SEGVGUARD) || defined(PAX_ASLR) |
/* Return whether any of the P_PAX_* bits in opt is set in flags. */
static inline bool
pax_flags_active(uint32_t flags, uint32_t opt)
{
	return (flags & opt) != 0;
}
407 | #endif /* PAX_MPROTECT || PAX_SEGVGUARD || PAX_ASLR */ |
408 | |
409 | #ifdef PAX_MPROTECT |
/*
 * Decide from the image's PaX ELF note whether MPROTECT applies.  Off
 * entirely when security.pax.mprotect.enabled is clear; otherwise "global"
 * selects opt-out semantics (the NOMPROTECT bit turns it off) versus opt-in
 * semantics (the MPROTECT bit turns it on).
 */
static bool
pax_mprotect_elf_flags_active(uint32_t flags)
{
	const bool opted_out = (flags & ELF_NOTE_PAX_NOMPROTECT) != 0;
	const bool opted_in = (flags & ELF_NOTE_PAX_MPROTECT) != 0;

	if (!pax_mprotect_enabled)
		return false;
	return pax_mprotect_global ? !opted_out : opted_in;
}
425 | |
/*
 * Enforce W^X on a mapping or protection request of the calling lwp.  If
 * the process has P_PAX_MPROTECT, any request other than execute-only loses
 * VM_PROT_EXECUTE, while an execute-only request loses VM_PROT_WRITE.  The
 * bit is cleared from *maxprot as well as *prot, so it cannot be regained
 * by a later mprotect(2).  With PAX_MPROTECT_DEBUG and
 * security.pax.mprotect.debug set, a stripped permission is logged with the
 * calling file and line.
 */
void
pax_mprotect_adjust(
#ifdef PAX_MPROTECT_DEBUG
    const char *file, size_t line,
#endif
    struct lwp *l, vm_prot_t *prot, vm_prot_t *maxprot)
{
	const uint32_t pax = l->l_proc->p_pax;
	vm_prot_t drop;

	if (!pax_flags_active(pax, P_PAX_MPROTECT))
		return;

	/* Execute-only keeps X and gives up W; everything else gives up X. */
	if ((*prot & (VM_PROT_WRITE|VM_PROT_EXECUTE)) == VM_PROT_EXECUTE)
		drop = VM_PROT_WRITE;
	else
		drop = VM_PROT_EXECUTE;

#ifdef PAX_MPROTECT_DEBUG
	/*
	 * NOTE(review): the "-w" message can never fire, because in the
	 * execute-only case *prot has no write bit; kept as in the original.
	 */
	if (pax_mprotect_debug && (*prot & drop) != 0) {
		struct proc *p = l->l_proc;

		if (drop == VM_PROT_EXECUTE)
			printf("%s: %s,%zu: %d.%d (%s): -x\n",
			    __func__, file, line,
			    p->p_pid, l->l_lid, p->p_comm);
		else
			printf("%s: %s,%zu: %d.%d (%s): -w\n",
			    __func__, file, line,
			    p->p_pid, l->l_lid, p->p_comm);
	}
#endif
	*prot &= ~drop;
	*maxprot &= ~drop;
}
463 | |
/*
 * Bypass MPROTECT for traced processes.
 *
 * Returns the extra protection uvm may grant when extracting pages of this
 * lwp's process: UVM_EXTRACT_PROT_ALL only when the process is under
 * MPROTECT and security.pax.mprotect.ptrace is at least 2 (level 1 merely
 * drops P_PAX_MPROTECT at exec time in pax_set_flags()); otherwise 0.
 */
int
pax_mprotect_prot(struct lwp *l)
{
	const bool restricted = pax_flags_active(l->l_proc->p_pax,
	    P_PAX_MPROTECT);

	if (!restricted || pax_mprotect_ptrace < 2)
		return 0;
	return UVM_EXTRACT_PROT_ALL;
}
479 | |
480 | |
481 | #endif /* PAX_MPROTECT */ |
482 | |
483 | #ifdef PAX_ASLR |
/*
 * Decide from the image's PaX ELF note whether ASLR applies.  Off entirely
 * when security.pax.aslr.enabled is clear; otherwise "global" selects
 * opt-out semantics (the NOASLR bit turns it off) versus opt-in semantics
 * (the ASLR bit turns it on).
 */
static bool
pax_aslr_elf_flags_active(uint32_t flags)
{
	const bool opted_out = (flags & ELF_NOTE_PAX_NOASLR) != 0;
	const bool opted_in = (flags & ELF_NOTE_PAX_ASLR) != 0;

	if (!pax_aslr_enabled)
		return false;
	return pax_aslr_global ? !opted_out : opted_in;
}
499 | |
/*
 * ASLR applies to an exec package only when the image uses a layout we can
 * randomize (EXEC_32 or EXEC_TOPDOWN_VM) and its computed PaX flags carry
 * P_PAX_ASLR.
 */
static bool
pax_aslr_epp_active(struct exec_package *epp)
{
	const bool layout_ok = (epp->ep_flags & (EXEC_32|EXEC_TOPDOWN_VM)) != 0;

	if (__predict_false(!layout_ok))
		return false;
	return pax_flags_active(epp->ep_pax_flags, P_PAX_ASLR);
}
507 | |
/* Whether the process owning lwp l runs with ASLR (P_PAX_ASLR set). */
static bool
pax_aslr_active(struct lwp *l)
{
	struct proc *p = l->l_proc;

	return pax_flags_active(p->p_pax, P_PAX_ASLR);
}
513 | |
/*
 * Choose the per-process mmap(2) randomization delta for a freshly built
 * vmspace.  Skipped unless the process has P_PAX_ASLR and the image is
 * EXEC_32 or top-down.  The delta has PAX_ASLR_DELTA_MMAP_LEN32 random bits
 * for 32-bit images and PAX_ASLR_DELTA_MMAP_LEN otherwise, drawn from
 * cprng_fast32() (or from security.pax.aslr.rand in debug kernels with
 * PAX_ASLR_FIXED set), and is stored in vm->vm_aslr_delta_mmap for
 * pax_aslr_mmap().
 */
void
pax_aslr_init_vm(struct lwp *l, struct vmspace *vm, struct exec_package *ep)
{
	uint32_t nbits, rand;

	if (!pax_aslr_active(l))
		return;

	const bool layout_ok = (ep->ep_flags & (EXEC_32|EXEC_TOPDOWN_VM)) != 0;
	if (__predict_false(!layout_ok))
		return;

#ifdef PAX_ASLR_DEBUG
	if (pax_aslr_flags & PAX_ASLR_MMAP)
		return;
#endif

	nbits = (ep->ep_flags & EXEC_32) != 0 ?
	    PAX_ASLR_DELTA_MMAP_LEN32 : PAX_ASLR_DELTA_MMAP_LEN;

	rand = cprng_fast32();
#ifdef PAX_ASLR_DEBUG
	if (pax_aslr_flags & PAX_ASLR_FIXED)
		rand = pax_aslr_rand;
#endif
	vm->vm_aslr_delta_mmap = PAX_ASLR_DELTA(rand, PAX_ASLR_DELTA_MMAP_LSB,
	    nbits);

	PAX_DPRINTF("delta_mmap=%#jx/%u",
	    (uintmax_t)vm->vm_aslr_delta_mmap, nbits);
}
542 | |
/*
 * Randomize the placement hint of an mmap(2) request for lwp l.  The
 * process's delta (vm_aslr_delta_mmap) is added for bottom-up maps and
 * subtracted for top-down (VM_MAP_TOPDOWN) ones.  MAP_FIXED requests are
 * never touched, and neither are anonymous mappings that supplied a
 * non-zero address hint; file mappings are always shifted.
 */
void
pax_aslr_mmap(struct lwp *l, vaddr_t *addr, vaddr_t orig_addr, int f)
{
	if (!pax_aslr_active(l))
		return;
#ifdef PAX_ASLR_DEBUG
	char buf[256];

	if (pax_aslr_flags & PAX_ASLR_MMAP)
		return;

	if (pax_aslr_debug)
		snprintb(buf, sizeof(buf), MAP_FMT, f);
	else
		buf[0] = '\0';
#endif

	const bool fixed = (f & MAP_FIXED) != 0;
	const bool hinted_anon = orig_addr != 0 && (f & MAP_ANON) != 0;

	if (fixed || hinted_anon) {
		PAX_DPRINTF("not applying to %#jx orig_addr=%#jx f=%s",
		    (uintmax_t)*addr, (uintmax_t)orig_addr, buf);
		return;
	}

	PAX_DPRINTF("applying to %#jx orig_addr=%#jx f=%s",
	    (uintmax_t)*addr, (uintmax_t)orig_addr, buf);

	struct vmspace *vm = l->l_proc->p_vmspace;
	if (vm->vm_map.flags & VM_MAP_TOPDOWN)
		*addr -= vm->vm_aslr_delta_mmap;
	else
		*addr += vm->vm_aslr_delta_mmap;

	PAX_DPRINTF("result %#jx", (uintmax_t)*addr);
}
573 | |
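/*
 * Compute a random load offset for a PIE executable or rtld.  align is the
 * required alignment in bytes (0 meaning one page).  The delta has
 * PAX_ASLR_DELTA_EXEC_LEN random bits above log2(align), is truncated to a
 * multiple of align, and one page is added so the result is never zero.
 * In debug kernels PAX_ASLR_FIXED substitutes security.pax.aslr.rand for
 * the random draw.
 *
 * Fix: the zero-alignment default was PGSHIFT (a shift count), not a byte
 * count.  PAX_TRUNC needs a power-of-two byte alignment to build its mask,
 * and ilog2() of a shift count gives a meaningless bit position, so an
 * align of 0 produced a badly aligned, poorly randomized offset.
 */
static vaddr_t
pax_aslr_offset(vaddr_t align)
{
	size_t pax_align, l2, delta;
	uint32_t rand;
	vaddr_t offset;

	/* Zero means "page aligned"; must be a byte count, not PGSHIFT. */
	pax_align = align == 0 ? PAGE_SIZE : align;
	l2 = ilog2(pax_align);

	rand = cprng_fast32();
#ifdef PAX_ASLR_DEBUG
	if (pax_aslr_flags & PAX_ASLR_FIXED)
		rand = pax_aslr_rand;
#endif

	/* Round a down to a multiple of b; b must be a power of two. */
#define PAX_TRUNC(a, b) ((a) & ~((b) - 1))

	delta = PAX_ASLR_DELTA(rand, l2, PAX_ASLR_DELTA_EXEC_LEN);
	offset = PAX_TRUNC(delta, pax_align) + PAGE_SIZE;

	PAX_DPRINTF("rand=%#x l2=%#zx pax_align=%#zx delta=%#zx offset=%#jx",
	    rand, l2, pax_align, delta, (uintmax_t)offset);

	return offset;
}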
600 | |
/*
 * Load offset for a PIE executable: a random offset aligned to align from
 * pax_aslr_offset() plus one further page, or simply MAX(align, PAGE_SIZE)
 * when ASLR does not apply to this image (or PAX_ASLR_EXEC_OFFSET disables
 * it in a debug kernel).
 */
vaddr_t
pax_aslr_exec_offset(struct exec_package *epp, vaddr_t align)
{
	bool randomize = pax_aslr_epp_active(epp);

#ifdef PAX_ASLR_DEBUG
	if (pax_aslr_flags & PAX_ASLR_EXEC_OFFSET)
		randomize = false;
#endif
	if (!randomize)
		return MAX(align, PAGE_SIZE);
	return pax_aslr_offset(align) + PAGE_SIZE;
}
615 | |
/*
 * Load offset for the run-time linker: 0 when ASLR does not apply to this
 * image (or PAX_ASLR_RTLD_OFFSET disables it in a debug kernel), otherwise
 * a random offset from pax_aslr_offset(), negated when use_topdown is set.
 */
voff_t
pax_aslr_rtld_offset(struct exec_package *epp, vaddr_t align, int use_topdown)
{
	voff_t off;

	if (!pax_aslr_epp_active(epp))
		return 0;
#ifdef PAX_ASLR_DEBUG
	if (pax_aslr_flags & PAX_ASLR_RTLD_OFFSET)
		return 0;
#endif
	off = pax_aslr_offset(align);
	return use_topdown ? -off : off;
}
634 | |
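/*
 * Randomize the stack placement at exec time.  The delta has
 * PAX_ASLR_DELTA_STACK_LEN (or _LEN32 for EXEC_32 images) random bits at
 * page granularity, is masked down to below
 * *max_stack_size / PAX_ASLR_MAX_STACK_WASTE (pax_init() reserved that
 * fraction of MAXSSIZ in maxsmap), and is applied by moving
 * epp->ep_minsaddr in the stack-growth direction and shrinking
 * *max_stack_size by the same amount.
 *
 * Fix: a stack limit smaller than PAX_ASLR_MAX_STACK_WASTE made the mask
 * expression (0 - 1) all-ones, so the full delta was applied and the final
 * subtraction could wrap *max_stack_size.  Such a stack is now left alone.
 */
void
pax_aslr_stack(struct exec_package *epp, vsize_t *max_stack_size)
{
	if (!pax_aslr_epp_active(epp))
		return;
#ifdef PAX_ASLR_DEBUG
	if (pax_aslr_flags & PAX_ASLR_STACK)
		return;
#endif
	/* Too small to carve anything out of; avoid an all-ones mask below. */
	if (*max_stack_size < PAX_ASLR_MAX_STACK_WASTE)
		return;

	uint32_t len = (epp->ep_flags & EXEC_32) ?
	    PAX_ASLR_DELTA_STACK_LEN32 : PAX_ASLR_DELTA_STACK_LEN;
	uint32_t rand = cprng_fast32();
#ifdef PAX_ASLR_DEBUG
	if (pax_aslr_flags & PAX_ASLR_FIXED)
		rand = pax_aslr_rand;
#endif
	u_long d = PAX_ASLR_DELTA(rand, PAX_ASLR_DELTA_STACK_LSB, len);
	/*
	 * Bound the delta to a fraction of the stack.  The mask is exact only
	 * when the quotient is a power of two; otherwise it still keeps d
	 * below the quotient but yields fewer distinct values.
	 * NOTE(review): for a quotient that is not page-aligned the mask can
	 * also leave d unaligned to a page -- confirm callers tolerate that.
	 */
	d &= (*max_stack_size / PAX_ASLR_MAX_STACK_WASTE) - 1;
	u_long newminsaddr = (u_long)STACK_GROW(epp->ep_minsaddr, d);
	PAX_DPRINTF("old minsaddr=%#jx delta=%#lx new minsaddr=%#lx",
	    (uintmax_t)epp->ep_minsaddr, d, newminsaddr);
	epp->ep_minsaddr = (vaddr_t)newminsaddr;
	*max_stack_size -= d;
}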
660 | |
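/*
 * Random sub-page gap (0 .. PAGE_SIZE-1) for the stack, or 0 when ASLR does
 * not apply to this image (or PAX_ASLR_STACK_GAP disables it in a debug
 * kernel).  How the caller applies the gap is outside this file.
 *
 * Fix: the debug format carried its own "\n" although PAX_DPRINTF appends
 * one, which printed an empty line after every gap message.
 */
uint32_t
pax_aslr_stack_gap(struct exec_package *epp)
{
	uint32_t rand;

	if (!pax_aslr_epp_active(epp))
		return 0;

#ifdef PAX_ASLR_DEBUG
	if (pax_aslr_flags & PAX_ASLR_STACK_GAP)
		return 0;
#endif

	rand = cprng_fast32();
#ifdef PAX_ASLR_DEBUG
	if (pax_aslr_flags & PAX_ASLR_FIXED)
		rand = pax_aslr_rand;
#endif
	/* PAGE_SIZE is a power of two, so the reduction introduces no bias. */
	rand %= PAGE_SIZE;
	PAX_DPRINTF("stack gap=%#x", rand);
	return rand;
}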
681 | #endif /* PAX_ASLR */ |
682 | |
683 | #ifdef PAX_SEGVGUARD |
/*
 * Decide from the image's PaX ELF note whether segvguard applies.  Off
 * entirely when security.pax.segvguard.enabled is clear; otherwise "global"
 * selects opt-out semantics (the NOGUARD bit turns it off) versus opt-in
 * semantics (the GUARD bit turns it on).
 */
static bool
pax_segvguard_elf_flags_active(uint32_t flags)
{
	const bool opted_out = (flags & ELF_NOTE_PAX_NOGUARD) != 0;
	const bool opted_in = (flags & ELF_NOTE_PAX_GUARD) != 0;

	if (!pax_segvguard_enabled)
		return false;
	return pax_segvguard_global ? !opted_out : opted_in;
}
699 | |
/*
 * fileassoc(9) cleanup hook: free a vnode's segvguard record together with
 * all of its per-uid entries.  A NULL record is ignored.
 */
static void
pax_segvguard_cleanup_cb(void *v)
{
	struct pax_segvguard_entry *entry = v;

	if (entry == NULL)
		return;

	while (!LIST_EMPTY(&entry->segv_uids)) {
		struct pax_segvguard_uid_entry *ue = LIST_FIRST(&entry->segv_uids);

		LIST_REMOVE(ue, sue_list);
		kmem_free(ue, sizeof(*ue));
	}
	kmem_free(entry, sizeof(*entry));
}
715 | |
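/*
 * Add a crash record for uid to image record p, counting the current crash
 * as the first one and opening an expiry window of pax_segvguard_expiry
 * seconds from now.
 */
static void
pax_segvguard_uid_add(struct pax_segvguard_entry *p, uid_t uid, time_t now)
{
	struct pax_segvguard_uid_entry *up;

	up = kmem_alloc(sizeof(*up), KM_SLEEP);
	up->sue_uid = uid;
	up->sue_ncrashes = 1;
	up->sue_expiry = now + pax_segvguard_expiry;
	up->sue_suspended = 0;
	LIST_INSERT_HEAD(&p->segv_uids, up, sue_list);
}

/* Find uid's crash record in p, or NULL if this user never crashed it. */
static struct pax_segvguard_uid_entry *
pax_segvguard_uid_lookup(struct pax_segvguard_entry *p, uid_t uid)
{
	struct pax_segvguard_uid_entry *up;

	LIST_FOREACH(up, &p->segv_uids, sue_list) {
		if (up->sue_uid == uid)
			return up;
	}
	return NULL;
}

/*
 * Called when a process of image vp generated a segfault (crashed == true)
 * or is about to be executed (crashed == false).  Crashes are counted per
 * image and uid; once pax_segvguard_maxcrashes are seen inside the expiry
 * window, execution of that image by that uid is refused for
 * pax_segvguard_suspension seconds.
 *
 * Returns 0 when execution may proceed (or the process is not guarded),
 * EFAULT for a NULL vnode, EPERM while the image is suspended for this uid,
 * or the error from attaching a fresh record to the vnode.
 *
 * Fixes: fileassoc_add() failure was ignored, leaking the new record and
 * leaving the image unmonitored; the record is now initialized before it is
 * published and freed if it cannot be attached.  The duplicated entry
 * creation and the uid scan moved into helpers.
 *
 * NOTE(review): no lock is taken around segv_uids here; confirm that
 * fileassoc(9) or the callers serialize concurrent crashes of one image.
 */
int
pax_segvguard(struct lwp *l, struct vnode *vp, const char *name,
    bool crashed)
{
	struct pax_segvguard_entry *p;
	struct pax_segvguard_uid_entry *up;
	struct timeval tv;
	uid_t uid;
	int error;

	if (!pax_flags_active(l->l_proc->p_pax, P_PAX_GUARD))
		return 0;

	if (vp == NULL)
		return EFAULT;

	/* Check if we already monitor the file. */
	p = fileassoc_lookup(vp, segvguard_id);

	/* Fast-path if starting a program we don't know. */
	if (p == NULL && !crashed)
		return 0;

	microtime(&tv);
	uid = kauth_cred_getuid(l->l_cred);

	/*
	 * If a program we don't know crashed, we need to create a new entry
	 * for it, with "crashes so far" of 1.
	 */
	if (p == NULL) {
		p = kmem_alloc(sizeof(*p), KM_SLEEP);
		/* Initialize before publishing so a lookup never sees garbage. */
		LIST_INIT(&p->segv_uids);
		error = fileassoc_add(vp, segvguard_id, p);
		if (error != 0) {
			/* Not attached, so the cleanup hook will never free it. */
			kmem_free(p, sizeof(*p));
			return error;
		}
		pax_segvguard_uid_add(p, uid, tv.tv_sec);
		return 0;
	}

	/*
	 * A program we "know" either executed or crashed again.
	 * See if it's a culprit we're familiar with.
	 */
	up = pax_segvguard_uid_lookup(p, uid);

	/*
	 * It's someone else. Add an entry for him if we crashed.
	 */
	if (up == NULL) {
		if (crashed)
			pax_segvguard_uid_add(p, uid, tv.tv_sec);
		return 0;
	}

	if (!crashed) {
		/* Are we supposed to be suspended? */
		if (up->sue_suspended > tv.tv_sec) {
			log(LOG_ALERT, "PaX Segvguard: [%s] Preventing "
			    "execution due to repeated segfaults.\n", name ?
			    name : "unknown");
			return EPERM;
		}
		return 0;
	}

	/*
	 * Check if timer on previous crashes expired first.  A suspension
	 * zeroes sue_expiry, so a crash of an already-running instance during
	 * the suspension takes this path and resets sue_suspended as well.
	 */
	if (up->sue_expiry < tv.tv_sec) {
		log(LOG_INFO, "PaX Segvguard: [%s] Suspension"
		    " expired.\n", name ? name : "unknown");
		up->sue_ncrashes = 1;
		up->sue_expiry = tv.tv_sec + pax_segvguard_expiry;
		up->sue_suspended = 0;
		return 0;
	}

	up->sue_ncrashes++;

	if (up->sue_ncrashes >= pax_segvguard_maxcrashes) {
		log(LOG_ALERT, "PaX Segvguard: [%s] Suspending "
		    "execution for %d seconds after %zu crashes.\n",
		    name ? name : "unknown", pax_segvguard_suspension,
		    up->sue_ncrashes);

		/* Suspend this program for a while. */
		up->sue_suspended = tv.tv_sec + pax_segvguard_suspension;
		up->sue_ncrashes = 0;
		up->sue_expiry = 0;
	}

	return 0;
}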
833 | #endif /* PAX_SEGVGUARD */ |
834 | |