From owner-freebsd-current@FreeBSD.ORG Wed Nov 16 00:09:22 2011 Return-Path: Delivered-To: current@freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34]) by hub.freebsd.org (Postfix) with ESMTP id 25CBF106570E for ; Wed, 16 Nov 2011 00:09:22 +0000 (UTC) (envelope-from oliver.pntr@gmail.com) Received: from mail-wy0-f182.google.com (mail-wy0-f182.google.com [74.125.82.182]) by mx1.freebsd.org (Postfix) with ESMTP id 98EBB8FC0C for ; Wed, 16 Nov 2011 00:09:21 +0000 (UTC) Received: by wyf23 with SMTP id 23so7666615wyf.13 for ; Tue, 15 Nov 2011 16:09:20 -0800 (PST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=gamma; h=mime-version:in-reply-to:references:date:message-id:subject:from:to :cc:content-type; bh=MEhhKc2riD8qlTT+XHQx9/5c+whkJdhedzfDZuEZYBw=; b=al+BjtUzFMwCzuZBib4BcZDYc7irr4the4t3Bwl/LmmHfhHGGzw4fXChXkamq5OXnX G/VH6BbJVClnjorQ/Ypdvk5CfGPoja1w5TVrST0aQrm9edEIOZ5rIDa9SVLnv2rYaf1L DDfl7QTbSqiUCJEv8gWmGS0k9Hju3SvLj8G1k= MIME-Version: 1.0 Received: by 10.182.21.134 with SMTP id v6mr6564022obe.64.1321402159833; Tue, 15 Nov 2011 16:09:19 -0800 (PST) Received: by 10.182.42.104 with HTTP; Tue, 15 Nov 2011 16:09:18 -0800 (PST) In-Reply-To: <20111115165756.GA11894@felucia.tataz.chchile.org> References: <20111018090750.GG50300@deviant.kiev.zoral.com.ua> <20111018183219.GN50300@deviant.kiev.zoral.com.ua> <20111115165756.GA11894@felucia.tataz.chchile.org> Date: Wed, 16 Nov 2011 01:09:18 +0100 Message-ID: From: Oliver Pinter To: Jeremie Le Hen Content-Type: multipart/mixed; boundary=14dae93b63ec57a2d904b1ceea11 Cc: Kostik Belousov , Garrett Cooper , current@freebsd.org, Arnaud Lacombe Subject: Re: [RFC] Enable nxstack by default X-BeenThere: freebsd-current@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: Discussions about the use of FreeBSD-current List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Wed, 16 Nov 2011 00:09:22 -0000 --14dae93b63ec57a2d904b1ceea11 Content-Type: text/plain; charset=ISO-8859-1 On 11/15/11, Jeremie Le Hen wrote: > Hi, > > On Wed, Oct 19, 2011 at 12:37:44AM +0200, Oliver Pinter wrote: >> In NetBSD has been some PaX feature [0] implemented. (ASLR, W^X >> (~nxstack), mprotect restriction, veriexec, mmap randomization[2]...) >> >> [0] http://pax.grsecurity.net/docs/index.html >> [1] http://www.netbsd.org/~elad/recent/man/security.8.html >> [2] http://people.freebsd.org/~ssouhlal/testing/stackgap-20050527.diff > > Suleiman actually wrought two patches, one randomizing the stack (the > one you pointed out) and another one randomizing non-fixed mmap(2) > calls: > > http://people.freebsd.org/~ssouhlal/testing/mmap_random-20050528.diff > > > FYI, they do not apply cleanly on recent source trees (the patches were > made in 2005), but they can be applied with little fiddling. I'm > running multiple 8.x production machines with them without any problem. Yeah, I use thins patch in 7-STABLE and 9-STABLE too. Patch for 9-STABLE has attached. > > I've always wanted them to be committed as opt-in knobs, but I can't > remember why they hadn't at the time. > > Cheers, > -- > Jeremie Le Hen > > Men are born free and equal. Later on, they're on their own. > Jean Yanne > --14dae93b63ec57a2d904b1ceea11 Content-Type: text/x-diff; charset=US-ASCII; name="randomize-stack-and-mmap.diff" Content-Disposition: attachment; filename="randomize-stack-and-mmap.diff" Content-Transfer-Encoding: base64 X-Attachment-Id: file0 Y29tbWl0IDc3OWE5NjI1MTllN2VhZDYzZGRhMjQzNDhiOThmNmNkZTgxNTY3NTIKQXV0aG9yOiBP bGl2ZXIgUGludGVyIDxvcG5Ab3BuLihub25lKT4KRGF0ZTogICBUdWUgT2N0IDQgMDA6MjQ6MDEg MjAxMSArMDIwMAoKICAgIGZvcndhcmRwb3J0IG1tYXAtcmFuZG9taXphdGlvbiBwYXRjaCBmcm9t IDctU1RBQkxFLW9wCiAgICAKICAgIFNpZ25lZC1vZmYtYnk6IE9saXZlciBQaW50ZXIgPG9saXZl ci5wbnRyQGdtYWlsLmNvbT4KCmRpZmYgLS1naXQgYS9zeXMva2Vybi9rZXJuX2V4ZWMuYyBiL3N5 cy9rZXJuL2tlcm5fZXhlYy5jCmluZGV4IGZlMDExNDIuLmRjNjZkYjYgMTAwNjQ0Ci0tLSBhL3N5 cy9rZXJuL2tlcm5fZXhlYy5jCisrKyBiL3N5cy9rZXJuL2tlcm5fZXhlYy5jCkBAIC0xMDYsNiAr MTA2LDcgQEAgTUFMTE9DX0RFRklORShNX1BBUkdTLCAicHJvYy1hcmdzIiwgIlByb2Nlc3MgYXJn dW1lbnRzIik7CiBzdGF0aWMgaW50IHN5c2N0bF9rZXJuX3BzX3N0cmluZ3MoU1lTQ1RMX0hBTkRM RVJfQVJHUyk7CiBzdGF0aWMgaW50IHN5c2N0bF9rZXJuX3VzcnN0YWNrKFNZU0NUTF9IQU5ETEVS X0FSR1MpOwogc3RhdGljIGludCBzeXNjdGxfa2Vybl9zdGFja3Byb3QoU1lTQ1RMX0hBTkRMRVJf QVJHUyk7CitzdGF0aWMgaW50IHN5c2N0bF9rZXJuX3N0YWNrZ2FwX3JhbmRvbShTWVNDVExfSEFO RExFUl9BUkdTKTsKIHN0YXRpYyBpbnQgZG9fZXhlY3ZlKHN0cnVjdCB0aHJlYWQgKnRkLCBzdHJ1 Y3QgaW1hZ2VfYXJncyAqYXJncywKICAgICBzdHJ1Y3QgbWFjICptYWNfcCk7CiAKQEAgLTEyMCw2 ICsxMjEsOSBAQCBTWVNDVExfUFJPQyhfa2VybiwgS0VSTl9VU1JTVEFDSywgdXNyc3RhY2ssIENU TFRZUEVfVUxPTkd8Q1RMRkxBR19SRHwKIFNZU0NUTF9QUk9DKF9rZXJuLCBPSURfQVVUTywgc3Rh Y2twcm90LCBDVExUWVBFX0lOVHxDVExGTEFHX1JELAogICAgIE5VTEwsIDAsIHN5c2N0bF9rZXJu X3N0YWNrcHJvdCwgIkkiLCAiIik7CiAKK1NZU0NUTF9QUk9DKF9rZXJuLCBPSURfQVVUTywgc3Rh Y2tnYXBfcmFuZG9tLCBDVExUWVBFX0lOVHxDVExGTEFHX1JXLAorICAgIE5VTEwsIDAsIHN5c2N0 bF9rZXJuX3N0YWNrZ2FwX3JhbmRvbSwgIkkiLCAic3RhY2tnYXAgbWF4aW11bSBvZmZzZXQiKTsK KwogdV9sb25nIHBzX2FyZ19jYWNoZV9saW1pdCA9IFBBR0VfU0laRSAvIDE2OwogU1lTQ1RMX1VM T05HKF9rZXJuLCBPSURfQVVUTywgcHNfYXJnX2NhY2hlX2xpbWl0LCBDVExGTEFHX1JXLCAKICAg ICAmcHNfYXJnX2NhY2hlX2xpbWl0LCAwLCAiIik7CkBAIC0xNzcsNiArMTgxLDMwIEBAIHN5c2N0 bF9rZXJuX3N0YWNrcHJvdChTWVNDVExfSEFORExFUl9BUkdTKQogCSAgICBzaXplb2YocC0+cF9z eXNlbnQtPnN2X3N0YWNrcHJvdCkpKTsKIH0KIAorc3RhdGljIGludAlzdGFja2dhcF9yYW5kb20g PSA2NCAqIDEwMjQ7CisKK3N0YXRpYyBpbnQKK3N5c2N0bF9rZXJuX3N0YWNrZ2FwX3JhbmRvbShT WVNDVExfSEFORExFUl9BUkdTKQoreworCWludAllcnI7CisJaW50CXZhbDsKKworCXZhbD1zdGFj a2dhcF9yYW5kb207CisJZXJyPXN5c2N0bF9oYW5kbGVfaW50KG9pZHAsICZ2YWwsIHNpemVvZihp bnQpLCByZXEpOworCWlmIChlcnIgfHwgIXJlcS0+bmV3cHRyKSB7CisJCXJldHVybiAoZXJyKTsK Kwl9CisKKwlpZiAoKHZhbDxBTElHTkJZVEVTICYmICh2YWwhPTApKQorCSAgICB8fCAhcG93ZXJv ZjIodmFsKSB8fCB2YWw+NjQqMTAyNCoxMDI0KSB7CisJCXJldHVybiAoRUlOVkFMKTsKKwl9CisK KwlzdGFja2dhcF9yYW5kb209dmFsOworCisJcmV0dXJuICgwKTsKK30KKwogLyoKICAqIEVhY2gg b2YgdGhlIGl0ZW1zIGlzIGEgcG9pbnRlciB0byBhIGBjb25zdCBzdHJ1Y3QgZXhlY3N3JywgaGVu Y2UgdGhlCiAgKiBkb3VibGUgcG9pbnRlciBoZXJlLgpAQCAtMTI0OCw2ICsxMjc2LDcgQEAgZXhl Y19jb3B5b3V0X3N0cmluZ3MoaW1ncCkKIAlzaXplX3QgZXhlY3BhdGhfbGVuOwogCWludCBzenNp Z2NvZGUsIHN6cHM7CiAJY2hhciBjYW5hcnlbc2l6ZW9mKGxvbmcpICogOF07CisJaW50IHNnYXA7 CiAKIAlzenBzID0gc2l6ZW9mKHBhZ2VzaXplc1swXSkgKiBNQVhQQUdFU0laRVM7CiAJLyoKQEAg LTEyNjUsNyArMTI5NCwxMSBAQCBleGVjX2NvcHlvdXRfc3RyaW5ncyhpbWdwKQogCQlpZiAocC0+ cF9zeXNlbnQtPnN2X3N6c2lnY29kZSAhPSBOVUxMKQogCQkJc3pzaWdjb2RlID0gKihwLT5wX3N5 c2VudC0+c3Zfc3pzaWdjb2RlKTsKIAl9Ci0JZGVzdHAgPQkoY2FkZHJfdClhcmdpbmZvIC0gc3pz aWdjb2RlIC0gU1BBUkVfVVNSU1BBQ0UgLQorCXNnYXA9MDsKKwlpZiAoc3RhY2tnYXBfcmFuZG9t IT0wKSB7CisJCXNnYXA9QUxJR04oYXJjNHJhbmRvbSgpJihzdGFja2dhcF9yYW5kb20tMSkpOwor CX0KKwlkZXN0cCA9CShjYWRkcl90KWFyZ2luZm8gLSBzenNpZ2NvZGUgLSBTUEFSRV9VU1JTUEFD RSAtIHNnYXAgLQogCSAgICByb3VuZHVwKGV4ZWNwYXRoX2xlbiwgc2l6ZW9mKGNoYXIgKikpIC0K IAkgICAgcm91bmR1cChzaXplb2YoY2FuYXJ5KSwgc2l6ZW9mKGNoYXIgKikpIC0KIAkgICAgcm91 bmR1cChzenBzLCBzaXplb2YoY2hhciAqKSkgLQpkaWZmIC0tZ2l0IGEvc3lzL3ZtL3ZtX21tYXAu YyBiL3N5cy92bS92bV9tbWFwLmMKaW5kZXggZTg1YjY4MS4uOTkxYTM3ZCAxMDA2NDQKLS0tIGEv c3lzL3ZtL3ZtX21tYXAuYworKysgYi9zeXMvdm0vdm1fbW1hcC5jCkBAIC02OCw2ICs2OCw3IEBA IF9fRkJTRElEKCIkRnJlZUJTRCQiKTsKICNpbmNsdWRlIDxzeXMvc3RhdC5oPgogI2luY2x1ZGUg PHN5cy9zeXNlbnQuaD4KICNpbmNsdWRlIDxzeXMvdm1tZXRlci5oPgorI2luY2x1ZGUgPHN5cy9z eXNjdGwuaD4KIAogI2luY2x1ZGUgPHNlY3VyaXR5L21hYy9tYWNfZnJhbWV3b3JrLmg+CiAKQEAg LTk5LDYgKzEwMCwxMCBAQCBzdGF0aWMgaW50IHZtX21tYXBfY2RldihzdHJ1Y3QgdGhyZWFkICos IHZtX3NpemVfdCwgdm1fcHJvdF90LCB2bV9wcm90X3QgKiwKIHN0YXRpYyBpbnQgdm1fbW1hcF9z aG0oc3RydWN0IHRocmVhZCAqLCB2bV9zaXplX3QsIHZtX3Byb3RfdCwgdm1fcHJvdF90ICosCiAg ICAgaW50ICosIHN0cnVjdCBzaG1mZCAqLCB2bV9vb2Zmc2V0X3QsIHZtX29iamVjdF90ICopOwog CitzdGF0aWMgaW50IG1tYXBfcmFuZG9tPTE7CitTWVNDVExfSU5UKF92bSwgT0lEX0FVVE8sIG1t YXBfcmFuZG9tLCBDVExGTEFHX1JXLCAmbW1hcF9yYW5kb20sIDAsCisJCSJyYW5kb20gbW1hcCBv ZmZzZXQiKTsKKwogLyoKICAqIE1QU0FGRQogICovCkBAIC0yNTYsNyArMjYxLDggQEAgc3lzX21t YXAodGQsIHVhcCkKIAkJLyoKIAkJICogWFhYIGZvciBub24tZml4ZWQgbWFwcGluZ3Mgd2hlcmUg bm8gaGludCBpcyBwcm92aWRlZCBvcgogCQkgKiB0aGUgaGludCB3b3VsZCBmYWxsIGluIHRoZSBw b3RlbnRpYWwgaGVhcCBzcGFjZSwKLQkJICogcGxhY2UgaXQgYWZ0ZXIgdGhlIGVuZCBvZiB0aGUg bGFyZ2VzdCBwb3NzaWJsZSBoZWFwLgorCQkgKiBwbGFjZSBpdCBhZnRlciB0aGUgZW5kIG9mIHRo ZSBsYXJnZXN0IHBvc3NpYmxlIGhlYXAsCisJCSAqIHBsdXMgYSByYW5kb20gb2Zmc2V0LCBpZiBt bWFwX3JhbmRvbSBpcyBzZXQuCiAJCSAqCiAJCSAqIFRoZXJlIHNob3VsZCByZWFsbHkgYmUgYSBw bWFwIGNhbGwgdG8gZGV0ZXJtaW5lIGEgcmVhc29uYWJsZQogCQkgKiBsb2NhdGlvbi4KQEAgLTI2 NSw5ICsyNzEsMTMgQEAgc3lzX21tYXAodGQsIHVhcCkKIAkJaWYgKGFkZHIgPT0gMCB8fAogCQkg ICAgKGFkZHIgPj0gcm91bmRfcGFnZSgodm1fb2Zmc2V0X3Qpdm1zLT52bV90YWRkcikgJiYKIAkJ ICAgIGFkZHIgPCByb3VuZF9wYWdlKCh2bV9vZmZzZXRfdCl2bXMtPnZtX2RhZGRyICsKLQkJICAg IGxpbV9tYXgodGQtPnRkX3Byb2MsIFJMSU1JVF9EQVRBKSkpKQorCQkgICAgbGltX21heCh0ZC0+ dGRfcHJvYywgUkxJTUlUX0RBVEEpKSkpIHsKIAkJCWFkZHIgPSByb3VuZF9wYWdlKCh2bV9vZmZz ZXRfdCl2bXMtPnZtX2RhZGRyICsKIAkJCSAgICBsaW1fbWF4KHRkLT50ZF9wcm9jLCBSTElNSVRf REFUQSkpOworCQkJaWYgKG1tYXBfcmFuZG9tKSB7CisJCQkJYWRkcis9YXJjNHJhbmRvbSgpJigy NTYqMTAyNCoxMDI0LTEpOworCQkJfQorCQl9CiAJCVBST0NfVU5MT0NLKHRkLT50ZF9wcm9jKTsK IAl9CiAJaWYgKGZsYWdzICYgTUFQX0FOT04pIHsK --14dae93b63ec57a2d904b1ceea11--