IABSD.fr/src/libexec

Log

Author Commit Date CI Message
22339438 2025-03-31 17:35:28 Support setting the new variable PASSWDSKIP in /etc/daily.local to prevent security(8) from complaining about specific accounts that have no password, typically used for services like anoncvs and gotd. In addition to improving support for gotd, this also improves security for everyone because the exception will now only exist on machines where the admin explicitly enables it. Based on an idea from stsp@; OK stsp@. (Actually, sthen@ also mentioned a similar idea in 2009, and afresh1@ indicated potential support for the general direction in 2024.)
cf7d10fd 2025-03-09 20:10:17 Use GMT rather than the local timezone when checking for changes in device nodes and setuid files. Avoids false positives when changing timezones. change to a perl-native version by afresh1@, thanks! OK afresh1@ sthen@
6d638812 2025-01-12 00:18:15 When running a shell to check that the startup files properly set up the environment, discard standard output from the startup files. While putting commands into startup files that generate output is certainly not recommended, we don't want such output to interfere with these checks. Based on a smaller patch from Lloyd <ng2d68 at proton dot me> on bugs@ made more consistent and less aggressive by me. OK afresh1@ semarie@
f5da8a2d 2025-01-10 10:16:48 Ignore quota(1) files and all subdirectories of /var/mail/ when checking the ownership and mode of mailboxes. Based on a patch from Robert <rmz at hostexpert dot pl>, tweaked by me. OK sthen@
b9f606a9 2024-12-24 17:08:50 Add preservation of fdisk info to libexec/security daily script. perl fix && ok afresh1@
667e8970 2024-11-09 11:22:18 gettytab's dx flag is supposed to set decctlq, which is the opposite of ixany, but was setting ixany instead. Fix this by reversing the logic. Bug report and fix from Piotr Durlej, thanks!
484eff01 2024-09-22 04:19:22 remove BACK_CHANNEL define, unused since YP bits removed in rev 1.20
4538572b 2024-07-19 15:28:51 unveil(2) /etc/gettytab.db in getty(8) to avoid possible violation. OK deraadt@
671eecb8 2024-07-18 02:45:31 Since libcrypto is used to calc message authenticator, use libcrypto md5 also in other places instead of libc md5. ok millert
3ae2a32a 2024-07-17 20:50:28 Add Message-Authenticator attribute when sending Access-Request. ok millert
c0b7aa14 2024-07-10 20:33:31 Allow pfIfTable to have more than 64 entries. Taken from pfctl_table.c r1.85 by sashan@ OK tb@
c5d0954b 2024-06-09 18:31:17 Silently ignore setuid changes in relinked binaries If these files are being relinked at reboot, this causes false positives and alert fatigue. Prompted by florian@ Feedback from millert@ and deraadt@
1457ca87 2024-06-04 15:14:44 enable -fret-clean on amd64, for libc libcrypto ld.so kernel, and all the ssh tools. The dynamic objects are entirely ret-clean, static binaries will contain a blend of cleaning and non-cleaning callers.
f7af79d4 2024-05-22 08:44:02 When localtime() fails, throw an error instead of returning a non-sensical 0 filled string. OK florian@
ce7279d8 2024-05-21 05:00:47 remove prototypes with no matching function and externs with no var partly checked by millert@
172cfcf8 2024-05-20 01:05:17 remove setproctitle() prototype that matches the one in stdlib.h
cc45ccb8 2024-05-19 10:30:43 remove prototypes with no matching function
c694ed72 2024-05-17 06:11:54 use SIGKILL instead of 9; ok guenther
94c8de54 2024-05-09 08:35:03 ctime(3) and ctime_r(3) can fail when timestamps are way off. Add missing error checks to all calls under libexec/ Input kettenis, millert OK millert
73fe6daa 2024-04-28 16:42:53 gmtime(3) / localtime(3) can fail when timestamps are way off. Add missing error checks to all calls under libexec/ Input & OK millert
f7413c6a 2024-04-05 13:51:47 ld.so should stop calling msyscall(2), since it is fully neutered and about to be removed. Please be careful building through this, you need a kernel at least March 29th or so to build through it, otherwise use snapshots to cross over. ok various people
834c4ef2 2024-04-01 21:09:44 Advertise SMTPUTF8 and 8BITMIME extensions in EHLO. Fixes potential interoperability issues when the real MTA supports those extensions. From Arnt Gulbrandsen, OK benno@
2584d4c0 2024-03-30 10:42:26 Prefer illop1 rather than nop for text padding in the ld.so linker script.
e60a0123 2024-03-30 08:44:20 Remove nonsensical comments. NFC
19f4e8b9 2024-03-05 18:54:29 backup disklabel for softraid(4) chunks Extend "Check for changes to the disklabels of mounted disks" to those that host online softraid volumes, e.g installations with root inside CRYPTO sd0a (and EFI System partition on sd0i). That produces /var/backup/disklabel.sd0.current, previously missing in such setups; noticed after someone dd(1)ed miniroot onto sd0 by accident and had no disklabel(8) backup to restore. Feedback OK bluhm
210cc31e 2024-01-22 02:08:31 ugly whitespaces
a09d28f1 2024-01-19 14:16:41 Stop initializing pinsyscall(SYS_execve in dynamic binaries that contain a reference reaching the execve(2) stub. The new pinsyscalls(2) that applies to all system calls has made this redundant.
83447bbc 2024-01-17 13:00:05 very ugly whitespaces
4a066def 2024-01-16 19:07:31 Read PT_OPENBSD_SYSCALLS in libc.so, and convert it to a table for pinsyscalls(2). ok kettenis
5a40d3e0 2024-01-14 09:39:03 Whenever we have a libc major bump, we run the risk that dependent shared libraries will request a different (major) libc version from the one requested by the binary itself. For various reasons loading multiple libc versions is not a good idea, and since the introduction of msyscall(2) support, system calls will only work when called from one of the two loaded libcs. This really means that when we have a libc major bump, users must update all dynamic executables and shared libraries in the system. However, to ease this transition, change ld.so to only load the first libc version that we encounter (in a breadth first sense) and substitute that libc version for all further loads of libc, even if different versions are requested. This is done silently since I can't come up with a good warning message. In practice this means the libc version requested by the executable itself will be loaded. This means that shared libraries may fail to load if they use a symbol that has been removed. But given the constraints, this is the best that we can do. Even when we bump the libc major, the set of changes is typically small and most binaries and shared libraries will continue to run and allow the user to run pkg_add -u without any fallout. ok deraadt@, gkoehler@
a346a825 2023-12-20 14:54:29 create a stub for pinsyscalls(2)
43ad5020 2023-12-20 14:52:07 there is a super-alignment between btext and text, this creates a hole. Twice, I have seen the sigtramp mapping land inside that hole. This causes grief for the upcoming pinsyscalls() work which operates on address space ranges. But the micro-optimization is silly. ok kettenis
805b87ea 2023-12-20 14:50:08 For strange reasons which made sense at the time, the text segment was placed head of the btext (boot.text) segment. (the boot.text segment is "unmapped" after initialization, as a self-protection mechanism). this meant the LOAD's virtual addresses were not in sequence, which clearly isn't what we intended.
434871b6 2023-12-19 16:13:22 whitespaces
d20ca04b 2023-12-19 06:27:45 correct alignment placement
babd3ace 2023-12-18 17:19:07 correct section the SYS_kbind syscall pin record goes into noticed by gnezdo
f73a2a97 2023-12-16 06:42:38 Fix phdr name in ld.script. ok deraadt@
2c98d8df 2023-12-12 17:39:14 repair type for 2nd arg of read(2)
876ab33d 2023-12-12 15:44:00 To avoid kbind(2) becoming a powerful gadget, it is called inline to a function. Therefore we cannot create a precise pinsyscall label. Instead create a duplicate entry (using inline asm) to force the kernel's pinsyscall code to skip validation, rather than labelling it illegal. kbind(2) remains safe because it self-protects by checking its calling address. ok kettenis
04459484 2023-12-11 22:29:23 Make sure the syscall table entries are aligned on a 4-byte boundary. Required for strict-alignment architectures and a good idea on others. same as kettenis commit to libc
a0ef76c2 2023-12-11 03:05:15 arm just had to be different and change the syntax for .pushsection arguments, so we have to cope.
83762a71 2023-12-10 16:45:50 Populate the non-LOAD openbsd.syscalls section (and PT_OPENBSD_SYSCALL) with {uint offset, uint syscall#} entries in libc & ld.so. In libc a few syscall# entries (break, sigprocmask, _tfork, _threxit) are duplicated because additional or inline uses occur (that situation is handled elsewhere) ok kettenis
a4e0416e 2023-12-08 12:58:27 locally use MAXIMUM() rather than MAX() ok tb gnezdo
6750a6d9 2023-12-06 06:15:33 Move CALLSYS_NOERROR macro from <machine/asm.h> to libc, and expand it for non-libc users. This is a two-liner macro anyway, and this will make deraadt@'s future changes in this area easier to make. NFC
41a3185c 2023-11-21 08:49:08 Set sc_rtfilter to specific ROUTE_FILTER() values, as was originally intended, instead of filtering out everything. OK sthen@
1e43641e 2023-11-18 16:26:15 crt0 uses a helper function in a MD src/libexec/ld.so .h file (rather than reproducing the relevant defines and code in a different place) to perform minor relocations. If things go very wrong, it would call _dl_exit() -- a locally defined crt0 function which is syscall exit(2). We don't need to call exit(2) for this obscure case which doesn't happen and provides no debugging information. An 'abort' is going to provide better information. So let's change the function name to _dso_abort() and make it a single illegal instruction. ok guenther
494a7cf8 2023-10-24 18:27:26 Make hrSWRunPath use argv[0], instead of p_comm. hrSWRunName is supposed to be a descriptive name, where hrSWRunPath should give the full path to the binary. While argv[0] can contain any of a simple binary name, the full path, or a custom name given by the application itself, it gives us the option to retrieve both pieces of information. This is also the same distinction made by netsnmp. This also keeps the default command column from top(1) and snmptop in sync, and now allows for identical output in the column between `top -C` and `snmptop -Cpa` OK tb@
56081d37 2023-10-24 18:16:05 Add support for HOST-RESOURCES-MIB:hrSWRunPerfTable by adding hrSWRunPerfCPU and hrSWRunPerfMem. This allows snmptop to work with snmpd(8). Math copied from top(1). OK tb@
1b3607db 2023-09-05 16:01:58 Log a dummy "<unknown>" IP address in the unlikely event that getnameinfo(3) fails clang-16 warning reported by robert@, ok tb@ millert@
b75a4ace 2023-08-15 13:50:53 ldd can pledge "stdio rpath proc exec prot_exec". We can later bifurcate at the dlopen vs execve split, dropping either "proc" or "prot_exec". ok gnezdo
ac42b3c8 2023-08-15 06:26:34 Improve handling of dlopen(RTLD_TRACE) aka ldd, of a library that is already loaded: * add a 'trace' argument to _dl_show_objects() and exit the walk-the-objects loop if you hit that traced object * in dlopen(), pass the trace object to _dl_show_objects() * also, invoke _dl_show_objects() + exit if the object was already opened * pass NULL to _dl_show_objects() for all the other calls * oh hey, _dl_tracelib is now superfluous: _dl_show_objects() should do the walk-the-objects loop only if trace is not NULL. Problem noted by gnezdo@ ok millert@
15fded63 2023-08-15 06:23:31 Skip the _dl_msyscall() invocation if tracing library loading. Problem noted by gnezdo@ ok millert@
d4a5aacd 2023-08-12 13:43:22 Check for a full read, avoid warn when errno might be unmodified Promote size from int to size_t. From: lucas at sexy dot is Regress tests by gnezdo@ deraadt: yes
f61db8b9 2023-07-24 01:02:47 I added the 2nd argument (execpromises) to pledge(2), and then hunted for more than a year code which could use it; but in all non-trivial circumstances (programs which would benefit), I was stopped by issues (in particular by environment variable behaviours). But I never looked in ldd(1). This is the FIRST one which is completely obvious. spledge(NULL, "stdio rpath") ok guenther
fbc42936 2023-07-13 19:04:50 - use IS_ELF() to check the ELF magic bytes - reject non-sensical program header values which would result in a crash when accessing the 0 bytes sized buffer allocated due to it ok deraadt@ kettenis@
4bd80098 2023-07-12 19:49:06 validate alignment of ELF program headers
d198ddd1 2023-07-08 14:09:43 turn an ifdef'd _dl_printf call into DL_DEB and various whitespace fixes sure deraadt@
f81a9d33 2023-07-08 11:03:45 zap stray backslash ok deraadt@
d2364f60 2023-07-04 11:34:19 The recent change to DIOCGETRULE allows applications which periodically read rules from pf(4) to consume all kernel memory. The bug has been discovered and root caused by florian@. In this particular case it was snmpd(8) that ate all kernel memory. This commit introduces DIOCXEND to pf(4) so that applications such as snmpd(8) and systat(1) can close the ticket/transaction when they are done with fetching the rules. This change also updates snmpd(8) and systat(1) to use the newly introduced DIOCXEND ioctl(2). OK claudio@, deraadt@, kn@
01f59d78 2023-06-05 08:07:18 use getline(3) instead of fgetln(3) while here simplify the "From " check too. ok millert@
2903f217 2023-05-18 16:33:39 If you disable retpolineplt then _dl_bind_start is called with an indirect branch, so include an endbr64 Just In Case. ok deraadt@
320e1832 2023-05-15 12:02:40 cast to '(long long)' instead of '(long long int)' requested by deraadt@, ok tb@
ad520ff8 2023-05-10 08:03:49 cast off_t to long long int for printing reduces the diff with opensmtpd-portable. ok tb@
ba367c05 2023-04-27 12:27:56 revert cache lookup for full pathnames
12e285c6 2023-04-25 04:11:10 endbr64 is potentially necessary in the syscall stubs.
e00439cd 2023-04-24 22:06:05 Since ENTRY() already inserts a BTI instruction, don't add another one. ok patrick@
34280c35 2023-04-24 08:59:09 do a cache lookup as well in case a full pathname is passed to dlopen
6bae335d 2023-04-19 12:58:15 remove duplicate includes
93f6aaea 2023-04-19 12:34:23 remove duplicate include feedback tb@
d82bde86 2023-04-13 19:57:30 Avoid an overflow in the ELF SYSV ABI hash function. The hash function is supposed to return a value less than or equal to 0x0fffffff. Due to a bug in the sample code supplied with the ELF SYSV ABI documentation, the hash function can overflow on 64-bit systems. Apply the same fix used by GNU libc, MUSL libc and FreeBSD. Prompted by https://maskray.me/blog/2023-04-12-elf-hash-function OK tb@ miod@
c51b9268 2023-04-09 23:41:47 Treat symlinks better in $ORIGIN determination in ld.so Now symlinking an executable away from the rest of its installation tree no longer prevents it from finding the libraries. This matches the behavior of other OS linkers. Prompted by a behavior change in lang/ghc test suite. Swapped the order of dirname/realpath in _dl_origin_path. Added some regress tests that pass and then bin3 that fails without this change and reflects the behavior needed for lang/ghc. Suggestion by semarie@, OK deraadt@
7dfdc4ec 2023-03-31 18:45:05 Call entry point of the executable through register x17. This allows it to be a normal C function that starts with "bti c" when BTI control flow integrity enforcement is in place. Add "bti c" to _dl_bind_start(). Remove unused _rtld_tlsdesc() function to avoid having to add "bti c" to it. ok deraadt@
5b133f3f 2023-03-08 04:43:04 Delete obsolete /* ARGSUSED */ lint comments. ok miod@ millert@
d103d2f2 2023-03-02 16:13:57 rad_recv: verify length field in received auth_hdr_t before using it. Reported by Peter J. Philipp. OK deraadt@
8cef5497 2023-02-20 00:51:57 Adjust inline !libc check to match the intent in ld.so right, deraadt@
a4ba1e57 2023-02-18 01:22:50 Lookup the start,len of the "execve" stub in libc.so, and tell the kernel where it is with pinsyscall(). In non-static binaries, kernel execve(2) will now insist upon being called from that small region. Arriving from a different region smells like ROP methodology, and the process is killed.
1a0a232e 2023-02-17 17:59:36 Remove unused variables; ok millert@
e148ff24 2023-02-10 03:22:12 Explicitly mark the text LOAD as FLAGS(5), meaning RX, with a comment. This is the default value of the linker, but I really like placing the comment "architecturally required data islands".
92c11255 2023-02-02 00:44:08 unify spacing for LOAD FLAGS lines
c284c86c 2023-02-02 00:43:08 i386 and alpha ld.so also work with X-only text LOAD. There is no hardware enforcement for this, but uvm can some of its own tricks on occasion.
71410e9b 2023-01-31 00:50:17 powerpc xonly for G5 is coming. ld.so can have xonly text. ok gkoehler
4098e116 2023-01-29 20:30:56 Accumulate intermediate immutables locally before applying OK deraadt
388165f5 2023-01-29 20:30:21 Unite all nitems copies in ld.so/util.h OK deraadt
8e81a2e9 2023-01-29 07:37:34 powerpc64 xonly works; ld.so can be switched over
79094096 2023-01-20 16:03:14 amd64 now has xonly support via the PKU feature. Marking ld.so exec-only is no longer a NOP on those systems, let's do it.
1d1793f7 2023-01-14 07:36:16 Add missing void to function definition
55822a5e 2023-01-12 07:25:29 Use proper sparc64 illtrap instruction as text sections filler, rather than the x86 one.
f14117cf 2023-01-11 17:16:33 be very paranoid like other architectures and force no-jump-tables came up in two separate conversations with miod and kettenis
7a839740 2023-01-11 16:33:36 put LD_SCRIPT in the canonical location
c0a58aa7 2023-01-11 16:31:46 Add ld.so linker scripts on the remaining platforms.
edb83f86 2023-01-11 16:21:32 force-disable jump tables in ld.so building on sparc64, to ease the exonly transition for people building through an upcoming commit series
a291dbc8 2023-01-11 15:14:01 the kernel on mips64 (octeon, loongson) is in good enough shape to run --execute-only ld.so (meaning FLAGS (1) on the LOAD line for the text segment, in the ld.script). the linker, when using built-in linker scripts, is not ready yet for other libraries / binaries..
39b8558c 2023-01-11 01:55:17 Add retguard to amd64 syscalls. Since we got rid of padded syscalls we have enough registers to do this. ok deraadt@ ok kettenis@
7e81395c 2023-01-10 21:22:39 hppa ld.so works with executable-only text (non-readable)
571ef328 2023-01-09 15:05:49 riscv64 ld.so is ready to be xonly ok kettenis
d857960c 2023-01-09 13:52:42 Rewrite the hppa assembly code to avoid reads from .text, by using the standard PIC magic. This makes the code similar to what we already use for rcrt0.o. This makes it ready for execute-only. Build C code using -fno-jump-tables to make it ready for execute-only. ok deraadt@, miod@
4bd9ff11 2023-01-09 13:45:55 In preparation for upcoming execute-only support, change the magic branch instruction used by __canonicalize_funcptr_for_compare() from "bl" into "b". This allows __canonicalize_funcptr_for_compare() to execute the branch instead of decoding the instruction to find the address of _dl_bind(). This is the first step in the transition to a new ABI. Once an updated ld.so has been installed, we can change __canonicalize_funcptr_for_compare() (which lives in libgcc) and rebuild everything with a new libgcc. Only then we can actually make ld.so executable-only. ok deraadt@, miod@
6d9ddefd 2022-12-26 20:06:43 spelling fixes; from paul tagliamonte
41b7dcd7 2022-12-25 09:39:37 Re-enable DT_MIPS_RLD_MAP_REL tag in ld.so The linker now produces correct values for DT_MIPS_RLD_MAP_REL tags. The DT_MIPS_RLD_MAP_REL offset is relative to the entry of the original dynamic tags array. Therefore look up the tag from exe_obj->load_dyn instead of exe_obj->Dyn.info to get the correct base address. OK kettenis@ deraadt@
40627327 2022-12-24 10:52:04 Make .text (and .btext) execute-only on arm64. ok deraadt@