| Commit | Date | Message | Author | CI |
|---|---|---|---|---|
| 6d638812 | 2025-01-12 00:18:15 | When running a shell to check that the startup files properly set up the environment, discard standard output from the startup files. While putting commands into startup files that generate output is certainly not recommended, we don't want such output to interfere with these checks. Based on a smaller patch from Lloyd <ng2d68 at proton dot me> on bugs@ made more consistent and less aggressive by me. OK afresh1@ semarie@ | ||
| f5da8a2d | 2025-01-10 10:16:48 | Ignore quota(1) files and all subdirectories of /var/mail/ when checking the ownership and mode of mailboxes. Based on a patch from Robert <rmz at hostexpert dot pl>, tweaked by me. OK sthen@ | ||
| b9f606a9 | 2024-12-24 17:08:50 | Add preservation of fdisk info to libexec/security daily script. perl fix && ok afresh1@ | ||
| 667e8970 | 2024-11-09 11:22:18 | gettytab's dx flag is supposed to set decctlq, which is the opposite of ixany, but was setting ixany instead. Fix this by reversing the logic. Bug report and fix from Piotr Durlej, thanks! | ||
| 484eff01 | 2024-09-22 04:19:22 | remove BACK_CHANNEL define, unused since YP bits removed in rev 1.20 | ||
| 4538572b | 2024-07-19 15:28:51 | unveil(2) /etc/gettytab.db in getty(8) to avoid possible violation. OK deraadt@ | ||
| 671eecb8 | 2024-07-18 02:45:31 | Since libcrypto is used to calc message authenticator, use libcrypto md5 also in other places instead of libc md5. ok millert | ||
| 3ae2a32a | 2024-07-17 20:50:28 | Add Message-Authenticator attribute when sending Access-Request. ok millert | ||
| c0b7aa14 | 2024-07-10 20:33:31 | Allow pfIfTable to have more than 64 entries. Taken from pfctl_table.c r1.85 by sashan@ OK tb@ | ||
| c5d0954b | 2024-06-09 18:31:17 | Silently ignore setuid changes in relinked binaries If these files are being relinked at reboot, this causes false positives and alert fatigue. Prompted by florian@ Feedback from millert@ and deraadt@ | ||
| 1457ca87 | 2024-06-04 15:14:44 | enable -fret-clean on amd64, for libc libcrypto ld.so kernel, and all the ssh tools. The dynamic objects are entirely ret-clean, static binaries will contain a blend of cleaning and non-cleaning callers. | ||
| f7af79d4 | 2024-05-22 08:44:02 | When localtime() fails, throw an error instead of returning a non-sensical 0 filled string. OK florian@ | ||
| ce7279d8 | 2024-05-21 05:00:47 | remove prototypes with no matching function and externs with no var partly checked by millert@ | ||
| 172cfcf8 | 2024-05-20 01:05:17 | remove setproctitle() prototype that matches the one in stdlib.h | ||
| cc45ccb8 | 2024-05-19 10:30:43 | remove prototypes with no matching function | ||
| c694ed72 | 2024-05-17 06:11:54 | use SIGKILL instead of 9; ok guenther | ||
| 94c8de54 | 2024-05-09 08:35:03 | ctime(3) and ctime_r(3) can fail when timestamps are way off. Add missing error checks to all calls under libexec/ Input kettenis, millert OK millert | ||
| 73fe6daa | 2024-04-28 16:42:53 | gmtime(3) / localtime(3) can fail when timestamps are way off. Add missing error checks to all calls under libexec/ Input & OK millert | ||
| f7413c6a | 2024-04-05 13:51:47 | ld.so should stop calling msyscall(2), since it is fully neutered and about to be removed. Please be careful building through this, you need a kernel at least March 29th or so to build through it, otherwise use snapshots to cross over. ok various people | ||
| 834c4ef2 | 2024-04-01 21:09:44 | Advertise SMTPUTF8 and 8BITMIME extensions in EHLO. Fixes potential interoperability issues when the real MTA supports those extensions. From Arnt Gulbrandsen, OK benno@ | ||
| 2584d4c0 | 2024-03-30 10:42:26 | Prefer illop1 rather than nop for text padding in the ld.so linker script. | ||
| e60a0123 | 2024-03-30 08:44:20 | Remove nonsensical comments. NFC | ||
| 19f4e8b9 | 2024-03-05 18:54:29 | backup disklabel for softraid(4) chunks Extend "Check for changes to the disklabels of mounted disks" to those that host online softraid volumes, e.g installations with root inside CRYPTO sd0a (and EFI System partition on sd0i). That produces /var/backup/disklabel.sd0.current, previously missing in such setups; noticed after someone dd(1)ed miniroot onto sd0 by accident and had no disklabel(8) backup to restore. Feedback OK bluhm | ||
| 210cc31e | 2024-01-22 02:08:31 | ugly whitespaces | ||
| a09d28f1 | 2024-01-19 14:16:41 | Stop initializing pinsyscall(SYS_execve in dynamic binaries that contain a reference reaching the execve(2) stub. The new pinsyscalls(2) that applies to all system calls has made this redundant. | ||
| 83447bbc | 2024-01-17 13:00:05 | very ugly whitespaces | ||
| 4a066def | 2024-01-16 19:07:31 | Read PT_OPENBSD_SYSCALLS in libc.so, and convert it to a table for pinsyscalls(2). ok kettenis | ||
| 5a40d3e0 | 2024-01-14 09:39:03 | Whenever we have a libc major bump, we run the risk that dependent shared libraries will request a different (major) libc version from the one requested by the binary itself. For various reasons loading multiple libc versions is not a good idea, and since the introduction of msyscall(2) support, system calls will only work when called from one of the two loaded libcs. This really means that when we have a libc major bump, users must update all dynamic executables and shared libraries in the system. However, to ease this transition, change ld.so to only load the first libc version that we encounter (in a breadth first sense) and substitute that libc version for all further loads of libc, even if different versions are requested. This is done silently since I can't come up with a good warning message. In practice this means the libc version requested by the executable itself will be loaded. This means that shared libraries may fail to load if they use a symbol that has been removed. But given the constraints, this is the best that we can do. Even when we bump the libc major, the set of changes is typically small and most binaries and shared libraries will continue to run and allow the user to run pkg_add -u without any fallout. ok deraadt@, gkoehler@ | ||
| a346a825 | 2023-12-20 14:54:29 | create a stub for pinsyscalls(2) | ||
| 43ad5020 | 2023-12-20 14:52:07 | there is a super-alignment between btext and text, this creates a hole. Twice, I have seen the sigtramp mapping land inside that hole. This causes grief for the upcoming pinsyscalls() work which operates on address space ranges. But the micro-optimization is silly. ok kettenis | ||
| 805b87ea | 2023-12-20 14:50:08 | For strange reasons which made sense at the time, the text segment was placed head of the btext (boot.text) segment. (the boot.text segment is "unmapped" after initialization, as a self-protection mechanism). this meant the LOAD's virtual addresses were not in sequence, which clearly isn't what we intended. | ||
| 434871b6 | 2023-12-19 16:13:22 | whitespaces | ||
| d20ca04b | 2023-12-19 06:27:45 | correct alignment placement | ||
| babd3ace | 2023-12-18 17:19:07 | correct section the SYS_kbind syscall pin record goes into noticed by gnezdo | ||
| f73a2a97 | 2023-12-16 06:42:38 | Fix phdr name in ld.script. ok deraadt@ | ||
| 2c98d8df | 2023-12-12 17:39:14 | repair type for 2nd arg of read(2) | ||
| 876ab33d | 2023-12-12 15:44:00 | To avoid kbind(2) becoming a powerful gadget, it is called inline to a function. Therefore we cannot create a precise pinsyscall label. Instead create a duplicate entry (using inline asm) to force the kernel's pinsyscall code to skip validation, rather than labelling it illegal. kbind(2) remains safe because it self-protects by checking its calling address. ok kettenis | ||
| 04459484 | 2023-12-11 22:29:23 | Make sure the syscall table entries are aligned on a 4-byte boundary. Required for strict-alignment architectures and a good idea on others. same as kettenis commit to libc | ||
| a0ef76c2 | 2023-12-11 03:05:15 | arm just had to be different and change the syntax for .pushsection arguments, so we have to cope. | ||
| 83762a71 | 2023-12-10 16:45:50 | Populate the non-LOAD openbsd.syscalls section (and PT_OPENBSD_SYSCALL) with {uint offset, uint syscall#} entries in libc & ld.so. In libc a few syscall# entries (break, sigprocmask, _tfork, _threxit) are duplicated because additional or inline uses occur (that situation is handled elsewhere) ok kettenis | ||
| a4e0416e | 2023-12-08 12:58:27 | locally use MAXIMUM() rather than MAX() ok tb gnezdo | ||
| 6750a6d9 | 2023-12-06 06:15:33 | Move CALLSYS_NOERROR macro from <machine/asm.h> to libc, and expand it for non-libc users. This is a two-liner macro anyway, and this will make deraadt@'s future changes in this area easier to make. NFC | ||
| 41a3185c | 2023-11-21 08:49:08 | Set sc_rtfilter to specific ROUTE_FILTER() values, as was originally intended, instead of filtering out everything. OK sthen@ | ||
| 1e43641e | 2023-11-18 16:26:15 | crt0 uses a helper function in a MD src/libexec/ld.so .h file (rather than reproducing the relevant defines and code in a different place) to perform minor relocations. If things go very wrong, it would call _dl_exit() -- a locally defined crt0 function which is syscall exit(2). We don't need to call exit(2) for this obscure case which doesn't happen and provides no debugging information. An 'abort' is going to provide better information. So let's change the function name to _dso_abort() and make it a single illegal instruction. ok guenther | ||
| 494a7cf8 | 2023-10-24 18:27:26 | Make hrSWRunPath use argv[0], instead of p_comm. hrSWRunName is supposed to be a descriptive name, where hrSWRunPath should give the full path to the binary. While argv[0] can contain any of a simple binary name, the full path, or a custom name given by the application itself, it gives us the option to retrieve both pieces of information. This is also the same distinction made by netsnmp. This also keeps the default command column from top(1) and snmptop in sync, and now allows for identical output in the column between `top -C` and `snmptop -Cpa` OK tb@ | ||
| 56081d37 | 2023-10-24 18:16:05 | Add support for HOST-RESOURCES-MIB:hrSWRunPerfTable by adding hrSWRunPerfCPU and hrSWRunPerfMem. This allows snmptop to work with snmpd(8). Math copied from top(1). OK tb@ | ||
| 1b3607db | 2023-09-05 16:01:58 | Log a dummy "<unknown>" IP address in the unlikely event that getnameinfo(3) fails clang-16 warning reported by robert@, ok tb@ millert@ | ||
| b75a4ace | 2023-08-15 13:50:53 | ldd can pledge "stdio rpath proc exec prot_exec". We can later bifurbicate at the dlopen vs execve split, dropping either "proc" or "prot_exec". ok gnezdo | ||
| ac42b3c8 | 2023-08-15 06:26:34 | Improve handling of dlopen(RTLD_TRACE) aka ldd, of a library that is already loaded: * add a 'trace' argument to _dl_show_objects() and exit the walk-the-objects loop if you hit that traced object * in dlopen(), pass the trace object to _dl_show_objects() * also, invoke _dl_show_objects() + exit if the object was already opened * pass NULL to _dl_show_objects() for all the other calls * oh hey, _dl_tracelib is now superfluous: _dl_show_objects() should do the walk-the-objects loop only if trace is not NULL. Problem noted by gnezdo@ ok millert@ | ||
| 15fded63 | 2023-08-15 06:23:31 | Skip the _dl_msyscall() invocation if tracing library loading. Problem noted by gnezdo@ ok millert@ | ||
| d4a5aacd | 2023-08-12 13:43:22 | Check for a full read, avoid warn when errno might be unmodified Promote size from int to size_t. From: lucas at sexy dot is Regress tests by gnezdo@ deraadt: yes | ||
| f61db8b9 | 2023-07-24 01:02:47 | I added the 2nd argument (execpromises) to pledge(2), and then hunted for more than a year code which could use it; but in all non-trivial circumstances (programs which would benefit), I was stopped by issues (in particular by environment variable behaviours). But I never looked in ldd(1). This is the FIRST one which is completely obvious. spledge(NULL, "stdio rpath") ok guenther | ||
| fbc42936 | 2023-07-13 19:04:50 | - use IS_ELF() to check the ELF magic bytes - reject non-sensical program header values which would result in a crash when accessing the 0 bytes sized buffer allocated due to it ok deraadt@ kettenis@ | ||
| 4bd80098 | 2023-07-12 19:49:06 | validate alignment of ELF program headers | ||
| d198ddd1 | 2023-07-08 14:09:43 | turn an ifdef'd _dl_printf call into DL_DEB and various whitespace fixes sure deraadt@ | ||
| f81a9d33 | 2023-07-08 11:03:45 | zap stray backslash ok deraadt@ | ||
| d2364f60 | 2023-07-04 11:34:19 | The recent change to DIOCGETRULE allows applications which periodically read rules from pf(4) to consume all kernel memory. The bug has been discovered and root caused by florian@. In this particular case it was snmpd(8) what ate all kernel memory. This commit introduces DIOCXEND to pf(4) so applications such as snmpd(8) and systat(1) to close ticket/transaction when they are done with fetching the rules. This change also updates snmpd(8) and systat(1) to use newly introduced DIOCXEND ioctl(2). OK claudio@, deraadt@, kn@ | ||
| 01f59d78 | 2023-06-05 08:07:18 | use getline(3) instead of fgetln(3) while here simplify the "From " check too. ok millert@ | ||
| 2903f217 | 2023-05-18 16:33:39 | If you disable retpolineplt then _dl_bind_start is called with an indirect branch, so include an endbr64 Just In Case. ok deraadt@ | ||
| 320e1832 | 2023-05-15 12:02:40 | cast to '(long long)' instead of '(long long int)' requested by deraadt@, ok tb@ | ||
| ad520ff8 | 2023-05-10 08:03:49 | cast off_t to long long int for printing reduces the diff with opensmtpd-portable. ok tb@ | ||
| ba367c05 | 2023-04-27 12:27:56 | revert cache lookup for full pathnames | ||
| 12e285c6 | 2023-04-25 04:11:10 | endbr64 is potentially necessary in the syscall stubs. | ||
| e00439cd | 2023-04-24 22:06:05 | Since ENTRY() already inserts a BTI instruction, don't add another one. ok patrick@ | ||
| 34280c35 | 2023-04-24 08:59:09 | do a cache lookup as well in case a full pathname is passed to dlopen | ||
| 6bae335d | 2023-04-19 12:58:15 | remove duplicate includes | ||
| 93f6aaea | 2023-04-19 12:34:23 | remove duplicate include feedback tb@ | ||
| d82bde86 | 2023-04-13 19:57:30 | Avoid an overflow in the ELF SYSV ABI hash function. The hash function is supposed to return a value less than or equal to 0x0fffffff. Due to a bug in the sample code supplied with the ELF SYSV ABI documentation, the hash function can overflow on 64-bit systems. Apply the same fix used by GNU libc, MUSL libc and FreeBSD. Prompted by https://maskray.me/blog/2023-04-12-elf-hash-function OK tb@ miod@ | ||
| c51b9268 | 2023-04-09 23:41:47 | Treat symlinks better in $ORIGIN determination in ld.so Now symlinking an executable away from the rest of its installation tree no longer prevents it from finding the libraries. This matches the behavior of other OS linkers. Prompted by a behavior change in lang/ghc test suite. Swapped the order of dirname/realpath in _dl_origin_path. Added some regress tests that pass and then bin3 that fails without this change and reflects the behavior needed for lang/ghc. Suggestion by semarie@, OK deraadt@ | ||
| 7dfdc4ec | 2023-03-31 18:45:05 | Call entry point of the executable through register x17. This allows it to be a normal C function that starts with "bti c" when BTI control flow integrity enforcement is in place. Add "bti c" to _dl_bind_start(). Remove unused _rtld_tlsdesc() function to avoid having to add "bti c" to it. ok deraadt@ | ||
| 5b133f3f | 2023-03-08 04:43:04 | Delete obsolete /* ARGSUSED */ lint comments. ok miod@ millert@ | ||
| d103d2f2 | 2023-03-02 16:13:57 | rad_recv: verify length field in received auth_hdr_t before using it. Reported by Peter J. Philipp. OK deraadt@ | ||
| 8cef5497 | 2023-02-20 00:51:57 | Adjust inline !libc check to match the intent in ld.so right, deraadt@ | ||
| a4ba1e57 | 2023-02-18 01:22:50 | Lookup the start,len of the "execve" stub in libc.so, and tell the kernel where it is with pinsyscall(). In non-static binaries, kernel execve(2) will now insist upon being called from that small region. Arriving from a different region smells like ROP methodology, and the process is killed. | ||
| 1a0a232e | 2023-02-17 17:59:36 | Remove unused variables; ok millert@ | ||
| e148ff24 | 2023-02-10 03:22:12 | Explicitly mark the text LOAD as FLAGS(5), meaning RX, with a comment. This is the default value of the linker, but I really like placing the comment "architecturally required data islands". | ||
| 92c11255 | 2023-02-02 00:44:08 | unify spacing for LOAD FLAGS lines | ||
| c284c86c | 2023-02-02 00:43:08 | i386 and alpha ld.so also work with X-only text LOAD. There is no hardware enforcement for this, but uvm can some of its own tricks on occasion. | ||
| 71410e9b | 2023-01-31 00:50:17 | powerpc xonly for G5 is coming. ld.so can have xonly text. ok gkoehler | ||
| 4098e116 | 2023-01-29 20:30:56 | Accumulate intermediate immutables locally before applying OK deraadt | ||
| 388165f5 | 2023-01-29 20:30:21 | Unite all nitems copies in ld.so/util.h OK deraadt | ||
| 8e81a2e9 | 2023-01-29 07:37:34 | powerpc64 xonly works; ld.so can be switched over | ||
| 79094096 | 2023-01-20 16:03:14 | amd64 now has xonly support via the PKU feature. Marking ld.so exec-only is no longer a NOP on those systems, let's do it. | ||
| 1d1793f7 | 2023-01-14 07:36:16 | Add missing void to function definition | ||
| 55822a5e | 2023-01-12 07:25:29 | Use proper sparc64 illtrap instruction as text sections filler, rather than the x86 one. | ||
| f14117cf | 2023-01-11 17:16:33 | be very paranoid like other architectures and force no-jump-tables came up in two separate conversations with miod and kettenis | ||
| 7a839740 | 2023-01-11 16:33:36 | put LD_SCRIPT in the canonical location | ||
| c0a58aa7 | 2023-01-11 16:31:46 | Add ld.so linker scripts on the remaining platforms. | ||
| edb83f86 | 2023-01-11 16:21:32 | force-disable jump tables in ld.so building on sparc64, to ease the exonly transition for people building through an upcoming commit series | ||
| a291dbc8 | 2023-01-11 15:14:01 | the kernel on mips64 (octeon, loongson) is in good enough shape to run --execute-only ld.so (meaning FLAGS (1) on the LOAD line for the text segment, in the ld.script). the linker, when using built-in linker scripts, is not ready yet for other libraries / binaries.. | ||
| 39b8558c | 2023-01-11 01:55:17 | Add retguard to amd64 syscalls. Since we got rid of padded syscalls we have enough registers to do this. ok deraadt@ ok kettenis@ | ||
| 7e81395c | 2023-01-10 21:22:39 | hppa ld.so works with executable-only text (non-readable) | ||
| 571ef328 | 2023-01-09 15:05:49 | riscv64 ld.so is ready to be xonly ok kettenis | ||
| d857960c | 2023-01-09 13:52:42 | Rewrite the hppa assembly code to avoid reads from .text, by using the standard PIC magic. This makes the code similar to what we already use for rcrt0.o. This makes it ready for execute-only. Build C code using -fno-jump-tables to make it ready for execute-only. ok deraadt@, miod@ | ||
| 4bd9ff11 | 2023-01-09 13:45:55 | In preparation for upcoming execute-only support, change the magic branch instruction used by __canonicalize_funcptr_for_compare() from "bl" into "b". This allows __canonicalize_funcptr_for_compare() to execute the branch instead of decoding the instruction to find the address of _dl_bind(). This is the first step in the transition to a new ABI. Once an updated ld.so has been installed, we can change __canonicalize_funcptr_for_compare() (which lives in libgcc) and rebuild everything with a new libgcc. Only then we can actually make ld.so executable-only. ok deraadt@, miod@ | ||
| 6d9ddefd | 2022-12-26 20:06:43 | spelling fixes; from paul tagliamonte | ||
| 41b7dcd7 | 2022-12-25 09:39:37 | Re-enable DT_MIPS_RLD_MAP_REL tag in ld.so The linker now produces correct values for DT_MIPS_RLD_MAP_REL tags. The DT_MIPS_RLD_MAP_REL offset is relative to the entry of the original dynamic tags array. Therefore look up the tag from exe_obj->load_dyn instead of exe_obj->Dyn.info to get the correct base address. OK kettenis@ deraadt@ | ||
| 40627327 | 2022-12-24 10:52:04 | Make .text (and .btext) execute-only on arm64. ok deraadt@ | ||
| 61923635 | 2022-12-18 19:33:11 | cannot try the boot.data unmap until all the ld.script are committed, and fixed to identify the region correctly. | ||
| 13f8c82f | 2022-12-16 03:14:52 | delete // debug comment chunks. If anyone wants to debug ld.so and runs into a mimmutable related concern, you want to undo this revision to get this debug back. I do not consider this suitable for hiding behind a cpp macro. |