IABSD.fr/src/libexec

Log

Commit Date Message
b75a4ace 2023-08-15 13:50:53 ldd can pledge "stdio rpath proc exec prot_exec". We can later bifurbicate at the dlopen vs execve split, dropping either "proc" or "prot_exec". ok gnezdo
ac42b3c8 2023-08-15 06:26:34 Improve handling of dlopen(RTLD_TRACE) aka ldd, of a library that is already loaded: * add a 'trace' argument to _dl_show_objects() and exit the walk-the-objects loop if you hit that traced object * in dlopen(), pass the trace object to _dl_show_objects() * also, invoke _dl_show_objects() + exit if the object was already opened * pass NULL to _dl_show_objects() for all the other calls * oh hey, _dl_tracelib is now superfluous: _dl_show_objects() should do the walk-the-objects loop only if trace is not NULL. Problem noted by gnezdo@ ok millert@
15fded63 2023-08-15 06:23:31 Skip the _dl_msyscall() invocation if tracing library loading. Problem noted by gnezdo@ ok millert@
d4a5aacd 2023-08-12 13:43:22 Check for a full read, avoid warn when errno might be unmodified Promote size from int to size_t. From: lucas at sexy dot is Regress tests by gnezdo@ deraadt: yes
f61db8b9 2023-07-24 01:02:47 I added the 2nd argument (execpromises) to pledge(2), and then hunted for more than a year code which could use it; but in all non-trivial circumstances (programs which would benefit), I was stopped by issues (in particular by environment variable behaviour). But I never looked in ldd(1). This is the FIRST one which is completely obvious. spledge(NULL, "stdio rpath") ok guenther
fbc42936 2023-07-13 19:04:50 - use IS_ELF() to check the ELF magic bytes - reject non-sensical program header values which would result in a crash when accessing the 0 bytes sized buffer allocated due to it ok deraadt@ kettenis@
4bd80098 2023-07-12 19:49:06 validate alignment of ELF program headers
d198ddd1 2023-07-08 14:09:43 turn an ifdef'd _dl_printf call into DL_DEB and various whitespace fixes sure deraadt@
f81a9d33 2023-07-08 11:03:45 zap stray backslash ok deraadt@
d2364f60 2023-07-04 11:34:19 The recent change to DIOCGETRULE allows applications which periodically read rules from pf(4) to consume all kernel memory. The bug has been discovered and root caused by florian@. In this particular case it was snmpd(8) that ate all kernel memory. This commit introduces DIOCXEND to pf(4) so applications such as snmpd(8) and systat(1) can close the ticket/transaction when they are done with fetching the rules. This change also updates snmpd(8) and systat(1) to use the newly introduced DIOCXEND ioctl(2). OK claudio@, deraadt@, kn@
01f59d78 2023-06-05 08:07:18 use getline(3) instead of fgetln(3) while here simplify the "From " check too. ok millert@
2903f217 2023-05-18 16:33:39 If you disable retpolineplt then _dl_bind_start is called with an indirect branch, so include an endbr64 Just In Case. ok deraadt@
320e1832 2023-05-15 12:02:40 cast to '(long long)' instead of '(long long int)' requested by deraadt@, ok tb@
ad520ff8 2023-05-10 08:03:49 cast off_t to long long int for printing reduces the diff with opensmtpd-portable. ok tb@
ba367c05 2023-04-27 12:27:56 revert cache lookup for full pathnames
12e285c6 2023-04-25 04:11:10 endbr64 is potentially necessary in the syscall stubs.
e00439cd 2023-04-24 22:06:05 Since ENTRY() already inserts a BTI instruction, don't add another one. ok patrick@
34280c35 2023-04-24 08:59:09 do a cache lookup as well in case a full pathname is passed to dlopen
6bae335d 2023-04-19 12:58:15 remove duplicate includes
93f6aaea 2023-04-19 12:34:23 remove duplicate include feedback tb@
d82bde86 2023-04-13 19:57:30 Avoid an overflow in the ELF SYSV ABI hash function. The hash function is supposed to return a value less than or equal to 0x0fffffff. Due to a bug in the sample code supplied with the ELF SYSV ABI documentation, the hash function can overflow on 64-bit systems. Apply the same fix used by GNU libc, MUSL libc and FreeBSD. Prompted by https://maskray.me/blog/2023-04-12-elf-hash-function OK tb@ miod@
c51b9268 2023-04-09 23:41:47 Treat symlinks better in $ORIGIN determination in ld.so Now symlinking an executable away from the rest of its installation tree no longer prevents it from finding the libraries. This matches the behavior of other OS linkers. Prompted by a behavior change in lang/ghc test suite. Swapped the order of dirname/realpath in _dl_origin_path. Added some regress tests that pass and then bin3 that fails without this change and reflects the behavior needed for lang/ghc. Suggestion by semarie@, OK deraadt@
7dfdc4ec 2023-03-31 18:45:05 Call entry point of the executable through register x17. This allows it to be a normal C function that starts with "bti c" when BTI control flow integrity enforcement is in place. Add "bti c" to _dl_bind_start(). Remove unused _rtld_tlsdesc() function to avoid having to add "bti c" to it. ok deraadt@
5b133f3f 2023-03-08 04:43:04 Delete obsolete /* ARGSUSED */ lint comments. ok miod@ millert@
d103d2f2 2023-03-02 16:13:57 rad_recv: verify length field in received auth_hdr_t before using it. Reported by Peter J. Philipp. OK deraadt@
8cef5497 2023-02-20 00:51:57 Adjust inline !libc check to match the intent in ld.so right, deraadt@
a4ba1e57 2023-02-18 01:22:50 Lookup the start,len of the "execve" stub in libc.so, and tell the kernel where it is with pinsyscall(). In non-static binaries, kernel execve(2) will now insist upon being called from that small region. Arriving from a different region smells like ROP methodology, and the process is killed.
1a0a232e 2023-02-17 17:59:36 Remove unused variables; ok millert@
e148ff24 2023-02-10 03:22:12 Explicitly mark the text LOAD as FLAGS(5), meaning RX, with a comment. This is the default value of the linker, but I really like placing the comment "architecturally required data islands".
92c11255 2023-02-02 00:44:08 unify spacing for LOAD FLAGS lines
c284c86c 2023-02-02 00:43:08 i386 and alpha ld.so also work with X-only text LOAD. There is no hardware enforcement for this, but uvm can do some of its own tricks on occasion.
71410e9b 2023-01-31 00:50:17 powerpc xonly for G5 is coming. ld.so can have xonly text. ok gkoehler
4098e116 2023-01-29 20:30:56 Accumulate intermediate immutables locally before applying OK deraadt
388165f5 2023-01-29 20:30:21 Unite all nitems copies in ld.so/util.h OK deraadt
8e81a2e9 2023-01-29 07:37:34 powerpc64 xonly works; ld.so can be switched over
79094096 2023-01-20 16:03:14 amd64 now has xonly support via the PKU feature. Marking ld.so exec-only is no longer a NOP on those systems, let's do it.
1d1793f7 2023-01-14 07:36:16 Add missing void to function definition
55822a5e 2023-01-12 07:25:29 Use proper sparc64 illtrap instruction as text sections filler, rather than the x86 one.
f14117cf 2023-01-11 17:16:33 be very paranoid like other architectures and force no-jump-tables came up in two separate conversations with miod and kettenis
7a839740 2023-01-11 16:33:36 put LD_SCRIPT in the canonical location
c0a58aa7 2023-01-11 16:31:46 Add ld.so linker scripts on the remaining platforms.
edb83f86 2023-01-11 16:21:32 force-disable jump tables in ld.so building on sparc64, to ease the exonly transition for people building through an upcoming commit series
a291dbc8 2023-01-11 15:14:01 the kernel on mips64 (octeon, loongson) is in good enough shape to run --execute-only ld.so (meaning FLAGS (1) on the LOAD line for the text segment, in the ld.script). the linker, when using built-in linker scripts, is not ready yet for other libraries / binaries..
39b8558c 2023-01-11 01:55:17 Add retguard to amd64 syscalls. Since we got rid of padded syscalls we have enough registers to do this. ok deraadt@ ok kettenis@
7e81395c 2023-01-10 21:22:39 hppa ld.so works with executable-only text (non-readable)
571ef328 2023-01-09 15:05:49 riscv64 ld.so is ready to be xonly ok kettenis
d857960c 2023-01-09 13:52:42 Rewrite the hppa assembly code to avoid reads from .text, by using the standard PIC magic. This makes the code similar to what we already use for rcrt0.o. This makes it ready for execute-only. Build C code using -fno-jump-tables to make it ready for execute-only. ok deraadt@, miod@
4bd9ff11 2023-01-09 13:45:55 In preparation for upcoming execute-only support, change the magic branch instruction used by __canonicalize_funcptr_for_compare() from "bl" into "b". This allows __canonicalize_funcptr_for_compare() to execute the branch instead of decoding the instruction to find the address of _dl_bind(). This is the first step in the transition to a new ABI. Once an updated ld.so has been installed, we can change __canonicalize_funcptr_for_compare() (which lives in libgcc) and rebuild everything with a new libgcc. Only then we can actually make ld.so executable-only. ok deraadt@, miod@
6d9ddefd 2022-12-26 20:06:43 spelling fixes; from paul tagliamonte
41b7dcd7 2022-12-25 09:39:37 Re-enable DT_MIPS_RLD_MAP_REL tag in ld.so The linker now produces correct values for DT_MIPS_RLD_MAP_REL tags. The DT_MIPS_RLD_MAP_REL offset is relative to the entry of the original dynamic tags array. Therefore look up the tag from exe_obj->load_dyn instead of exe_obj->Dyn.info to get the correct base address. OK kettenis@ deraadt@
40627327 2022-12-24 10:52:04 Make .text (and .btext) execute-only on arm64. ok deraadt@
61923635 2022-12-18 19:33:11 cannot try the boot.data unmap until all the ld.script are committed, and fixed to identify the region correctly.
13f8c82f 2022-12-16 03:14:52 delete // debug comment chunks. If anyone wants to debug ld.so and runs into a mimmutable related concern, you want to undo this revision to get this debug back. I do not consider this suitable for hiding behind a cpp macro.
7e53a3c9 2022-12-05 07:49:07 Add linker script for hppa. The crucial bit is that hppa needs an extra segment for .plt/.got which needs to be placed correctly. ok deraadt@
9034200f 2022-12-04 15:55:26 ld.so: Disable DT_MIPS_RLD_MAP_REL The linker produces incorrect values for DT_MIPS_RLD_MAP_REL tags. Disable the handling of the tag in the dynamic loader. The linker will be fixed in a later commit when snapshots have the updated ld.so. Discussed with and OK kettenis@ deraadt@
9ba2c65f 2022-12-04 15:42:07 The next step for mimmutable(). ld.so figures out what regions of memory of startup shared library mappings can be made immutable, and also does this for dlopen() RTLD_NODELETE and subsidiary libraries. Complexity in this diff is due to the GNU_RELRO and OPENBSD_MUTABLE sections. Tested in snaps for about 3 weeks, with some bootstrap related pain felt in ports ok kettenis, much help from others.
fe251f38 2022-11-25 14:56:56 Add ld.so linker script for mips64 Since the introduction of automatic immutable from the kernel, the munmap() of ld.so boot.text region is now (silently) failing because the region is contained within the text LOAD, which is immutable. So create a new btext LOAD with flags PF_X|PF_R|PF_OPENBSD_MUTABLE, and place all boot.text objects in there. This LOAD must also be page-aligned so it doesn't skip unmapping some of the object region, previously it was hilariously unaligned. OK deraadt@
8fd2446c 2022-11-14 13:21:50 Since the introduction of automatic immutable from the kernel, the munmap() of ld.so boot.text region is now (silently) failing because the region is contained within the text LOAD, which is immutable. So create a new btext LOAD with flags PF_X|PF_R|PF_OPENBSD_MUTABLE, and place all boot.text objects in there. This LOAD must also be page-aligned so it doesn't skip unmapping some of the object region, previously it was hilariously unaligned. ok kettenis and guenther seemed to like it also This one is for powerpc64 and a modified version of the diff deraadt@ mailed out to make sure the LOADs are in increasing address order. this is the alpha version
b6feb2a9 2022-11-14 13:20:23 Since the introduction of automatic immutable from the kernel, the munmap() of ld.so boot.text region is now (silently) failing because the region is contained within the text LOAD, which is immutable. So create a new btext LOAD with flags PF_X|PF_R|PF_OPENBSD_MUTABLE, and place all boot.text objects in there. This LOAD must also be page-aligned so it doesn't skip unmapping some of the object region, previously it was hilariously unaligned. ok kettenis and guenther seemed to like it also This one is for powerpc64 and a modified version of the diff deraadt@ mailed out to make sure the LOADs are in increasing address order. this is the i386 version
b3a51cd3 2022-11-14 13:13:19 Since the introduction of automatic immutable from the kernel, the munmap() of ld.so boot.text region is now (silently) failing because the region is contained within the text LOAD, which is immutable. So create a new btext LOAD with flags PF_X|PF_R|PF_OPENBSD_MUTABLE, and place all boot.text objects in there. This LOAD must also be page-aligned so it doesn't skip unmapping some of the object region, previously it was hilariously unaligned. ok kettenis and guenther seemed to like it also This one is for powerpc64 and a modified version of the diff deraadt@ mailed out to make sure the LOADs are in increasing address order. this is the version for sparc64, tested by pascal also
e201c79b 2022-11-14 13:12:59 Since the introduction of automatic immutable from the kernel, the munmap() of ld.so boot.text region is now (silently) failing because the region is contained within the text LOAD, which is immutable. So create a new btext LOAD with flags PF_X|PF_R|PF_OPENBSD_MUTABLE, and place all boot.text objects in there. This LOAD must also be page-aligned so it doesn't skip unmapping some of the object region, previously it was hilariously unaligned. ok kettenis and guenther seemed to like it also This one is for powerpc64 and a modified version of the diff deraadt@ mailed out to make sure the LOADs are in increasing address order. this is the version for powerpc, tested by pascal
9044b3fc 2022-11-10 16:14:50 Since the introduction of automatic immutable from the kernel, the munmap() of ld.so boot.text region is now (silently) failing because the region is contained within the text LOAD, which is immutable. So create a new btext LOAD with flags PF_X|PF_R|PF_OPENBSD_MUTABLE, and place all boot.text objects in there. This LOAD must also be page-aligned so it doesn't skip unmapping some of the object region, previously it was hilariously unaligned. ok kettenis and guenther seemed to like it also This one is for powerpc64 and a modified version of the diff deraadt@ mailed out to make sure the LOADs are in increasing address order.
82e9b32a 2022-11-09 19:50:25 Now that dlopen() sets object->nodelete for RTLD_NODELETE, _dl_load_dep_libs() can consider this same as the "booting" case, and instruct lower layers to do immutability. With this change in place, the not-yet-committed library-immutable diff leaves 1 page of libc (malloc related) and 6 non-RTLD_NODELETE libraries mutable in chrome. Everything else is immutable, except for the program's transient memory allocations & file mappings. This is an unexpected result.
b75fe819 2022-11-09 18:44:11 dlopen() with RTLD_NODELETE should also set the object nodelete flag, so the mapping layer will know it can use mimmutable()
7f8a129b 2022-11-09 18:39:35 Since the introduction of automatic immutable from the kernel, the munmap() of ld.so boot.text region is now (silently) failing because the region is contained within the text LOAD, which is immutable. So create a new btext LOAD with flags PF_X|PF_R|PF_OPENBSD_MUTABLE, and place all boot.text objects in there. This LOAD must also be page-aligned so it doesn't skip unmapping some of the object region, previously it was hilariously unaligned. ok kettenis and guenther seemed to like it also This one is for 32-bit arm, tested by phessler
b8b81751 2022-11-08 13:47:22 In the new scheme, the main executable object needs to be marked nodelete, so that _dl_relro() will immutable its relro.
59d66fc3 2022-11-08 06:55:53 Since the introduction of automatic immutable from the kernel, the munmap() of ld.so boot.text region is now (silently) failing because the region is contained within the text LOAD, which is immutable. So create a new btext LOAD with flags PF_X|PF_R|PF_OPENBSD_MUTABLE, and place all boot.text objects in there. This LOAD must also be page-aligned so it doesn't skip unmapping some of the object region, previously it was hilariously unaligned. ok kettenis and guenther seemed to like it also This one is for riscv64, tested by jca
8e29f60a 2022-11-08 06:47:31 Instead of unmapping boot.text, and then a future allocation could land in the gap, mmap a fresh MAP_FIXED MAP_ANON PROT_NONE and make it immutable for good measure ok guenther kettenis
cd3e981d 2022-11-07 21:12:57 Missed an ALIGN (which I will admit I do not understand, this is voodoo)
a5c19628 2022-11-07 20:41:38 Since the introduction of automatic immutable from the kernel, the munmap() of ld.so boot.text region is now (silently) failing because the region is contained within the text LOAD, which is immutable. So create a new btext LOAD with flags PF_X|PF_R|PF_OPENBSD_MUTABLE, and place all boot.text objects in there. This LOAD must also be page-aligned so it doesn't skip unmapping some of the object region, previously it was hilariously unaligned. Similar changes for other architectures coming after more testing. ok kettenis and guenther seemed to like it also
f29e23ab 2022-11-07 15:55:56 Use variable and shorter logic for NFS check No need to hardcode a parent path if we can reuse an existing variable for the specific path that is in being used. Negate the file system type in df(1) so the `|| exit 1' can be dropped in favour of the errexit option, as is done for everything else in there. Clarify the comment how this is intentionally NOT logged, i.e. the test happens before the error trap/syslog/logfile handling. OK millert
44e1f387 2022-11-07 11:03:14 Set up logger(1) traps earlier to catch logfile setup failures If /usr is mounted read-only, kernel relinking fails silently without any log trace: # /usr/libexec/reorder_kernel /usr/libexec/reorder_kernel[35]: cannot create /usr/share/relink/kernel/GENERIC.MP/relink.log: Read-only file system This stderr line does not show up anywhere because init(8) redirects stdout and stderr to /dev/null, executes rc(8) which inherits it and thus executes reorder_kernel with both streams discarded. So install the error handler first, then try to set up a log file. Introduce ERRMSG to provide error messages to users, i.e. not say "see .../relink.log" when creating this file is what failed: # ksh ./reorder_kernel.sh ./reorder_kernel.sh[40]: cannot create /usr/share/relink/kernel/GENERIC.MP/relink.log: Read-only file system # tail -n1 /var/log/message # or xconsole(1) Nov 7 10:51:00 eru reorder_kernel.sh: failed OK tb
07cf23bb 2022-11-07 10:35:26 dtors were broken by trying to reuse DF_1_NODELETE to hint that this library would never unload, and could be immutable. Pass a separate flag for our purposes Noticed from regress tests by anton, ok kettenis
d23cb5cd 2022-11-06 12:00:20 TEXTREL binaries are loaded without immutable on un-writeable sections. After text relocations are finished, these regions (in the binary) can become immutable. OPENBSD_MUTABLE section always overlaps writeable LOADs, so don't be afraid of that case, it's covered.
980da63b 2022-11-06 11:43:19 ld.so wants to make its own RELRO immutable, which is obviously done right after it does mprotect PROT_READ.
118353ea 2022-11-06 11:38:54 Library RELRO sections are excluded from the immutable list, because ld.so tweaks them quite late. _dl_relro() is called when that work is done, and the final mprotect PROT_READ happens. Then we can mark it immutable. ok kettenis
3349f56c 2022-11-06 11:34:50 When loading startup libraries, pass DF_1_NODELETE to indicate these are unloadable libraries. This allows us to consider making parts of those libraries immutable (in future commits) ok guenther kettenis
1916ec13 2022-11-05 18:48:31 The /var/run/ld.so.hints file is mapped into memory. It is never replaced, so the mapping can be immutable. ok kettenis
baca2ca6 2022-11-05 18:44:09 teach ld.so how to call the mimmutable() system call ok kettenis
c0929e80 2022-10-28 15:07:25 Implement support for DT_MIPS_RLD_MAP_REL. ok deraadt@
6d0d199e 2022-10-23 06:12:06 add a little spacing and fix Nd;
81390b64 2022-10-23 01:15:33 sort Xr; remove '.' after Nd text
39a25297 2022-10-23 01:10:50 new sentence, new line
181c1305 2022-10-16 13:33:10 don't use | operator where || was intended ok gnezdo@ kn@ martijn@
71bb1f4c 2022-09-05 20:09:24 Do not perform out-of-bounds array accesses for bogus relocation type values.
3e492f6e 2022-09-02 06:19:04 Use a shorter system call invocation template for system calls in the range 0-127, where immediate addressing can be used to load the system call number in r0, rather than performing a memory load using pc-relative addressing. No functional change, but rm(1) runs a couple cycles faster per file now.
411fe3cb 2022-09-01 14:22:55 Hook up snmpd_metrics OK tb@, sthen@
5e39b809 2022-09-01 14:20:32 Import snmpd_metrics. This contains snmpd's mib.c (and friends) adjusted for libagentx. This standalone binary is to be used by snmpd to achieve privilege separation. If people need net-snmpd, but want some of the base snmpd metrics they can start this binary as a normal daemon and connect to net-snmpd's agentx socket. Tested, Feedback, and OK sthen@ Release build test, and OK tb@
07c7d596 2022-08-29 02:08:13 use ansi volatile keyword, not __volatile__ ok miod@ guenther@
ab4d5173 2022-08-20 14:11:31 Support RTLD_NOLOAD in ld.so. From guenther@. OK jca@ guenther@
aa6c9a01 2022-07-29 13:56:36 Mention that ttyflags needs to be run to update per-device flags. Also includes some minor cleanup inspired by the NetBSD version. OK jmc@ sthen@
8b7b35eb 2022-06-14 09:56:07 Document search order Explain when and how LD_LIBRARY_PATH, DT_RUNPATH and DT_RPATH are used. Input OK guenther
42d2c245 2022-05-24 17:15:22 Address the clang 13 "changed binding to STB_WEAK" warning on arm (32bit): * add _?ENTRY_NB to arm/asm.h * make sure ld.so's arm asm bits see the same includes as libc * switch libc's arm bits to the generic DEFS.h * switch arm ASM bits from ENTRY to ENTRY_NB as necessary ok kettenis@ miod@
2f20f629 2022-05-13 13:20:16 If $KERNEL_DIR.tgz exists, reorder_kernel updates the destination for logged stdout output, but forgot to handle stderr. Fix that so that the error log includes stderr output in that case (otherwise the log is usually empty). From Lauri Tirkkonen, plus comment adjusted. ok tb
92d6eede 2022-05-10 20:23:57 Prevent out-of-bounds array access with binaries that use unsupported relocations. ok guenther@
eabe4e05 2022-05-01 11:03:48 Prevent out-of-bounds array access with binaries that use unsupported relocations. ok guenther@
41ce3b17 2022-03-31 17:27:13 man pages: add missing commas between subordinate and main clauses jmc@ dislikes a comma before "then" in a conditional, so leave those untouched. ok jmc@
b9664cab 2022-03-31 09:05:15 'e' is no longer an optional element for ober_scanf_elements. This caused the last attribute to be dropped. Reported by Allan Streib (astreib <at> fastmail <dot> fm) Reminded by Raf Czlonka (rczlonka <at> gmail <dot> com) OK tb@ claudio@
2eb64536 2022-02-22 08:20:35 disable further calls to unveil(2) pointed out by brynet@
12dbdd46 2022-02-21 19:49:46 unveil(2) "/dev" read-only instead of using chroot(2)/chdir(2). after calling the latter the program then also calls stat(2) and therefore it never actually worked correctly since they were added almost 20 years ago. while here remove an implementation detail from the manpage which covered the chroot part. pointed out by and ok deraadt@