Source-Changes-D archive


Re: CVS commit: src/sys



On 31/07/2015 12:32, Ryota Ozaki wrote:
> On Fri, Jul 31, 2015 at 12:28 AM, Maxime Villard <maxv%netbsd.org@localhost> wrote:
>> Module Name:    src
>> Committed By:   maxv
>> Date:           Thu Jul 30 15:28:18 UTC 2015
>>
>> Modified Files:
>>         src/sys/kern: exec_elf.c kern_pax.c
>>         src/sys/sys: exec_elf.h pax.h
>>
>> Log Message:
>> Revamp PaX:
>>  - don't confuse between ELF flags and proc flags. Introduce the proc-
>>    specific P_PAX_ASLR, P_PAX_MPROTECT and P_PAX_GUARD flags.
>>  - introduce pax_setup_elf_flags(), which takes as argument the PaX flag
>>    of the ELF PaX note section, and which sets the proc flag as
>>    appropriate. Also introduce a couple of other functions used for that
>>    purpose.
>>  - modify pax_aslr_active(), and all the other similar pieces of code, so
>>    that it checks the proc flag directly, without extra ELF computation
>>
>> In addition to making PaX clearer, the combination of these changes fixes
>> the following bug: if a non-PaX'ed process is launched, and then someone
>> sets security.pax.{aslr,mprotect,segvguard}.global=1, the process becomes
>> PaX'ed while its address space hasn't been randomized, which is not likely
>> to be a good idea.
>>
>> Now, only the proc flag is checked at runtime, which means the process's
>> PaX status won't be altered during the execution.
>>
>> Also:
>>  - declare PAX_DPRINTF, makes it more readable
>>  - fix a typo in exec_elf.h
> 
> http://releng.netbsd.org/b5reports/amd64/build/2015.07.30.21.47.51/test.html#lib_libc_sys_t_mprotect_mprotect_pax
> http://releng.netbsd.org/b5reports/i386/build/2015.07.30.15.29.52/test.html#lib_libc_sys_t_mprotect_mprotect_pax
> 
> It seems that the change adds a new failure on amd64/i386.
> Any ideas?

Nice!

This test just changes the sysctl, and expects to become PaX'ed. So of
course it no longer works, since it's precisely the bug I've fixed.

I don't know how to do that, but you need to fix it this way:
 - remove the "security.pax.mprotect.global" instruction in paxinit()
 - the test being a C file - therefore, an ELF binary -, you need to
   PaX the binary this way:
       paxctl +M t_mprotect

It needs to be automatically done in the makefile, or somewhere else.


> 
> Regards,
>   ozaki-r
> 
>>
>>
>> To generate a diff of this commit:
>> cvs rdiff -u -r1.72 -r1.73 src/sys/kern/exec_elf.c
>> cvs rdiff -u -r1.28 -r1.29 src/sys/kern/kern_pax.c
>> cvs rdiff -u -r1.148 -r1.149 src/sys/sys/exec_elf.h
>> cvs rdiff -u -r1.11 -r1.12 src/sys/sys/pax.h
>>
>> Please note that diffs are not public domain; they are subject to the
>> copyright notices on the relevant files.
>>
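
A user-space C model of the bug described in the commit message, added here as an illustration; it is not NetBSD kernel code. The note-bit names and values, the struct, and the policy (explicit ELF marks win, otherwise the global sysctl decides) are assumptions; only P_PAX_MPROTECT and pax_setup_elf_flags() are names taken from the message.

```c
#include <stdbool.h>
#include <stdio.h>

/* Constructed stand-ins for the ELF PaX note bits (not the kernel's values). */
#define NOTE_MPROTECT   0x1u   /* binary marked with "paxctl +M" */
#define NOTE_NOMPROTECT 0x2u   /* binary explicitly opted out */
#define P_PAX_MPROTECT  0x1u   /* proc flag from the commit; value made up */

static bool pax_mprotect_global;   /* models security.pax.mprotect.global */

struct proc_model {
    unsigned elf_note;   /* PaX flags read from the ELF note at exec time */
    unsigned pax_flags;  /* proc flags, written once at exec time */
};

/* Assumed policy: explicit note bits win, otherwise the global knob decides. */
static bool policy(unsigned elf_note)
{
    if (elf_note & NOTE_NOMPROTECT) return false;
    if (elf_note & NOTE_MPROTECT) return true;
    return pax_mprotect_global;
}

/* Exec-time step in the spirit of pax_setup_elf_flags(): latch the decision. */
static void exec_model(struct proc_model *p, unsigned elf_note)
{
    p->elf_note = elf_note;
    p->pax_flags = policy(elf_note) ? P_PAX_MPROTECT : 0;
}

/* Before: every runtime check recomputes from the ELF flags and the sysctl. */
static bool mprotect_active_old(const struct proc_model *p)
{
    return policy(p->elf_note);
}

/* After: runtime checks read only the proc flag set at exec time. */
static bool mprotect_active_new(const struct proc_model *p)
{
    return (p->pax_flags & P_PAX_MPROTECT) != 0;
}

int main(void)
{
    struct proc_model p;
    exec_model(&p, 0);            /* unmarked binary, started while global=0 */
    pax_mprotect_global = true;   /* sysctl flipped after the process started */
    printf("old=%d new=%d\n", mprotect_active_old(&p), mprotect_active_new(&p));
    return 0;
}
```

The old check flips to active for the already-running process, which is the behaviour the t_mprotect test relied on; the new check stays inactive unless the binary itself carried the mark at exec time.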

