created | 2023-02-07T20:27:36Z |
---|---|
begin | 2023-01-31T00:00:00Z |
end | 2023-02-01T00:00:00Z |
path | src/sys |
commits | 9 |
date | 2023-01-31T01:27:58Z | |||
---|---|---|---|---|
author | gkoehler | |||
files | src/sys/arch/powerpc/include/pmap.h | log | diff | annotate |
src/sys/arch/powerpc/include/pte.h | log | diff | annotate | |
src/sys/arch/powerpc/powerpc/pmap.c | log | diff | annotate | |
src/sys/arch/powerpc/powerpc/trap.c | log | diff | annotate | |
message |
Execute-only for macppc G5

The G5 PowerPC 970 has a Data Address Compare mechanism that can trap loads and stores to pages with PTE_AC_64, while allowing instruction fetches. Use this for execute-only mappings, like we do on powerpc64.

Add a check to pte_spill_v for execute-only mappings. Without this, we would forever retry reading an execute-only page.

In altivec_assist, copyin would fail to read the instruction from an execute-only page. Add copyinsn to bypass x-only, like sparc64.

with help from abieber@ deraadt@ kettenis@
ok deraadt@ |
date | 2023-01-31T11:47:35Z | |||
---|---|---|---|---|
author | mvs | |||
files | src/sys/netinet/if_ether.c | log | diff | annotate |
message |
Route lock was reverted, adjust forgotten commentary. No functional changes. |
date | 2023-01-31T13:41:54Z | |||
---|---|---|---|---|
author | mvs | |||
files | src/sys/netinet/if_ether.c | log | diff | annotate |
message |
Remove the last route lock references from comments. No functional change. |
date | 2023-01-31T15:18:51Z | |||
---|---|---|---|---|
author | deraadt | |||
files | src/sys/arch/alpha/alpha/fp_complete.c | log | diff | annotate |
src/sys/arch/alpha/alpha/locore.s | log | diff | annotate | |
src/sys/arch/alpha/alpha/trap.c | log | diff | annotate | |
message |
On systems without xonly mmu hardware-enforcement, we can still mitigate against classic BROP with a range-checking wrapper in front of copyin() and copyinstr() which ensures the userland source doesn't overlap the main program text, ld.so text, signal tramp text (its mapping is hard to distinguish so it comes along for the ride), or libc.so text. ld.so tells the kernel libc.so text range with msyscall(2). The range checking for 2-4 elements is done without locking (because all 4 ranges are immutable!) and is inexpensive.

write(sock, &open, 400) now fails with EFAULT. No programs have been discovered which require reading their own text segments with a system call.

On a machine without mmu enforcement, a test program reports the following:

                  userland     kernel
ld.so             readable     unreadable
mmap xz           unreadable   unreadable
mmap x            readable     readable
mmap nrx          readable     readable
mmap nwx          readable     readable
mmap xnwx         readable     readable
main              readable     unreadable
libc unmapped?    readable     unreadable
libc mapped       readable     unreadable

ok kettenis, additional help from miod |
date | 2023-01-31T15:18:53Z | |||
---|---|---|---|---|
author | deraadt | |||
files | src/sys/arch/alpha/include/cpu.h | log | diff | annotate |
message |
On systems without xonly mmu hardware-enforcement, we can still mitigate against classic BROP with a range-checking wrapper in front of copyin() and copyinstr() which ensures the userland source doesn't overlap the main program text, ld.so text, signal tramp text (its mapping is hard to distinguish so it comes along for the ride), or libc.so text. ld.so tells the kernel libc.so text range with msyscall(2). The range checking for 2-4 elements is done without locking (because all 4 ranges are immutable!) and is inexpensive.

write(sock, &open, 400) now fails with EFAULT. No programs have been discovered which require reading their own text segments with a system call.

On a machine without mmu enforcement, a test program reports the following:

                  userland     kernel
ld.so             readable     unreadable
mmap xz           unreadable   unreadable
mmap x            readable     readable
mmap nrx          readable     readable
mmap nwx          readable     readable
mmap xnwx         readable     readable
main              readable     unreadable
libc unmapped?    readable     unreadable
libc mapped       readable     unreadable

ok kettenis, additional help from miod |
date | 2023-01-31T15:18:54Z | |||
---|---|---|---|---|
author | deraadt | |||
files | src/sys/arch/alpha/include/pmap.h | log | diff | annotate |
src/sys/arch/amd64/amd64/copy.S | log | diff | annotate | |
src/sys/arch/amd64/include/pmap.h | log | diff | annotate | |
src/sys/arch/arm/arm/bcopyinout.S | log | diff | annotate | |
src/sys/arch/arm/arm/copystr.S | log | diff | annotate | |
src/sys/arch/arm/include/pmap.h | log | diff | annotate | |
src/sys/arch/hppa/hppa/db_disasm.c | log | diff | annotate | |
src/sys/arch/hppa/include/cpu.h | log | diff | annotate | |
src/sys/arch/i386/i386/locore.s | log | diff | annotate | |
src/sys/arch/i386/include/pmap.h | log | diff | annotate | |
src/sys/arch/m88k/include/cpu.h | log | diff | annotate | |
src/sys/arch/m88k/m88k/m88110_fp.c | log | diff | annotate | |
src/sys/arch/m88k/m88k/subr.S | log | diff | annotate | |
src/sys/arch/m88k/m88k/trap.c | log | diff | annotate | |
message |
On systems without xonly mmu hardware-enforcement, we can still mitigate against classic BROP with a range-checking wrapper in front of copyin() and copyinstr() which ensures the userland source doesn't overlap the main program text, ld.so text, signal tramp text (its mapping is hard to distinguish so it comes along for the ride), or libc.so text. ld.so tells the kernel libc.so text range with msyscall(2). The range checking for 2-4 elements is done without locking (because all 4 ranges are immutable!) and is inexpensive.

write(sock, &open, 400) now fails with EFAULT. No programs have been discovered which require reading their own text segments with a system call.

On a machine without mmu enforcement, a test program reports the following:

                  userland     kernel
ld.so             readable     unreadable
mmap xz           unreadable   unreadable
mmap x            readable     readable
mmap nrx          readable     readable
mmap nwx          readable     readable
mmap xnwx         readable     readable
main              readable     unreadable
libc unmapped?    readable     unreadable
libc mapped       readable     unreadable

ok kettenis, additional help from miod |
date | 2023-01-31T15:18:55Z | |||
---|---|---|---|---|
author | deraadt | |||
files | src/sys/arch/mips64/include/pmap.h | log | diff | annotate |
src/sys/arch/mips64/mips64/lcore_access.S | log | diff | annotate | |
src/sys/arch/powerpc/include/pmap.h | log | diff | annotate | |
src/sys/arch/powerpc/powerpc/pmap.c | log | diff | annotate | |
src/sys/arch/sh/include/pmap.h | log | diff | annotate | |
src/sys/arch/sh/sh/locore_subr.S | log | diff | annotate | |
src/sys/arch/sparc64/include/pmap.h | log | diff | annotate | |
src/sys/arch/sparc64/sparc64/db_interface.c | log | diff | annotate | |
src/sys/arch/sparc64/sparc64/locore.s | log | diff | annotate | |
src/sys/uvm/uvm_map.c | log | diff | annotate | |
src/sys/uvm/uvm_map.h | log | diff | annotate | |
message |
On systems without xonly mmu hardware-enforcement, we can still mitigate against classic BROP with a range-checking wrapper in front of copyin() and copyinstr() which ensures the userland source doesn't overlap the main program text, ld.so text, signal tramp text (its mapping is hard to distinguish so it comes along for the ride), or libc.so text. ld.so tells the kernel libc.so text range with msyscall(2). The range checking for 2-4 elements is done without locking (because all 4 ranges are immutable!) and is inexpensive.

write(sock, &open, 400) now fails with EFAULT. No programs have been discovered which require reading their own text segments with a system call.

On a machine without mmu enforcement, a test program reports the following:

                  userland     kernel
ld.so             readable     unreadable
mmap xz           unreadable   unreadable
mmap x            readable     readable
mmap nrx          readable     readable
mmap nwx          readable     readable
mmap xnwx         readable     readable
main              readable     unreadable
libc unmapped?    readable     unreadable
libc mapped       readable     unreadable

ok kettenis, additional help from miod |
date | 2023-01-31T15:18:56Z | |||
---|---|---|---|---|
author | deraadt | |||
files | src/sys/kern/exec_subr.c | log | diff | annotate |
src/sys/kern/kern_sig.c | log | diff | annotate | |
src/sys/kern/kern_subr.c | log | diff | annotate | |
src/sys/sys/systm.h | log | diff | annotate | |
message |
On systems without xonly mmu hardware-enforcement, we can still mitigate against classic BROP with a range-checking wrapper in front of copyin() and copyinstr() which ensures the userland source doesn't overlap the main program text, ld.so text, signal tramp text (its mapping is hard to distinguish so it comes along for the ride), or libc.so text. ld.so tells the kernel libc.so text range with msyscall(2). The range checking for 2-4 elements is done without locking (because all 4 ranges are immutable!) and is inexpensive.

write(sock, &open, 400) now fails with EFAULT. No programs have been discovered which require reading their own text segments with a system call.

On a machine without mmu enforcement, a test program reports the following:

                  userland     kernel
ld.so             readable     unreadable
mmap xz           unreadable   unreadable
mmap x            readable     readable
mmap nrx          readable     readable
mmap nwx          readable     readable
mmap xnwx         readable     readable
main              readable     unreadable
libc unmapped?    readable     unreadable
libc mapped       readable     unreadable

ok kettenis, additional help from miod |
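
A userland model of the range-checking wrapper the commit message above describes, added here as an illustration and not OpenBSD's kernel code. The names `proc_model`, `check_src`, `copyin_model` and the arena layout are hypothetical, and `memcpy` stands in for the real user-to-kernel copy.

```c
#include <errno.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical model: up to 4 immutable text ranges, each [start, end). */
struct xrange { uintptr_t start, end; };
struct proc_model { struct xrange xr[4]; int nxr; };

/* EFAULT if [uaddr, uaddr+len) overlaps any protected text range. */
static int
check_src(const struct proc_model *p, uintptr_t uaddr, size_t len)
{
	if (len == 0)
		return 0;
	if (uaddr > UINTPTR_MAX - len)	/* source range wraps around */
		return EFAULT;
	for (int i = 0; i < p->nxr; i++)
		if (uaddr < p->xr[i].end && p->xr[i].start < uaddr + len)
			return EFAULT;
	return 0;
}

/* Wrapper in front of the raw copy; nothing is copied on a refusal. */
int
copyin_model(const struct proc_model *p, const void *uaddr, void *kaddr,
    size_t len)
{
	int error = check_src(p, (uintptr_t)uaddr, len);

	if (error == 0)
		memcpy(kaddr, uaddr, len);
	return error;
}

/* Constructed layout: bytes 64..127 of the arena play the "text". */
static unsigned char arena[256];

struct proc_model
demo_proc(void)
{
	struct proc_model p = { .nxr = 1 };

	p.xr[0].start = (uintptr_t)&arena[64];
	p.xr[0].end = (uintptr_t)&arena[128];
	return p;
}

int
main(void)
{
	struct proc_model p = demo_proc();
	unsigned char k[64];

	printf("data %d\n", copyin_model(&p, &arena[0], k, 64));
	printf("straddles text %d\n", copyin_model(&p, &arena[32], k, 64));
	return 0;
}
```

A source buffer that merely ends at the start of a text range is accepted, while one that straddles the boundary is refused as a whole.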
date | 2023-01-31T19:11:47Z | |||
---|---|---|---|---|
author | cheloha | |||
files | src/sys/arch/amd64/amd64/lapic.c | log | diff | annotate |
message |
amd64: lapic_timer_trigger: disable interrupts while configuring timer

lapic_timer_oneshot() does three writes. We need to disable interrupts to ensure the timer lands in a valid state.

Link: https://marc.info/?l=openbsd-tech&m=167482851403841&w=2

ok mlarkin@ |