account stack map and syscall writable


account stack map and syscall writable

Alexander Bluhm
Hi,

To find more violators of our shiny security features, I would like
to add stack map and system call write protection to process
accounting.

stackpivot -MDXT   bluhm                            ttyp3      0.00 secs Fri Sep  6 10:20 (0:00:00.00)

PDP-11 compatibility on VAX is not used anymore, so recycle the bit.

ok?

bluhm

Index: sys/sys/acct.h
===================================================================
RCS file: /data/mirror/openbsd/cvs/src/sys/sys/acct.h,v
retrieving revision 1.8
diff -u -p -r1.8 acct.h
--- sys/sys/acct.h 25 Jul 2019 09:37:32 -0000 1.8
+++ sys/sys/acct.h 6 Sep 2019 07:52:20 -0000
@@ -58,7 +58,7 @@ struct acct {

 #define AFORK 0x01 /* fork'd but not exec'd */
 #define ASU 0x02 /* used super-user permissions */
-#define ACOMPAT 0x04 /* used compatibility mode */
+#define AMAP 0x04 /* system call or stack mapping violation */
 #define ACORE 0x08 /* dumped core */
 #define AXSIG 0x10 /* killed by a signal */
 #define APLEDGE 0x20 /* killed due to pledge violation */
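Review bot: Bit 0x04 is recycled in place with no trace in the header that it used to be ACOMPAT, even though these flags end up in the accounting records that lastcomm reads back from /var/account. A record written by an older kernel with 0x04 set would now print as `M`; going by the description this bit was only used for PDP-11 compatibility on VAX, so that is probably harmless, but it is worth recording next to the define, e.g. `/* 0x04 was ACOMPAT (PDP-11 compat on VAX), recycled */`. Any out-of-tree code that still references `ACOMPAT` will stop compiling, which may be worth checking before commit. The same define is mirrored in share/man/man5/acct.5.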
Index: sys/uvm/uvm_map.c
===================================================================
RCS file: /data/mirror/openbsd/cvs/src/sys/uvm/uvm_map.c,v
retrieving revision 1.246
diff -u -p -r1.246 uvm_map.c
--- sys/uvm/uvm_map.c 14 Jun 2019 05:52:43 -0000 1.246
+++ sys/uvm/uvm_map.c 6 Sep 2019 07:52:20 -0000
@@ -86,6 +86,7 @@

 #include <sys/param.h>
 #include <sys/systm.h>
+#include <sys/acct.h>
 #include <sys/mman.h>
 #include <sys/proc.h>
 #include <sys/malloc.h>
@@ -1872,6 +1873,7 @@ uvm_map_inentry(struct proc *p, struct p
  if (!ok) {
  printf(fmt, p->p_p->ps_comm, p->p_p->ps_pid, p->p_tid,
     addr, ie->ie_start, ie->ie_end);
+ p->p_p->ps_acflag |= AMAP;
  sv.sival_ptr = (void *)PROC_PC(p);
  trapsignal(p, SIGSEGV, 0, SEGV_ACCERR, sv);
  }
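Review bot: The added `p->p_p->ps_acflag |= AMAP;` is a plain read-modify-write on a field shared by all threads of the process, and no lock is visible in this hunk. If this branch of uvm_map_inentry() can run without the kernel lock held, a concurrent update of another accounting bit in the same process could be lost, and a lost bit here means a violation the daily report never shows. Either confirm the lock is held at this point or set the bit atomically, e.g. `atomic_setbits_int(&p->p_p->ps_acflag, AMAP);` if the field's type allows it. The function starts and ends outside the hunk, so the locking context cannot be judged from these lines alone.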
Index: share/man/man5/acct.5
===================================================================
RCS file: /data/mirror/openbsd/cvs/src/share/man/man5/acct.5,v
retrieving revision 1.19
diff -u -p -r1.19 acct.5
--- share/man/man5/acct.5 30 Jul 2019 05:41:21 -0000 1.19
+++ share/man/man5/acct.5 6 Sep 2019 07:36:43 -0000
@@ -69,7 +69,7 @@ struct acct {

 #define AFORK 0x01 /* fork'd but not exec'd */
 #define ASU 0x02 /* used super-user permissions */
-#define ACOMPAT 0x04 /* used compatibility mode */
+#define AMAP 0x04 /* system call or stack mapping violation */
 #define ACORE 0x08 /* dumped core */
 #define AXSIG 0x10 /* killed by a signal */
 #define APLEDGE 0x20 /* killed due to pledge violation */
Index: usr.bin/lastcomm/lastcomm.1
===================================================================
RCS file: /data/mirror/openbsd/cvs/src/usr.bin/lastcomm/lastcomm.1,v
retrieving revision 1.23
diff -u -p -r1.23 lastcomm.1
--- usr.bin/lastcomm/lastcomm.1 11 Aug 2019 15:48:08 -0000 1.23
+++ usr.bin/lastcomm/lastcomm.1 6 Sep 2019 07:48:20 -0000
@@ -101,9 +101,6 @@ Elapsed time of the process.
 The flags are encoded as follows:
 .Pp
 .Bl -tag -width 6n -compact -offset indent
-.It Li C
-The command was run in PDP-11 compatibility mode
-(VAX only).
 .It Li D
 The command terminated with the generation of a
 .Pa core
@@ -112,6 +109,9 @@ file.
 The command ran after
 a fork, but without a following
 .Xr execve 2 .
+.It Li M
+The command did a system call from writable memory or the stack
+pointer was not in stack memory.
 .It Li P
 The command was terminated due to a
 .Xr pledge 2
Index: usr.bin/lastcomm/lastcomm.c
===================================================================
RCS file: /data/mirror/openbsd/cvs/src/usr.bin/lastcomm/lastcomm.c,v
retrieving revision 1.28
diff -u -p -r1.28 lastcomm.c
--- usr.bin/lastcomm/lastcomm.c 25 Jul 2019 13:13:53 -0000 1.28
+++ usr.bin/lastcomm/lastcomm.c 6 Sep 2019 07:50:25 -0000
@@ -169,7 +169,7 @@ flagbits(int f)

  p = flags + 1;
  BIT(AFORK, 'F');
- BIT(ACOMPAT, 'C');
+ BIT(AMAP, 'M');
  BIT(ACORE, 'D');
  BIT(AXSIG, 'X');
  BIT(APLEDGE, 'P');
Index: etc/daily
===================================================================
RCS file: /data/mirror/openbsd/cvs/src/etc/daily,v
retrieving revision 1.92
diff -u -p -r1.92 daily
--- etc/daily 25 Jul 2019 13:13:53 -0000 1.92
+++ etc/daily 6 Sep 2019 07:54:37 -0000
@@ -74,7 +74,7 @@ if [ -f /var/account/acct ]; then
  mv -f /var/account/acct.0 /var/account/acct.1
  cp -f /var/account/acct /var/account/acct.0
  sa -sq
- lastcomm -f /var/account/acct.0 | grep -e ' -[A-Z]*[PTU]'
+ lastcomm -f /var/account/acct.0 | grep -e ' -[A-Z]*[MPTU]'
 fi

 # If ROOTBACKUP is set to 1 in the environment, and
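Review bot: The class `[MPTU]` now selects four flag letters, but nothing in the hunk says what they stand for, and the pattern ` -[A-Z]*[MPTU]` is not tied to the flags column of the lastcomm output. Since lastcomm prints the command name before the flags, a command name that happens to contain similar text could presumably match as well; that only adds noise to the report and cannot hide a flagged record. A comment above the pipeline such as `# report commands that lastcomm flags M, P, T or U (security violations)` would make the intent easy to audit when further flags are added. The report is only produced inside the `/var/account/acct` check, so hosts without accounting enabled never surface the new `M` flag this way.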