Contributed by rueda on from the conceal my writeable calls dept.
There have been some recent security innovations previously unreported here:
- New flag "
- No syscalls from pages where PROT_WRITE is still enabled
CVSROOT: /cvs
Module name: src
Changes by: firstname.lastname@example.org 2019/02/28 18:46:18

Modified files:
	sys/sys : mman.h
	sys/uvm : uvm.h uvm_extern.h uvm_map.c uvm_mmap.c uvm_unix.c

Log message:
New mmap(2) flag: MAP_CONCEAL. MAP_CONCEAL'd memory is not written to disk in the event of a core dump. It may grow other qualities in the future. Wanted by libressl, probably useful elsewhere, too.

Prompted by deraadt@, concept from deraadt@/kettenis@. With input from deraadt@, cjeker@, kettenis@, otto@, bcook@, matthew@, guenther@, djm@, and tedu@.

ok otto@ deraadt@
CVSROOT: /cvs
Module name: src
Changes by: email@example.com 2019/05/10 09:03:24

Modified files:
	include : stdlib.h
	lib/libc : Symbols.list shlib_version
	lib/libc/hidden : stdlib.h
	lib/libc/stdlib : malloc.3 malloc.c

Log message:
Introduce malloc_conceal() and calloc_conceal(). Similar to their counterparts but return memory in pages marked MAP_CONCEAL and on free() freezero() is actually called.
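As an added example (not code from the commits above, nor from libc), a small allocator that mirrors what malloc_conceal() and freezero() give you: secret storage excluded from core dumps, wiped before release. It uses MAP_CONCEAL where <sys/mman.h> defines it (OpenBSD); on Linux it falls back to madvise(MADV_DONTDUMP), which is an assumed analogue, not something the page describes. The key material is constructed and not a real secret.

```c
#define _DEFAULT_SOURCE 1   /* glibc: MAP_ANON, explicit_bzero, madvise */
#include <stdlib.h>
#include <string.h>
#include <sys/mman.h>

/* Allocate `len` bytes that must not reach a core file.
 * OpenBSD: the MAP_CONCEAL flag from the commit above.
 * Linux (assumed fallback): MADV_DONTDUMP on the fresh anonymous mapping.
 * Returns NULL on any failure. */
void *conceal_alloc(size_t len)
{
    int flags = MAP_PRIVATE | MAP_ANON;
#ifdef MAP_CONCEAL
    flags |= MAP_CONCEAL;
#endif
    void *p = mmap(NULL, len, PROT_READ | PROT_WRITE, flags, -1, 0);
    if (p == MAP_FAILED)
        return NULL;
#if !defined(MAP_CONCEAL) && defined(MADV_DONTDUMP)
    if (madvise(p, len, MADV_DONTDUMP) != 0) {  /* lengths are page-rounded */
        munmap(p, len);
        return NULL;
    }
#endif
    return p;
}

/* What freezero() does for malloc_conceal'd memory: wipe, then release.
 * explicit_bzero() is not removed as a dead store the way memset() can be
 * when the buffer is about to be unmapped. Returns 0 on success. */
int conceal_free(void *p, size_t len)
{
    if (p == NULL)
        return 0;
    explicit_bzero(p, len);
    return munmap(p, len);
}

/* Constructed round trip: stash a fake key, use it, wipe and unmap.
 * Returns 0 on success, a negative code on the failing step. */
int conceal_roundtrip(void)
{
    const char key[] = "constructed-example-key-not-a-real-secret";
    size_t len = sizeof key;
    char *buf = conceal_alloc(len);
    if (buf == NULL)
        return -1;
    memcpy(buf, key, len);
    int ok = (memcmp(buf, key, len) == 0);   /* the copy is usable */
    if (conceal_free(buf, len) != 0)
        return -2;
    return ok ? 0 : -3;
}
```

On OpenBSD you can confirm the effect by forcing a core dump (e.g. abort()) and checking that the key string is absent from the core; without the flag it is present in plain text.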
System Calls Prohibited from
Theo de Raadt ( an improvement to check permissions on the memory from which system calls are issued, and to make sure the calling instruction is not in a piece of memory that is writeable at the time of the call (in addition to the existing check of the validity of the stack pointer).
CVSROOT: /cvs
Module name: src
Changes by: firstname.lastname@example.org 2019/06/01 16:42:21

Modified files:
	sys/sys : proc.h syscall_mi.h
	sys/uvm : uvm_map.c uvm_map.h
	sys/arch/alpha/alpha : trap.c
	sys/arch/amd64/amd64 : trap.c
	sys/arch/arm/arm : fault.c
	sys/arch/arm64/arm64 : trap.c
	sys/arch/hppa/hppa : trap.c
	sys/arch/i386/i386 : trap.c
	sys/arch/mips64/mips64 : trap.c
	sys/arch/powerpc/powerpc : trap.c
	sys/arch/sparc64/sparc64 : trap.c

Log message:
Refactor the MAP_STACK feature, and introduce another similar variation: Lookup the address that a syscall instruction is executed from, and kill the process if that page is writeable. This brings an aspect of W^X behaviour to W|X mappings (in JITs not yet adapted to W^X). The goal is to remove simple attack methods and force use of ret2libc or other more complicated means.