Contributed by Peter N. M. Hansteen on from the mutable no more dept.
tech@titled immutable userland mappings, Theo de Raadt (
deraadt@) gave us a preview of code that may soon land in -current. The message leads in,
In the last few years, I have been improving the strictness of userland memory layout. An example is the recent addition of MAP_STACK and msyscall(). The first one marks pages that are stack, so that upon entry to the kernel we can check if the stack-pointer is pointing in the stack range. If it isn't, the most obvious conclusion is that a ROP pivot has occured, and we kills the process. The second one marks the region which contains syscall traps, if upon entry to the kernel the PC is not in that region, we know somone is trying to do system calls via an unapproved method.
My next attempt is to lock memory mappings. The current working name is mimmutable(void *addr, size_t len). This identifies all current mapped memory in a region, and tags the mappings. Such mappings can never be unmapped. No new mmap can be done on top of the mappings. And the permissions cannot be changed. Other than that, the underlying storage memory works fine, it is just the mapping that is locked.
This is about work that is upcoming, still not committed. The post includes a patch which is sort of a snapshot of work in progress.
You can read the full message and any followups starting here, and please do test if you feel up to it.
(Comments are closed)
By John McCue (jmcunx) email@example.com on
A little bit over my head, but does this mean memory leak checking will get more strict ? BTW, if so, that sounds great to me :)
By Solène Rapenne (solene) firstname.lastname@example.org on https://dataswamp.org/~solene/
Does someone know how it is beneficial for end users? I understand it's another layer for protecting the memory and programs, but I can't figure the benefits of it.
By Peter J. Philipp (pjp) email@example.com on
If I understand this correctly it will benefit my DNS server software (authoritative server) that I'm programming. In this post a few months ago I wrote this: https://blog.delphinusdns.org/c?article=1654526276
I think if I do the protections with guard pages in the memory and then immutable the entire shared region the guard pages can't be changed back making this better. Looks like a neat addition I'll have to see if I can put it in by december when I have the 1.7 release.
One question I would have is what happens on violation, soft error or tear down of program?
By rueda (rueda) on https://www.openbsdfoundation.org/donations.html
Followup post from