| #
7117c86f
|
| 14-Oct-2025 |
Mark Johnston <markj@FreeBSD.org> |
exec: Check for errors when mapping the shared object
In the non-ASLR case, there is no check for an error from vm_map_fixed(). Restore it, it was dropped in commit 939f0b6323e0a. This bug could result in a refcount leak of the object used to map the VDSO page.
Reviewed by: kib Reported by: Ilja Van Sprundel <ivansprundel@ioactive.com> MFC after: 1 week Fixes: 939f0b6323e0 ("Implement shared page address randomization") Differential Revision: https://reviews.freebsd.org/D53065
|
| #
80336636
|
| 14-Oct-2025 |
Mark Johnston <markj@FreeBSD.org> |
imgact: Mark brandinfo and note structures as const
No functional change intended.
Reviewed by: olce, kib, emaste MFC after: 2 weeks Differential Revision: https://reviews.freebsd.org/D53062
|
| #
ce51f799
|
| 15-Jul-2025 |
Kyle Evans <kevans@FreeBSD.org> |
kern: abstract away the vnode coredumper to allow pluggable dumpers
The default and only stock coredumper will continue to be the traditional vnode dumper, which will dump to a vnode and issue a devctl notification. With this change, one can write a kmod that injects custom handling of user coredumps that offers richer behavior, particularly in case one wants to add more metadata than we can tap out via devd.
The main motivation here is to pave the way for my usercore daemon to be able to reroute coredumps before they ever touch the disk. In some cases they may be discarded and we can avoid the overhead of writing anything, in others they allow us to capture coredumps that would be written into an area that's transient in nature (e.g., kyua test work directories) without having to do more tricks to keep those alive. My WIP kmod writes the coredump into a shmfd instead of a vnode, then installs that into ucored(8) with every read(2) of /dev/ucore. This also allows me to capture more metadata reliably before the process and jail disappear.
Reviewed by: kib (earlier version), markj Differential Revision: https://reviews.freebsd.org/D51338
|
| #
d5bc81e6
|
| 16-Jul-2025 |
Kyle Evans <kevans@FreeBSD.org> |
kern: move the vnode user coredumper out into its own file
This more cleanly contains the bits that are specifically relevant to dumping coredumps out to a vnode, which will make future changes a bit easier to review. This also makes the scope of the relevant sysctls easier to reason about in the process, as they're not visible outside of the vnode dumper file -- this will mostly become relevant when we allow pluggable dumpers.
While we're here, move all of the coredump-related stuff out into its own kern_ucoredump.c and sys/ucoredump.h. We have enough that it's useful to separate it out and de-clutter kern_sig.c and sys/exec.h a bit.
Reviewed by: kib, markj (both earlier version) Differential Revision: https://reviews.freebsd.org/D51349
|
| #
8eb37cd0
|
| 15-Jul-2025 |
Kyle Evans <kevans@FreeBSD.org> |
kern: factor out the 'writing' bits of user process coredumping
Instead of assuming we have a vnode to dump to, pull out the bits that describe how to write a coredump into a struct coredump_writer; the ctx in that is expected to be opaque, but used by write/extend functions. This should not be a functional change- we change two callers to use the classic vnode write/extend interface.
This opens us up to other possible targets for coredumps, such as a shmfd.
Reviewed by: markj (earlier version), kib Differential Revision: https://reviews.freebsd.org/D51337
|
| #
df114dae
|
| 03-Jul-2025 |
Ruslan Bukin <br@FreeBSD.org> |
Import the Hardware Trace (HWT) framework.
The HWT framework provides infrastructure for hardware-assisted tracing. It collects detailed information about software execution and records it as "events" in highly compressed format into DRAM. The events cover information about control flow changes of a program, whether branches taken or not, exceptions taken, timing information, cycles elapsed and more. This allows reconstructing the entire program flow of a given application.
This comes with separate machine-dependent tracing backends for trace collection, trace decoder libraries and an instrumentation tool.
Reviewed by: kib (sys/kern bits) Sponsored by: UKRI Differential Revision: https://reviews.freebsd.org/D40466
|
| #
09dfe066
|
| 23-May-2025 |
Konstantin Belousov <kib@FreeBSD.org> |
kernel: copyout extended errors to userspace and add exterrctl(2) to control it
Reviewed by: brooks Sponsored by: The FreeBSD Foundation MFC after: 2 weeks Differential revision: https://reviews.freebsd.org/D50483
|
| #
15581af7
|
| 05-Feb-2025 |
Wuyang Chung <wy-chung@outlook.com> |
exec: Remove parameter 'segflg' from exec_copyin_args()
In kern "copyin" means copy data from user address space to kernel address space. But in the function exec_copyin_args() there is a parameter 'segflg' that is used to specify the address space of the parameter 'fname'. In the source code there are two places where 'segflg' is not UIO_USERSPACE. In both cases the 'fname' argument is NULL so the argument 'segflg' is not important there. So it is safe to remove the parameter 'segflg' from the function exec_copyin_args().
Reviewed by: markj, jhb MFC after: 2 weeks Pull Request: https://github.com/freebsd/freebsd-src/pull/1590
|
| #
8ee127ef
|
| 23-Feb-2025 |
SHENGYI HONG <aokblast@FreeBSD.org> |
vm_lowmem: Fix signature mismatches in vm_lowmem callbacks
This is required for kernel CFI.
Reviewed by: rrs, jhb, glebius Differential Revision: https://reviews.freebsd.org/D49111
|
| #
d302c053
|
| 05-Dec-2024 |
Konstantin Belousov <kib@FreeBSD.org> |
vm: rename MAP_STACK_GROWS_DOWN to MAP_STACK_AREA
Reviewed by: alc, dougm, markj Sponsored by: The FreeBSD Foundation Differential revision: https://reviews.freebsd.org/D47892
|
| #
65a4daea
|
| 15-Oct-2024 |
Artem Hevorhian <artemhevorhian@gmail.com> |
ktrace: log execve(2) arguments and environment
Two new events KTR_ARGS and KTR_ENV can be used to trace arguments of execve(2).
Reviewed by: glebius Differential Revision: https://reviews.freebsd.org/D47127
|
| #
2207aaba
|
| 09-Jul-2024 |
Ryan Libby <rlibby@FreeBSD.org> |
kern_exec.c: quiet gcc -Wmaybe-uninitialized
Reported by: GCC -Wmaybe-uninitialized Reviewed by: kib Differential Revision: https://reviews.freebsd.org/D45916
|
| #
0cd9cde7
|
| 06-Apr-2024 |
Jake Freeland <jfree@FreeBSD.org> |
ktrace: Record namei violations with KTR_CAPFAIL
Report namei path lookups while Capsicum violation tracing with CAPFAIL_NAMEI. vfs caching is also ignored when tracing to mimic capability mode behavior.
Reviewed by: markj Approved by: markj (mentor) MFC after: 1 month Differential Revision: https://reviews.freebsd.org/D40680
|
| #
4a69fc16
|
| 07-Oct-2021 |
Konstantin Belousov <kib@FreeBSD.org> |
Add membarrier(2)
This is an attempt at clean-room implementation of the Linux' membarrier(2) syscall. For documentation, you would need to read both membarrier(2) Linux man page, the comments in Linux kernel/sched/membarrier.c implementation and possibly look at actual uses.
Sponsored by: The FreeBSD Foundation MFC after: 1 week Differential revision: https://reviews.freebsd.org/D32360
|
| #
685dc743
|
| 16-Aug-2023 |
Warner Losh <imp@FreeBSD.org> |
sys: Remove $FreeBSD$: one-line .c pattern
Remove /^[\s*]*__FBSDID\("\$FreeBSD\$"\);?\s*\n/
|
| #
94426d21
|
| 30-May-2023 |
Jessica Clarke <jrtc27@FreeBSD.org> |
pmc: Rework PROCEXEC event to support PIEs
Currently the PROCEXEC event only reports a single address, entryaddr, which is the entry point of the interpreter in the typical dynamic case, and used solely to calculate the base address of the interpreter. For PDEs this is fine, since the base address is known from the program headers, but for PIEs the base address varies at run time based on where the kernel chooses to load it, and so pmcstat has no way of knowing the real address ranges for the executable. This was less of an issue in the past since PIEs were rare, but now they're on by default on 64-bit architectures it's more of a problem.
To solve this, pass through what was picked for et_dyn_addr by the kernel, and use that as the offset for the executable's start address just as is done for everything in the kernel. Since we're changing this interface, sanitise the way we determine the interpreter's base address by passing it through directly rather than indirectly via the entry point and having to subtract off whatever the ELF header's e_entry is (and anything that wants the entry point in future can still add that back on as needed; this merely changes the interface to directly provide the underlying variables involved).
This will be followed up by a bump to the pmc major version.
Reviewed by: jhb Differential Revision: https://reviews.freebsd.org/D39595
|
| #
d706d02e
|
| 29-May-2023 |
Dmitry Chagin <dchagin@FreeBSD.org> |
sysentvec: Retire sv_imgact_try as unneeded anymore
The sysentvec sv_imgact_try was used by kern_exec() to allow non-native ABI to fixup shell path according to ABI root directory. Since the non-native ABI can now specify its root directory directly to namei() via pwd_altroot() call this facility is not needed anymore.
Differential Revision: https://reviews.freebsd.org/D40092 MFC after: 2 month
|
| #
4d846d26
|
| 10-May-2023 |
Warner Losh <imp@FreeBSD.org> |
spdx: The BSD-2-Clause-FreeBSD identifier is obsolete, drop -FreeBSD
The SPDX folks have obsoleted the BSD-2-Clause-FreeBSD identifier. Catch up to that fact and revert to their recommended match of BSD-2-Clause.
Discussed with: pfg MFC After: 3 days Sponsored by: Netflix
|
| #
5eeb4f73
|
| 17-Nov-2022 |
Doug Rabson <dfr@FreeBSD.org> |
imgact_binmisc: Optionally pre-open the interpreter vnode
This allows the use of chroot and/or jail environments which depend on interpreters registered with imgact_binmisc to use emulator binaries from the host to emulate programs inside the chroot.
Reviewed by: imp MFC after: 2 weeks Differential Revision: https://reviews.freebsd.org/D37432
|
| #
5b5b7e2c
|
| 17-Sep-2022 |
Mateusz Guzik <mjg@FreeBSD.org> |
vfs: always retain path buffer after lookup
This removes some of the complexity needed to maintain HASBUF and allows for removing injecting SAVENAME by filesystems.
Reviewed by: kib (previous version) Differential Revision: https://reviews.freebsd.org/D36542
|
| #
5e5675cb
|
| 12-Aug-2022 |
Konstantin Belousov <kib@FreeBSD.org> |
Remove struct proc p_singlethr member
It does not serve any purpose after we stopped doing thread_single(SINGLE_ALLPROC) from stoppable user processes.
Reviewed by: markj Tested by: pho Sponsored by: The FreeBSD Foundation MFC after: 2 weeks Differential revision: https://reviews.freebsd.org/D36207
|
| #
939f0b63
|
| 10-May-2022 |
Kornel Dulęba <kd@FreeBSD.org> |
Implement shared page address randomization
It used to be mapped at the top of the UVA. If the randomization is enabled any address above .data section will be randomly chosen and a guard page will be inserted in the shared page default location. The shared page is now mapped in exec_map_stack, instead of exec_new_vmspace. The latter function is called before image activator has a chance to parse ASLR related flags. The KERN_PROC_VM_LAYOUT sysctl was extended to provide shared page address. The feature is enabled by default for 64 bit applications on all architectures. It can be toggled with the kern.elf64.aslr.shared_page sysctl.
Approved by: mw(mentor) Sponsored by: Stormshield Obtained from: Semihalf Reviewed by: kib Differential Revision: https://reviews.freebsd.org/D35349
|
| #
361971fb
|
| 02-Jun-2022 |
Kornel Dulęba <kd@FreeBSD.org> |
Rework how shared page related data is stored
Store the shared page address in struct vmspace. Also instead of storing absolute addresses of various shared page segments save their offsets with respect to the shared page address. This will be more useful when the shared page address is randomized.
Approved by: mw(mentor) Sponsored by: Stormshield Obtained from: Semihalf Reviewed by: kib Differential Revision: https://reviews.freebsd.org/D35393
|
| #
4493a13e
|
| 15-May-2022 |
Konstantin Belousov <kib@FreeBSD.org> |
Do not single-thread itself when the process single-threaded some another process
Since both self single-threading and remote single-threading rely on suspending the thread doing thread_single(), it cannot be mixed: thread doing thread_suspend_switch() might be subject to thread_suspend_one() and vice versa.
In collaboration with: pho Reviewed by: markj Sponsored by: The FreeBSD Foundation MFC after: 2 weeks Differential revision: https://reviews.freebsd.org/D35310
|
| #
bb92cd7b
|
| 24-Mar-2022 |
Mateusz Guzik <mjg@FreeBSD.org> |
vfs: NDFREE(&nd, NDF_ONLY_PNBUF) -> NDFREE_PNBUF(&nd)
|