| Commit message (Collapse) | Author | Age | Files | Lines |
|---|---|---|---|---|
| Should catch more of them and closer (in time) to the WAF. ok tb@ | | | | |
| The basic idea is simple: one of the reasons the recent sshd bug is potentially exploitable is that a (erroneously) freed malloc chunk gets re-used in a different role. malloc has power of two chunk sizes and so one page of chunks holds many different types of allocations. Userland malloc has no knowledge of types, we only know about sizes. So I changed that to use finer-grained chunk sizes.<br>This has some performance impact as we need to allocate chunk pages in more cases. Gain it back by allocating chunk_info pages in a bundle, and use fewer buckets if !malloc option S. The chunk sizes used are 16, 32, 48, 64, 80, 96, 112, 128, 160, 192, 224, 256, 320, 384, 448, 512, 640, 768, 896, 1024, 1280, 1536, 1792, 2048 (and a few more for sparc64 with its 8k sized pages and loongson with its 16k pages).<br>If malloc option S (or rather cache size 0) is used we use strict multiple of 16 sized chunks, to get as many buckets as possible. ssh(d) enabled malloc option S, in general security sensitive programs should.<br>See the find_bucket() and bin_of() functions. Thanks to Tony Finch for pointing me to code to compute nice bucket sizes.<br>ok tb@ | | | | |
| Originally from djm@. OK deraadt@ florian@ bluhm@ | | | | |
| freeing; ok tb@ | | | | |
| can be made immutable to provide extra protection. Also init pools on-demand: only pools that are actually used are initialized.<br>Tested by many | | | | |
| any changes not taken noted on tech, but chiefly here I did not take the cancelation - cancellation changes; | | | | |
| uppercase.<br>While here use the correct idiom of casting to unsigned char.<br>OK millert, farewell to ultrix deraadt | | | | |
| the lock, when it is correctly initialized after the lock<br>ok otto millert | | | | |
| that the kernel and ld.so will know not to mark it immutable. malloc handles the read/write transitions by itself. | | | | |
| from josiah frentsos, tweaked by schwarze<br>ok schwarze | | | | |
| inline use was removed in 1998 | | | | |
| Both FreeBSD and NetBSD have this behavior. OK deraadt@ | | | | |
| ok schwarze@ | | | | |
| https://minnie.tuhs.org/pipermail/tuhs/2017-August/011807.html<br>ok schwarze@ | | | | |
| ok schwarze@ | | | | |
| instance would be rekeyed every 1.6MB. This makes it happen at a random point somewhere in the 1-2MB range.<br>Feedback deraadt@ visa@, ok tb@ visa@ | | | | |
| UNIX System V mention it. Only do so in manual pages with a pre-existing HISTORY section.<br>Prompted by the comparison of System V and BSD commands and interfaces in Sun's "System V Enhancements Overview" document.<br>checked against manuals on bitsavers, TUHS archive and CSRG archive CDs<br>ok jmc@ schwarze@ | | | | |
| following page(s) we've been first mquery()ing for it, mmap()ing w/o MAP_FIXED if available, and then munmap()ing if there was a race. Instead, just try it directly with mmap(MAP_FIXED \| __MAP_NOREPLACE)<br>tested in snaps for weeks<br>ok deraadt@ | | | | |
| This got broken when system.c was converted from signal(3) to sigaction(2). Also add SIGINT and SIGQUIT to the set of blocked signals and unblock them in the parent after the signal handlers are installed.<br>Based on a diff from Leon Fischer. OK deraadt@ | | | | |
| Use a temporary variable to store the number of bytes to be copied (size_t) and also use it as the memcpy(3) length. Previously we copied "size" bytes instead of just the necessary number.<br>OK claudio@ tb@ | | | | |
| jmc@ dislikes a comma before "then" in a conditional, so leave those untouched.<br>ok jmc@ | | | | |
| ok jmc@ schwarze@ | | | | |
| instances in the tree. ok deraadt@ | | | | |
| in size. This cache is indexed by size (in # of pages), so it is very quick to check. Some programs allocate and deallocate larger allocations in a frantic way. Accommodate those programs by also keeping a cache of regions between 128k and 2M, in a cache of variable sized regions.<br>Tested by many in snaps; ok deraadt@ | | | | |
| ok jmc@ sthen@ millert@ | | | | |
| from uwe@netbsd -r1.22<br>ok millert | | | | |
| lsearch(3) is really just lfind(3) with an additional branch to append the key if lfind(3) fails. If we get rid of the underlying linear_base() function and move the search portion into lfind(3) and the key-copying portion into lsearch(3) we get smaller and simpler code.<br>Misc. notes:<br>- We do not need to keep the historical comment about errno. lsearch(3) is pure computation and does not set errno. That's really all you need to know. The specification reserves no errors, either.<br>- We are using lfind(3) internally now, so it switches from PROTO_DEPRECATED to PROTO_NORMAL in hidden/search.h and needs DEF_WEAK in stdlib/lsearch.c.<br>With advice from guenther@ on symbol housekeeping in libc.<br>Thread: https://marc.info/?l=openbsd-tech&m=163885187632449&w=2<br>ok millert@ | | | | |
| If the key overlaps the end of the array, memcpy(3) mutates the key and copies a corrupted value into the end of the array.<br>If we use memmove(3) instead we at least end up with a clean copy of the key at the end of the array. This is closer to the intended behavior.<br>With input from millert@ and deraadt@.<br>Thread: https://marc.info/?l=openbsd-tech&m=163880307403606&w=2<br>ok millert@ | | | | |
| The "lim" variable needs to be a size_t to match nmemb, otherwise we get undefined behavior when nmemb exceeds INT_MAX.<br>Prompted by a blog post by Joshua Bloch: https://ai.googleblog.com/2006/06/extra-extra-read-all-about-it-nearly.html<br>Fixed by Chris Torek a long time ago: https://svnweb.freebsd.org/csrg/lib/libc/stdlib/bsearch.c?revision=51742&view=markup<br>ok millert@ | | | | |
| to 3-term BSD license. | | | | |
| ok florian@ | | | | |
| libc can't do DNSSEC validation but it can ask a "security-aware" resolver to do so. Let's send queries with the AD flag set when appropriate, and let applications look at the AD flag in responses in a safe way, ie clear the AD flag if the resolvers aren't trusted.<br>By default we only trust resolvers if resolv.conf(5) only lists name servers on localhost - the obvious candidates being unwind(8) and unbound(8). For non-localhost resolvers, an admin who trusts *all the name servers* listed in resolv.conf(5) *and the network path leading to them* can annotate this with "options trust-ad".<br>AD flag processing gives ssh -o VerifyHostkeyDNS=Yes a chance to fetch SSHFP records in a secure manner, and tightens the situation for other applications, eg those using RES_USE_DNSSEC for DANE. It should be noted that postfix currently assumes trusted name servers by default and forces RES_TRUSTAD if available.<br>RES_TRUSTAD and "options trust-ad" were first introduced in glibc by Florian Weimer. Florian Obser (florian@) contributed various improvements, fixed a bug and added automatic trust for name servers on localhost.<br>ok florian@ phessler@ | | | | |
| from Emil Engler | | | | |
| Dunno why this ended up here, cvs is always full of surprises. | | | | |
| Apparently spotted by mortimer@ while working on clang 13 and amd64.<br>No actual change on sparc64 as this architecture still uses ld.bfd.<br>ok kettenis@ | | | | |
| 3rd (variadic) mode_t parameter is irrelevant. Many developers in the past have passed mode_t (0, 044, 0644, or such), which might lead future people to copy this broken idiom, and perhaps even believe this parameter has some meaning or implication or application. Delete them all.<br>This comes out of a conversation where tb@ noticed that a strange (but intentional) pledge behaviour is to always knock-out high-bits from mode_t on a number of system calls as a safety factor, and his bewilderment that this appeared to be happening against valid modes (at least visually), but no sorry, they are all irrelevant junk. They could all be 0xdeafbeef.<br>ok millert | | | | |
| ok mpi@ deraadt@ | | | | |
| removed and the former is still needed, as pointed out by kettenis | | | | |
| portability annoyance since not all systems have u_char. Remove the now unused includes sys/types.h and stdio.h.<br>u_char diff from Jonas Termansen<br>ok deraadt | | | | |
| A tiny realpath(3) wrapper to make a porter's life easier.<br>Feedback kettenis deraadt cheloha sthen<br>OK cheloha martijn deraadt | | | | |
| This matches the documented behavior more obviously and ensures that these aren't optimized away, although this is unlikely.<br>Discussed with deraadt and otto | | | | |