From nobody Tue Jul 19 09:57:53 2022
Date: Tue, 19 Jul 2022 09:57:53 GMT
Message-Id: <202207190957.26J9vr2R013110@gitrepo.freebsd.org>
To: src-committers@FreeBSD.org, dev-commits-src-all@FreeBSD.org, dev-commits-src-branches@FreeBSD.org
From: Kornel Dulęba
Subject: git: 10192e77cfac - stable/13 - Enable ASLR by default for 64-bit executables
List-Id: Commit messages for all branches of the src repository
List-Archive: https://lists.freebsd.org/archives/dev-commits-src-all
X-Git-Committer: kd
X-Git-Repository: src
X-Git-Refname: refs/heads/stable/13
X-Git-Reftype: branch
X-Git-Commit: 10192e77cfacd1f27601882af61883be4d3ec58d

The branch stable/13 has been updated by kd:

URL:
https://cgit.FreeBSD.org/src/commit/?id=10192e77cfacd1f27601882af61883be4d3ec58d

commit 10192e77cfacd1f27601882af61883be4d3ec58d
Author:     Marcin Wojtas
AuthorDate: 2021-10-24 14:53:06 +0000
Commit:     Kornel Dulęba
CommitDate: 2022-07-19 09:37:25 +0000

    Enable ASLR by default for 64-bit executables

    Address Space Layout Randomization (ASLR) is an exploit mitigation
    technique implemented in the majority of modern operating systems.
    It involves randomly positioning the base address of an executable
    and the position of libraries, heap, and stack, in a process's
    address space. Although over the years ASLR proved to not guarantee
    full OS security on its own, this mechanism can make exploitation
    more difficult.

    Tests on the tier 1 64-bit architectures demonstrated that the ASLR
    is stable and does not result in noticeable performance degradation,
    therefore it should be safe to enable this mechanism by default.
    Moreover its effectiveness is increased for PIE (Position Independent
    Executable) binaries. Thanks to commit 9a227a2fd642 ("Enable PIE by
    default on 64-bit architectures"), building from src is not necessary
    to have PIE binaries. It is enough to control usage of ASLR in the OS
    solely by setting the appropriate sysctls.

    This patch toggles the kernel settings to use address map
    randomization for PIE & non-PIE 64-bit binaries. It also disables
    SBRK, in order to allow utilization of the bss grow region for
    mappings. The latter has no effect if ASLR is disabled, so apply it
    to all architectures.

    As for the drawbacks, a consequence of using the ASLR is more
    significant VM fragmentation, hence the issues may be encountered in
    the systems with a limited address space in high memory consumption
    cases, such as buildworld. As a result, although the tests on 32-bit
    architectures with ASLR enabled were mostly on par with what was
    observed on 64-bit ones, the defaults for the former are not changed
    at this time. Also, for the sake of safety keep the feature disabled
    for 32-bit executables on 64-bit machines, too.

    The committed change affects the overall OS operation, so the
    following should be taken into consideration:
    * Address space fragmentation.
    * A changed ABI due to modified layout of address space.
    * More complicated debugging due to:
      * Non-reproducible address space layout between runs.
      * Some debuggers automatically disable ASLR for spawned processes,
        making the target's environment different between debug and
        non-debug runs.

    In order to confirm/rule-out the dependency of any encountered issue
    on ASLR it is strongly advised to re-run the test with the feature
    disabled - it can be done by setting the following sysctls in the
    /etc/sysctl.conf file:
    kern.elf64.aslr.enable=0
    kern.elf64.aslr.pie_enable=0

    Co-developed by: Dawid Gorecki
    Reviewed by: emaste, kib
    Obtained from: Semihalf
    Sponsored by: Stormshield
    MFC after: 1 month
    Differential revision: https://reviews.freebsd.org/D27666

    (cherry picked from commit b014e0f15bc73d80ef49b64fd1f8c29f469467cb)
---
 sys/kern/imgact_elf.c | 20 +++++++++++++++++---
 1 file changed, 17 insertions(+), 3 deletions(-)

diff --git a/sys/kern/imgact_elf.c b/sys/kern/imgact_elf.c
index 3723b3faebbb..bee3524537d9 100644
--- a/sys/kern/imgact_elf.c
+++ b/sys/kern/imgact_elf.c
@@ -172,19 +172,33 @@ SYSCTL_NODE(__CONCAT(_kern_elf, __ELF_WORD_SIZE), OID_AUTO, aslr, ""); #define ASLR_NODE_OID __CONCAT(__CONCAT(_kern_elf, __ELF_WORD_SIZE), _aslr) -static int __elfN(aslr_enabled) = 0; +/* + * While for 64-bit machines ASLR works properly, there are + * still some problems when using 32-bit architectures. For this + * reason ASLR is only enabled by default when running native + * 64-bit non-PIE executables. + */ +static int __elfN(aslr_enabled) = __ELF_WORD_SIZE == 64; SYSCTL_INT(ASLR_NODE_OID, OID_AUTO, enable, CTLFLAG_RWTUN, &__elfN(aslr_enabled), 0, __XSTRING(__CONCAT(ELF, __ELF_WORD_SIZE)) ": enable address map randomization"); -static int __elfN(pie_aslr_enabled) = 0; +/* + * Enable ASLR only for 64-bit PIE binaries by default. + */ +static int __elfN(pie_aslr_enabled) = __ELF_WORD_SIZE == 64; SYSCTL_INT(ASLR_NODE_OID, OID_AUTO, pie_enable, CTLFLAG_RWTUN, &__elfN(pie_aslr_enabled), 0, __XSTRING(__CONCAT(ELF, __ELF_WORD_SIZE)) ": enable address map randomization for PIE binaries"); -static int __elfN(aslr_honor_sbrk) = 1; +/* + * Sbrk is now deprecated and it can be assumed, that in most + * cases it will not be used anyway. This setting is valid only + * for the ASLR enabled and allows for utilizing the bss grow region. + */ +static int __elfN(aslr_honor_sbrk) = 0; SYSCTL_INT(ASLR_NODE_OID, OID_AUTO, honor_sbrk, CTLFLAG_RW, &__elfN(aslr_honor_sbrk), 0, __XSTRING(__CONCAT(ELF, __ELF_WORD_SIZE)) ": assume sbrk is used");
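Review bot: the new comment above `__elfN(aslr_enabled)` says ASLR "is only enabled by default when running native 64-bit non-PIE executables", but the same hunk also defaults `__elfN(pie_aslr_enabled)` to `__ELF_WORD_SIZE == 64`, so 64-bit PIE binaries get it as well; reword to something like "for native 64-bit executables; PIE binaries are governed by the pie_enable knob below" so the two comments agree with each other and with the commit message. The `aslr_honor_sbrk` comment also reads awkwardly ("This setting is valid only for the ASLR enabled"); "This setting only takes effect when ASLR is enabled" matches what the commit message states. Note that `honor_sbrk` keeps `CTLFLAG_RW` while the two enable knobs are `CTLFLAG_RWTUN`, so unlike them it cannot be preset from loader.conf, only at runtime; if that is intended, a one-line comment would save the next reader the question.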
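As an added example (not part of this commit or the FreeBSD tree), a POSIX sh helper that reports whether the kern.elf64.aslr knobs this change flips are on, as read from sysctl(8) output, and counts distinct output lines across repeated runs of a program so that an operator can confirm the layout really varies. The sysctl sample embedded below is constructed; `./printaddr` and the proccontrol(1) invocation in the trailing comment are assumptions about how it would be used on a FreeBSD 13 host.

```shell
#!/bin/sh
# Added example, not part of the commit: check the 64-bit ASLR knobs and
# verify empirically that a freshly exec'd process gets a different layout.

# aslr_knobs_enabled TEXT
# TEXT is the "name: value" output of `sysctl kern.elf64.aslr`. Exit status
# 0 when both the non-PIE (enable) and PIE (pie_enable) knobs are set to 1.
aslr_knobs_enabled() {
    printf '%s\n' "$1" | awk -F': ' '
        $1 == "kern.elf64.aslr.enable"     { e = $2 }
        $1 == "kern.elf64.aslr.pie_enable" { p = $2 }
        END { exit !(e == 1 && p == 1) }'
}

# distinct_lines N CMD...
# Run CMD N times and print how many distinct output lines were seen. With
# a CMD that prints one address taken from its own process (stack, heap or
# text), 1 means the layout was identical in every run, N means it changed
# on every run.
distinct_lines() {
    n=$1; shift
    i=0
    while [ "$i" -lt "$n" ]; do
        "$@"
        i=$((i + 1))
    done | sort -u | wc -l | tr -d ' '
}

# Constructed samples in the form sysctl(8) prints; on a FreeBSD host use
# the live output of: sysctl kern.elf64.aslr
SAMPLE_ON='kern.elf64.aslr.enable: 1
kern.elf64.aslr.pie_enable: 1
kern.elf64.aslr.honor_sbrk: 0'
SAMPLE_OFF='kern.elf64.aslr.enable: 0
kern.elf64.aslr.pie_enable: 0
kern.elf64.aslr.honor_sbrk: 0'

if aslr_knobs_enabled "$SAMPLE_ON"; then echo "SAMPLE_ON: 64-bit ASLR on"; fi
aslr_knobs_enabled "$SAMPLE_OFF" || echo "SAMPLE_OFF: 64-bit ASLR off"

# Assumed usage on FreeBSD 13 with a small program ./printaddr that prints
# the address of a local variable: compare the system default against a run
# with ASLR disabled for that one process via proccontrol(1).
#   distinct_lines 5 ./printaddr
#   distinct_lines 5 proccontrol -m aslr -s disable ./printaddr
```

The per-process proccontrol(1) route lets you rule ASLR in or out for a single failing test without touching /etc/sysctl.conf for the whole host.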