Date: Tue, 24 Oct 2023 22:32:09 GMT
Message-Id: <202310242232.39OMW9a1089884@gitrepo.freebsd.org>
To: src-committers@FreeBSD.org, dev-commits-src-all@FreeBSD.org, dev-commits-src-main@FreeBSD.org
From: Ed Maste
Subject: git: d521abdff236 - main - Update ASLR stack sysctl description in security.7 and mitigations.7
List-Id: Commit messages for the main branch of the src repository
List-Archive: https://lists.freebsd.org/archives/dev-commits-src-main

The branch main has been updated by emaste:

URL: https://cgit.FreeBSD.org/src/commit/?id=d521abdff2367a5c72a773a815fc3d99403274f5

commit d521abdff2367a5c72a773a815fc3d99403274f5
Author:     Ed Maste
AuthorDate: 2023-10-24 22:06:59 +0000
Commit:     Ed Maste
CommitDate: 2023-10-24 22:29:25 +0000

    Update ASLR stack sysctl description in security.7 and mitigations.7

    In an earlier implementation the stack (gap) was randomized when the
    enable sysctl was set and ASLR was also enabled (in general) for the
    binary.  In the current implementation the sysctl operates
    independently.

    Reviewed by:    kib
    Sponsored by:   The FreeBSD Foundation
    Differential Revision: https://reviews.freebsd.org/D42357
---
 share/man/man7/mitigations.7 | 4 ++--
 share/man/man7/security.7    | 3 +--
 2 files changed, 3 insertions(+), 4 deletions(-)

diff --git a/share/man/man7/mitigations.7 b/share/man/man7/mitigations.7 index fed16d7b325f..950d84042c71 100644 --- a/share/man/man7/mitigations.7 +++ b/share/man/man7/mitigations.7 @@ -120,7 +120,7 @@ Reserve the legacy .Xr sbrk 2 region for compatibility with older binaries. .It Va kern.elf32.aslr.stack -If ASLR is enabled for a process, also randomize the stack location. +Randomize the stack location for 32-bit ELF binaries. .El .Pp Global controls for 64-bit processes: 
@@ -135,7 +135,7 @@ Reserve the legacy .Xr sbrk 2 region for compatibility with older binaries. .It Va kern.elf64.aslr.stack -If ASLR is enabled for a process, also randomize the stack location. +Randomize the stack location for 64-bit ELF binaries. .El .Pp To execute a command with ASLR enabled or disabled: diff --git a/share/man/man7/security.7 b/share/man/man7/security.7 index a48e3607f0e5..71107b29ba11 100644 --- a/share/man/man7/security.7 +++ b/share/man/man7/security.7 @@ -1065,8 +1065,7 @@ position-independent (PIE) 32-bit binaries. Makes ASLR less aggressive and more compatible with old binaries relying on the sbrk area. .It Dv kern.elf32.aslr.stack -If ASLR is enabled for a binary, a non-zero value enables randomization -of the stack. +Enable randomization of the stack for 32-bit binaries. Otherwise, the stack is mapped at a fixed location determined by the process ABI. .It Dv kern.elf64.aslr.enable
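
Review bot: in the mitigations.7 hunks at @@ -120 and @@ -135, the new entries for kern.elf32.aslr.stack and kern.elf64.aslr.stack drop the old "If ASLR is enabled for a process" condition but never state the point the commit message makes, that the stack sysctl now operates independently of ASLR being enabled in general. A reader who remembers the old wording cannot tell from "Randomize the stack location for 32-bit ELF binaries." whether the stack is still randomized when ASLR is otherwise off for the binary. Consider saying so in each entry, for example by adding "regardless of whether ASLR is otherwise enabled". The entries also switch from "for a process" to "for ... ELF binaries" under a heading that reads "Global controls for 64-bit processes:", so pick one term.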
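
Review bot: in the security.7 hunk at @@ -1065, the retained context line "Otherwise, the stack is mapped at a fixed location determined by the process ABI." loses its antecedent. The removed text said "a non-zero value enables randomization of the stack", which gave "Otherwise" a condition to contrast with; the replacement "Enable randomization of the stack for 32-bit binaries." does not. Keeping the value semantics would fix it, for example "A non-zero value enables randomization of the stack for 32-bit binaries." Two further points: the diffstat shows only this one entry changing in security.7 while mitigations.7 updates both the 32-bit and 64-bit entries, so check whether security.7 has a kern.elf64.aslr.stack entry that still carries the old conditional wording; and the 3 insertions and 4 deletions are all description lines, so neither page's .Dd date is bumped for this content change.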