| Commit message (Collapse) | Author | Age | Files | Lines |
|---|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
This is an initial take on documenting vulnerability mitigations.
Connect mitigations(7) to the build
Also add some cross references.
Reviewed by: gbe (earlier)
Sponsored by: The FreeBSD Foundation
Co-authored-by: Olivier Certner <olce.freebsd@certner.fr>
Differential Revision: https://reviews.freebsd.org/D41794
(cherry picked from commit b6a61ac2d475fba9c45f7f407549a522f60dea18)
(cherry picked from commit 6e5dcc6113da649a79e5bc2c3ea9329bcd1d85d5)
(cherry picked from commit a2b289608d6b54b6e1ce85096560807e551bb5ac)
(cherry picked from commit 272bc4597d0b41eebdfa7c108778070665acb431)
Approved by: re (gjb)
|
| |
|
|
| |
Remove /^\.\\"\n\.\\"\s*\$FreeBSD\$$\n/
|
| |
|
|
| |
Remove /^\s*#[#!]?\s*\$FreeBSD\$.*$\n/
|
| |
|
|
| |
Remove /^[\s*]*__FBSDID\("\$FreeBSD\$"\);?\s*\n/
|
| |
|
|
|
|
|
|
| |
In most cases, usage does not return, so mark them as __dead2. For the
cases where they do return, they have not been marked __dead2.
Reviewed by: imp
Pull Request: https://github.com/freebsd/freebsd-src/pull/735
|
| |
|
|
|
|
|
|
|
| |
The SPDX folks have obsoleted the BSD-2-Clause-FreeBSD identifier. Catch
up to that fact and revert to their recommended match of BSD-2-Clause.
Discussed with: pfg
MFC After: 3 days
Sponsored by: Netflix
|
| |
|
|
| |
Reported by: jrm (in review D34283)
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Previously an invocation like
elfctl -e +feature1,feature2 file1 file2
would set both feature flags in file 1 but only feature1 in file2 (due
to the string being modified by strsep()).
Reported by: jrm
Tested by: jrm
MFC after: 3 days
Sponsored by: The FreeBSD Foundation
Differential Revision: https://reviews.freebsd.org/D34283
|
| |
|
|
|
|
|
|
|
|
|
|
| |
Validate the operation prior to parsing the feature string, so that e.g.
-e 0x1 reports invalid operation '0' rather than invalid feature 'x11'.
Also make it an error rather than a warning, so that it is not repeated
if multiple files are specified.
(Previously an invalid operation resulted in a segfault.)
MFC after: 3 days
Sponsored by: The FreeBSD Foundation
|
| |
|
|
|
|
| |
Reported by: jrm
MFC after: 3 days
Sponsored by: The FreeBSD Foundation
|
| |
|
|
|
|
|
| |
Reported by: Mark Millard on freebsd-current@
Fixes: c763f99d11fd ("elfctl: prefix disable flags with "no"")
MFC after: 1 week
Sponsored by: The FreeBSD Foundation
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
ASLR stack randomization will reappear in a forthcoming commit. Rather
than inserting a random gap into the stack mapping, the entire stack
mapping itself will be randomized in the same way that other mappings
are when ASLR is enabled.
No functional change intended, as the stack gap implementation is
currently disabled by default.
Reviewed by: kib
MFC after: 2 weeks
Sponsored by: The FreeBSD Foundation
Differential Revision: https://reviews.freebsd.org/D33704
|
| |
|
|
|
|
|
|
| |
Suggested by: brooks
Reviewed by: brooks, markj
MFC after: 1 week
Sponsored by: The FreeBSD Foundation
Differential Revision: https://reviews.freebsd.org/D30452
|
| |
|
|
|
|
|
|
|
|
|
| |
Detect if host endian is different than target endian and swap
byte order of ELF note fields instead of failing.
Submitted by: Dawid Gorecki <dgr@semihalf.com>
Reviewed by: imp
Obtained from: Semihalf
Sponsored by: Stormshield
Differential Revision: https://reviews.freebsd.org/D29550
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Target value for val has uint32_t type, not uint, adjust used constant.
Change val type to unsigned so that left and right sides of comparision
operator do not expose different signed types of same range [*].
Switch to unsigned long long and strtoll(3) so that 0x80000000 is
accepted by conversion function [**].
Reported by: kargl [*]
Noted by: emaste [**]
Reviewed by: emaste
Sponsored by: The FreeBSD Foundation
Differential Revision: https://reviews.freebsd.org/D28301
|
| |
|
|
|
| |
Reported by: jkim
Fixes: 86f33b5fcf6087bf4439881011b920ff99e6e300
|
| |
|
|
|
|
|
|
|
|
|
|
|
| |
This will allow elfctl on older releases to set bits that are not yet
known there, so that the binary will have the correct settings applied
if run on a later FreeBSD version.
PR: 252629 (related)
Suggested by: kib
Reviewed by: gbe (manpage, earlier), kib
MFC after: 3 days
Sponsored by: The FreeBSD Foundation
Differential Revision: https://reviews.freebsd.org/D28284
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
| |
Some ELF feature flags indicate a request to opt-out of some feature,
for example NT_FREEBSD_FCTL_ASLR_DISABLE indicates that ASLR should be
disabled for the tagged binary. Using "aslr" as the short name for the
flag is confusing as it seems to indicate a request for ASLR to be
enabled. Rename "noaslr", and make a similar change for other opt-out
flags.
Reviewed by: bapt, manu, markj
MFC after: 1 week
Sponsored by: The FreeBSD Foundation
Differential Revision: https://reviews.freebsd.org/D28139
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
I am going to prefix opt-out ELF feature flag names with "no" to make
their meaning more clear (review D28139), but there are some uses of the
existing names already (e.g., the PR referenced below).
For now accept the older, unprefixed name as well, and emit a warning.
We can revert this after FreeBSD 13 branches.
% elfctl -e +aslr foo
elfctl: interpreting aslr as noaslr; please specify noaslr
PR: 239873 (related)
MFC after: 1 week
Sponsored by: The FreeBSD Foundation
Differential Revision: https://reviews.freebsd.org/D28140
|
| |
|
|
|
|
|
|
|
|
|
|
| |
This may allow an identical elfctl invocation to be used on multiple
FreeBSD versions, with features not implemented on older releases being
silently ignored.
PR: 252629 (related)
Reviewed by: kib
MFC after: 1 week
Sponsored by: The FreeBSD Foundation
Differential Revision: https://reviews.freebsd.org/D28130
|
| |
|
|
|
|
|
|
|
|
|
|
| |
Also centralize and unify checks to enable ASLR stack gap in a new
helper exec_stackgap().
PR: 239873
Sponsored by: The FreeBSD Foundation
MFC after: 1 week
Notes:
svn path=/head/; revision=368772
|
| |
|
|
|
|
|
|
|
| |
Tested by: pho
Sponsored by: The FreeBSD Foundation
Differential revision: https://reviews.freebsd.org/D25273
Notes:
svn path=/head/; revision=364517
|
| |
|
|
|
|
|
|
|
|
|
| |
elfctl has been merged to stable/12, and so will appear in FreeBSD 12.2
Reported by: Dewayne Geraghty
MFC after: 1 week
Sponsored by: The FreeBSD Foundation
Notes:
svn path=/head/; revision=360676
|
| |
|
|
|
|
|
|
|
| |
CID: 1420356
Reported by: Coverity Scan
Sponsored by: The FreeBSD Foundation
Notes:
svn path=/head/; revision=358889
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
This will be used to tag binaries that require W+X mappings, in advance
of the ability to prevent W^X in mmap/mprotect.
There is still some discussion about the flag's name, but the ABI won't
change even if the name does (as kib pointed out in the review).
Reviewed by: csjp, kib
Sponsored by: The FreeBSD Foundation
Differential Revision: https://reviews.freebsd.org/D23909
Notes:
svn path=/head/; revision=358631
|
| |
|
|
|
|
|
|
|
| |
CID: 1420212, 1420213
Reported by: Coverity Scan
Sponsored by: The FreeBSD Foundation
Notes:
svn path=/head/; revision=358623
|
| |
|
|
|
|
|
| |
Sponsored by: The FreeBSD Foundation
Notes:
svn path=/head/; revision=358622
|
| |
|
|
| |
Notes:
svn path=/head/; revision=358546
|
| |
|
|
|
|
|
|
|
| |
GCC points out a couple levels down in convert_to_features that this may be
used uninitialized. Indeed, this is true- initialize it to NULL so that we
at least deref a null pointer.
Notes:
svn path=/head/; revision=358518
|
|
|
elfctl is a tool for modifying the NT_FREEBSD_FEATURE_CTL ELF note,
which contains a set of flags for enabling or disabling vulnerability
mitigations and other features.
Reviewed by: csjp, kib
MFC after: 2 weeks
Relnotes: Yes
Sponsored by: The FreeBSD Foundation
Differential Revision: https://reviews.freebsd.org/D23910
Notes:
svn path=/head/; revision=358512
|
