This reverts commit b7b19ffccfb139fc731dca94655b3531a50c61ca. The
per-thread stack randomization needs more thought. It's likely that this
implementation is being too aggressive.
Signed-off-by: Shawn Webb <shawn.webb@hardenedbsd.org>
(cherry picked from commit 5d741f44acf944a48dd14390fec663b42f962e96)
(cherry picked from commit 233c617c4908a4249a70af89dcbea31575f0dc87)

The per-thread stack implementation in libthr supplies a hint to
mmap(2). ASLR will get applied to it, but it could be hardened still.
Provide additional hardening by randomizing the size of the per-thread
stack guard provided by libthr. This will effectively randomize the top
of the per-thread stack at a page-level granularity. Additional entropy
could be provided by introducing a random-sized gap, thus getting better
than page-level granularity.
Signed-off-by: Shawn Webb <shawn.webb@hardenedbsd.org>
Sponsored-by: SoldierX

The space between the bottom-most limit of the stack and the top of the
stack should not be able to be mapped via mmap(2). This should fully
mitigate Stack Clash in conjunction with the hardened stack guard.
Signed-off-by: Shawn Webb <shawn.webb@hardenedbsd.org>
Sponsored-by: SoldierX

libthr inserts its own stack guard. Harden it for the same reasons as
commit 13971cb990b78e679ab338b4e8baf24f3e0d8730.
Signed-off-by: Shawn Webb <shawn.webb@hardenedbsd.org>
Sponsored-by: SoldierX

The Stack Clash article shows that a single page for the stack guard
isn't sufficient. Bump the size of the stack guard up to 2MB by default.
Provide a way for the stack guard size to be configurable with either a
custom kernel configuration or via a sysctl node. The sysctl node
(security.bsd.stack_guard_size) is only exposed if PAX_HARDENING is
disabled. Otherwise, the user must recompile with a custom kernel
(kernel option: STACK_GUARD_SIZE) to modify the size. The size MUST be
divisible by PAGE_SIZE (default: 4096 bytes) and cannot be zero.
ASLR does help address the Stack Clash, especially since HardenedBSD
follows the PaX design with true stack randomization (randomizing the
top of the stack while also inserting a random-sized gap). However, ASLR
does not mitigate the Stack Clash attack. It simply makes the attacker's
job much more difficult. Without ASLR, the attacker will know in advance
where the stack starts and can easily determine the current stack
layout. Utilizing that information, the attacker can figure out how to
manipulate the address space to clash with the stack.
Signed-off-by: Shawn Webb <shawn.webb@hardenedbsd.org>
Sponsored-by: SoldierX

HardenedBSD has enabled the stack guard by default. The article Stack
Clash discusses FreeBSD having the stack guard disabled by default. ASLR
will help here, but is not a full mitigation against this kind of attack.
A follow-up commit from HardenedBSD will harden the stack guard page
even more. Once that commit is tested and considered stable, it will
be merged over into OPNsense.
Signed-off-by: Shawn Webb <shawn@opnsense.org>

TOS value 0 is valid, so use 256 as an invalid value rather than zero.
This allows users to enforce TOS == 0 with pf.
Reported by: Radek Krejča <radek.krejca@starnet.cz>

Ignore the ECN bits on 'tos' and 'set-tos' and allow the use of
DSCP names instead of having to embed their TOS equivalents
as plain numbers.
Obtained from: OpenBSD
Sponsored by: OPNsense
Differential Revision: https://reviews.freebsd.org/D8165

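The two preceding commits make a pair of points that are easy to get wrong in any ACL engine: a "not set" sentinel must live outside the range of valid values (here 256, so a rule can genuinely require TOS == 0), and DSCP comparisons must mask off the two ECN bits so that a packet marked ECT or CE still matches its DSCP class. The following is an added example written for this page; it is not pf's own parser or matching code and does not come from either commit. The names `parse_tos`, `tos_matches` and `TOS_UNSET` are assumptions for the example, and the DSCP name table lists the standard code points (CS0-CS7, AF11-AF43, EF, VA), which is not necessarily pf's exact keyword list.

```c
#include <errno.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <strings.h>

/*
 * "Not set" sentinel (name assumed for this example). A TOS byte is 0..255,
 * so 256 can never collide with a real value, which is what lets a rule
 * require TOS == 0 explicitly instead of treating 0 as "unset".
 */
#define TOS_UNSET	256

/* The low two bits of the IPv4 TOS byte carry ECN; DSCP is the upper six. */
#define TOS_ECN_MASK	0x03

struct dscp_name {
	const char	*name;
	int		 dscp;	/* 6-bit code point; TOS byte = dscp << 2 */
};

/* Standard DSCP code points (class selectors, assured forwarding, EF, VA). */
static const struct dscp_name dscp_names[] = {
	{ "cs0", 0 },   { "cs1", 8 },   { "cs2", 16 },  { "cs3", 24 },
	{ "cs4", 32 },  { "cs5", 40 },  { "cs6", 48 },  { "cs7", 56 },
	{ "af11", 10 }, { "af12", 12 }, { "af13", 14 },
	{ "af21", 18 }, { "af22", 20 }, { "af23", 22 },
	{ "af31", 26 }, { "af32", 28 }, { "af33", 30 },
	{ "af41", 34 }, { "af42", 36 }, { "af43", 38 },
	{ "ef", 46 },   { "va", 44 },
};

/*
 * Parse a 'tos' / 'set-tos' argument: a DSCP name (case-insensitive) or a
 * number (decimal, 0x hex, leading-0 octal). Returns the TOS byte with the
 * ECN bits cleared, or -1 if the argument is not a valid TOS.
 */
int
parse_tos(const char *s)
{
	size_t i;
	char *end;
	long v;

	if (s == NULL || *s == '\0')
		return (-1);

	for (i = 0; i < sizeof(dscp_names) / sizeof(dscp_names[0]); i++)
		if (strcasecmp(s, dscp_names[i].name) == 0)
			return (dscp_names[i].dscp << 2);

	errno = 0;
	v = strtol(s, &end, 0);
	if (errno != 0 || end == s || *end != '\0' || v < 0 || v > 255)
		return (-1);

	/* Ignore ECN so that "0x2b" and "af11" (0x28) name the same DSCP. */
	return ((int)(v & ~TOS_ECN_MASK));
}

/*
 * Rule match: a rule whose tos is TOS_UNSET matches any packet; otherwise
 * the packet's DSCP must equal the rule's, with the packet's ECN bits ignored.
 */
int
tos_matches(int rule_tos, uint8_t pkt_tos)
{
	if (rule_tos == TOS_UNSET)
		return (1);
	return ((pkt_tos & ~TOS_ECN_MASK) == rule_tos);
}

int
main(int argc, char **argv)
{
	/* Constructed sample arguments, used when none are given on the command line. */
	const char *samples[] = { "af11", "EF", "0x2b", "0", "256", "bogus" };
	const char **args = argc > 1 ? (const char **)argv + 1 : samples;
	int n = argc > 1 ? argc - 1 : (int)(sizeof(samples) / sizeof(samples[0]));
	int i, tos;

	for (i = 0; i < n; i++) {
		tos = parse_tos(args[i]);
		if (tos < 0)
			printf("%-6s -> invalid\n", args[i]);
		else
			printf("%-6s -> tos 0x%02x (dscp %d)\n", args[i], tos, tos >> 2);
	}
	return (0);
}
```

Run it with no arguments to see the constructed samples, or pass your own (`./a.out af21 0x38`). The one design point worth noting is that masking happens in both places: at parse time so that stored rule values are canonical, and at match time so that a packet's ECN marking never causes a DSCP-only rule to fall through.
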
* As per the recommendations outlined in Network Operations Division
Cryptographic Requirements published on Wikileaks in March 2017.
We discard more bytes of the first keystream
to reduce the possibility of non-random bytes.
Similar to the already patched:
contrib/ntp/sntp/libevent/arc4random.c
in opnsense repository
* Format patch according to current:
9395fdf886

ae@ says skip should not be needed anymore and is supposed to
always be the size of the IPv4 header. The IPv6 code already
handles this more robustly so simply update IPv4 accordingly.

The way I was doing it prevented cross-building from working. By only
setting SHLIBDIR, bsd.lib.mk will create the proper symlinks for me.
Signed-off-by: Shawn Webb <shawn.webb@hardenedbsd.org>
Sponsored-by: SoldierX
Discussed-with: Bryan Drewery
MFC-to: 11-STABLE
(cherry picked from commit 1dfc1328ceabe5b68f3a5c46b7808735a0243d8e)

Fix system hang when booting when PCI-express HotPlug is enabled.
[EN-17:01]
Fix NIS master updates not being pushed to NIS slave. [EN-17:02]
Fix compatibility with Hyper-V/storage after KB3172614 or
KB3179574. [EN-17:03]
Make makewhatis output reproducible. [EN-17:04]
Approved by: so

OPNsense doesn't use procfs by default, but in case users try to use it,
prevent an interesting attack where an attacker can abuse procfs to
modify application execution state.
This commit also introduces the PAX_HARDENING kernel option.
Signed-off-by: Shawn Webb <shawn@opnsense.org>

This is required for systems where /usr is on a different filesystem.
Signed-off-by: Shawn Webb <shawn.webb@hardenedbsd.org>
github-issue: #229
MFC-to: 11-STABLE
(cherry picked from commit cbf6cad428258f0ac894742b5a907b815bf25bd9)
(cherry picked from commit e6c0333fae2e6d2f042d34481649a2c1afa4c513)

SafeStack isn't ready for architectures other than amd64.
Signed-off-by: Shawn Webb <shawn.webb@hardenedbsd.org>
(cherry picked from commit c2aa81995f2d279ec24697b4f94a669bee096c5e)
(cherry picked from commit 52996a3565a03ef16e80c757ba89132282e3988f)
(cherry picked from commit 46cb6a0954aca39f5ca263633c364eb5dfc5e424)

This is only for COMPAT_LIB32 on amd64. SafeStack doesn't apply in this
case.
Signed-off-by: Shawn Webb <shawn.webb@hardenedbsd.org>
(cherry picked from commit dab578c527eaf4f98cf1d6aa99e9e90d7cb6b920)
(cherry picked from commit c04fd9f1a8ea65590c1d03080917961fa5225611)
(cherry picked from commit 905a6804f37346bbc481489076270dd59455ea61)

Compile world with SafeStack from clang/llvm. Right now, only
applications are compiled with SafeStack, not libraries. clang 3.9.0
does not support compiling shared libraries with SafeStack, though a
patch has been proposed that would enable support.
This is very much still a work-in-progress. More research is needed.
Note that with clang's current implementation of SafeStack, ASLR and W^X
are prerequisites. SafeStack currently requires ASLR and W^X in order to
be effective.
Signed-off-by: Shawn Webb <shawn.webb@hardenedbsd.org>
(cherry picked from commit bb9e4981334b2988325c3334fc88c89b76fea91f)
(cherry picked from commit 3b3b0b08f19ec7c2f4fad06baa72e0ce2b5ac801)
(cherry picked from commit 0c2abce516fcfd80a7e2424807839ad64b5cb263)

convention for interfaces, because only one stf(4) interface can exist
in the system.
This disallows the use of unit numbers different from 0; however, it is
possible to create the clone without specifying the unit number (wildcard).
In the wildcard case we must update the interface name before returning.
This fixes an infinite recursion in pf code that keeps track of network
interfaces and groups:
1 - a group for the cloned type of the interface is added (stf in this
case);
2 - the system will now try to add an interface named stf (instead of
stf0) to the stf group;
3 - when pfi_kif_attach() tries to search for an already existing 'stf'
interface, the 'stf' group is returned and thus the group is added
as an interface of itself.
This will now cause a crash at the first attempt to traverse the groups
to which the stf interface belongs (which loops over itself).
Obtained from: pfSense
MFC after: 2 weeks
Sponsored by: Rubicon Communications, LLC (Netgate)

The old code did this while violating the pfil chain, but now we
need to look up the interface correctly. Maybe this check should
be bubbled up in the future, but for now we should keep this with
pf(4) until we upstream these changes.

subrulenr is considered unset if it's set to -1, not if it's set to 1.
See contrib/tcpdump/print-pflog.c pflog_print() for a user.
This caused incorrect pflog output (tcpdump -n -e -ttt -i pflog0):
rule 0..16777216(match)
instead of the correct output of
rule 0/0(match)
PR: 214832
Submitted by: andywhite@gmail.com