  3. Jun 25, 2017
      HBSD: Randomize top of per-thread stacks · 35593a4e
      Shawn Webb authored
      
      The per-thread stack implementation in libthr supplies a hint to
      mmap(2). ASLR will get applied to it, but it could be hardened still.
      Provide additional hardening by randomizing the size of the per-thread
      stack guard provided by libthr. This will effectively randomize the top
      of the per-thread stack at a page-level granularity. Additional entropy
      could be provided by introducing a random-sized gap, thus getting better
      than page-level granularity.
      
      Signed-off-by: Shawn Webb <shawn.webb@hardenedbsd.org>
      Sponsored-by:	SoldierX
      (cherry picked from commit ff0cec6d)
      HBSD: Do not allow non-stack mappings between bottom-most limit of stack and the top of the stack · 01c6a48b
      Shawn Webb authored
      
      The space between the bottom-most limit of the stack and the top of the
      stack should not be able to be mapped via mmap(2). This should fully
      mitigate Stack Clash in conjunction with the hardened stack guard.
      
      Signed-off-by: Shawn Webb <shawn.webb@hardenedbsd.org>
      Sponsored-by:	SoldierX
      (cherry picked from commit 7e16dbbf)
      HBSD: Harden per-thread stack guard · fd30a6ef
      Shawn Webb authored
      
      libthr inserts its own stack guard. Harden it for the same reasons as
      commit 13971cb990b78e679ab338b4e8baf24f3e0d8730.
      
      Signed-off-by: Shawn Webb <shawn.webb@hardenedbsd.org>
      Sponsored-by:	SoldierX
      (cherry picked from commit da1579df)
      HBSD: Harden the stack guard · 88effd28
      Shawn Webb authored
      
      The Stack Clash article shows that a single page for the stack guard
      isn't sufficient. Bump the size of the stack guard up to 2MB by default.
      Provide a way for the stack guard size to be configurable with either a
      custom kernel configuration or via a sysctl node. The sysctl node
      (security.bsd.stack_guard_size) is only exposed if PAX_HARDENING is
      disabled. Otherwise, the user must recompile with a custom kernel
      (kernel option: STACK_GUARD_SIZE) to modify the size. The size MUST be
      divisible by PAGE_SIZE (default: 4096 bytes) and cannot be zero.
      
      ASLR does help address the Stack Clash, especially since HardenedBSD
      follows the PaX design with true stack randomization (randomizing the
      top of the stack while also inserting a random-sized gap). However, ASLR
      does not mitigate the Stack Clash attack. It simply makes the attacker's
      job much more difficult. Without ASLR, the attacker will know in advance
      where the stack starts and can easily determine the current stack
      layout. Utilizing that information, the attacker can figure out how to
      manipulate the address space to clash with the stack.
      
      Signed-off-by: Shawn Webb <shawn.webb@hardenedbsd.org>
      Sponsored-by:	SoldierX
      (cherry picked from commit 1af48f7b)
      HBSD: Enable the stack guard by default · 382e850e
      Shawn Webb authored
      
      HardenedBSD has enabled the stack guard by default. The article Stack
      Clash discusses FreeBSD having the stack guard disabled by default. ASLR
      will help here, but is not a full mitigation against this kind of attack.
      
      A follow-up commit from HardenedBSD will harden the stack guard page
      even more so. Once that commit is tested and considered stable, it will
      be merged over into OPNsense.
      
      Signed-off-by: Shawn Webb <shawn@opnsense.org>
      (cherry picked from commit ee1912f9)
  10. Mar 15, 2017
      ipsec: skip may be zero in IPv4 handling, but must not · abe907c5
      Franco Fichtner authored
      ae@ says skip should not be needed anymore and is supposed to
      always be the size of the IPv4 header.  The IPv6 code already
      handles this more robustly so simply update IPv4 accordingly.
      HBSD: Introducing SafeStack · 0a3c1431
      Shawn Webb authored
      
      Compile world with SafeStack from clang/llvm. Right now, only
      applications are compiled with SafeStack, not libraries. clang 3.9.0
      does not support compiling shared libraries with SafeStack, though a
      patch has been proposed that would enable support.
      
      Note that with clang's current implementation of SafeStack, ASLR and W^X
      are prerequisites. SafeStack currently requires ASLR and W^X in order to
      be effective.
      
      Signed-off-by: Shawn Webb <shawn.webb@hardenedbsd.org>
  16. Feb 06, 2017
      The stf(4) interface name does not conform with the default naming · cffa5d67
      loos authored
      convention for interfaces, because only one stf(4) interface can exist
      in the system.
      
      This disallows the use of unit numbers other than 0; however, it is
      possible to create the clone without specifying the unit number (wildcard).
      
      In the wildcard case we must update the interface name before returning.
      
      This fixes an infinite recursion in pf code that keeps track of network
      interfaces and groups:
      
      1 - a group for the cloned type of the interface is added (stf in this
          case);
      2 - the system will now try to add an interface named stf (instead of
          stf0) to stf group;
      3 - when pfi_kif_attach() tries to search for an already existing 'stf'
          interface, the 'stf' group is returned and thus the group is added
          as an interface of itself;
      
      This will now cause a crash at the first attempt to traverse the groups
      to which the stf interface belongs (which loops over itself).
      
      Obtained from:	pfSense
      MFC after:	2 weeks
      Sponsored by:	Rubicon Communications, LLC (Netgate)
      17.1.1
  18. Jan 23, 2017
      MFC r309563: pflog: Correctly initialise subrulenr · 2b43b65e
      kp authored
      subrulenr is considered unset if it's set to -1, not if it's set to 1.
      See contrib/tcpdump/print-pflog.c pflog_print() for a user.
      
      This caused incorrect pflog output (tcpdump -n -e -ttt -i pflog0):
        rule 0..16777216(match)
      instead of the correct output of
        rule 0/0(match)
      
      PR:		214832
      Submitted by:	andywhite@gmail.com
      17.1
      MFC r309660: · a15e27d1
      ae authored
        Convert result of hash_packet6() into host byte order.
      
        For IPv4 similar function uses addresses and ports in host byte order,
        but for IPv6 it used network byte order. This led to very bad hash
        distribution for IPv6 flows. Now the result looks similar to IPv4.
  19. Jan 16, 2017
      netmap: manually backport multiple fixes · 17588645
      Franco Fichtner authored
      o Restore netmap emulation mode to working order, including
        fixing the destructor panics on detach.
      o Omit pipe additions to these fixes, likely problematic for
        Suricata to pass traffic like it does on 11.0 without this
        patch.
      o Allow to build the module without errors in the tree.
      
      Many thanks to Vincenzo Maffione for assistance and review!  :)
      
      From b497fe34fd275da6b850bf271f510d02b888b8bc Mon Sep 17 00:00:00 2001
      From: Giuseppe Lettieri <g.lettieri@iet.unipi.it>
      Date: Thu, 2 Jun 2016 00:21:40 +0200
      Subject: [PATCH] allocate only the rings requested by the user
      
      From 09936864fa5b67b82ef4a9907819b7018e9a38f2 Mon Sep 17 00:00:00 2001
      From: Giuseppe Lettieri <g.lettieri@iet.unipi.it>
      Date: Wed, 20 Jul 2016 20:35:12 +0000
      Subject: [PATCH] freebsd: fix const-related warning
      
      From ab90c6c10224fefbb6a6c6e0b92e6ba80e5b694d Mon Sep 17 00:00:00 2001
      From: Vincenzo Maffione <v.maffione@gmail.com>
      Date: Wed, 28 Sep 2016 18:39:55 +0200
      Subject: [PATCH] freebsd: generic: change mbuf allocation management
      
      From fe811e11b2c37fc274a1134e1c10b2f6ada1a91c Mon Sep 17 00:00:00 2001
      From: Vincenzo Maffione <v.maffione@gmail.com>
      Date: Thu, 29 Sep 2016 08:54:52 +0200
      Subject: [PATCH] freebsd: generic: call m_extadd() only once for each mbuf
      17.1.r1
  20. Jan 12, 2017
      HBSD: Force -fPIC when building PIEs · 33c11a6a
      Shawn Webb authored
      Help mitigate against CoReV attack[1]. We already force shared libraries
      to be compiled with -fPIC.
      
      [1]: https://sourceware.org/ml/libc-alpha/2016-12/msg00914.html
      
      Signed-off-by: Shawn Webb <shawn.webb@hardenedbsd.org>
      MFC-to:		10-STABLE
      MFC-to:		11-STABLE
      (cherry picked from commit 19d38259535dbc6705d8ca3a8d644e4cc87bbf38)
      MFC r308580: · b85c1e36
      rstone authored
        Don't read if_counters with if_addr_lock held
      
        Calling into an ifnet implementation with the if_addr_lock already
        held can cause a LOR and potentially a deadlock, as ifnet
        implementations typically can take the if_addr_lock after their
        own locks during configuration.  Refactor a sysctl handler that
        was violating this to read if_counter data into a temporary buffer
        before the if_addr_lock is taken, and then copy the data
        into its final location later, when the if_addr_lock is held.
      
        PR: 194109
        Reported by: Jean-Sebastien Pedron
        MFC after: 2 weeks
        Differential Revision:        https://reviews.freebsd.org/D8498
        Reviewed by: sbruno
  21. Jan 10, 2017
      pf/ipfw/netinet[6]: IP forwarding rework, fixes IPv4 in pf(4) · e92bed1a
      Franco Fichtner authored
      Based on feedback by countless users, this removes the if_output
      calls in the pf code that escape pfil processing in IPv4 by going
      the long way.  This is only partially applicable to FreeBSD and
      we are working on fixing this in a full fashion in 12-CURRENT.
      
      It also disables ip_tryforward() as that does not seem trivial
      to convert as it is missing 12-CURRENT's nhop4/nhop6.  Maybe we
      will see that in 11.1.
      
      Many thanks to Andrey V. Elsukov (ae@) for giving this direction
      and review.
      
      Also see: https://reviews.freebsd.org/D8877
  23. Jan 04, 2017
      Fix panic during lagg destruction with simultaneous status check · 939a6f97
      asomers authored
      If you run "ifconfig lagg0 destroy" and "ifconfig lagg0" at the same time a
      page fault may result. The first process will destroy ifp->if_lagg in
      lagg_clone_destroy (called by if_clone_destroy). Then the second process
      will observe that ifp->if_lagg is NULL at the top of lagg_port_ioctl and
      goto fallback: where it will promptly dereference ifp->if_lagg anyway.
      
      The solution is to repeat the NULL check for ifp->if_lagg.
      
      MFC after:	4 weeks
      Sponsored by:	Spectra Logic Corp
      Differential Revision:	https://reviews.freebsd.org/D8512
      
      Remove stray debugging code from r310180
      
      Reported by:	rstone
      Pointy hat to:	asomers
      MFC after:	3 weeks
      X-MFC-with:	310180
      Sponsored by:	Spectra Logic Corp