- Restructure the code to do the checking in the appropriate note type,
and harmonize all the checks to be positive.
- Print only the tag data being careful not to overrun the allocated buffer.
- always provide a vmspace for the new proc, initially borrowing from proc0
(this part fixes PR 46286)
- increase parallelism between parent and child if arguments allow this,
avoiding a potential deadlock on exec_lock
- add a new flag for userland to request old (lockstepped) behaviour for
better error reporting
- adapt test cases to the previous two and add a new variant to test the
diagnostics flag
- fix a few memory (and lock) leaks
- provide netbsd32 compat
(exec_free_emul_arg) to call the hook and then clear the ep_emul_arg
and ep_emul_arg_free members in the exec_package.
Change users/accessors to use these routines.
Approved by releng.
<20111022023242.BA26F14A158@mail.netbsd.org>. This change includes
the following:
An initial cleanup and minor reorganization of the entropy pool
code in sys/dev/rnd.c and sys/dev/rndpool.c. Several bugs are
fixed. Some effort is made to accumulate entropy more quickly at
boot time.
A generic interface, "rndsink", is added, for stream generators to
request that they be re-keyed with good quality entropy from the pool
as soon as it is available.
The arc4random()/arc4randbytes() implementation in libkern is
adjusted to use the rndsink interface for rekeying, which helps
address the problem of low-quality keys at boot time.
An implementation of the FIPS 140-2 statistical tests for random
number generator quality is provided (libkern/rngtest.c). This
is based on Greg Rose's implementation from Qualcomm.
A new random stream generator, nist_ctr_drbg, is provided. It is
based on an implementation of the NIST SP800-90 CTR_DRBG by
Henric Jungheim. This generator uses AES in a modified counter
mode to generate a backtracking-resistant random stream.
An abstraction layer, "cprng", is provided for in-kernel consumers
of randomness. The arc4random/arc4randbytes API is deprecated for
in-kernel use. It is replaced by "cprng_strong". The current
cprng_fast implementation wraps the existing arc4random
implementation. The current cprng_strong implementation wraps the
new CTR_DRBG implementation. Both interfaces are rekeyed from
the entropy pool automatically at intervals justifiable from best
current cryptographic practice.
In some quick tests, cprng_fast() is about the same speed as
the old arc4randbytes(), and cprng_strong() is about 20% faster
than rnd_extract_data(). Performance is expected to improve.
The AES code in src/crypto/rijndael is no longer an optional
kernel component, as it is required by cprng_strong, which is
not an optional kernel component.
The entropy pool output is subjected to the rngtest tests at
startup time; if it fails, the system will reboot. There is
approximately a 3/10000 chance of a false positive from these
tests. Entropy pool _input_ from hardware random numbers is
subjected to the rngtest tests at attach time, as well as the
FIPS continuous-output test, to detect bad or stuck hardware
RNGs; if any are detected, they are detached, but the system
continues to run.
A problem with rndctl(8) is fixed -- data structures with
pointers in arrays are no longer passed to userspace (this
was not a security problem, but rather a major issue for
compat32). A new kernel will require a new rndctl.
The sysctl kern.arandom() and kern.urandom() nodes are hooked
up to the new generators, but the /dev/*random pseudodevices
are not, yet.
Manual pages for the new kernel interfaces are forthcoming.
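As an added stand-alone illustration of the FIPS 140-2 statistical tests this commit message refers to (the monobit, poker, runs and long-run tests run over a 20000-bit sample), here is a small C program. It is not NetBSD's libkern/rngtest.c and not Greg Rose's code; the acceptance intervals are written down from memory of FIPS 140-2 with Change Notice 1 and are an assumption to verify against the standard, the splitmix64 generator is a constructed stand-in for a random source (not a CSPRNG), and the 0x00 and 0x55 fill patterns are constructed inputs that model a stuck or oscillating hardware RNG, the kind of failure the attach-time test described above is meant to catch.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define FIPS_BITS  20000                /* one FIPS 140-2 sample */
#define FIPS_BYTES (FIPS_BITS / 8)      /* 2500 bytes */

struct fips_result {
    int    ones;          /* monobit: number of 1 bits in the sample */
    double poker;         /* poker: chi-square-like statistic over 4-bit nibbles */
    int    runs[2][6];    /* runs: [bit value][run length 1..5, index 5 = 6 or longer] */
    int    longest_run;   /* long run: longest run of identical bits */
    bool   monobit_ok, poker_ok, runs_ok, longrun_ok, all_ok;
};

/* Acceptance intervals as recalled from FIPS 140-2 Change Notice 1 (assumption: verify). */
static const int runs_lo[6] = { 2315, 1114, 527, 240, 103, 103 };
static const int runs_hi[6] = { 2685, 1386, 723, 384, 209, 209 };

static void record_run(struct fips_result *r, int bit, int len)
{
    r->runs[bit][len > 6 ? 5 : len - 1]++;
    if (len > r->longest_run) r->longest_run = len;
}

/* Run the monobit, poker, runs and long-run tests over one 20000-bit sample. */
void fips_run(const uint8_t buf[FIPS_BYTES], struct fips_result *r)
{
    int64_t nibble_freq[16] = { 0 }, sumsq = 0;
    int prev = -1, runlen = 0;

    memset(r, 0, sizeof *r);
    for (int i = 0; i < FIPS_BITS; i++) {
        int bit = (buf[i / 8] >> (7 - i % 8)) & 1;
        r->ones += bit;
        if (bit == prev) {
            runlen++;
        } else {
            if (prev >= 0)
                record_run(r, prev, runlen);
            prev = bit; runlen = 1;
        }
    }
    record_run(r, prev, runlen);               /* flush the final run */
    for (int i = 0; i < FIPS_BYTES; i++) {
        nibble_freq[buf[i] >> 4]++;
        nibble_freq[buf[i] & 0x0f]++;
    }
    for (int i = 0; i < 16; i++)
        sumsq += nibble_freq[i] * nibble_freq[i];
    r->poker = (16.0 * (double)sumsq) / 5000.0 - 5000.0;

    r->monobit_ok = r->ones > 9725 && r->ones < 10275;
    r->poker_ok   = r->poker > 2.16 && r->poker < 46.17;
    r->runs_ok    = true;
    for (int b = 0; b < 2; b++)
        for (int k = 0; k < 6; k++)
            if (r->runs[b][k] < runs_lo[k] || r->runs[b][k] > runs_hi[k])
                r->runs_ok = false;
    r->longrun_ok = r->longest_run < 26;
    r->all_ok = r->monobit_ok && r->poker_ok && r->runs_ok && r->longrun_ok;
}

/* Results for a sample made of one repeated byte; models a stuck hardware RNG. */
struct fips_result fips_fill_result(uint8_t fill)
{
    uint8_t buf[FIPS_BYTES];
    struct fips_result r;
    memset(buf, fill, sizeof buf);
    fips_run(buf, &r);
    return r;
}

/* splitmix64: a deterministic stand-in for a random source (constructed, not a CSPRNG). */
static uint64_t splitmix64(uint64_t *state)
{
    uint64_t z = (*state += 0x9e3779b97f4a7c15ULL);
    z = (z ^ (z >> 30)) * 0xbf58476d1ce4e5b9ULL;
    z = (z ^ (z >> 27)) * 0x94d049bb133111ebULL;
    return z ^ (z >> 31);
}

int main(void)
{
    uint8_t buf[FIPS_BYTES];
    uint64_t st = 0x4e6574425344ULL;           /* constructed seed */
    struct fips_result r[3];

    for (int i = 0; i < FIPS_BYTES; i += 8) {  /* 2500 is not a multiple of 8 */
        uint64_t v = splitmix64(&st);
        memcpy(buf + i, &v, FIPS_BYTES - i < 8 ? FIPS_BYTES - i : 8);
    }
    fips_run(buf, &r[0]);
    r[1] = fips_fill_result(0x00);             /* stuck at zero: fails every test */
    r[2] = fips_fill_result(0x55);             /* alternating bits: passes monobit only */
    for (int i = 0; i < 3; i++)
        printf("sample %d: ones=%d poker=%.2f longest_run=%d -> %s\n", i, r[i].ones,
               r[i].poker, r[i].longest_run, r[i].all_ok ? "PASS" : "FAIL");
    return 0;
}
```

The point of the two fill patterns is that a stuck source is caught by all four tests, while a source that merely balances ones and zeros still fails the poker and runs tests; the monobit test alone would not detect it. A good generator passes all four with the roughly 3/10000 false-positive rate quoted above, which is why the commit message treats an attach-time failure as grounds for detaching a hardware RNG rather than for panicking.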
Rename __libc_init to _libc_init and call it explicitly from CSU code.
This enforces the constructor run order for newly linked programs.
Keep it as constructor with run-once semantic for binary compatibility.
Implement dl_iterate_phdr for statically linked programs.
This material is based upon work partially supported by
The NetBSD Foundation under a contract with Joerg Sonnenberger.
static executables (such as newer versions of /sbin/ldconfig)
require this to work properly. Since static executables
also don't have a PT_PHDR entry, use the same heuristic as
Linux does to provide a value for AT_PHDR in this case.
if size 0 and starting after the text segments, if no data segment was
found. Unbreaks sbrk on platforms where all loaded segments are
executable (PR 43817). The cast of executable segments after data
segments is left out for now.
binaries by default with separate sections for executable, writeable
data and constants. Use the same heuristic as FreeBSD to match up the
text and data segment assumptions.
respect the alignment in the ELF phdr.
Also, for correctness, use the maximum alignment of the PT_LOAD
sections rather than just the first one found.
Also, use more meaningful types.
consistently across the code.
- Re-do note parsing code to read the section headers instead of the program
headers because the new binutils merge all the note sections in one program
header. This fixes all the pax note parsing which has been broken for all
binaries built with the new binutils.
- Add diagnostics to the note parsing code to detect malformed binaries.
- Allocate and free note scratch space only once, not once per note.
than 0. This is still not the intent of PIE, but it allows them to
run with VA 0 disabled.
(The PAX_ASLR stuff which should deal with this needs work.)
into modules. By and large this commit:
- shuffles header files and ifdefs
- splits code out where necessary to be modular
- adds module glue for each of the components
- adds/replaces hooks for things that can be installed at runtime
specific probe function did not specify it. It picks the same address
as mmap() does for a non-fixed map at address 0. See also the comment
around a similar line of code in vm/vm_mmap.c.
it's text or data; use the entry point instead (this solves some trouble
with ELF executables with strange permissions)
* Incorporate some fixes from r_friedl@informatik.uni-kl.de sent to
netbsd-bugs a while ago