New accounting flag ABTCFI to indicate signal SIGILL + code ILL_BTCFI

has occurred in the process.
ok various people

diff --git a/share/man/man5/acct.5 b/share/man/man5/acct.5
index 378676e..82ea470 100644 (file)
--- a/share/man/man5/acct.5
+++ b/share/man/man5/acct.5
@@ -1,4 +1,4 @@
-.\"    $OpenBSD: acct.5,v 1.26 2022/02/22 17:22:29 deraadt Exp $
+.\"    $OpenBSD: acct.5,v 1.27 2024/02/25 00:07:14 deraadt Exp $
 .\"    $NetBSD: acct.5,v 1.4 1995/10/22 01:40:10 ghudson Exp $
 .\"
 .\" Copyright (c) 1991, 1993
@@ -30,7 +30,7 @@
 .\"
 .\"     @(#)acct.5     8.1 (Berkeley) 6/5/93
 .\"
-.Dd $Mdocdate: February 22 2022 $
+.Dd $Mdocdate: February 25 2024 $
 .Dt ACCT 5
 .Os
 .Sh NAME
@@ -69,14 +69,16 @@ struct acct {
        dev_t     ac_tty;       /* controlling tty, or -1 */
        pid_t     ac_pid;       /* process id */
 
-#define        AFORK   0x01            /* fork'd but not exec'd */
-#define        AMAP    0x04            /* system call or stack mapping violation */
-#define        ACORE   0x08            /* dumped core */
-#define        AXSIG   0x10            /* killed by a signal */
-#define        APLEDGE 0x20            /* killed due to pledge violation */
-#define        ATRAP   0x40            /* memory access violation */
-#define        AUNVEIL 0x80            /* unveil access violation */
        u_int32_t ac_flag;      /* accounting flags */
+#define        AFORK   0x00000001      /* fork'd but not exec'd */
+#define        AMAP    0x00000004      /* killed by syscall or stack mapping violation */
+#define        ACORE   0x00000008      /* dumped core */
+#define        AXSIG   0x00000010      /* killed by a signal */
+#define        APLEDGE 0x00000020      /* killed due to pledge violation */
+#define        ATRAP   0x00000040      /* memory access violation */
+#define        AUNVEIL 0x00000080      /* unveil access violation */
+#define APINSYS 0x00000200      /* killed by syscall pin violation */
+#define ABTCFI  0x00000400      /* BT CFI violation */
 };
 
 /*
@@ -125,6 +127,18 @@ The process attempted a file access that was prevented by
 .Xr unveil 2
 restrictions.
 Note that this does not cause the process to terminate.
+.It Dv APINSYS
+The command tried to execute a system call from the wrong
+system call instruction, see
+.Xr pinsyscalls 2 .
+.It Dv ABTCFI
+The command executed an indirect branch to a location that did not
+start with a
+.Ql BTI
+instruction, and terminated with signal
+.Dv SIGILL ,
+.Va code
+.Dv ILL_BTCFI .
 .El
 .Sh SEE ALSO
 .Xr lastcomm 1 ,

diff --git a/sys/kern/kern_sig.c b/sys/kern/kern_sig.c
index f20b516..ebdc602 100644 (file)
--- a/sys/kern/kern_sig.c
+++ b/sys/kern/kern_sig.c
@@ -1,4 +1,4 @@
-/*     $OpenBSD: kern_sig.c,v 1.321 2024/01/17 22:22:25 kurt Exp $     */
+/*     $OpenBSD: kern_sig.c,v 1.322 2024/02/25 00:07:13 deraadt Exp $  */
 /*     $NetBSD: kern_sig.c,v 1.54 1996/04/22 01:38:32 christos Exp $   */
 
 /*
@@ -799,6 +799,11 @@ trapsignal(struct proc *p, int signum, u_long trapno, int code,
 
        switch (signum) {
        case SIGILL:
+               if (code == ILL_BTCFI) {
+                       pr->ps_acflag |= ABTCFI;
+                       break;
+               }
+               /* FALLTHROUGH */
        case SIGBUS:
        case SIGSEGV:
                pr->ps_acflag |= ATRAP;

diff --git a/sys/sys/acct.h b/sys/sys/acct.h
index dba7b5e..35f311a 100644 (file)
--- a/sys/sys/acct.h
+++ b/sys/sys/acct.h
@@ -1,4 +1,4 @@
-/*     $OpenBSD: acct.h,v 1.15 2024/01/20 12:16:55 deraadt Exp $       */
+/*     $OpenBSD: acct.h,v 1.16 2024/02/25 00:07:13 deraadt Exp $       */
 /*     $NetBSD: acct.h,v 1.16 1995/03/26 20:23:52 jtc Exp $    */
 
 /*-
@@ -59,15 +59,16 @@ struct acct {
        dev_t     ac_tty;               /* controlling tty, or -1 */
        pid_t     ac_pid;               /* process id */
 
-#define        AFORK   0x00000001              /* fork'd but not exec'd */
-#define        AMAP    0x00000004              /* system call or stack mapping violation */
-#define        ACORE   0x00000008              /* dumped core */
-#define        AXSIG   0x00000010              /* killed by a signal */
-#define        APLEDGE 0x00000020              /* killed due to pledge violation */
-#define        ATRAP   0x00000040              /* memory access violation */
-#define        AUNVEIL 0x00000080              /* unveil access violation */
-#define        APINSYS 0x00000200              /* syscall pin violation */
        u_int32_t ac_flag;              /* accounting flags */
+#define        AFORK   0x00000001      /* fork'd but not exec'd */
+#define        AMAP    0x00000004      /* killed by syscall or stack mapping violation */
+#define        ACORE   0x00000008      /* dumped core */
+#define        AXSIG   0x00000010      /* killed by a signal */
+#define        APLEDGE 0x00000020      /* killed due to pledge violation */
+#define        ATRAP   0x00000040      /* memory access violation */
+#define        AUNVEIL 0x00000080      /* unveil access violation */
+#define        APINSYS 0x00000200      /* killed by syscall pin violation */
+#define        ABTCFI  0x00000400      /* BT CFI violation */
 };
 
 /*

diff --git a/usr.bin/lastcomm/lastcomm.1 b/usr.bin/lastcomm/lastcomm.1
index af94230..e26b438 100644 (file)
--- a/usr.bin/lastcomm/lastcomm.1
+++ b/usr.bin/lastcomm/lastcomm.1
@@ -1,4 +1,4 @@
-.\"    $OpenBSD: lastcomm.1,v 1.27 2024/01/19 14:25:03 deraadt Exp $
+.\"    $OpenBSD: lastcomm.1,v 1.28 2024/02/25 00:07:13 deraadt Exp $
 .\"    $NetBSD: lastcomm.1,v 1.5 1995/10/22 01:43:41 ghudson Exp $
 .\"
 .\" Copyright (c) 1980, 1990, 1993
@@ -30,7 +30,7 @@
 .\"
 .\"    @(#)lastcomm.1  8.1 (Berkeley) 6/6/93
 .\"
-.Dd $Mdocdate: January 19 2024 $
+.Dd $Mdocdate: February 25 2024 $
 .Dt LASTCOMM 1
 .Os
 .Sh NAME
@@ -101,6 +101,14 @@ Elapsed time of the process.
 The flags are encoded as follows:
 .Pp
 .Bl -tag -width 6n -compact -offset indent
+.It Li B
+The command executed an indirect branch to a location that did not
+start with a
+.Ql BTI
+instruction, and terminated with signal
+.Dv SIGILL ,
+.Va code
+.Dv ILL_BTCFI .
 .It Li D
 The command terminated with the generation of a
 .Pa core

diff --git a/usr.bin/lastcomm/lastcomm.c b/usr.bin/lastcomm/lastcomm.c
index 9614da0..7c8f839 100644 (file)
--- a/usr.bin/lastcomm/lastcomm.c
+++ b/usr.bin/lastcomm/lastcomm.c
@@ -1,4 +1,4 @@
-/*     $OpenBSD: lastcomm.c,v 1.35 2024/01/19 14:25:03 deraadt Exp $   */
+/*     $OpenBSD: lastcomm.c,v 1.36 2024/02/25 00:07:13 deraadt Exp $   */
 /*     $NetBSD: lastcomm.c,v 1.9 1995/10/22 01:43:42 ghudson Exp $     */
 
 /*
@@ -178,6 +178,7 @@ flagbits(int f)
        BIT(ATRAP, 'T');
        BIT(AUNVEIL, 'U');
        BIT(APINSYS, 'S');
+       BIT(ABTCFI, 'B');
        *p = '\0';
        return (flags);
 }