From: deraadt Date: Tue, 12 Dec 2023 15:44:00 +0000 (+0000) Subject: To avoid kbind(2) becoming a powerful gadget, it is called inline to a X-Git-Url: http://artulab.com/gitweb/?a=commitdiff_plain;h=876ab33d5561c46eca0c22f9b5e53b79431b81c6;p=openbsd To avoid kbind(2) becoming a powerful gadget, it is called inline to a function. Therefore we cannot create a precise pinsyscall label. Instead create a duplicate entry (using inline asm) to force the kernel's pinsyscall code to skip validation, rather than labelling it illegal. kbind(2) remains safe because it self-protects by checking its calling address. ok kettenis --- diff --git a/libexec/ld.so/loader.c b/libexec/ld.so/loader.c index 52e7b03e945..016bfa33633 100644 --- a/libexec/ld.so/loader.c +++ b/libexec/ld.so/loader.c @@ -1,4 +1,4 @@ -/* $OpenBSD: loader.c,v 1.214 2023/08/15 06:26:34 guenther Exp $ */ +/* $OpenBSD: loader.c,v 1.215 2023/12/12 15:44:00 deraadt Exp $ */ /* * Copyright (c) 1998 Per Fogelstrom, Opsycon AB @@ -466,6 +466,29 @@ _dl_self_relro(long loff) (((X) & PF_W) ? PROT_WRITE : 0) | \ (((X) & PF_X) ? PROT_EXEC : 0)) +/* + * To avoid kbind(2) becoming a powerful gadget, it is called inline to a + * function. Therefore we cannot create a precise pinsyscall label. Instead + * create a duplicate entry to force the kernel's pinsyscall code to skip + * validation, rather than labelling it illegal. kbind(2) remains safe + * because it self-protects by checking its calling address. + */ +#define __STRINGIFY(x) #x +#define STRINGIFY(x) __STRINGIFY(x) +#ifdef __arm__ +__asm__(".pushsection openbsd.syscalls,\"\",%progbits;" + ".p2align 2;" + ".long 0;" + ".long " STRINGIFY(SYS_kbind) ";" + ".popsection"); +#else +__asm__(".pushsection openbsd.syscalls,\"\",@progbits;" + ".long 0;" + ".p2align 2;" + ".long " STRINGIFY(SYS_kbind) ";" + ".popsection"); +#endif + /* * This is the dynamic loader entrypoint. When entering here, depending * on architecture type, the stack and registers are set up according
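Review bot: the two `__asm__` branches in the loader.c hunk place `.p2align 2` differently, and the non-arm ordering looks fragile. In the `__arm__` branch the sequence is `.p2align 2; .long 0; .long SYS_kbind;`, so the alignment pad (if any) lands before the entry. In the `#else` branch it is `.long 0; .p2align 2; .long SYS_kbind;`, so if the `openbsd.syscalls` section cursor happens not to be 4-byte aligned at the `.pushsection`, the padding is emitted between the two words and the (address, syscall) pair the kernel's pinsyscall parser expects is split across a misaligned boundary. Suggest moving `.p2align 2` ahead of the first `.long` in the `#else` branch as well, so both branches emit `.p2align 2; .long 0; .long " STRINGIFY(SYS_kbind) ";` and only the `%progbits`/`@progbits` section-type syntax differs between them. Minor style point in the same hunk: `__STRINGIFY` is a reserved identifier form (leading double underscore); a single helper named without the reserved prefix would avoid any clash with compiler or libc headers.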