From 8788635fa4e541cf4323d99743451cf41e531926 Mon Sep 17 00:00:00 2001 From: bluhm Date: Thu, 8 Jun 2017 17:14:02 +0000 Subject: [PATCH] ASLR, W^X, and guard pages trigger processor traps that result in SIGILL, SIGBUS, SIGSEGV signals. Make such memory violations visible in lastcomm(1). This also works if a programm tries to hide them with a signal handler. Manual kill -SEGV does not generate false positives. OK deraadt@ --- share/man/man5/acct.5 | 6 ++++-- sys/kern/kern_sig.c | 10 +++++++++- sys/sys/acct.h | 3 ++- usr.bin/lastcomm/lastcomm.1 | 11 +++++++---- usr.bin/lastcomm/lastcomm.c | 3 ++- 5 files changed, 24 insertions(+), 9 deletions(-) diff --git a/share/man/man5/acct.5 b/share/man/man5/acct.5 index ec5fb0bff3e..f76943df1bd 100644 --- a/share/man/man5/acct.5 +++ b/share/man/man5/acct.5 @@ -1,4 +1,4 @@ -.\" $OpenBSD: acct.5,v 1.15 2015/09/10 17:55:21 schwarze Exp $ +.\" $OpenBSD: acct.5,v 1.16 2017/06/08 17:14:02 bluhm Exp $ .\" $NetBSD: acct.5,v 1.4 1995/10/22 01:40:10 ghudson Exp $ .\" .\" Copyright (c) 1991, 1993 @@ -30,7 +30,7 @@ .\" .\" @(#)acct.5 8.1 (Berkeley) 6/5/93 .\" -.Dd $Mdocdate: September 10 2015 $ +.Dd $Mdocdate: June 8 2017 $ .Dt ACCT 5 .Os .Sh NAME @@ -72,6 +72,8 @@ struct acct { #define ACOMPAT 0x04 /* used compatibility mode */ #define ACORE 0x08 /* dumped core */ #define AXSIG 0x10 /* killed by a signal */ +#define APLEDGE 0x20 /* killed due to pledge violation */ +#define ATRAP 0x40 /* memory access violation */ u_int8_t ac_flag; /* accounting flags */ }; diff --git a/sys/kern/kern_sig.c b/sys/kern/kern_sig.c index 9d80487026d..067b188b624 100644 --- a/sys/kern/kern_sig.c +++ b/sys/kern/kern_sig.c @@ -1,4 +1,4 @@ -/* $OpenBSD: kern_sig.c,v 1.211 2017/04/20 12:59:36 visa Exp $ */ +/* $OpenBSD: kern_sig.c,v 1.212 2017/06/08 17:14:02 bluhm Exp $ */ /* $NetBSD: kern_sig.c,v 1.54 1996/04/22 01:38:32 christos Exp $ */ /* @@ -759,6 +759,14 @@ trapsignal(struct proc *p, int signum, u_long trapno, int code, struct sigacts *ps = pr->ps_sigacts; int mask; + switch (signum) { + case SIGILL: + case SIGBUS: + case SIGSEGV: + pr->ps_acflag |= ATRAP; + break; + } + mask = sigmask(signum); if ((pr->ps_flags & PS_TRACED) == 0 && (ps->ps_sigcatch & mask) != 0 && diff --git a/sys/sys/acct.h b/sys/sys/acct.h index efcb03e2411..4e17b45c03b 100644 --- a/sys/sys/acct.h +++ b/sys/sys/acct.h @@ -1,4 +1,4 @@ -/* $OpenBSD: acct.h,v 1.6 2017/06/07 20:53:59 bluhm Exp $ */ +/* $OpenBSD: acct.h,v 1.7 2017/06/08 17:14:02 bluhm Exp $ */ /* $NetBSD: acct.h,v 1.16 1995/03/26 20:23:52 jtc Exp $ */ /*- @@ -62,6 +62,7 @@ struct acct { #define ACORE 0x08 /* dumped core */ #define AXSIG 0x10 /* killed by a signal */ #define APLEDGE 0x20 /* killed due to pledge violation */ +#define ATRAP 0x40 /* memory access violation */ u_int8_t ac_flag; /* accounting flags */ }; diff --git a/usr.bin/lastcomm/lastcomm.1 b/usr.bin/lastcomm/lastcomm.1 index 12b0156e648..0fca39005b7 100644 --- a/usr.bin/lastcomm/lastcomm.1 +++ b/usr.bin/lastcomm/lastcomm.1 @@ -1,4 +1,4 @@ -.\" $OpenBSD: lastcomm.1,v 1.17 2017/06/07 20:53:59 bluhm Exp $ +.\" $OpenBSD: lastcomm.1,v 1.18 2017/06/08 17:14:02 bluhm Exp $ .\" $NetBSD: lastcomm.1,v 1.5 1995/10/22 01:43:41 ghudson Exp $ .\" .\" Copyright (c) 1980, 1990, 1993 @@ -30,7 +30,7 @@ .\" .\" @(#)lastcomm.1 8.1 (Berkeley) 6/6/93 .\" -.Dd $Mdocdate: June 7 2017 $ +.Dd $Mdocdate: June 8 2017 $ .Dt LASTCOMM 1 .Os .Sh NAME @@ -114,11 +114,14 @@ indicates the command terminated with the generation of a .Pa core file, .Sq X -indicates the command was terminated with a signal, and +indicates the command was terminated with a signal, .Sq P indicates the command was terminated due to a .Xr pledge 2 -violation. +violation, and +.Sq T +indicates the command did a memory access violation detected by a +processor trap. .Sh FILES .Bl -tag -width /var/account/acct -compact .It Pa /var/account/acct diff --git a/usr.bin/lastcomm/lastcomm.c b/usr.bin/lastcomm/lastcomm.c index 155b270d7b3..5d12ad76a6e 100644 --- a/usr.bin/lastcomm/lastcomm.c +++ b/usr.bin/lastcomm/lastcomm.c @@ -1,4 +1,4 @@ -/* $OpenBSD: lastcomm.c,v 1.25 2017/06/07 20:53:59 bluhm Exp $ */ +/* $OpenBSD: lastcomm.c,v 1.26 2017/06/08 17:14:02 bluhm Exp $ */ /* $NetBSD: lastcomm.c,v 1.9 1995/10/22 01:43:42 ghudson Exp $ */ /* @@ -174,6 +174,7 @@ flagbits(int f) BIT(ACORE, 'D'); BIT(AXSIG, 'X'); BIT(APLEDGE, 'P'); + BIT(ATRAP, 'T'); *p = '\0'; return (flags); } -- 2.20.1