From fd5846a355854dd3cb29e61d5880a68005684f8f Mon Sep 17 00:00:00 2001
From: deraadt
Date: Sun, 25 Feb 2024 00:07:13 +0000
Subject: [PATCH] New accounting flag ABTCFI to indicate signal SIGILL + code ILL_BTCFI has occurred in the process. ok various people
---
 share/man/man5/acct.5 | 32 +++++++++++++++++++++++---------
 sys/kern/kern_sig.c | 7 ++++++-
 sys/sys/acct.h | 19 ++++++++++---------
 usr.bin/lastcomm/lastcomm.1 | 12 ++++++++++--
 usr.bin/lastcomm/lastcomm.c | 3 ++-
 5 files changed, 51 insertions(+), 22 deletions(-)

diff --git a/share/man/man5/acct.5 b/share/man/man5/acct.5
index 378676ed9c7..82ea470b8b9 100644
--- a/share/man/man5/acct.5
+++ b/share/man/man5/acct.5
@@ -1,4 +1,4 @@
-.\" $OpenBSD: acct.5,v 1.26 2022/02/22 17:22:29 deraadt Exp $
+.\" $OpenBSD: acct.5,v 1.27 2024/02/25 00:07:14 deraadt Exp $
 .\" $NetBSD: acct.5,v 1.4 1995/10/22 01:40:10 ghudson Exp $
 .\"
 .\" Copyright (c) 1991, 1993
@@ -30,7 +30,7 @@
 .\"
 .\" @(#)acct.5 8.1 (Berkeley) 6/5/93
 .\"
-.Dd $Mdocdate: February 22 2022 $
+.Dd $Mdocdate: February 25 2024 $
 .Dt ACCT 5
 .Os
 .Sh NAME
@@ -69,14 +69,16 @@ struct acct {
 dev_t ac_tty; /* controlling tty, or -1 */
 pid_t ac_pid; /* process id */
 
-#define AFORK 0x01 /* fork'd but not exec'd */
-#define AMAP 0x04 /* system call or stack mapping violation */
-#define ACORE 0x08 /* dumped core */
-#define AXSIG 0x10 /* killed by a signal */
-#define APLEDGE 0x20 /* killed due to pledge violation */
-#define ATRAP 0x40 /* memory access violation */
-#define AUNVEIL 0x80 /* unveil access violation */
 u_int32_t ac_flag; /* accounting flags */
+#define AFORK 0x00000001 /* fork'd but not exec'd */
+#define AMAP 0x00000004 /* killed by syscall or stack mapping violation */
+#define ACORE 0x00000008 /* dumped core */
+#define AXSIG 0x00000010 /* killed by a signal */
+#define APLEDGE 0x00000020 /* killed due to pledge violation */
+#define ATRAP 0x00000040 /* memory access violation */
+#define AUNVEIL 0x00000080 /* unveil access violation */
+#define APINSYS 0x00000200 /* killed by syscall pin violation */
+#define ABTCFI 0x00000400 /* BT CFI violation */
 };
 
 /*
@@ -125,6 +127,18 @@ The process attempted a file access that was prevented by
 .Xr unveil 2
 restrictions.
 Note that this does not cause the process to terminate.
+.It Dv APINSYS
+The command tried to execute a system call from the wrong
+system call instruction, see
+.Xr pinsyscalls 2 .
+.It Dv ABTCFI
+The command executed an indirect branch to a location that did not
+start with a
+.Ql BTI
+instruction, and terminated with signal
+.Dv SIGILL ,
+.Va code
+.Dv ILL_BTCFI .
 .El
 .Sh SEE ALSO
 .Xr lastcomm 1 ,
diff --git a/sys/kern/kern_sig.c b/sys/kern/kern_sig.c
index f20b516bab0..ebdc6026df7 100644
--- a/sys/kern/kern_sig.c
+++ b/sys/kern/kern_sig.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: kern_sig.c,v 1.321 2024/01/17 22:22:25 kurt Exp $ */
+/* $OpenBSD: kern_sig.c,v 1.322 2024/02/25 00:07:13 deraadt Exp $ */
 /* $NetBSD: kern_sig.c,v 1.54 1996/04/22 01:38:32 christos Exp $ */
 
 /*
@@ -799,6 +799,11 @@ trapsignal(struct proc *p, int signum, u_long trapno, int code,
 
 switch (signum) {
 case SIGILL:
+ if (code == ILL_BTCFI) {
+ pr->ps_acflag |= ABTCFI;
+ break;
+ }
+ /* FALLTHROUGH */
 case SIGBUS:
 case SIGSEGV:
 pr->ps_acflag |= ATRAP;
diff --git a/sys/sys/acct.h b/sys/sys/acct.h
index dba7b5ed61c..35f311a603b 100644
--- a/sys/sys/acct.h
+++ b/sys/sys/acct.h
@@ -1,4 +1,4 @@
-/* $OpenBSD: acct.h,v 1.15 2024/01/20 12:16:55 deraadt Exp $ */
+/* $OpenBSD: acct.h,v 1.16 2024/02/25 00:07:13 deraadt Exp $ */
 /* $NetBSD: acct.h,v 1.16 1995/03/26 20:23:52 jtc Exp $ */
 
 /*-
@@ -59,15 +59,16 @@ struct acct {
 dev_t ac_tty; /* controlling tty, or -1 */
 pid_t ac_pid; /* process id */
 
-#define AFORK 0x00000001 /* fork'd but not exec'd */
-#define AMAP 0x00000004 /* system call or stack mapping violation */
-#define ACORE 0x00000008 /* dumped core */
-#define AXSIG 0x00000010 /* killed by a signal */
-#define APLEDGE 0x00000020 /* killed due to pledge violation */
-#define ATRAP 0x00000040 /* memory access violation */
-#define AUNVEIL 0x00000080 /* unveil access violation */
-#define APINSYS 0x00000200 /* syscall pin violation */
 u_int32_t ac_flag; /* accounting flags */
+#define AFORK 0x00000001 /* fork'd but not exec'd */
+#define AMAP 0x00000004 /* killed by syscall or stack mapping violation */
+#define ACORE 0x00000008 /* dumped core */
+#define AXSIG 0x00000010 /* killed by a signal */
+#define APLEDGE 0x00000020 /* killed due to pledge violation */
+#define ATRAP 0x00000040 /* memory access violation */
+#define AUNVEIL 0x00000080 /* unveil access violation */
+#define APINSYS 0x00000200 /* killed by syscall pin violation */
+#define ABTCFI 0x00000400 /* BT CFI violation */
 };
 
 /*
diff --git a/usr.bin/lastcomm/lastcomm.1 b/usr.bin/lastcomm/lastcomm.1
index af942301f3b..e26b4380de6 100644
--- a/usr.bin/lastcomm/lastcomm.1
+++ b/usr.bin/lastcomm/lastcomm.1
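Review bot: In the `case SIGILL:` arm of trapsignal() in sys/kern/kern_sig.c, the new `break` means a SIGILL with code ILL_BTCFI now sets only ABTCFI and no longer sets ATRAP, which the old fallthrough did. Anything that filters accounting records on ATRAP (the `T` flag in lastcomm) will stop seeing these events, and the code does not say that is intended. A comment above the test would record it, e.g. `/* BTCFI is reported by its own flag; ATRAP is deliberately not set */`. As far as this hunk shows, the flag is set when the trap is delivered, while the manual text added in the same commit says the command terminated with SIGILL; whether a caught signal can still leave the flag set depends on code outside the hunk and is worth confirming. trapsignal() begins and ends outside the hunk.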
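Review bot: In the flag block of struct acct in sys/sys/acct.h, the new `ABTCFI` comment `/* BT CFI violation */` neither says the process was killed nor spells out the mechanism, unlike the reworded `AMAP` and `APINSYS` lines. Something like `/* killed by branch-target CFI violation (SIGILL, ILL_BTCFI) */` would match them; the same text is mirrored in the acct.5 hunk. The bit values also skip 0x00000002 and 0x00000100 without a comment, so a reader cannot tell whether those bits are free or retired. A one-line note on the gaps would keep a future flag from reusing a value that older accounting records may still carry.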
@@ -1,4 +1,4 @@
-.\" $OpenBSD: lastcomm.1,v 1.27 2024/01/19 14:25:03 deraadt Exp $
+.\" $OpenBSD: lastcomm.1,v 1.28 2024/02/25 00:07:13 deraadt Exp $
 .\" $NetBSD: lastcomm.1,v 1.5 1995/10/22 01:43:41 ghudson Exp $
 .\"
 .\" Copyright (c) 1980, 1990, 1993
@@ -30,7 +30,7 @@
 .\"
 .\" @(#)lastcomm.1 8.1 (Berkeley) 6/6/93
 .\"
-.Dd $Mdocdate: January 19 2024 $
+.Dd $Mdocdate: February 25 2024 $
 .Dt LASTCOMM 1
 .Os
 .Sh NAME
@@ -101,6 +101,14 @@ Elapsed time of the process.
 The flags are encoded as follows:
 .Pp
 .Bl -tag -width 6n -compact -offset indent
+.It Li B
+The command executed an indirect branch to a location that did not
+start with a
+.Ql BTI
+instruction, and terminated with signal
+.Dv SIGILL ,
+.Va code
+.Dv ILL_BTCFI .
 .It Li D
 The command terminated with the generation of a
 .Pa core
diff --git a/usr.bin/lastcomm/lastcomm.c b/usr.bin/lastcomm/lastcomm.c
index 9614da0190b..7c8f8391a60 100644
--- a/usr.bin/lastcomm/lastcomm.c
+++ b/usr.bin/lastcomm/lastcomm.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: lastcomm.c,v 1.35 2024/01/19 14:25:03 deraadt Exp $ */
+/* $OpenBSD: lastcomm.c,v 1.36 2024/02/25 00:07:13 deraadt Exp $ */
 /* $NetBSD: lastcomm.c,v 1.9 1995/10/22 01:43:42 ghudson Exp $ */
 
 /*
@@ -178,6 +178,7 @@ flagbits(int f)
 BIT(ATRAP, 'T');
 BIT(AUNVEIL, 'U');
 BIT(APINSYS, 'S');
+ BIT(ABTCFI, 'B');
 *p = '\0';
 return (flags);
 }
-- 
2.20.1
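Review bot: `BIT(ABTCFI, 'B')` in flagbits() adds one more character that can be written through `p` before `*p = '\0'`, and the buffer behind `flags` is declared outside this hunk, so its size cannot be checked from here. It is worth confirming that the buffer still holds one character per `BIT()` line plus the terminating NUL when every flag is set. A comment at the declaration would tie the two together, e.g. `/* must hold one char per BIT() below, plus NUL */`. flagbits() begins outside the hunk.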