stack_guard hardening bsdinstall option in STABLE and 11.1
Hello list,

the stack_guard hardening option in bsdinstall is now setting 512 pages of it in CURRENT, as of r320674. It's said to MFC after 1 day (on Jul 5th), but STABLE hasn't got it yet.

Is this simply an omission (understandable as the RELEASE is being prepared so things are a bit hectic I guess), or is there another reason?

Can we assume that in 11.1 the sysctl is integer and can we safely set >1 number of pages, say 512 like the installer in CURRENT suggests?

Thanks!

-- Vlad K.
___
freebsd-stable@freebsd.org mailing list
https://lists.freebsd.org/mailman/listinfo/freebsd-stable
To unsubscribe, send any mail to "freebsd-stable-unsubscr...@freebsd.org"
Re: stack_guard hardening bsdinstall option in STABLE and 11.1
On 2017-07-17 15:33, Glen Barber wrote:

> No, this is not available in the 11.1 installer.
>
> Glen

Thanks but that's why I asked why's that. r320674 said MFC after 1 day. Is it too late for 11.1-RELEASE, so it'll be applied to 11-STABLE, or is there another reason?

If it's too late, does that mean it's too late for the installer, but the new stack_guard code is there in STABLE and I am guessing will be part of 11.1, so we can assume the sysctl to be an integer (as opposed to enable/disable semantics of the sysctl in 11.0)?

In other words, is it safe to ramp up the gap size in 11.1?

-- Vlad K.
Re: stack_guard hardening bsdinstall option in STABLE and 11.1
On 2017-07-17 16:11, Glen Barber wrote:

> kib gave feedback on this in an earlier reply (which I missed before replying myself).

Neither of which answered my questions, I'm sorry. My question was not about stack sizes in 32 or 64 bit installations, nor about the quality of the fix (if I parse the rm libthr comment correctly).

I simply asked if it's safe to assume the sysctl to be an integer in 11.1 (I'm guessing yes looking at the commits to STABLE, but wanted to be sure), and I also asked why wasn't the bsdinstall-er option change MFC'd after 1 day, two weeks ago, whether it's by omission, simply ENOTIME, or something else...

-- Vlad K.
Re: stack_guard hardening bsdinstall option in STABLE and 11.1
On 2017-07-18 00:09, Mark Millard wrote:

> (Although I expect Konstantin Belousov's note here is the first public description of the problem's details.)

Thanks for explaining the problem. I guess this was the reason why I failed to parse kib's reply, this was the first bit of info I encountered on that patch being effectively "broken" that way.

> I agree that you did not get an answer for the other part:
>
>> I simply asked if it's safe to assume the sysctl to be an integer in 11.1
>
> I've not gone through any draft 11.1-release code to check.

It appears to be, the code is MFC'd with (if I'm correct) r320666. I've run some tests in -RC3 and indeed it works, though probably for the reason you explained above (guard page eating into the stack), raising the stack_guard_pages sufficiently high (e.g. 512 pages like the bsdinstaller in CURRENT defaults to) crashes threaded programs.

If that is so, though, I wonder why it's not reverted, or at least the sysctl temporarily patched to remain boolean (or turned off completely). And the bsdinstaller option in CURRENT now essentially enables buggy and unstable behavior. If this is a known issue, why default to it in CURRENT?

Anyway thanks for taking time to explain, this answers my questions.

-- Vlad K.