mirror of https://github.com/openbsd/src.git synced 2026-06-19 07:43:34 +02:00

Inform about system call memory write protection and stack mapping

violations in system accounting.  This will help to find misbehaving
programs and possible attacks.  The flags bit field is full, so
recycle the PDP-11 compatibility on VAX.  lastcomm(1) prints the
AMAP flag as 'M'.  daily(8) prints a list of affected processes.
OK deraadt@
bluhm
2019-09-09 20:02:26 +00:00
parent d5982ef3bb
commit dd06cfbcff
6 changed files with 17 additions and 15 deletions
+2 -2
@@ -1,5 +1,5 @@
#
# $OpenBSD: daily,v 1.92 2019/07/25 13:13:53 bluhm Exp $
# $OpenBSD: daily,v 1.93 2019/09/09 20:02:26 bluhm Exp $
# From: @(#)daily 8.2 (Berkeley) 1/25/94
#
# For local additions, create the file /etc/daily.local.
@@ -74,7 +74,7 @@ if [ -f /var/account/acct ]; then
mv -f /var/account/acct.0 /var/account/acct.1
cp -f /var/account/acct /var/account/acct.0
sa -sq
lastcomm -f /var/account/acct.0 | grep -e ' -[A-Z]*[PTU]'
lastcomm -f /var/account/acct.0 | grep -e ' -[A-Z]*[MPTU]'
fi
# If ROOTBACKUP is set to 1 in the environment, and
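Review bot: The flag set in `grep -e ' -[A-Z]*[MPTU]'` duplicates letters that are defined in lastcomm's flagbits(), and nothing in the script says so. A later flag change has to be made in both places, or the daily report silently stops listing the affected processes. A comment above the pipeline would help, for example `# M, P, T, U are lastcomm(1) flag letters; keep in sync with flagbits() in lastcomm.c`. Because the match runs on lastcomm's text output, it is also worth confirming that a command name cannot itself contain a matching ` -X` sequence, which would add spurious lines to the report. The enclosing `if` starts outside the hunk.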
+3 -3
@@ -1,4 +1,4 @@
.\" $OpenBSD: acct.5,v 1.19 2019/07/30 05:41:21 jmc Exp $
.\" $OpenBSD: acct.5,v 1.20 2019/09/09 20:02:26 bluhm Exp $
.\" $NetBSD: acct.5,v 1.4 1995/10/22 01:40:10 ghudson Exp $
.\"
.\" Copyright (c) 1991, 1993
@@ -30,7 +30,7 @@
.\"
.\" @(#)acct.5 8.1 (Berkeley) 6/5/93
.\"
.Dd $Mdocdate: July 30 2019 $
.Dd $Mdocdate: September 9 2019 $
.Dt ACCT 5
.Os
.Sh NAME
@@ -69,7 +69,7 @@ struct acct {
#define AFORK 0x01 /* fork'd but not exec'd */
#define ASU 0x02 /* used super-user permissions */
#define ACOMPAT 0x04 /* used compatibility mode */
#define AMAP 0x04 /* system call or stack mapping violation */
#define ACORE 0x08 /* dumped core */
#define AXSIG 0x10 /* killed by a signal */
#define APLEDGE 0x20 /* killed due to pledge violation */
+2 -2
@@ -1,4 +1,4 @@
/* $OpenBSD: acct.h,v 1.8 2019/07/25 09:37:32 bluhm Exp $ */
/* $OpenBSD: acct.h,v 1.9 2019/09/09 20:02:26 bluhm Exp $ */
/* $NetBSD: acct.h,v 1.16 1995/03/26 20:23:52 jtc Exp $ */
/*-
@@ -58,7 +58,7 @@ struct acct {
#define AFORK 0x01 /* fork'd but not exec'd */
#define ASU 0x02 /* used super-user permissions */
#define ACOMPAT 0x04 /* used compatibility mode */
#define AMAP 0x04 /* system call or stack mapping violation */
#define ACORE 0x08 /* dumped core */
#define AXSIG 0x10 /* killed by a signal */
#define APLEDGE 0x20 /* killed due to pledge violation */
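Review bot: Reusing the value 0x04 for AMAP on the `#define AMAP` line means that an accounting record written before this change with the old ACOMPAT bit set will be reported as a mapping violation by any reader built from this header. The commit message says the bit was only used for PDP-11 compatibility on VAX, so this is presumably harmless in practice. The comment should still record the history, for example `#define AMAP 0x04 /* system call or stack mapping violation; was ACOMPAT */`. The same define is repeated in the acct.5 section, and the flag list continues outside the hunk.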
+3 -1
@@ -1,4 +1,4 @@
/* $OpenBSD: uvm_map.c,v 1.246 2019/06/14 05:52:43 deraadt Exp $ */
/* $OpenBSD: uvm_map.c,v 1.247 2019/09/09 20:02:26 bluhm Exp $ */
/* $NetBSD: uvm_map.c,v 1.86 2000/11/27 08:40:03 chs Exp $ */
/*
@@ -86,6 +86,7 @@
#include <sys/param.h>
#include <sys/systm.h>
#include <sys/acct.h>
#include <sys/mman.h>
#include <sys/proc.h>
#include <sys/malloc.h>
@@ -1872,6 +1873,7 @@ uvm_map_inentry(struct proc *p, struct p_inentry *ie, vaddr_t addr,
if (!ok) {
printf(fmt, p->p_p->ps_comm, p->p_p->ps_pid, p->p_tid,
addr, ie->ie_start, ie->ie_end);
p->p_p->ps_acflag |= AMAP;
sv.sival_ptr = (void *)PROC_PC(p);
trapsignal(p, SIGSEGV, 0, SEGV_ACCERR, sv);
}
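Review bot: The added `p->p_p->ps_acflag |= AMAP;` is a plain read-modify-write on a per-process field, done from a thread context (the printf above it prints `p->p_tid`). Two threads of one process setting different accounting bits at the same time could lose one of them unless a lock serialises this path, which the hunk does not show. If no such lock is held, an atomic set-bits helper such as `atomic_setbits_int(&p->p_p->ps_acflag, AMAP);` would be safer, provided the field's type permits it. A one-line comment such as `/* record the violation for lastcomm(1) 'M' and daily(8) */` would also explain why the VM code touches accounting state. uvm_map_inentry() begins and ends outside the hunk.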
+5 -5
@@ -1,4 +1,4 @@
.\" $OpenBSD: lastcomm.1,v 1.23 2019/08/11 15:48:08 deraadt Exp $
.\" $OpenBSD: lastcomm.1,v 1.24 2019/09/09 20:02:26 bluhm Exp $
.\" $NetBSD: lastcomm.1,v 1.5 1995/10/22 01:43:41 ghudson Exp $
.\"
.\" Copyright (c) 1980, 1990, 1993
@@ -30,7 +30,7 @@
.\"
.\" @(#)lastcomm.1 8.1 (Berkeley) 6/6/93
.\"
.Dd $Mdocdate: August 11 2019 $
.Dd $Mdocdate: September 9 2019 $
.Dt LASTCOMM 1
.Os
.Sh NAME
@@ -101,9 +101,6 @@ Elapsed time of the process.
The flags are encoded as follows:
.Pp
.Bl -tag -width 6n -compact -offset indent
.It Li C
The command was run in PDP-11 compatibility mode
(VAX only).
.It Li D
The command terminated with the generation of a
.Pa core
@@ -112,6 +109,9 @@ file.
The command ran after
a fork, but without a following
.Xr execve 2 .
.It Li M
The command did a system call from writable memory or the stack
pointer was not in stack memory.
.It Li P
The command was terminated due to a
.Xr pledge 2
+2 -2
@@ -1,4 +1,4 @@
/* $OpenBSD: lastcomm.c,v 1.28 2019/07/25 13:13:53 bluhm Exp $ */
/* $OpenBSD: lastcomm.c,v 1.29 2019/09/09 20:02:27 bluhm Exp $ */
/* $NetBSD: lastcomm.c,v 1.9 1995/10/22 01:43:42 ghudson Exp $ */
/*
@@ -169,7 +169,7 @@ flagbits(int f)
p = flags + 1;
BIT(AFORK, 'F');
BIT(ACOMPAT, 'C');
BIT(AMAP, 'M');
BIT(ACORE, 'D');
BIT(AXSIG, 'X');
BIT(APLEDGE, 'P');