src/usr.sbin/binmiscctl/binmiscctl.c, branch stable/12 FreeBSD source tree MFC imgact_binmisc housecleaning: r367361, r367439, r367441-r367442, 2020-11-14T01:28:04+00:00 Kyle Evans kevans@FreeBSD.org 2020-11-14T01:28:04+00:00 bb80a0a8f8fe8e16b38bb939e6ca0e6933610892 r367444, r367452, r367456, r367477 r367361: imgact_binmisc: fix up some minor nits - Removed a bunch of redundant headers - Don't explicitly initialize to 0 - The !error check prior to setting imgp->interpreter_name is redundant, all error paths should and do return or go to 'done'. We have larger problems otherwise. r367439: imgact_binmisc: minor re-organization of imgact_binmisc_exec exits Notably, streamline error paths through the existing 'done' label, making it easier to quickly verify correct cleanup. Future work might add a kernel-only flag to indicate that a interpreter uses #a. Currently, all executions via imgact_binmisc pay the penalty of constructing sname/fname, even if they will not use it. qemu-user-static doesn't need it, the stock rc script for qemu-user-static certainly doesn't use it, and I suspect these are the vast majority of (if not the only) current users. r367441: binmiscctl(8): miscellaneous cleanup - Bad whitespace in Makefile. - Reordered headers, sys/ first. - Annotated fatal/usage __dead2 to help `make analyze` out a little bit. - Spell a couple of sizeof constructs as "nitems" and "howmany" instead. r367442: imgact_binmisc: validate flags coming from userland We may want to reserve bits in the future for kernel-only use, so start rejecting any that aren't the two that we're currently expecting from userland. r367444: imgact_binmisc: abstract away the list lock (NFC) This module handles relatively few execs (initial qemu-user-static, then qemu-user-static handles exec'ing itself for binaries it's already running), but all execs pay the price of at least taking the relatively expensive sx/slock to check for a match when this module is loaded. Future work will almost certainly swap this out for another lock, perhaps an rmslock. The RLOCK/WLOCK phrasing was chosen based on what the callers are really wanting, rather than using the verbiage typically appropriate for an sx. r367452: imgact_binmisc: reorder members of struct imgact_binmisc_entry (NFC) This doesn't change anything at the moment since the out-of-order elements were a pair of uint32_t, but future additions may have caused unnecessary padding by following the existing precedent. r367456: imgact_binmisc: move some calculations out of the exec path The offset we need to account for in the interpreter string comes in two variants: 1. Fixed - macros other than #a that will not vary from invocation to invocation 2. Variable - #a, which is substitued with the argv0 that we're replacing Note that we don't have a mechanism to modify an existing entry. By recording both of these offset requirements when the interpreter is added, we can avoid some unnecessary calculations in the exec path. Most importantly, we can know up-front whether we need to grab calculate/grab the the filename for this interpreter. We also get to avoid walking the string a first time looking for macros. For most invocations, it's a swift exit as they won't have any, but there's no point entering a loop and searching for the macro indicator if we already know there will not be one. While we're here, go ahead and only calculate the argv0 name length once per invocation. While it's unlikely that we'll have more than one #a, there's no reason to recalculate it every time we encounter an #a when it will not change. I have not bothered trying to benchmark this at all, because it's arguably a minor and straightforward/obvious improvement. r367477: imgact_binmisc: limit the extent of match on incoming entries imgact_binmisc matches magic/mask from imgp->image_header, which is only a single page in size mapped from the first page of an image. One can specify an interpreter that matches on, e.g., --offset 4096 --size 256 to read up to 256 bytes past the mapped first page. The limitation is that we cannot specify a magic string that exceeds a single page, and we can't allow offset + size to exceed a single page either. A static assert has been added in case someone finds it useful to try and expand the size, but it does seem a little unlikely. While this looks kind of exploitable at a sideways squinty-glance, there are a couple of mitigating factors: 1.) imgact_binmisc is not enabled by default, 2.) entries may only be added by the superuser, 3.) trying to exploit this information to read what's mapped past the end would be worse than a root canal or some other relatably painful experience, and 4.) there's no way one could pull this off without it being completely obvious. The first page is mapped out of an sf_buf, the implementation of which (or lack thereof) depends on your platform. 
r367444, r367452, r367456, r367477

r367361:
imgact_binmisc: fix up some minor nits

- Removed a bunch of redundant headers
- Don't explicitly initialize to 0
- The !error check prior to setting imgp->interpreter_name is redundant, all
  error paths should and do return or go to 'done'. We have larger problems
  otherwise.

r367439:
imgact_binmisc: minor re-organization of imgact_binmisc_exec exits

Notably, streamline error paths through the existing 'done' label, making it
easier to quickly verify correct cleanup.

Future work might add a kernel-only flag to indicate that a interpreter uses
#a. Currently, all executions via imgact_binmisc pay the penalty of
constructing sname/fname, even if they will not use it. qemu-user-static
doesn't need it, the stock rc script for qemu-user-static certainly doesn't
use it, and I suspect these are the vast majority of (if not the only)
current users.

r367441:
binmiscctl(8): miscellaneous cleanup

- Bad whitespace in Makefile.
- Reordered headers, sys/ first.
- Annotated fatal/usage __dead2 to help `make analyze` out a little bit.
- Spell a couple of sizeof constructs as "nitems" and "howmany" instead.

r367442:
imgact_binmisc: validate flags coming from userland

We may want to reserve bits in the future for kernel-only use, so start
rejecting any that aren't the two that we're currently expecting from
userland.

r367444:
imgact_binmisc: abstract away the list lock (NFC)

This module handles relatively few execs (initial qemu-user-static, then
qemu-user-static handles exec'ing itself for binaries it's already running),
but all execs pay the price of at least taking the relatively expensive
sx/slock to check for a match when this module is loaded. Future work will
almost certainly swap this out for another lock, perhaps an rmslock.

The RLOCK/WLOCK phrasing was chosen based on what the callers are really
wanting, rather than using the verbiage typically appropriate for an sx.

r367452:
imgact_binmisc: reorder members of struct imgact_binmisc_entry (NFC)

This doesn't change anything at the moment since the out-of-order elements
were a pair of uint32_t, but future additions may have caused unnecessary
padding by following the existing precedent.

r367456:
imgact_binmisc: move some calculations out of the exec path

The offset we need to account for in the interpreter string comes in two
variants:

1. Fixed - macros other than #a that will not vary from invocation to
   invocation
2. Variable - #a, which is substitued with the argv0 that we're replacing

Note that we don't have a mechanism to modify an existing entry.  By
recording both of these offset requirements when the interpreter is added,
we can avoid some unnecessary calculations in the exec path.

Most importantly, we can know up-front whether we need to grab
calculate/grab the the filename for this interpreter. We also get to avoid
walking the string a first time looking for macros. For most invocations,
it's a swift exit as they won't have any, but there's no point entering a
loop and searching for the macro indicator if we already know there will not
be one.

While we're here, go ahead and only calculate the argv0 name length once per
invocation. While it's unlikely that we'll have more than one #a, there's no
reason to recalculate it every time we encounter an #a when it will not
change.

I have not bothered trying to benchmark this at all, because it's arguably a
minor and straightforward/obvious improvement.

r367477:
imgact_binmisc: limit the extent of match on incoming entries

imgact_binmisc matches magic/mask from imgp->image_header, which is only a
single page in size mapped from the first page of an image. One can specify
an interpreter that matches on, e.g., --offset 4096 --size 256 to read up to
256 bytes past the mapped first page.

The limitation is that we cannot specify a magic string that exceeds a
single page, and we can't allow offset + size to exceed a single page
either.  A static assert has been added in case someone finds it useful to
try and expand the size, but it does seem a little unlikely.

While this looks kind of exploitable at a sideways squinty-glance, there are
a couple of mitigating factors:

1.) imgact_binmisc is not enabled by default,
2.) entries may only be added by the superuser,
3.) trying to exploit this information to read what's mapped past the end
  would be worse than a root canal or some other relatably painful
  experience, and
4.) there's no way one could pull this off without it being completely
  obvious.

The first page is mapped out of an sf_buf, the implementation of which (or
lack thereof) depends on your platform.
Don't leak resources on duplicate -m or -M arguments. Last one wins. 2017-12-28T05:32:59+00:00 Warner Losh imp@FreeBSD.org 2017-12-28T05:32:59+00:00 829ec266171e70063f2e406fea4b2f10d0206c5f CID: 1204385, 1204384 
CID: 1204385, 1204384
binmiscctl should use modfind instead of kldfind 2017-07-28T18:11:53+00:00 Sean Bruno sbruno@FreeBSD.org 2017-07-28T18:11:53+00:00 4b5e2f8ea05ad1f9f8510cff54e3b08e925263fa kldfind() only matches kernel modules, so if you link imgact_binmisc directly into the kernel, binmiscctl can't find it, tries to load it, and errors out with: Can't load imgact_binmisc kernel module: File exists A quick search of other base commands shows that the correct procedure is to call modfind(), and then try kldload() if that fails. PR: 218593 Submitted by: Dan Nelson <dnelson_1901@yahoo.com> MFC after: 1 week 
kldfind() only matches kernel modules, so if you link imgact_binmisc directly
into the kernel, binmiscctl can't find it, tries to load it, and errors
out with:
  Can't load imgact_binmisc kernel module: File exists

A quick search of other base commands shows that the correct procedure is to
call modfind(), and then try kldload() if that fails.

PR:		218593
Submitted by:	Dan Nelson <dnelson_1901@yahoo.com>
MFC after:	1 week
Another attempt at resolving CID 1305629. The test of cmd == -1 2016-05-13T17:48:04+00:00 Don Lewis truckman@FreeBSD.org 2016-05-13T17:48:04+00:00 fe579263e00c69c5d1a6f731992ef5a3f666862f may make Coverity think that other negative values of cmd (used as an index) are possible. Testing < 0 is a more common idiom in any case. Reported by: Coverity CID: 1305629 
may make Coverity think that other negative values of cmd (used
as an index) are possible.  Testing < 0 is a more common idiom
in any case.

Reported by:	Coverity
CID:		1305629
Revert r299584: 2016-05-13T05:39:29+00:00 Don Lewis truckman@FreeBSD.org 2016-05-13T05:39:29+00:00 aa60f7a6debd8c6ad0e2de51146173f63fa1f477 Mark usage() as __dead2 so that Coverity doesn't think that execution continues after the call and uses a negative array subscript. Requested by: bde 
  Mark usage() as __dead2 so that Coverity doesn't think that execution
  continues after the call and uses a negative array subscript.

Requested by:	bde
Mark usage() as __dead2 so that Coverity doesn't think that execution 2016-05-13T01:14:38+00:00 Don Lewis truckman@FreeBSD.org 2016-05-13T01:14:38+00:00 e402dde82ddac39d7327d701b059f16f3860d8f3 continues after the call and uses a negative array subscript. Reported by: Coverity CID: 1305629 
continues after the call and uses a negative array subscript.

Reported by:	Coverity
CID:		1305629
If no arguments are passed to a subcommand that requires arguments, 2015-02-15T23:58:57+00:00 Sean Bruno sbruno@FreeBSD.org 2015-02-15T23:58:57+00:00 b8fc9a86a80cf4920455867c6bfd8a8c6e487ebf error out before we deref a null pointer in the check for max length. Thanks to otis in IRC for the bug report. MFC after: 3 days 
error out before we deref a null pointer in the check for max length.

Thanks to otis in IRC for the bug report.

MFC after:	3 days
Check for invalid length or more than max length for the interpreter, instead 2015-01-28T20:22:48+00:00 Sean Bruno sbruno@FreeBSD.org 2015-01-28T20:22:48+00:00 a142c8613050cb09e3bb5130cd0ce26a2a5c0276 of the validity of the string pointer holding the interpreter. Submitted by: sson Reviewed by: dim MFC after: 3 days 
of the validity of the string pointer holding the interpreter.

Submitted by:	sson
Reviewed by:	dim
MFC after:	3 days
Add Stacey Son's binary activation patches that allow remapping of 2014-04-08T20:10:22+00:00 Sean Bruno sbruno@FreeBSD.org 2014-04-08T20:10:22+00:00 6d756449811138014276ca829c8ce12659ff00ff execution to a emumation program via parsing of ELF header information. With this kernel module and userland tool, poudriere is able to build ports packages via the QEMU userland tools (or another emulator program) in a different architecture chroot, e.g. TARGET=mips TARGET_ARCH=mips I'm not connecting this to GENERIC for obvious reasons, but this should allow the kernel module to be built by default and enable the building of the userland tool (which automatically loads the kernel module). Submitted by: sson@ Reviewed by: jhb@ 
execution to a emumation program via parsing of ELF header information.

With this kernel module and userland tool, poudriere is able to build
ports packages via the QEMU userland tools (or another emulator program)
in a different architecture chroot, e.g. TARGET=mips TARGET_ARCH=mips

I'm not connecting this to GENERIC for obvious reasons, but this should
allow the kernel module to be built by default and enable the building
of the userland tool (which automatically loads the kernel module).

Submitted by:	sson@
Reviewed by:	jhb@