45319 Commits

Author SHA1 Message Date
Pawel Dziepak
8614737f71 elf: restore correct region protection after relocation 2013-04-16 03:44:38 +02:00
Pawel Dziepak
9f3bd49737 runtime_loader: explicitly randomize rld_heap and _rld_debug_ positions 2013-04-16 02:44:47 +02:00
Pawel Dziepak
db1ca60528 runtime_loader: randomize position of runtime_loader
* make runtime_loader a dynamically linked object
* add kernel support for loading user images that need to be relocated
* load runtime_loader at random address
2013-04-16 02:29:05 +02:00
Pawel Dziepak
cf35dcc5bc vm: make aslr use more secure PRNG 2013-04-11 17:16:49 +02:00
Pawel Dziepak
d0a8e6ef2b vm: remove unused static function log2() 2013-04-11 12:32:32 +02:00
Pawel Dziepak
87d1bdb87c util: add secure pseudorandom number generator 2013-04-11 12:31:58 +02:00
Pawel Dziepak
69042ecd1b util: style fixes 2013-04-11 12:15:47 +02:00
Pawel Dziepak
d9fa99bb60 scheduler: let schedulers use kernel utils for random numbers 2013-04-11 04:37:23 +02:00
Pawel Dziepak
b56330de8e nfs4: let nfs4 use kernel utils for random numbers 2013-04-11 04:35:11 +02:00
Pawel Dziepak
5c455f803f vm: let aslr use kernel utils for random numbers 2013-04-11 04:35:11 +02:00
Pawel Dziepak
6003243ef3 util: introduce kernel utils for pseudorandom number generation
Currently there are two generators. The fast one is the same one the scheduler
is using. The standard one is the same algorithm libroot's rand() uses. Should
there be a need for a more cryptographically secure PRNG, MD4 or MD5 might be
good candidates.
2013-04-11 04:34:59 +02:00
Pawel Dziepak
feae2b5a00 vm: force userland to use B_RANDOMIZED_* address specifications 2013-04-09 23:25:19 +02:00
Pawel Dziepak
bf65fc1dfe vm: remove B_RANDOMIZED_IMAGE_ADDRESS address specification
This address specification is actually not needed since PIC images can be
located anywhere. Only their size is restricted, but that is the compiler's and
linker's concern. Thanks to Alex Smith for pointing that out.
2013-04-09 22:09:13 +02:00
Pawel Dziepak
d57105534b vm: several improvements to VMUserAddressSpace::_InsertAreaSlot implementation
* B_BASE_ADDRESS honors requested alignment
* end of range is honored
* B_BASE_ADDRESS reuses B_ANY_ADDRESS code
2013-04-08 23:56:10 +02:00
Pawel Dziepak
a8f8d2c057 x86_64: put user stack and team data at top of user address space 2013-04-04 20:54:56 +02:00
Pawel Dziepak
4cafc0acab runtime_loader: use long type for region delta 2013-04-04 20:54:13 +02:00
Pawel Dziepak
65ed4fa908 vm: implement B_RANDOMIZED_IMAGE_ADDRESS address specification
On some 64 bit architectures program and library images have to be mapped in
the lower 2 GB of the address space (due to instruction pointer relative
addressing). The address specification B_RANDOMIZED_IMAGE_ADDRESS ensures that
the created area satisfies that requirement.
2013-04-04 20:54:02 +02:00
Pawel Dziepak
f697412ff8 vm: place commpage and team data near the top of user address space
Placing the commpage and team user data somewhere at the top of the user-accessible
virtual address space prevents these areas from conflicting with ELF images
that need to be mapped at an exact address (in most cases: runtime_loader).
2013-04-04 15:27:24 +02:00
Pawel Dziepak
ffbf0328d2 debug: update debug kit to correctly recognize commpage 2013-04-04 15:27:23 +02:00
Pawel Dziepak
e85e399fd7 commpage: randomize position of commpage
This patch introduces randomization of the commpage position. From now on the
commpage table contains offsets from the beginning of the commpage to the
particular commpage entry. Similarly, addresses of symbols in the ELF memory
image "commpage" are just offsets from the beginning of the commpage.

This patch also updates KDL so that commpage entries are recognized and shown
correctly in stack trace. An update of Debugger is yet to be done.
2013-04-04 15:27:22 +02:00
Pawel Dziepak
966f207668 x86: enable data execution prevention
Set execute disable bit for any page that belongs to area with neither
B_EXECUTE_AREA nor B_KERNEL_EXECUTE_AREA set.

In order to take advantage of the NX bit in 32 bit protected mode, PAE must be
enabled. Thus, from now on it is also enabled when the CPU supports the NX bit.

vm_page_fault() takes an additional argument which indicates whether the page
fault was caused by an illegal instruction fetch.
2013-04-04 15:22:23 +02:00
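The rule the commit above describes (NX on every page whose area has neither execute flag, plus the new instruction-fetch information passed to the page fault handler) can be exercised in isolation. The following is an added example, not Haiku's code: the AREA_* flags are this example's own stand-ins for the B_*_AREA constants, while the page table entry bits and the #PF error code bits are the architectural x86 values.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Area protection flags: this example's own values standing in for Haiku's
   B_*_AREA constants, whose numeric values are not assumed here. */
#define AREA_READ            0x01
#define AREA_WRITE           0x02
#define AREA_EXECUTE         0x04   /* plays the role of B_EXECUTE_AREA */
#define AREA_KERNEL_EXECUTE  0x08   /* plays the role of B_KERNEL_EXECUTE_AREA */

/* Architectural x86 page table entry bits in the 64-bit (PAE / long mode)
   format. Bit 63 (XD/NX) does not exist in the 32-bit non-PAE format, which
   is why the commit turns PAE on whenever the CPU supports NX. */
#define PTE_PRESENT   (1ULL << 0)
#define PTE_WRITABLE  (1ULL << 1)
#define PTE_USER      (1ULL << 2)
#define PTE_NX        (1ULL << 63)
#define PTE_ADDR_MASK 0x000FFFFFFFFFF000ULL

/* Build a PTE for a page of an area with the given protection: NX is set
   unless the area carries one of the execute flags. */
uint64_t build_pte(uint64_t phys, uint32_t area_prot, bool user, bool nx_supported)
{
    uint64_t pte = (phys & PTE_ADDR_MASK) | PTE_PRESENT;
    if (user)
        pte |= PTE_USER;
    if (area_prot & AREA_WRITE)
        pte |= PTE_WRITABLE;
    bool executable = (area_prot & (AREA_EXECUTE | AREA_KERNEL_EXECUTE)) != 0;
    if (nx_supported && !executable)
        pte |= PTE_NX;
    return pte;
}

/* Architectural #PF error code bits. Bit 4 is set only for instruction
   fetches and only once NX is enabled; it is the "illegal instruction fetch"
   information the commit threads into vm_page_fault(). */
struct fault_info { bool present, write, user, instruction_fetch; };

struct fault_info decode_page_fault(uint32_t error_code)
{
    struct fault_info f;
    f.present = (error_code & 0x01) != 0;
    f.write = (error_code & 0x02) != 0;
    f.user = (error_code & 0x04) != 0;
    f.instruction_fetch = (error_code & 0x10) != 0;
    return f;
}

/* A DEP violation is an instruction fetch from a present page whose PTE has
   NX set; such a fault must not be "fixed up" by mapping the page in. */
bool is_dep_violation(uint64_t pte, uint32_t error_code)
{
    struct fault_info f = decode_page_fault(error_code);
    return f.instruction_fetch && f.present && (pte & PTE_NX) != 0;
}

int main(void)
{
    uint64_t stack_pte = build_pte(0x12345000ULL, AREA_READ | AREA_WRITE, true, true);
    uint64_t text_pte = build_pte(0x00400000ULL, AREA_READ | AREA_EXECUTE, true, true);
    /* 0x15: present, user mode, instruction fetch (constructed error code). */
    printf("fetch from stack page: %s\n",
        is_dep_violation(stack_pte, 0x15) ? "DEP violation" : "allowed");
    printf("fetch from text page:  %s\n",
        is_dep_violation(text_pte, 0x15) ? "DEP violation" : "allowed");
    return 0;
}
```

The check that matters is the one in build_pte: a page inherits executability only from its area's flags, so a writable data or stack area never gets an executable mapping, and the fault handler can tell a fetch from a read or write by error code bit 4 alone.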
Pawel Dziepak
211f71325a x86: move x86_userspace_thread_exit() from user stack to commpage
x86_userspace_thread_exit() is a stub originally placed at the bottom of
each thread's user stack that ensures any thread invokes exit_thread() upon
returning from its main higher level function.

Putting anything that is expected to be executed on a stack causes problems
when implementing data execution prevention. The code of x86_userspace_thread_exit()
is now moved to the commpage, which seems to be a much more appropriate place for it.
2013-04-04 15:16:27 +02:00
Pawel Dziepak
537d84a07c libroot: randomize position of areas created by mmap()
When mmap() is invoked without specifying an address hint, B_RANDOMIZED_ANY_ADDRESS
is used.
Otherwise, unless the MAP_FIXED flag is set (which requires mmap() to return an area
positioned exactly at the given address), B_RANDOMIZED_BASE_ADDRESS is used.
2013-04-04 15:16:26 +02:00
Pawel Dziepak
02cceebe40 team: randomize position of team user data
When forking a process, the team user data area is not cloned but a new one is
created instead. However, the new one has to be at exactly the same address
as the parent's team user data area. When a process is exec'd, the team user
data area may be recreated at a random position.

This patch also makes sure that instances of struct user_thread in team user
data are each in a separate cache line in order to prevent false sharing, since
these data are very likely to be accessed simultaneously from threads executing
on different CPUs. This change however reduces the number of threads a process
can create. It is fixed by reserving 512kB of address space in case the team user
data area needs to grow.
2013-04-04 15:16:25 +02:00
Pawel Dziepak
0cf91fc14f runtime_loader: randomize position of relocatable images
Use B_RANDOMIZED_BASE for creating areas for relocatable segments.
2013-04-04 15:16:24 +02:00
Pawel Dziepak
31eb9b8261 malloc: randomize heap position
Use B_RANDOMIZE_BASE_ADDRESS for the initial heap creation as well as for resizing
it when keeping it contiguous is no longer possible.
2013-04-04 15:16:23 +02:00
Pawel Dziepak
17c189899a thread: randomize user stack position
Use B_RANDOMIZE_BASE_ADDRESS for creating both the main and other threads' user
stacks.
2013-04-04 15:16:22 +02:00
Pawel Dziepak
b3e4c67739 vm: implement B_RANDOMIZED_ANY_ADDRESS address specification
Randomized equivalent of B_ANY_ADDRESS. When free space is found (as in
B_ANY_ADDRESS) the base address is then randomized using _RandomizeAddress,
pretty much like it is done in B_RANDOMIZED_BASE_ADDRESS.
2013-04-04 15:16:21 +02:00
Pawel Dziepak
f9bab525f6 vm: implement B_RANDOMIZED_BASE_ADDRESS address specification
B_RAND_BASE_ADDRESS is basically B_BASE_ADDRESS with a non-deterministic base
address for the created area.

The initial start address is randomized and then the algorithm looks for a large
enough free space in the interval [randomized start, end]. If it fails, then
the search is repeated in the interval [original start, randomized start]. In
case it also fails, the algorithm falls back to B_ANY_ADDRESS
(B_RANDOMIZED_ANY_ADDRESS when it is implemented) just like B_BASE_ADDRESS does.

Randomization range is limited by kMaxRandomize and kMaxInitialRandomize.
2013-04-04 15:16:21 +02:00
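The two placement strategies from commits b3e4c67739 (B_RANDOMIZED_ANY_ADDRESS) and f9bab525f6 (B_RANDOMIZED_BASE_ADDRESS) above can be modelled together on a toy address space. The following is an added example and not Haiku's VMUserAddressSpace code: the address space is a sorted array of reserved ranges, the random source is injected so results are reproducible, and the kMaxInitialRandomize / kMaxRandomize limits are given assumed values (256 MB and 64 MB). The search order is the one the commit message states: randomized start to end, then original start to randomized start, then the randomized any-address search as the fallback.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

typedef uint64_t addr_t;
#define PAGE_SIZE 4096ULL
#define ALIGN_UP(x, a) (((x) + ((a) - 1)) & ~((a) - 1))
/* Named after the commit's kMaxInitialRandomize / kMaxRandomize; the values
   are this example's assumptions, not Haiku's. */
#define MAX_INITIAL_RANDOMIZE (256ULL * 1024 * 1024)
#define MAX_RANDOMIZE         (64ULL * 1024 * 1024)

struct area { addr_t base, size; };   /* reserved range [base, base + size) */
struct address_space {                /* toy space: sorted, non-overlapping areas */
    addr_t start, end;                /* usable range [start, end) */
    struct area areas[16];
    size_t count;
};
typedef uint64_t (*rng_fn)(void* ctx);   /* injected random source */

/* Lowest free gap that can hold `size` bytes with base >= from and end <= to.
   Returns the whole gap [*base, *gap_end) so the caller may randomize inside it. */
static bool find_free_gap(const struct address_space* as, addr_t from, addr_t to,
    addr_t size, addr_t* base, addr_t* gap_end)
{
    addr_t candidate = ALIGN_UP(from, PAGE_SIZE), limit = to;
    for (size_t i = 0; i < as->count; i++) {
        const struct area* a = &as->areas[i];
        if (a->base + a->size <= candidate)
            continue;                              /* entirely below candidate */
        if (candidate + size <= a->base) {         /* gap before this area fits */
            limit = a->base;
            break;
        }
        candidate = ALIGN_UP(a->base + a->size, PAGE_SIZE);   /* skip past it */
    }
    if (limit > to)
        limit = to;
    if (candidate + size > limit)
        return false;
    *base = candidate;
    *gap_end = limit;
    return true;
}

/* Page-aligned start in [start, end - size], at most max_random above start. */
static addr_t randomize_address(addr_t start, addr_t end, addr_t size,
    addr_t max_random, rng_fn rng, void* ctx)
{
    addr_t room = end - start - size;
    if (room > max_random)
        room = max_random;
    return start + (rng(ctx) % (room / PAGE_SIZE + 1)) * PAGE_SIZE;
}

/* B_RANDOMIZED_ANY_ADDRESS analogue: locate free space as B_ANY_ADDRESS
   would, then randomize the base within that gap. */
bool insert_randomized_any(const struct address_space* as, addr_t size,
    rng_fn rng, void* ctx, addr_t* out)
{
    addr_t base, gap_end;
    if (size == 0 || !find_free_gap(as, as->start, as->end, size, &base, &gap_end))
        return false;
    *out = randomize_address(base, gap_end, size, MAX_RANDOMIZE, rng, ctx);
    return true;
}

/* B_RANDOMIZED_BASE_ADDRESS analogue: randomize the start, search
   [randomized start, end), then [original start, randomized start),
   and finally fall back to the randomized any-address search. */
bool insert_randomized_base(const struct address_space* as, addr_t start,
    addr_t size, rng_fn rng, void* ctx, addr_t* out)
{
    addr_t gap_end;
    if (size == 0 || start < as->start || size > as->end - start)
        return false;
    addr_t rstart = randomize_address(start, as->end, size, MAX_INITIAL_RANDOMIZE, rng, ctx);
    if (find_free_gap(as, rstart, as->end, size, out, &gap_end))
        return true;
    if (find_free_gap(as, start, rstart, size, out, &gap_end))
        return true;
    return insert_randomized_any(as, size, rng, ctx, out);
}

/* Fixed random source so placements are reproducible; a kernel would draw
   from its secure generator instead. */
static uint64_t constant_rng(void* ctx) { return *(uint64_t*)ctx; }

/* One-shot helper: a space with a single reserved area and one placement with
   a chosen random value; returns 0 when no room was found. */
addr_t pick_base(addr_t s_start, addr_t s_end, addr_t a_base, addr_t a_size,
    addr_t start, addr_t size, uint64_t random_value)
{
    struct address_space as = { .start = s_start, .end = s_end, .count = 1 };
    as.areas[0] = (struct area){ .base = a_base, .size = a_size };
    addr_t out = 0;
    return insert_randomized_base(&as, start, size, constant_rng, &random_value, &out) ? out : 0;
}

int main(void)
{
    uint64_t draws[] = { 0, 1234, 40000, 65536 };   /* constructed random draws */
    for (size_t i = 0; i < 4; i++)   /* 1 GB space, 16 MB area at 0x30000000 */
        printf("draw %5llu -> base 0x%llx\n", (unsigned long long)draws[i],
            (unsigned long long)pick_base(0x10000000ULL, 0x50000000ULL, 0x30000000ULL,
                0x01000000ULL, 0x10000000ULL, 0x100000ULL, draws[i]));
    return 0;
}
```

Two properties worth checking against any real implementation: the randomized start must never push a placement past the end of the usable range (randomize_address subtracts the requested size before bounding the draw), and the fallback must not silently become deterministic, which is why the third step randomizes inside the gap it finds rather than returning the lowest fit.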
Pawel Dziepak
3b4269ecf5 arch: randomize initial user stack pointer
In-page randomization of the initial user stack pointer is not only a part
of the ASLR implementation but also a performance improvement that helps
eliminate aligned 64 kB data accesses.

The minimal user stack size is increased to 8 kB in order to ensure that regardless
of the initial stack pointer value there is still enough space on the stack.
2013-04-04 15:16:20 +02:00
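The in-page stack pointer randomization and the 8 kB minimum it requires can be written out as a small pair of functions. This is an added example, not the arch code the commit above changes: it assumes a 16-byte stack alignment (the x86-64 SysV ABI requirement) and 4 kB pages, chooses the pointer among the aligned slots of the top stack page, and rejects any stack too small to guarantee usable space below the lowest possible start.

```c
#include <stdint.h>
#include <stdio.h>

typedef uint64_t addr_t;
#define PAGE_SIZE      4096ULL
#define STACK_ALIGN    16ULL          /* x86-64 SysV ABI stack alignment */
#define MIN_STACK_SIZE (8ULL * 1024)  /* the minimum the commit raises the stack to */

/* Pick the initial stack pointer somewhere in the top page of the stack area
   [base, base + size): one of PAGE_SIZE / STACK_ALIGN aligned slots, selected
   by `random`. Returns 0 for a stack that is smaller than MIN_STACK_SIZE or
   not page sized, since then the lowest draw could leave too little room. */
addr_t randomize_initial_sp(addr_t stack_base, addr_t stack_size, uint64_t random)
{
    if (stack_size < MIN_STACK_SIZE || stack_size % PAGE_SIZE != 0)
        return 0;
    addr_t slots = PAGE_SIZE / STACK_ALIGN;              /* 256 positions */
    addr_t offset = (random % slots + 1) * STACK_ALIGN;  /* 16 .. 4096 bytes below top */
    return stack_base + stack_size - offset;
}

/* Bytes between the chosen pointer and the bottom of the area, or 0 if the
   stack was rejected. The worst case is stack_size - PAGE_SIZE, which the
   8 kB minimum keeps at 4 kB or more. */
addr_t usable_stack(addr_t stack_base, addr_t stack_size, uint64_t random)
{
    addr_t sp = randomize_initial_sp(stack_base, stack_size, random);
    return sp ? sp - stack_base : 0;
}

int main(void)
{
    uint64_t draws[] = { 0, 97, 255, 1000 };   /* constructed random draws */
    for (size_t i = 0; i < 4; i++)
        printf("draw %4llu -> sp 0x%llx (%llu bytes usable)\n",
            (unsigned long long)draws[i],
            (unsigned long long)randomize_initial_sp(0x7FFFF0000000ULL, 256 * 1024, draws[i]),
            (unsigned long long)usable_stack(0x7FFFF0000000ULL, 256 * 1024, draws[i]));
    return 0;
}
```

Only the low 12 bits of the pointer vary, which is exactly what spreads concurrently used stacks across different cache set indices and what an attacker guessing a stack address must now account for on top of the page-granular area randomization.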
Ingo Weinhold
a37c845e52 FS interface API doc: More details for unmount() hrev45438 2013-04-04 12:00:08 +02:00
Axel Dörfler
4f96ace6d5 app_server: detach client allocator on quit.
* This prevents sending out notification to applications that are already
  gone, and should thus fix #9116 according to John.
hrev45437
2013-04-02 23:38:43 +02:00
Michael Lotz
a9abcc37cd Rework initial auto joining and add big TODOs.
* If we have a configured network, then we always try to connect to it
  as soon as the interface has been brought up.
* If we don't have a configured network and are auto configuring, we
  use the AutoconfigLooper to also do initial auto joins.
* Before issuing auto joins we need to wait for scan results to come
  in, so we watch for corresponding messages.

For now auto joining is a one shot attempt as the infrastructure to
properly tell reasons for scans apart is not yet there.
hrev45436
2013-04-02 04:59:44 +02:00
Michael Lotz
e484cc5098 Store the active flag if there is an initial link.
This ensures that we don't spuriously re-detect a link if we have a
race between starting to watch for link state changes and detecting the
initial link.
2013-04-02 03:16:06 +02:00
Michael Lotz
274b8be6c4 Don't try to auto-configure network interfaces with no link.
We already start watching for link state changes, so as soon as a link
is established the configuration will be triggered.
2013-04-02 02:57:14 +02:00
Michael Lotz
1b3dd41a35 Never join a network if not explicitly configured.
The scanning still occurs so that the network list is populated. But if
no SSID has been explicitly configured, we now always set the
IEEE80211_SCAN_NOJOIN flag that prevents automatically joining open
networks at the end of the scan.
hrev45435
2013-04-02 02:33:21 +02:00
Michael Lotz
6e77a76ef9 Use the SSID supplied in the MLME request not the desired SSID.
The wpa_supplicant (rightfully) supplies the SSID with this request.
However, with the code that is in place it gets ignored and the desired
SSID, as set by IEEE80211_IOC_SSID is used instead. This still works if
the wpa_supplicant is the only client in use and IEEE80211_IOC_SSID
is never used, as then the mlme.im_macaddr is used as the only
identifying element. If we used IEEE80211_IOC_SSID before though, for
example because we joined an open network from the net_server directly,
there will always be a mismatch between the desired SSID and the one
the wpa_supplicant tries to associate with using this MLME request.
No association is then possible. As there is no obvious reason why the
request supplied SSID shouldn't be used, we simply do so.
hrev45434
2013-04-02 01:18:09 +02:00
Michael Lotz
50944289c6 Use the wpa_supplicant to join open networks if it is running.
We need to make sure that the wpa_supplicant knows about our intention
even when joining an open network, as it otherwise might interfere.
Since leaving a network is not synchronous and the wpa_supplicant is
already running in that case anyway, this seems easier and more
reliable.

If the wpa_supplicant is not already running we still join ourselves.
2013-04-02 01:18:07 +02:00
Michael Lotz
0ef15eb6b9 Rename _ConfigureInterfaces() to *FromSettings().
This makes it more obvious what the function does.
2013-04-02 01:18:04 +02:00
Michael Lotz
2ac5770dc7 Don't automatically join a network if we already have a link.
The _ConfigureInterface() method is used as a backend for all
configuration tasks. That includes setting addresses manually or by
DHCP and changing flags, mtu or metric. Therefore we can't join
networks every time it is invoked. Instead we check for an existing
link first and only try to join if there is none yet.
2013-04-02 01:18:01 +02:00
Michael Lotz
8163a8e0ef Use a BMessenger to check for wpa_supplicant availability.
* Only launch it on join requests if it isn't yet valid anyway.
* Don't do any work on leave requests if it isn't running at all.
2013-04-02 01:17:58 +02:00
Michael Lotz
4e66f871e5 Launch the keystore_server on demand from BKeyStore.
This allows leaving the keystore_server closed as long as it isn't
used and still avoids having to launch it manually.
2013-04-02 01:15:29 +02:00
Michael Lotz
6de478363e Add BMessenger::SetTo() to reinitialize a BMessenger.
This allows reusing BMessenger objects for different targets, or rechecking
validity after initial creation. With that one can use the same
BMessenger after launching an application that was previously not found
valid, for example.
2013-03-31 20:16:04 +02:00
Michael Lotz
32057ce922 If a keyring is empty, store a no data flag instead of failing.
Any fully empty keyring (no keys and no applications) would fail to add
the empty flat buffer and thus prevent the whole keystore database from
being stored. This could easily happen when you used separate keyrings
but the master keyring was left unused for example.

Adding a flag that tells that there is no data allows us to distinguish
between a case where the stored data is missing due to a problem versus
an actually empty buffer.
hrev45433
2013-03-31 18:30:39 +02:00
Michael Lotz
fa21184f24 Implement leaving networks on the net_server side.
We always try to reach the wpa_supplicant first. If it isn't running,
we check if this might have been a network we've connected to directly
and then just disassociate using an MLME disassociation request.
hrev45432
2013-03-31 03:22:21 +02:00
Michael Lotz
93c2c2aa6b Update wpa_supplicant to version 2.0 and bring in improvements.
* Updated to version 2.0 of vendor code.
* Reliability improvements in controlling the underlying devices.
* Implement leaving networks.
* Better timeout handling.
* Usability enhancements like cancel on escape, ok button being the
  default and the password field having focus on start.
* Storing of the password using BKeyStore.
hrev45431
2013-03-31 03:01:08 +02:00
Michael Lotz
f848907875 Implement storing persistent network configurations.
The API to add persistent networks was added back in r42807 and
r42816 but storing them was still missing.
hrev45430
2013-03-31 00:43:32 +01:00
Michael Lotz
a3a541eebd Make a copy of the network config message and store that one.
Using the original message and storing that into the settings resulted
in a not yet fully understood deadlock. Presumably related to missing
and/or stray replies.
hrev45429
2013-03-30 20:17:39 +01:00
Niels Sascha Reedijk
4e4c94e314 Update translations from Pootle hrev45428 2013-03-30 06:26:39 +01:00
Rene Gollent
88e692e89f Ignore calls whose purpose is to calculate the GOT address.
- Fixes several false positives where we'd show a return value for the
  current function.
hrev45427
2013-03-29 22:33:51 -04:00