Move all non-emulation-specific coredump code into the coredump module,
and remove all #ifdef COREDUMP conditional compilation. Now, the
coredump module is completely separated from the emulation modules, and
they can all be independently loaded and unloaded.

Welcome to 9.99.18 !

The argument length is in bytes; don't use howmany()

branches: 1.141.4; 1.141.8; 1.141.12;
1) On 64bit systems, don't add the 32bit execsw[] to the global exec array.
exec_elf32 works on 32bit systems only, and will crash 32bit binaries on
64bit systems.
2) Now that exec_elf32 is dormant, we can give the native ELF loaders the
highest priority.

Binaries will load faster now (system boot, compilation, etc.).

With the help of njloy@. Discussed a bit on tech-kern@, no disagreement.

whitespace.

branches: 1.139.2;
c99 initializers for struct execsw

exec modules need to be of the exec kind

branches: 1.137.16; 1.137.26; 1.137.30;
Make the emulations, exec formats, coredump, NFS, and the NFS server
into modules. By and large this commit:

- shuffles header files and ifdefs
- splits code out where necessary to be modular
- adds module glue for each of the components
- adds/replaces hooks for things that can be installed at runtime

branches: 1.136.2; 1.136.8;
Replace intptr_t with uintptr_t in few more places.
OK by <matt>.

fix debugging printf

branches: 1.134.2; 1.134.4;
Don't use proc specificdata for the PAX stuff. Speeds up mmap() and others.

branches: 1.133.2;
Remove clause 3 and 4 from TNF licenses

branches: 1.132.6; 1.132.8; 1.132.10;
malloc -> kmem_alloc

- elf_load_file: return ENOEXEC instead of 0 in the case of
e_phnum > MAXPHNUM.
- exec_elf_makecmds: return an interesting error rather than
always using ENOEXEC.
- reject e_phnum==0.

Provide 8 more bits of stack randomization, from the PaX author.

While here, don't make too much use of one random value, and call
arc4random() directly. Allows for the removal of 'ep_random' from the
exec_package.

Prompted by and okay christos@.

PAX_ASLR_DELTA_PROG_LEN -> PAX_ASLR_DELTA_EXEC_LEN, and put it in pax.h.
Export randomized bits # for stack and exec base too via sysctl.

okay christos@.

Add PaX ASLR (Address Space Layout Randomization) [from elad and myself]

For regular (non PIE) executables randomization is enabled for:
1. The data segment
2. The stack

For PIE executables(*) randomization is enabled for:
1. The program itself
2. All shared libraries
3. The data segment
4. The stack

(*) To generate a PIE executable:
- compile everything with -fPIC
- link with -shared-libgcc -Wl,-pie

This feature is experimental, and might change. To use selectively add
options PAX_ASLR=0
in your kernel.

Currently we are using 12 bits for the stack, program, and data segment and
16 or 24 bits for mmap, depending on __LP64__.

branches: 1.127.6;
- add an elf aux vector entry for implementing $ORIGIN.
- the code to convert from a vnode to a path is commented out now until
a better solution is implemented. Only absolute paths work for now
(which is most of the cases).

requested by core

Remove the "struct lwp *" argument from all VFS and VOP interfaces.
The general trend is to remove it from all kernel interfaces and
this is a start. In case the calling lwp is desired, curlwp should
be used.

quick consensus on tech-kern

branches: 1.125.2;
machine/{bus,cpu,intr}.h -> sys/{bus,cpu,intr}.h

branches: 1.124.2; 1.124.8; 1.124.10; 1.124.14;
Use an elf note to handle pax arguments. This is a temporary solution to
avoid wasting OS flag bits. In the future we'll probably use fileassoc to
achieve this (once there is a way to make fileassoc persistent) or in the
shorter term libelf, so that we can add and remove the note on demand instead
of burning bits on each binary. Of course since this is a tool, this means
that we'll need to think about how to handle libelf...

Change the way that emulations locate files within the emulation root to
avoid having to allocate space in the 'stackgap'
- which is very LWP unfriendly.
The additional code for non-emulation namei() is trivial, the reduction for
the emulations is massive.
The vnode for a processes emulation root is saved in the cwdi structure
during process exec.
If the emulation root the TRYEMULROOT flag are set, namei() will do an initial
search for absolute pathnames in the emulation root, if that fails it will
retry from the normal root.
".." at the emulation root will always go to the real root, even in the middle
of paths and when expanding symlinks.
Absolute symlinks found using absolute paths in the emulation root will be
relative to the emulation root (so /usr/lib/xxx.so -> /lib/xxx.so links
inside the emulation root don't need changing).
If the root of the emulation would be returned (for an emulation lookup), then
the real root is returned instead (matching the behaviour of emul_lookup,
but being a cheap comparison here) so that programs that scan "../.."
looking for the root dircetory don't loop forever.
The target for symbolic links is no longer mangled (it used to get the
CHECK_ALT_xxx() treatment, so could get /emul/xxx prepended).
CHECK_ALT_xxx() are no more. Most of the change is deleting them, and adding
TRYEMULROOT to the flags to NDINIT().
A lot of the emulation system call stubs could now be deleted.

branches: 1.122.2; 1.122.4;
netbsd_elf_signature: fix a caddr_t removal botch which
causes "init: not found".

die, caddr_t, die.

branches: 1.120.2; 1.120.4; 1.120.8;
Put back break mistakenly removed in previous commit.

Initial implementation of PaX Segvguard (this is still work-in-progress,
it's just to get it out of my local tree).

Make PaX MPROTECT use specificdata(9), freeing up two P_* flags.
While here, make more generic for upcoming PaX features.

remove some __unused from function parameters.

- sprinkle __unused on function decls.
- fix a couple of unused bugs
- no more -Wno-unused for i386

branches: 1.115.4; 1.115.6;
Use the LWP cached credentials where sane.

don't break lkms; pointed out by hannken@ and he@, thanks!

Introduce PaX MPROTECT -- mprotect(2) restrictions used to strengthen
W^X mappings.

Disabled by default.

First proposed in:

http://mail-index.netbsd.org/tech-security/2005/12/18/0000.html

More information in:

http://pax.grsecurity.net/docs/mprotect.txt

Read relevant parts of options(4) and sysctl(3) before using!

Lots of thanks to the PaX author and Matt Thomas.

integrate kauth.

KNF

Found by coverity issue 887. Check for NULL before using base_ph so
an interpreter that does not have PT_LOAD in the program header doesn't
crash the system.

branches: 1.109.2; 1.109.4; 1.109.6;
for some random places, use PNBUF_GET/PUT rather than
- on-stack buffer
- malloc(MAXPATHLEN)

branches: 1.108.2; 1.108.4; 1.108.6;
merge ktrace-lwp.

branches: 1.107.4;
Add a hack to deal with MIPS relocatable shared-linker problem on
COMPAT_16 and earlier that results in a current shared linker running at
address 0 (and thus allows NULL pointer derefs to work).

As noted by Matthias Drochner, this "fix" just checks the first psection
and not the first loadable psection. This isn't a problem with the
binutils up to now, but might be in the future.

More cosmetic changes.

Make code prettier.

branches: 1.104.2;
- add const.
- remove unnecessary casts.
- add __UNCONST casts and mark them with XXXUNCONST as necessary.

Fix some things regarding COMPAT_NETBSD32 and limits/VM addresses.

* For sparc64 and amd64, define *SIZ32 VM constants.
* Add a new function pointer to struct emul, pointing at a function
that will return the default VM map address. The default function
is uvm_map_defaultaddr, which just uses the VM_DEFAULT_ADDRESS
macro. This gives emulations control over the default map address,
and allows things to be mapped at the right address (in 32bit range)
for COMPAT_NETBSD32.
* Add code to adjust the data and stack limits when a COMPAT_NETBSD32
or COMPAT_SVR4_32 binary is executed.
* Don't use USRSTACK in kern_resource.c, use p_vmspace->vm_minsaddr
instead (emulations might have set it differently)
* Since this changes struct emul, bump kernel version to 3.99.2

Tested on amd64, compile-tested on sparc64.

branches: 1.102.2;
Copyright maintenance.

nuke trailing whitespace

Allow 32K instead of 1K of section headers. Solaris opera binary has 15K
section headers. We only allocate memory for those headers on compat_linux
and compat_ibcs2 while we probe, and although 32K is not such a big number,
we could fix the code in those two places to read section-by-section instead
of all the sections at once as it does now, if we really felt like it.

branches: 1.99.4; 1.99.6;
We emulate more than SVR4, and IBCS2 on the i386 and Linux on the i386
and the Alpha there days. Remove this statement in a comment.

bump the number of allowed sections to 1024; e.g. SuSE 9.1 packaged
Mozilla 1.6 has 726 sections

branches: 1.97.2;
Back out >2 PT_LOAD changes from rev 1.96. They cause older GCC3-compiled
PowerPC binaries to fail. The compiler has since been fixed, but
compatibility with older binaries needs to be maintained.

PR kern/23758.

add support for more than 2 PT_LOAD sections. from OpenBSD.

-fix ELF_INTERP_NON_RELOCATABLE:
-obey ELF_LINK_ADDR in ELF_load_file()
-set ELF_LINK_ADDR in the probe() function if needed
-make ELF_NULL_ADDR the default, so that probe() functions dont need
to set it explicitely
-allocate buffer for interpreter name only if needed

GC: exec_foo_setup_stack; use exec_setup_stack, and provide a way for
emulations to override it.

Make elf{32|64}_check_header public, as it will be used by irix_elf32_probe.
While we are there, cut to 80 chars, and ANSIfy prototypes

branches: 1.92.2;
Back out the lwp/ktrace changes. They contained a lot of colateral damage,
and need to be examined and discussed more.

Pass lwp pointers throughtout the kernel, as required, so that the lwpid can
be inserted into ktrace records. The general change has been to replace
"struct proc *" with "struct lwp *" in various function prototypes, pass
the lwp through and use l_proc to get the process pointer when needed.

Bump the kernel rev up to 1.6V

Limit the number of program headers we accept to avoid resource exhaustion
by a hand-crafted elf binary.

If we are doing TOPDOWN, we want to truncate the address downwards. If not,
we want to round the address upwards. I hope this is the last change.

Make sure that the initial address is aligned correctly. Note that before
this alignment would have been backward into the dataspace covered by
MAXDSIZ. Now the alignment is done forward. XXX It is expected that
in the TOPDOWN case, VM_DEFAULT_ADDRESS will make sure any address it
returns has the proper alignment for that architecure.

When aligned to > PAGE_SIZE boundary, don't map any pages before where the
psection starts. Allocate unused VA space between psections as unreadable.

Remove MAXDSIZ since VM_DEFAULT_ADDRESS adds it. Sigh. It was correct.

Note only trunc_page the psection vaddr, but truncate it accordoring to its
psection alignment. XXX If the psection alignment is greater than the page
alignment, extra pages may be mapped that will never be needed. This is
inefficient and wasteful of swap space and needs to be fixed.

Fix a c&p bug when moving VM_DEFAULT_ADDRESS. (restore MAXDSIZ)

Remove VMCMD_TOPDOWN since it's no longer. Redo my last rework. Move
VM_DEFAULT_ADDRESS from elf*_makecmds to elf*_load_file. In load_file,
actually determine ahead of time how much space will be needed and pass
that to VM_DEFAULT_ADDRESS. Now we have a relatistic starting address
so we can do the loading of psections normally with no extra topdown
code in load_psection. Also, if there is a gap in betweeen psections
zero map an inaccessible region between (just like ld.elf_so does) to
avoid inadvertant mmaps in the gap.

Make elf32 load_file work properly with TOPDOWN by mapping psections in
reverse order. Remove TOPDOWN support from VMCMDs since elf32 does the
right stuff now. With these changes, VAX can now use TOPDOWN.

In topdown mode, subtract the page rounded memory size of the psection,
not the rounded file size. Otherwise if BSS needs more pages beyond
data you'll extend too far.

Introduce "top down" memory management for mmap()ed allocations. This
means that the dynamic linker gets mapped in at the top of available
user virtual memory (typically just below the stack), shared libraries
get mapped downwards from that point, and calls to mmap() that don't
specify a preferred address will get mapped in below those.

This means that the heap and the mmap()ed allocations will grow
towards each other, allowing one or the other to grow larger than
before. Previously, the heap was limited to MAXDSIZ by the placement
of the dynamic linker (and the process's rlimits) and the space
available to mmap was hobbled by this reservation.

This is currently only enabled via an *option* for the i386 platform
(though other platforms are expected to follow). Add "options
USE_TOPDOWN_VM" to your kernel config file, rerun config, and rebuild
your kernel to take advantage of this.

Note that the pmap_prefer() interface has not yet been modified to
play nicely with this, so those platforms require a bit more work
(most notably the sparc) before they can use this new memory
arrangement.

This change also introduces a VM_DEFAULT_ADDRESS() macro that picks
the appropriate default address based on the size of the allocation or
the size of the process's text segment accordingly. Several drivers
and the SYSV SHM address assignment were changed to use this instead
of each one picking their own "default".

Two small changes to the ELF exec code:

(1) ELFNAME(load_file)() now takes a pointer to the entry point
offset, instead of taking a pointer to the entry point itself. This
allows proper adjustment of the ultimate entry point at a higher level
if the object containing the entry point is moved before the exec is
finished.

(2) Introduce VMCMD_FIXED, which means the address at which a given
vmcmd describes a mapping is fixed (ie, should not be moved). Don't
set this for entries pertaining to ld.so.

Also some minor comment/whitespace tweaks.

Remove variable that is only assigned too but not referenced.

branches: 1.77.2;
ELF copyargs: at the time this is executed, process's ucred doesn't
contain the new uid/gid for suid/sgid binaries yet; determine AT_EUID
and AT_EGID by checking executed program vnode attributes in this case

count executable image pages as executable for vm-usage purposes.
also, always do the VTEXT vs. v_writecount mutual exclusion
(which we previously skipped if the text or data segment was empty).

Remove unnecessary code.

remove trailing \n in panic(). approved perry.

The entry point address for the interpreter must be adjusted by the text
section VMA on all platforms. It just happens to 0 normally on everything but
MIPS.

- Implement passing AT_{R,E}{U,G}ID in the elf aux vector.
- Pass struct proc to copyargs
- fix svr4_copyargs functions

Use "#ifdef __mips__" instead of "#ifdef mips"; shared libraries work
for kernels compiled with gcc 3.x.

branches: 1.70.8; 1.70.10;
Define ELF32_EHDR_FLAGS_OK()/ELF64_EHDR_FLAGS_OK() and use it
as an added measure to make sure that we can execute a binary.
These default to (1) if elf_machdep.h does not override them.

On Sun2, ELF32_EHDR_FLAGS_OK() checks for the presense of EF_M68000,
since the 68010 cannot run binaries for the 68020-and-up.

add RCSIDs

- Add a new vnode flag VEXECMAP, which indicates that a vnode has
executable mappings. Stop overloading VTEXT for this purpose (VTEXT
also has another meaning).
- Rename vn_marktext() to vn_markexec(), and use it when executable
mappings of a vnode are established.
- In places where we want to set VTEXT, set it in v_flag directly, rather
than making a function call to do this (it no longer makes sense to
use a function call, since we no longer overload VTEXT with VEXECMAP's
meaning).

VEXECMAP suggested by Chuq Silvers.

branches: 1.67.4;
simplify an expression.

adjust to the new copyargs footprint

Fix problem reported by Greg Woods, with ld -n generated binaries.
Now if the requested alignment of the psection is less than PAGE_SIZE
we use readvn, not pagedvn and we don't adjust sizes.

- add exec_read_from and make exec_elf32 use it.
- add a macho probe function

branches: 1.63.2;
In the check_header() function, bump the number of allowed section headers
to 512. Apparently, there are ELF binaries with more than 128 section
headers - an example is one of Linux Word Perfect 8 utilities.

This fixes kern/12455 by Mark Davies.

branches: 1.62.2;
*NEVER* cast a reference parameter (unless you're using C++).

Tighten up the ELF signature checks, and actually look for the ABI tag added
in newer glibc versions.

Introduce 2 new flags in types.h:
* __HAVE_SYSCALL_INTERN. If this is defined, e_syscall is replaced by
e_syscall_intern, which is called at key places in the kernel. This can be
used to set a MD syscall handler pointer. This obsoletes and replaces the
*_HAS_SEPARATED_SYSCALL flags.
* __HAVE_MINIMAL_EMUL. If this is defined, certain (deprecated) elements in
struct emul are omitted.

backout part of execsw/LKM changes: netbsd_elf32_signature() is used by
the compat/netbsd32 code so de-static it again.

restructure struct emul and execsw, in preparation to make emulations LKMable:
* move all exec-type specific information from struct emul to execsw[] and
provide single struct emul per emulation
* elf:
- kern/exec_elf32.c:probe_funcs[] is gone, execsw[] how has one entry
per emulation and contains pointer to respective probe function
- interp is allocated via MALLOC() rather than on stack
- elf_args structure is allocated via MALLOC() rather than malloc()
* ecoff: the per-emulation hooks moved from alpha and mips specific code
to OSF1 and Ultrix compat code as appropriate, execsw[] has one entry per
emulation supporting ecoff with appropriate probe function
* the makecmds/probe functions don't set emulation, pointer to emulation is
part of appropriate execsw[] entry
* constify couple of structures

NBPG -> PAGE_SIZE.

change the type of *syscallnames[] array to 'const char * const foo[]'

remove unneeded includes.

ANSI'ify.

modify load_file to load at relative vms'a as specified in the phdr's.

Add back a failure return statement in check_header() which I accidently
deleted in rev. 1.46; pointed out by Chris Demetriou.

remove include of <vm/vm.h>

remove redundant vm includes.

branches: 1.49.2;
defopt SYSCALL_DEBUG.

branches: 1.48.2;
add a new function vn_marktext() for exec code to let others know
that the vnode is now being used as process text.

Update for compat_netbsd32.

Update to match new SVR4-style definition names in <sys/exec_elf.h>.

branches: 1.45.2; 1.45.4; 1.45.6;
Allow execution of shared objects. This is silly, but is allowed in,
for example, Solaris and Linux, and at least one Linux ldd implementation
even depends on it.

ep_arglen is in units of 'sizeof (char *)', not in units of bytes. use
howmany(value, sizeof (char *)) to get the right value.

branches: 1.43.4;
Use of casts as lvalues is a GNU C extension; rearrange slightly.

PR/6962: Paul Shupak: FreeBSD elf support.

Fix 3 problems with the new signature code:
- don't set position to 0, set it to NO_ADDR (cgd)
- no need to malloc size + 1 bytes (cgd)
- fix calculation of minimum note size section.

Add support for parsing OS type note fields.

update for linux file move.

Move elf function name macros to exec_elf.h. COMPAT_LINUX is no longer limited to ELFSIZE==32.

Make copyrights consistent; fix weird/trailing spaces add missing (c) etc.

Assign copyright to TNF.

Abolition of bcopy, ovbcopy, bcmp, and bzero, phase one.
bcopy(x, y, z) -> memcpy(y, x, z)
ovbcopy(x, y, z) -> memmove(y, x, z)
bcmp(x, y, z) -> memcmp(x, y, z)
bzero(x, y) -> memset(x, 0, y)

fix sizeofs so they comply with the KNF style guide. yes, it is pedantic.

branches: 1.33.2;
Change the "aresid" argument of vn_rdwr() from an int * to a size_t *,
to match the new uio_resid type.

defopt COMPAT_SVR4

defopt COMPAT_IBCS2

defopt COMPAT_LINUX

Fix some arithmetics lossage on typeless pointers.

Merge with Lite2 + local changes

added support for SCO UNIX (derived from iBCS2)

branches: 1.26.8;
Pass the vnode type to vaccess(), and use it when checking VEXEC. Make sure
that the mode bits passed to vaccess() and returned by foo_getattr() contain
only permission bits.

GC some code.

va_mode contains stat bits. Use S_IS[UG]ID rather than VS[UG]ID.

Probe linux emul before svr4 emul. From Christos.

always provide at least a minimal aux vector. (The minimal version
is one entry long, with the entry's id being AUX_null.)

Make previous change in interpreter entry point calculation dependant on
a 'mips' define. XXX

Just a temporary patch to get things going again for Linux ELF binaries,
needs to be solved properly.

Elf32 fixes for mips shared libraries:

* handle interpreters with nonzero virtual address of entry-point:
subtract p_vaddr from computed entrypoint, as the mips elf exec did.

* Add #ifdef ELF_INTERP_NON_RELOCATABLE/#endif around the code
that tries to choose a `good' address at which to load an interpreter,
if none was set by the emul probe function.
(the address chosen could be improved to avoid fragmenting the
process virtual address space).

* define ELF_INTERP_NON_RELOCATABLE in machine/elf_machdep.h for mips CPUs,
which currently use a GNU-derived ld.so.

ELF_INTERP_NON_RELOCATABLE is not necessary for native NetBSD/alpha ELF
binaries. It may be required for GNU-derived ELF dynamic loaders (Linux/i386?)

deal more sanely with ELF binaries with only a single program header
section. Patch come up with by Bob Baron <rvb+@cs.cmu.edu> and myself.
This entire bit of code (the code which sets daddr/dsize and taddr/tsize)
is very bogus, but it's not clear what the 'right' way to fix it is
and this patch fixes a problem preventing some ELF executables from
being run.

replace ELF_ALIGN with ELF_TRUNC (round to lower alignment boundary) and
ELF_ROUND (round to higher alignment boundary), and use them properly.
Also, change a bit of code in elf_load_psection to use the next ELF_ROUND
macro. This fixes a bug found by Robert Baron <rvb+@cs.cmu.edu> where
elf_load_psection, if given a properly aligned address at which to load
the section, would round actually load it at the next highest alignment
boundary.

KNF, de-static the functions that were static (so they'll show up
in ddb, etc.)

don't include <machine/exec.h> explicitly. No other changes needed, since
<sys/exec.h> was already being included.

clean up a comment added in the last commit

when loading interpreter: check its vnode type, check its mount point
for NOEXEC and NOSUID, and make sure the interpreter file is executable.
The mount point checks are done because, even though the interpreter
is not the program being 'executed', code from the interpreter is being
executed, and so the mount point's flags should be respected.

Remove the implicit inclusion of EXEC_ELF32 when COMPAT_LINUX and/or
COMPAT_SVR4 is included.

exec vnode locking protocol changes: in a nutshell, don't keep vnodes
locked for any longer than we have to.

make the check_header and load_file functions static

add and use a machine-dependent header, which currently defines some
macros to use to remove #ifdefs from the machine ID case check.
Eventually, these headers will contain other information, e.g.
machine-dependent relocation information, etc.

add support and reorganize for 64-bit ELF, included by EXEC_ELF64
option. (Also, make EXEC_ELF32 option a way to explicitly include
32-bit ELF support.)

Merge pagedvn changes from OpenBSD and added mips defines. Also added
ELF_MAP_PAGE_ZERO define. The entry point computation is different than
the one OpenBSD uses.

- Pass the Elf exec header in the emulation dependent probe functions.
- remove static from elf_read_from().

More proto fixes

Use a default, 'safe' address to map the loader to in case the an emulation-
specific probe function did not specify it. It picks the same address
as mmap() does for a non-fixed map at address 0. See also the comment
around a similar line of code in vm/vm_mmap.c.

* Don't rely on the protection bits of segments anymore to decide whether
it's text or data; use the entry point instead (this solves some trouble
with ELF executables with strange permissions)
* Incorporate some fixes from r_friedl@informatik.uni-kl.de sent to
netbsd-bugs a while ago

s/memcmp/bcmp/

Remove unused define

Generic mi ELF loader; delete Linux and Svr4 compat conf entries and
add generic ELF entry to exec_conf.c

The argument length is in bytes; don't use howmany()

1) On 64bit systems, don't add the 32bit execsw[] to the global exec array.
exec_elf32 works on 32bit systems only, and will crash 32bit binaries on
64bit systems.
2) Now that exec_elf32 is dormant, we can give the native ELF loaders the
highest priority.

Binaries will load faster now (system boot, compilation, etc.).

With the help of njloy@. Discussed a bit on tech-kern@, no disagreement.

whitespace.

branches: 1.139.2;
c99 initializers for struct execsw

exec modules need to be of the exec kind

branches: 1.137.16; 1.137.26; 1.137.30;
Make the emulations, exec formats, coredump, NFS, and the NFS server
into modules. By and large this commit:

- shuffles header files and ifdefs
- splits code out where necessary to be modular
- adds module glue for each of the components
- adds/replaces hooks for things that can be installed at runtime

branches: 1.136.2; 1.136.8;
Replace intptr_t with uintptr_t in few more places.
OK by <matt>.

fix debugging printf

branches: 1.134.2; 1.134.4;
Don't use proc specificdata for the PAX stuff. Speeds up mmap() and others.

branches: 1.133.2;
Remove clause 3 and 4 from TNF licenses

branches: 1.132.6; 1.132.8; 1.132.10;
malloc -> kmem_alloc

- elf_load_file: return ENOEXEC instead of 0 in the case of
e_phnum > MAXPHNUM.
- exec_elf_makecmds: return an interesting error rather than
always using ENOEXEC.
- reject e_phnum==0.

Provide 8 more bits of stack randomization, from the PaX author.

While here, don't make too much use of one random value, and call
arc4random() directly. Allows for the removal of 'ep_random' from the
exec_package.

Prompted by and okay christos@.

PAX_ASLR_DELTA_PROG_LEN -> PAX_ASLR_DELTA_EXEC_LEN, and put it in pax.h.
Export randomized bits # for stack and exec base too via sysctl.

okay christos@.

Add PaX ASLR (Address Space Layout Randomization) [from elad and myself]

For regular (non PIE) executables randomization is enabled for:
1. The data segment
2. The stack

For PIE executables(*) randomization is enabled for:
1. The program itself
2. All shared libraries
3. The data segment
4. The stack

(*) To generate a PIE executable:
- compile everything with -fPIC
- link with -shared-libgcc -Wl,-pie

This feature is experimental, and might change. To use selectively add
options PAX_ASLR=0
in your kernel.

Currently we are using 12 bits for the stack, program, and data segment and
16 or 24 bits for mmap, depending on __LP64__.

branches: 1.127.6;
- add an elf aux vector entry for implementing $ORIGIN.
- the code to convert from a vnode to a path is commented out now until
a better solution is implemented. Only absolute paths work for now
(which is most of the cases).

requested by core

Remove the "struct lwp *" argument from all VFS and VOP interfaces.
The general trend is to remove it from all kernel interfaces and
this is a start. In case the calling lwp is desired, curlwp should
be used.

quick consensus on tech-kern

branches: 1.125.2;
machine/{bus,cpu,intr}.h -> sys/{bus,cpu,intr}.h

branches: 1.124.2; 1.124.8; 1.124.10; 1.124.14;
Use an elf note to handle pax arguments. This is a temporary solution to
avoid wasting OS flag bits. In the future we'll probably use fileassoc to
achieve this (once there is a way to make fileassoc persistent) or in the
shorter term libelf, so that we can add and remove the note on demand instead
of burning bits on each binary. Of course since this is a tool, this means
that we'll need to think about how to handle libelf...

Change the way that emulations locate files within the emulation root to
avoid having to allocate space in the 'stackgap'
- which is very LWP unfriendly.
The additional code for non-emulation namei() is trivial, the reduction for
the emulations is massive.
The vnode for a processes emulation root is saved in the cwdi structure
during process exec.
If the emulation root the TRYEMULROOT flag are set, namei() will do an initial
search for absolute pathnames in the emulation root, if that fails it will
retry from the normal root.
".." at the emulation root will always go to the real root, even in the middle
of paths and when expanding symlinks.
Absolute symlinks found using absolute paths in the emulation root will be
relative to the emulation root (so /usr/lib/xxx.so -> /lib/xxx.so links
inside the emulation root don't need changing).
If the root of the emulation would be returned (for an emulation lookup), then
the real root is returned instead (matching the behaviour of emul_lookup,
but being a cheap comparison here) so that programs that scan "../.."
looking for the root dircetory don't loop forever.
The target for symbolic links is no longer mangled (it used to get the
CHECK_ALT_xxx() treatment, so could get /emul/xxx prepended).
CHECK_ALT_xxx() are no more. Most of the change is deleting them, and adding
TRYEMULROOT to the flags to NDINIT().
A lot of the emulation system call stubs could now be deleted.

branches: 1.122.2; 1.122.4;
netbsd_elf_signature: fix a caddr_t removal botch which
causes "init: not found".

die, caddr_t, die.

branches: 1.120.2; 1.120.4; 1.120.8;
Put back break mistakenly removed in previous commit.

Initial implementation of PaX Segvguard (this is still work-in-progress,
it's just to get it out of my local tree).

Make PaX MPROTECT use specificdata(9), freeing up two P_* flags.
While here, make more generic for upcoming PaX features.

remove some __unused from function parameters.

- sprinkle __unused on function decls.
- fix a couple of unused bugs
- no more -Wno-unused for i386

branches: 1.115.4; 1.115.6;
Use the LWP cached credentials where sane.

don't break lkms; pointed out by hannken@ and he@, thanks!

Introduce PaX MPROTECT -- mprotect(2) restrictions used to strengthen
W^X mappings.

Disabled by default.

First proposed in:

http://mail-index.netbsd.org/tech-security/2005/12/18/0000.html

More information in:

http://pax.grsecurity.net/docs/mprotect.txt

Read relevant parts of options(4) and sysctl(3) before using!

Lots of thanks to the PaX author and Matt Thomas.

integrate kauth.

KNF

Found by coverity issue 887. Check for NULL before using base_ph so
an interpreter that does not have PT_LOAD in the program header doesn't
crash the system.

branches: 1.109.2; 1.109.4; 1.109.6;
for some random places, use PNBUF_GET/PUT rather than
- on-stack buffer
- malloc(MAXPATHLEN)

branches: 1.108.2; 1.108.4; 1.108.6;
merge ktrace-lwp.

branches: 1.107.4;
Add a hack to deal with MIPS relocatable shared-linker problem on
COMPAT_16 and earlier that results in a current shared linker running at
address 0 (and thus allows NULL pointer derefs to work).

As noted by Matthias Drochner, this "fix" just checks the first psection
and not the first loadable psection. This isn't a problem with the
binutils up to now, but might be in the future.

More cosmetic changes.

Make code prettier.

branches: 1.104.2;
- add const.
- remove unnecessary casts.
- add __UNCONST casts and mark them with XXXUNCONST as necessary.

Fix some things regarding COMPAT_NETBSD32 and limits/VM addresses.

* For sparc64 and amd64, define *SIZ32 VM constants.
* Add a new function pointer to struct emul, pointing at a function
that will return the default VM map address. The default function
is uvm_map_defaultaddr, which just uses the VM_DEFAULT_ADDRESS
macro. This gives emulations control over the default map address,
and allows things to be mapped at the right address (in 32bit range)
for COMPAT_NETBSD32.
* Add code to adjust the data and stack limits when a COMPAT_NETBSD32
or COMPAT_SVR4_32 binary is executed.
* Don't use USRSTACK in kern_resource.c, use p_vmspace->vm_minsaddr
instead (emulations might have set it differently)
* Since this changes struct emul, bump kernel version to 3.99.2

Tested on amd64, compile-tested on sparc64.

branches: 1.102.2;
Copyright maintenance.

nuke trailing whitespace

Allow 32K instead of 1K of section headers. Solaris opera binary has 15K
section headers. We only allocate memory for those headers on compat_linux
and compat_ibcs2 while we probe, and although 32K is not such a big number,
we could fix the code in those two places to read section-by-section instead
of all the sections at once as it does now, if we really felt like it.

branches: 1.99.4; 1.99.6;
We emulate more than SVR4, and IBCS2 on the i386 and Linux on the i386
and the Alpha there days. Remove this statement in a comment.

bump the number of allowed sections to 1024; e.g. SuSE 9.1 packaged
Mozilla 1.6 has 726 sections

branches: 1.97.2;
Back out >2 PT_LOAD changes from rev 1.96. They cause older GCC3-compiled
PowerPC binaries to fail. The compiler has since been fixed, but
compatibility with older binaries needs to be maintained.

PR kern/23758.

add support for more than 2 PT_LOAD sections. from OpenBSD.

-fix ELF_INTERP_NON_RELOCATABLE:
-obey ELF_LINK_ADDR in ELF_load_file()
-set ELF_LINK_ADDR in the probe() function if needed
-make ELF_NULL_ADDR the default, so that probe() functions dont need
to set it explicitely
-allocate buffer for interpreter name only if needed

GC: exec_foo_setup_stack; use exec_setup_stack, and provide a way for
emulations to override it.

Make elf{32|64}_check_header public, as it will be used by irix_elf32_probe.
While we are there, cut to 80 chars, and ANSIfy prototypes

branches: 1.92.2;
Back out the lwp/ktrace changes. They contained a lot of colateral damage,
and need to be examined and discussed more.

Pass lwp pointers throughtout the kernel, as required, so that the lwpid can
be inserted into ktrace records. The general change has been to replace
"struct proc *" with "struct lwp *" in various function prototypes, pass
the lwp through and use l_proc to get the process pointer when needed.

Bump the kernel rev up to 1.6V

Limit the number of program headers we accept to avoid resource exhaustion
by a hand-crafted elf binary.

If we are doing TOPDOWN, we want to truncate the address downwards. If not,
we want to round the address upwards. I hope this is the last change.

Make sure that the initial address is aligned correctly. Note that before
this alignment would have been backward into the dataspace covered by
MAXDSIZ. Now the alignment is done forward. XXX It is expected that
in the TOPDOWN case, VM_DEFAULT_ADDRESS will make sure any address it
returns has the proper alignment for that architecure.

When aligned to > PAGE_SIZE boundary, don't map any pages before where the
psection starts. Allocate unused VA space between psections as unreadable.

Remove MAXDSIZ since VM_DEFAULT_ADDRESS adds it. Sigh. It was correct.

Note only trunc_page the psection vaddr, but truncate it accordoring to its
psection alignment. XXX If the psection alignment is greater than the page
alignment, extra pages may be mapped that will never be needed. This is
inefficient and wasteful of swap space and needs to be fixed.

Fix a c&p bug when moving VM_DEFAULT_ADDRESS. (restore MAXDSIZ)

Remove VMCMD_TOPDOWN since it's no longer. Redo my last rework. Move
VM_DEFAULT_ADDRESS from elf*_makecmds to elf*_load_file. In load_file,
actually determine ahead of time how much space will be needed and pass
that to VM_DEFAULT_ADDRESS. Now we have a relatistic starting address
so we can do the loading of psections normally with no extra topdown
code in load_psection. Also, if there is a gap in betweeen psections
zero map an inaccessible region between (just like ld.elf_so does) to
avoid inadvertant mmaps in the gap.

Make elf32 load_file work properly with TOPDOWN by mapping psections in
reverse order. Remove TOPDOWN support from VMCMDs since elf32 does the
right stuff now. With these changes, VAX can now use TOPDOWN.

In topdown mode, subtract the page rounded memory size of the psection,
not the rounded file size. Otherwise if BSS needs more pages beyond
data you'll extend too far.

Introduce "top down" memory management for mmap()ed allocations. This
means that the dynamic linker gets mapped in at the top of available
user virtual memory (typically just below the stack), shared libraries
get mapped downwards from that point, and calls to mmap() that don't
specify a preferred address will get mapped in below those.

This means that the heap and the mmap()ed allocations will grow
towards each other, allowing one or the other to grow larger than
before. Previously, the heap was limited to MAXDSIZ by the placement
of the dynamic linker (and the process's rlimits) and the space
available to mmap was hobbled by this reservation.

This is currently only enabled via an *option* for the i386 platform
(though other platforms are expected to follow). Add "options
USE_TOPDOWN_VM" to your kernel config file, rerun config, and rebuild
your kernel to take advantage of this.

Note that the pmap_prefer() interface has not yet been modified to
play nicely with this, so those platforms require a bit more work
(most notably the sparc) before they can use this new memory
arrangement.

This change also introduces a VM_DEFAULT_ADDRESS() macro that picks
the appropriate default address based on the size of the allocation or
the size of the process's text segment accordingly. Several drivers
and the SYSV SHM address assignment were changed to use this instead
of each one picking their own "default".

Two small changes to the ELF exec code:

(1) ELFNAME(load_file)() now takes a pointer to the entry point
offset, instead of taking a pointer to the entry point itself. This
allows proper adjustment of the ultimate entry point at a higher level
if the object containing the entry point is moved before the exec is
finished.

(2) Introduce VMCMD_FIXED, which means the address at which a given
vmcmd describes a mapping is fixed (ie, should not be moved). Don't
set this for entries pertaining to ld.so.

Also some minor comment/whitespace tweaks.

Remove variable that is only assigned too but not referenced.

branches: 1.77.2;
ELF copyargs: at the time this is executed, process's ucred doesn't
contain the new uid/gid for suid/sgid binaries yet; determine AT_EUID
and AT_EGID by checking executed program vnode attributes in this case

count executable image pages as executable for vm-usage purposes.
also, always do the VTEXT vs. v_writecount mutual exclusion
(which we previously skipped if the text or data segment was empty).

Remove unnecessary code.

remove trailing \n in panic(). approved perry.

The entry point address for the interpreter must be adjusted by the text
section VMA on all platforms. It just happens to 0 normally on everything but
MIPS.

- Implement passing AT_{R,E}{U,G}ID in the elf aux vector.
- Pass struct proc to copyargs
- fix svr4_copyargs functions

Use "#ifdef __mips__" instead of "#ifdef mips"; shared libraries work
for kernels compiled with gcc 3.x.

branches: 1.70.8; 1.70.10;
Define ELF32_EHDR_FLAGS_OK()/ELF64_EHDR_FLAGS_OK() and use it
as an added measure to make sure that we can execute a binary.
These default to (1) if elf_machdep.h does not override them.

On Sun2, ELF32_EHDR_FLAGS_OK() checks for the presense of EF_M68000,
since the 68010 cannot run binaries for the 68020-and-up.

add RCSIDs

- Add a new vnode flag VEXECMAP, which indicates that a vnode has
executable mappings. Stop overloading VTEXT for this purpose (VTEXT
also has another meaning).
- Rename vn_marktext() to vn_markexec(), and use it when executable
mappings of a vnode are established.
- In places where we want to set VTEXT, set it in v_flag directly, rather
than making a function call to do this (it no longer makes sense to
use a function call, since we no longer overload VTEXT with VEXECMAP's
meaning).

VEXECMAP suggested by Chuq Silvers.

branches: 1.67.4;
simplify an expression.

adjust to the new copyargs footprint

Fix problem reported by Greg Woods, with ld -n generated binaries.
Now if the requested alignment of the psection is less than PAGE_SIZE
we use readvn, not pagedvn and we don't adjust sizes.

- add exec_read_from and make exec_elf32 use it.
- add a macho probe function

branches: 1.63.2;
In the check_header() function, bump the number of allowed section headers
to 512. Apparently, there are ELF binaries with more than 128 section
headers - an example is one of Linux Word Perfect 8 utilities.

This fixes kern/12455 by Mark Davies.

branches: 1.62.2;
*NEVER* cast a reference parameter (unless you're using C++).

Tighten up the ELF signature checks, and actually look for the ABI tag added
in newer glibc versions.

Introduce 2 new flags in types.h:
* __HAVE_SYSCALL_INTERN. If this is defined, e_syscall is replaced by
e_syscall_intern, which is called at key places in the kernel. This can be
used to set a MD syscall handler pointer. This obsoletes and replaces the
*_HAS_SEPARATED_SYSCALL flags.
* __HAVE_MINIMAL_EMUL. If this is defined, certain (deprecated) elements in
struct emul are omitted.

backout part of execsw/LKM changes: netbsd_elf32_signature() is used by
the compat/netbsd32 code so de-static it again.

restructure struct emul and execsw, in preparation to make emulations LKMable:
* move all exec-type specific information from struct emul to execsw[] and
provide single struct emul per emulation
* elf:
- kern/exec_elf32.c:probe_funcs[] is gone, execsw[] how has one entry
per emulation and contains pointer to respective probe function
- interp is allocated via MALLOC() rather than on stack
- elf_args structure is allocated via MALLOC() rather than malloc()
* ecoff: the per-emulation hooks moved from alpha and mips specific code
to OSF1 and Ultrix compat code as appropriate, execsw[] has one entry per
emulation supporting ecoff with appropriate probe function
* the makecmds/probe functions don't set emulation, pointer to emulation is
part of appropriate execsw[] entry
* constify couple of structures

NBPG -> PAGE_SIZE.

change the type of *syscallnames[] array to 'const char * const foo[]'

remove unneeded includes.

ANSI'ify.

modify load_file to load at relative vms'a as specified in the phdr's.

Add back a failure return statement in check_header() which I accidently
deleted in rev. 1.46; pointed out by Chris Demetriou.

remove include of <vm/vm.h>

remove redundant vm includes.

branches: 1.49.2;
defopt SYSCALL_DEBUG.

branches: 1.48.2;
add a new function vn_marktext() for exec code to let others know
that the vnode is now being used as process text.

Update for compat_netbsd32.

Update to match new SVR4-style definition names in <sys/exec_elf.h>.

branches: 1.45.2; 1.45.4; 1.45.6;
Allow execution of shared objects. This is silly, but is allowed in,
for example, Solaris and Linux, and at least one Linux ldd implementation
even depends on it.

ep_arglen is in units of 'sizeof (char *)', not in units of bytes. use
howmany(value, sizeof (char *)) to get the right value.

branches: 1.43.4;
Use of casts as lvalues is a GNU C extension; rearrange slightly.

PR/6962: Paul Shupak: FreeBSD elf support.

Fix 3 problems with the new signature code:
- don't set position to 0, set it to NO_ADDR (cgd)
- no need to malloc size + 1 bytes (cgd)
- fix calculation of minimum note size section.

Add support for parsing OS type note fields.

update for linux file move.

Move elf function name macros to exec_elf.h. COMPAT_LINUX is no longer limited to ELFSIZE==32.

Make copyrights consistent; fix weird/trailing spaces add missing (c) etc.

Assign copyright to TNF.

Abolition of bcopy, ovbcopy, bcmp, and bzero, phase one.
bcopy(x, y, z) -> memcpy(y, x, z)
ovbcopy(x, y, z) -> memmove(y, x, z)
bcmp(x, y, z) -> memcmp(x, y, z)
bzero(x, y) -> memset(x, 0, y)

fix sizeofs so they comply with the KNF style guide. yes, it is pedantic.

branches: 1.33.2;
Change the "aresid" argument of vn_rdwr() from an int * to a size_t *,
to match the new uio_resid type.

defopt COMPAT_SVR4

defopt COMPAT_IBCS2

defopt COMPAT_LINUX

Fix some arithmetics lossage on typeless pointers.

Merge with Lite2 + local changes

added support for SCO UNIX (derived from iBCS2)

branches: 1.26.8;
Pass the vnode type to vaccess(), and use it when checking VEXEC. Make sure
that the mode bits passed to vaccess() and returned by foo_getattr() contain
only permission bits.

GC some code.

va_mode contains stat bits. Use S_IS[UG]ID rather than VS[UG]ID.

Probe linux emul before svr4 emul. From Christos.

always provide at least a minimal aux vector. (The minimal version
is one entry long, with the entry's id being AUX_null.)

Make previous change in interpreter entry point calculation dependant on
a 'mips' define. XXX

Just a temporary patch to get things going again for Linux ELF binaries,
needs to be solved properly.

Elf32 fixes for mips shared libraries:

* handle interpreters with nonzero virtual address of entry-point:
subtract p_vaddr from computed entrypoint, as the mips elf exec did.

* Add #ifdef ELF_INTERP_NON_RELOCATABLE/#endif around the code
that tries to choose a `good' address at which to load an interpreter,
if none was set by the emul probe function.
(the address chosen could be improved to avoid fragmenting the
process virtual address space).

* define ELF_INTERP_NON_RELOCATABLE in machine/elf_machdep.h for mips CPUs,
which currently use a GNU-derived ld.so.

ELF_INTERP_NON_RELOCATABLE is not necessary for native NetBSD/alpha ELF
binaries. It may be required for GNU-derived ELF dynamic loaders (Linux/i386?)

deal more sanely with ELF binaries with only a single program header
section. Patch come up with by Bob Baron <rvb+@cs.cmu.edu> and myself.
This entire bit of code (the code which sets daddr/dsize and taddr/tsize)
is very bogus, but it's not clear what the 'right' way to fix it is
and this patch fixes a problem preventing some ELF executables from
being run.

replace ELF_ALIGN with ELF_TRUNC (round to lower alignment boundary) and
ELF_ROUND (round to higher alignment boundary), and use them properly.
Also, change a bit of code in elf_load_psection to use the next ELF_ROUND
macro. This fixes a bug found by Robert Baron <rvb+@cs.cmu.edu> where
elf_load_psection, if given a properly aligned address at which to load
the section, would round actually load it at the next highest alignment
boundary.

KNF, de-static the functions that were static (so they'll show up
in ddb, etc.)

don't include <machine/exec.h> explicitly. No other changes needed, since
<sys/exec.h> was already being included.

clean up a comment added in the last commit

when loading interpreter: check its vnode type, check its mount point
for NOEXEC and NOSUID, and make sure the interpreter file is executable.
The mount point checks are done because, even though the interpreter
is not the program being 'executed', code from the interpreter is being
executed, and so the mount point's flags should be respected.

Remove the implicit inclusion of EXEC_ELF32 when COMPAT_LINUX and/or
COMPAT_SVR4 is included.

exec vnode locking protocol changes: in a nutshell, don't keep vnodes
locked for any longer than we have to.

make the check_header and load_file functions static

add and use a machine-dependent header, which currently defines some
macros to use to remove #ifdefs from the machine ID case check.
Eventually, these headers will contain other information, e.g.
machine-dependent relocation information, etc.

add support and reorganize for 64-bit ELF, included by EXEC_ELF64
option. (Also, make EXEC_ELF32 option a way to explicitly include
32-bit ELF support.)

Merge pagedvn changes from OpenBSD and added mips defines. Also added
ELF_MAP_PAGE_ZERO define. The entry point computation is different than
the one OpenBSD uses.

- Pass the Elf exec header in the emulation dependent probe functions.
- remove static from elf_read_from().

More proto fixes

Use a default, 'safe' address to map the loader to in case the an emulation-
specific probe function did not specify it. It picks the same address
as mmap() does for a non-fixed map at address 0. See also the comment
around a similar line of code in vm/vm_mmap.c.

* Don't rely on the protection bits of segments anymore to decide whether
it's text or data; use the entry point instead (this solves some trouble
with ELF executables with strange permissions)
* Incorporate some fixes from r_friedl@informatik.uni-kl.de sent to
netbsd-bugs a while ago

s/memcmp/bcmp/

Remove unused define

Generic mi ELF loader; delete Linux and Svr4 compat conf entries and
add generic ELF entry to exec_conf.c