Handle sections that specify alignment as 0 when loading an ELF interpreter
(i.e. ld.so). Since the smallest possible alignment actually is the
page size, just start with that and only increase it if a larger alignment
is requested. Also reject interpreters without loadable segments, just
like we did for ld.so a few weeks ago.
Distilled from a report by Andrew Griffiths.
ok jsg@, deraadt@
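The alignment logic described in the commit message above, as an added, stand-alone example that is not OpenBSD's exec_elf code: it walks an interpreter's program headers, starts from the page size (assumed here to be 4096), raises the alignment only when a PT_LOAD asks for more, and rejects an interpreter with no PT_LOAD at all. The phdr64 struct is a hand-written copy of the ELF64 program-header layout so the example does not depend on <elf.h>, and the power-of-two check is an extra sanity check not mentioned in the commit.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Hand-written ELF64 program header layout, so this runs without <elf.h>. */
#ifndef PT_LOAD
#define PT_LOAD 1
#endif
struct phdr64 {
    uint32_t p_type, p_flags;
    uint64_t p_offset, p_vaddr, p_paddr, p_filesz, p_memsz, p_align;
};

#define INTERP_PAGE_SIZE 4096ULL  /* assumed page size for this example */

/*
 * Compute the alignment needed to map an ELF interpreter.
 * Returns 0 and stores the alignment in *out, or -1 if the interpreter has
 * no PT_LOAD segment or a PT_LOAD requests a non-power-of-two alignment.
 */
int interp_load_align(const struct phdr64 *ph, size_t nph, uint64_t *out)
{
    uint64_t align = INTERP_PAGE_SIZE;  /* smallest alignment we can honour */
    size_t nload = 0;
    size_t i;

    for (i = 0; i < nph; i++) {
        uint64_t a;

        if (ph[i].p_type != PT_LOAD)
            continue;
        nload++;
        a = ph[i].p_align;
        /* p_align 0 or 1 means "no constraint"; the page size already covers
         * that case, so only larger requests change the result. */
        if (a > 1 && (a & (a - 1)) != 0)
            return -1;          /* extra check: must be a power of two */
        if (a > align)
            align = a;
    }
    if (nload == 0)
        return -1;              /* interpreter without loadable segments */
    *out = align;
    return 0;
}

int main(void)
{
    /* Constructed headers: a PT_LOAD with p_align 0, as the commit handles. */
    struct phdr64 ph[] = {
        { .p_type = 6 /* PT_PHDR */, .p_align = 8 },
        { .p_type = PT_LOAD, .p_align = 0 },
    };
    uint64_t a;

    if (interp_load_align(ph, 2, &a) == 0)
        printf("mapping alignment: %llu\n", (unsigned long long)a);
    else
        printf("interpreter rejected\n");
    return 0;
}
```

With a zero p_align the function settles on the page size rather than treating 0 as an alignment request; a header set with no PT_LOAD is rejected before any mapping is attempted.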
Validate size of chunks copied to piglet during hibernate unpack
Ensure that the compressed size of the chunk read from the hibernate image
will fit into the reserved space in the piglet for such chunks. Prevents
chunks with invalid sizes from overrunning the piglet. Such corrupted
chunks could be present in tampered or corrupt on-disk hibernate images.
Reported by Frank Denis
Validate sizes against integer overflow when reading chunks in unhibernate
Validate that chunk sizes stored in the chunktable don't result in integer
overflow. Such invalid chunk sizes could be present in tampered or corrupt
on-disk hibernate images.
Reported by Frank Denis
Prevent overread when reading the chunktable in unhibernate
Ensure we don't read past the end of the chunktable, which could happen
with a tampered or corrupted on-disk hibernate image.
Reported by Frank Denis
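The three hibernate fixes above (piglet fit, integer overflow, chunktable overread) all come down to validating untrusted sizes before using them. The following is an added example, not OpenBSD's hibernate code: it checks a chunktable read from an image against each of those three problems. The chunk_ent layout, the PIGLET_CHUNK_SPACE constant and the sample table are all constructed for this example and do not match the real on-disk format.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical chunktable entry; NOT OpenBSD's on-disk layout. */
struct chunk_ent {
    uint64_t offset;      /* where the compressed chunk starts in the image */
    uint64_t compressed;  /* compressed size on disk */
    uint64_t pages;       /* number of pages it expands to */
};

/* Assumed space reserved in the piglet for one compressed chunk. */
#define PIGLET_CHUNK_SPACE (4ULL * 1024 * 1024)

enum { CT_OK = 0, CT_OVERREAD, CT_OVERFLOW, CT_OUT_OF_IMAGE, CT_NOFIT };

/*
 * Validate a chunktable read from an untrusted hibernate image before any
 * chunk is copied into the piglet.  tbl/tbl_len is the raw table as read
 * from disk, nchunks is the entry count the image header claims, and
 * image_len is the total size of the image.
 */
int validate_chunktable(const uint8_t *tbl, size_t tbl_len, size_t nchunks,
                        uint64_t image_len)
{
    struct chunk_ent c;
    size_t i;

    /* Overread: the header may claim more entries than the table holds. */
    if (nchunks > tbl_len / sizeof(c))
        return CT_OVERREAD;

    for (i = 0; i < nchunks; i++) {
        memcpy(&c, tbl + i * sizeof(c), sizeof(c));

        /* Integer overflow: offset + compressed must not wrap, or the
         * bounds check below would pass on a wrapped, tiny sum. */
        if (c.compressed > UINT64_MAX - c.offset)
            return CT_OVERFLOW;

        /* The compressed bytes must lie entirely inside the image. */
        if (c.offset + c.compressed > image_len)
            return CT_OUT_OF_IMAGE;

        /* Piglet fit: reject sizes that would overrun the reserved space. */
        if (c.compressed == 0 || c.compressed > PIGLET_CHUNK_SPACE)
            return CT_NOFIT;
    }
    return CT_OK;
}

int main(void)
{
    /* Constructed sample table: two well-formed chunks. */
    struct chunk_ent good[] = {
        { 0, 100, 4 },
        { 100, 200, 8 },
    };
    const uint8_t *raw = (const uint8_t *)good;

    printf("two entries, claim 2: %d\n",
        validate_chunktable(raw, sizeof(good), 2, 300));
    /* Tampered header claiming a third entry the table does not contain. */
    printf("two entries, claim 3: %d\n",
        validate_chunktable(raw, sizeof(good), 3, 300));
    return 0;
}
```

The checks are ordered so that the overflow test runs before the arithmetic it protects, and the table-length check runs before any entry is read; a tampered image that claims more chunks than the table holds is rejected without touching bytes past the table's end.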
Disable builtins in strlcpytest.c. Otherwise, clang w/ optimizations
enabled will treat strlcpy(NULL, ...) as undefined behavior and optimize
the invocation away.
Regression introduced after the llvm 22 upgrade.
Disable kbind() and pinsyscalls() for static binaries at the correct
time, which is inside exec_elf_makecmds(). Amusingly, it looks like
these protection mechanisms are not needed because other process state
protects against kbind use since we completed the switch to static pie.
Also any privileged static binary (which we ship, setuid or daemon) is
not going to contain a pinsyscall or kbind slot in the loaded pinsyscalls
table, so they cannot perform those. Only synthetic binaries with their
own pinsyscalls table could play, but of course they won't run with
privilege.
from Andrew Griffiths at Calif
ok kettenis, andrew also approves of this approach
But the NVMe controller integrated on Apple silicon (M1, M2, etc.)
advertises support for 128-byte submission queue entries but only works
with 64-byte entries. So let aplns(4) override the size.
ok jcs@
Update clzdi2.c to pull in the following commit needed because of a change
in clang brought in with the llvm 22 update:
commit 5d0e26e571c08dc4c0b2a25ed6c9f845f054fa76
Author: Koakuma <koachan at protonmail.com>
Date: Tue Apr 29 07:36:32 2025 +0700
[compiler-rt] Make sure __clzdi2 doesn't call itself recursively on sparc64 (#136737)
On 64-bit platforms, libgcc doesn't ship with __clzsi2, so __builtin_clz
gets lowered to __clzdi2. A check already exists for GCC, but as of
commit 8210ca019839fc5430b3a95d7caf5c829df3232a clang also lowers
__builtin_clz to __clzdi2 on sparc64.
Update the check so that building __clzdi2 with clang/sparc64 also
works.
ok tb@, deraadt@
Unbreak and update powerpc retguard for llvm 22
For RETGUARD_LOAD_COOKIE when -fno-pie (as in macppc kernels), change
a relocation from unusual S_HIGHA
"__retguard_3671 at higha" to usual S_HA "__retguard_3671 at ha". This
prevents an error from lld 22,
ld: error: rasops15.o:(function rasops15_init: .text+0x2): unknown \
relocation (111) against symbol __retguard_3671
For RETGUARD_LOAD_PC in PIC code, change an instruction from 'bl .+4'
to 'bcl 20,31,.+4' to fix branch prediction. This follows the same
change in upstream llvm,
https://github.com/llvm/llvm-project/issues/128644
ok jca@ naddy@