New accounting flag ABTCFI to indicate signal SIGILL + code ILL_BTCFI

has occurred in the process. ok various people
2024-12-21 23:18:00 -08:00 · 2024-02-25 00:07:13 +00:00 · 2024-02-25 00:07:13 +00:00 · fd5846a355
commit fd5846a355
parent 9751739cb3
5 changed files with 51 additions and 22 deletions
--- a/share/man/man5/acct.5
+++ b/share/man/man5/acct.5
@ -1,4 +1,4 @@
-.\"	$OpenBSD: acct.5,v 1.26 2022/02/22 17:22:29 deraadt Exp $
+.\"	$OpenBSD: acct.5,v 1.27 2024/02/25 00:07:14 deraadt Exp $
 .\"	$NetBSD: acct.5,v 1.4 1995/10/22 01:40:10 ghudson Exp $
 .\"
 .\" Copyright (c) 1991, 1993
@ -30,7 +30,7 @@
 .\"
 .\"     @(#)acct.5	8.1 (Berkeley) 6/5/93
 .\"
-.Dd $Mdocdate: February 22 2022 $
+.Dd $Mdocdate: February 25 2024 $
 .Dt ACCT 5
 .Os
 .Sh NAME
@ -69,14 +69,16 @@ struct acct {
 	dev_t	  ac_tty;	/* controlling tty, or -1 */
 	pid_t	  ac_pid;	/* process id */

-#define	AFORK	0x01		/* fork'd but not exec'd */
-#define	AMAP	0x04		/* system call or stack mapping violation */
-#define	ACORE	0x08		/* dumped core */
-#define	AXSIG	0x10		/* killed by a signal */
-#define	APLEDGE	0x20		/* killed due to pledge violation */
-#define	ATRAP	0x40		/* memory access violation */
-#define	AUNVEIL	0x80		/* unveil access violation */
 	u_int32_t ac_flag;	/* accounting flags */
+#define	AFORK	0x00000001	/* fork'd but not exec'd */
+#define	AMAP	0x00000004	/* killed by syscall or stack mapping violation */
+#define	ACORE	0x00000008	/* dumped core */
+#define	AXSIG	0x00000010	/* killed by a signal */
+#define	APLEDGE	0x00000020	/* killed due to pledge violation */
+#define	ATRAP	0x00000040	/* memory access violation */
+#define	AUNVEIL	0x00000080	/* unveil access violation */
+#define APINSYS 0x00000200      /* killed by syscall pin violation */
+#define ABTCFI  0x00000400      /* BT CFI violation */
 };

 /*
@ -125,6 +127,18 @@ The process attempted a file access that was prevented by
 .Xr unveil 2
 restrictions.
 Note that this does not cause the process to terminate.
+.It Dv APINSYS
+The command tried to execute a system call from the wrong
+system call instruction, see
+.Xr pinsyscalls 2 .
+.It Dv ABTCFI
+The command executed an indirect branch to a location that did not
+start with a
+.Ql BTI
+instruction, and terminated with signal
+.Dv SIGILL ,
+.Va code
+.Dv ILL_BTCFI .
 .El
 .Sh SEE ALSO
 .Xr lastcomm 1 ,
--- a/sys/kern/kern_sig.c
+++ b/sys/kern/kern_sig.c
@ -1,4 +1,4 @@
-/*	$OpenBSD: kern_sig.c,v 1.321 2024/01/17 22:22:25 kurt Exp $	*/
+/*	$OpenBSD: kern_sig.c,v 1.322 2024/02/25 00:07:13 deraadt Exp $	*/
 /*	$NetBSD: kern_sig.c,v 1.54 1996/04/22 01:38:32 christos Exp $	*/

 /*
@ -799,6 +799,11 @@ trapsignal(struct proc *p, int signum, u_long trapno, int code,

 	switch (signum) {
 	case SIGILL:
+		if (code == ILL_BTCFI) {
+			pr->ps_acflag |= ABTCFI;
+			break;
+		}
+		/* FALLTHROUGH */
 	case SIGBUS:
 	case SIGSEGV:
 		pr->ps_acflag |= ATRAP;
--- a/sys/sys/acct.h
+++ b/sys/sys/acct.h
@ -1,4 +1,4 @@
-/*	$OpenBSD: acct.h,v 1.15 2024/01/20 12:16:55 deraadt Exp $	*/
+/*	$OpenBSD: acct.h,v 1.16 2024/02/25 00:07:13 deraadt Exp $	*/
 /*	$NetBSD: acct.h,v 1.16 1995/03/26 20:23:52 jtc Exp $	*/

 /*-
@ -59,15 +59,16 @@ struct acct {
 	dev_t	  ac_tty;		/* controlling tty, or -1 */
 	pid_t	  ac_pid;		/* process id */

-#define	AFORK	0x00000001		/* fork'd but not exec'd */
-#define	AMAP	0x00000004		/* system call or stack mapping violation */
-#define	ACORE	0x00000008		/* dumped core */
-#define	AXSIG	0x00000010		/* killed by a signal */
-#define	APLEDGE	0x00000020		/* killed due to pledge violation */
-#define	ATRAP	0x00000040		/* memory access violation */
-#define	AUNVEIL	0x00000080		/* unveil access violation */
-#define	APINSYS	0x00000200		/* syscall pin violation */
 	u_int32_t ac_flag;		/* accounting flags */
+#define	AFORK	0x00000001	/* fork'd but not exec'd */
+#define	AMAP	0x00000004	/* killed by syscall or stack mapping violation */
+#define	ACORE	0x00000008	/* dumped core */
+#define	AXSIG	0x00000010	/* killed by a signal */
+#define	APLEDGE	0x00000020	/* killed due to pledge violation */
+#define	ATRAP	0x00000040	/* memory access violation */
+#define	AUNVEIL	0x00000080	/* unveil access violation */
+#define	APINSYS	0x00000200	/* killed by syscall pin violation */
+#define	ABTCFI	0x00000400	/* BT CFI violation */
 };

 /*
--- a/usr.bin/lastcomm/lastcomm.1
+++ b/usr.bin/lastcomm/lastcomm.1
@ -1,4 +1,4 @@
-.\"	$OpenBSD: lastcomm.1,v 1.27 2024/01/19 14:25:03 deraadt Exp $
+.\"	$OpenBSD: lastcomm.1,v 1.28 2024/02/25 00:07:13 deraadt Exp $
 .\"	$NetBSD: lastcomm.1,v 1.5 1995/10/22 01:43:41 ghudson Exp $
 .\"
 .\" Copyright (c) 1980, 1990, 1993
@ -30,7 +30,7 @@
 .\"
 .\"	@(#)lastcomm.1	8.1 (Berkeley) 6/6/93
 .\"
-.Dd $Mdocdate: January 19 2024 $
+.Dd $Mdocdate: February 25 2024 $
 .Dt LASTCOMM 1
 .Os
 .Sh NAME
@ -101,6 +101,14 @@ Elapsed time of the process.
 The flags are encoded as follows:
 .Pp
 .Bl -tag -width 6n -compact -offset indent
+.It Li B
+The command executed an indirect branch to a location that did not
+start with a
+.Ql BTI
+instruction, and terminated with signal
+.Dv SIGILL ,
+.Va code
+.Dv ILL_BTCFI .
 .It Li D
 The command terminated with the generation of a
 .Pa core
--- a/usr.bin/lastcomm/lastcomm.c
+++ b/usr.bin/lastcomm/lastcomm.c
@ -1,4 +1,4 @@
-/*	$OpenBSD: lastcomm.c,v 1.35 2024/01/19 14:25:03 deraadt Exp $	*/
+/*	$OpenBSD: lastcomm.c,v 1.36 2024/02/25 00:07:13 deraadt Exp $	*/
 /*	$NetBSD: lastcomm.c,v 1.9 1995/10/22 01:43:42 ghudson Exp $	*/

 /*
@ -178,6 +178,7 @@ flagbits(int f)
 	BIT(ATRAP, 'T');
 	BIT(AUNVEIL, 'U');
 	BIT(APINSYS, 'S');
+	BIT(ABTCFI, 'B');
 	*p = '\0';
 	return (flags);
 }