execl(3) and its variants use a sentinel to terminate the variadic
argument list, in the form of a null pointer constant of type pointer to
char. POSIX mandates that NULL is a null pointer constant of type
pointer to void, which is not of an equivalent type to that required by
execl(3) and its variants, resulting in undefined behaviour.
This commit casts all such instances of NULL to pointer to char type.
For consistency, it also adds const-qualification to any such instances
which had already been casted, and were not const-qualified.
Add short options for most long options. Rename the -i option to -H, but
support -i for compatibility until the next release cycle, where -i will
become the short option of --identifier. Rename --include to --headers
and support --include until the next release cycle.
Add carray(1) manual page which makes --help unnecessary, and remove
--version as it surely matches your local Sortix version.
This change hardens against invalid calls to sigreturn, which is a very
useful gadget when compromising a process. The system call now verifies
it is a real return from a signal and aborts the process otherwise. This
should render such attacks impossible in threads that are not servicing a
signal, and infeasible in threads that are handling signals they are yet to
return from.
The kernel now keeps track for each thread how many signals are being
handled but haven't returned yet.
Each thread now has a random signal value. It is re-randomized when the
thread handles a signal and the current signal counter is zero. This is
xorred with the context address and used as canary on the stack during
signal dispatch, protecting the saved context on the stack. This works
mostly like the regular stack protector.
The kernel now keeps track of the stack pointer for a single handled
signal per thread. It doesn't seem worth it to keep track of multiple
handled signals, as more than one is rare. Note that each delivered signal
will not necessarily result in a sigreturn because it is valid for a thread
to longjmp(3) out of a signal handler to a valid jmp_buf.
The sigreturn system call will abort if either:
- It was not called from the kernel sigreturn page.
- The thread is not currently processing a signal.
- The thread is processing a single signal, and the stack pointer did not
have the expected value.
- It fails to read the context on the stack.
- The canary is wrong.
This properly avoids problems where the compiler is unaware that this is the
implementation and assumes it can rely on the implementation. For instance,
it might implement calloc using a call to calloc.
Restructure the code that wrongly assumed __STDC_HOSTED__ meant userspace.
Jonas 'Sortie' Termansen
Ralph Holmes
rocketpenguin1
Nicholas De Nova