Contributed by rueda on 2019-06-04 from the conceal my writeable calls dept.

Introduction

There have been some recent security innovations previously unreported here:

New flag "MAP_CONCEAL" for mmap(2) allocations
No syscalls from pages where PROT_WRITE is still enabled

New mmap(2) flag: MAP_CONCEAL

Scott Soule Cheloha (cheloha@) committed code changes to support a new "MAP_CONCEAL" flag for mmap(2):

CVSROOT:     /cvs
Module name: src
Changes by:  cheloha@cvs.openbsd.org 2019/02/28 18:46:18

Modified files:
    sys/sys : mman.h
    sys/uvm : uvm.h uvm_extern.h uvm_map.c uvm_mmap.c uvm_unix.c

Log message:
New mmap(2) flag: MAP_CONCEAL.

MAP_CONCEAL'd memory is not written to disk in the event of a core dump.
It may grow other qualities in the future.

Wanted by libressl, probably useful elsewhere, too.

Prompted by deraadt@, concept from deraadt@/kettenis@.
With input from deraadt@, cjeker@, kettenis@, otto@, bcook@, matthew@,
guenther@, djm@, and tedu@.

ok otto@ deraadt@

This was followed by the addition of malloc_conceal(3) and calloc_conceal(3) by Otto Moerbeek (otto@):

CVSROOT:     /cvs
Module name: src
Changes by:  otto@cvs.openbsd.org 2019/05/10 09:03:24

Modified files:
    include         : stdlib.h
    lib/libc        : Symbols.list shlib_version
    lib/libc/hidden : stdlib.h
    lib/libc/stdlib : malloc.3 malloc.c

Log message:
Introduce malloc_conceal() and calloc_conceal(). Similar to their
counterparts but return memory in pages marked MAP_CONCEAL and on
free() freezero() is actually called.

smtpd(8) then became the first user of these functions, as seen in this commit, to reduce the chances of leaking SSL data.
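As an added illustration (not code from the article or from OpenBSD's libc), here is how a program keeps key material out of a core dump using the flag described above, paired with a freezero(3)-style wipe before release. It assumes MAP_CONCEAL is available under that name; where it is not (e.g. Linux), it falls back to madvise(MADV_DONTDUMP), which is the closest equivalent there.

```c
#define _DEFAULT_SOURCE 1   /* exposes MAP_ANONYMOUS / madvise on glibc */
#include <stddef.h>
#include <string.h>
#include <sys/mman.h>

/* Allocate page-backed memory that is excluded from core dumps.
 * OpenBSD: MAP_CONCEAL at mmap(2) time.  Linux fallback: MADV_DONTDUMP. */
void *secret_alloc(size_t len)
{
    int flags = MAP_PRIVATE | MAP_ANONYMOUS;
#ifdef MAP_CONCEAL
    flags |= MAP_CONCEAL;
#endif
    void *p = mmap(NULL, len, PROT_READ | PROT_WRITE, flags, -1, 0);
    if (p == MAP_FAILED)
        return NULL;
#if !defined(MAP_CONCEAL) && defined(MADV_DONTDUMP)
    if (madvise(p, len, MADV_DONTDUMP) == -1) {
        munmap(p, len);
        return NULL;
    }
#endif
    return p;
}

/* Overwrite the secret before the pages are given back, as freezero(3)
 * does for malloc_conceal'd memory.  The volatile pointer stops the
 * compiler from dropping the stores as dead writes. */
void secret_wipe(void *p, size_t len)
{
    volatile unsigned char *v = p;
    for (size_t i = 0; i < len; i++)
        v[i] = 0;
}

void secret_free(void *p, size_t len)
{
    secret_wipe(p, len);
    munmap(p, len);
}

/* Round trip: store constructed key bytes, wipe, verify all zero.
 * Returns 1 on success, 0 on any failure. */
int secret_roundtrip(void)
{
    const char key[] = "constructed-key-material";   /* sample input */
    size_t len = 4096;
    unsigned char *buf = secret_alloc(len);
    if (buf == NULL)
        return 0;
    memcpy(buf, key, sizeof key);
    int stored = memcmp(buf, key, sizeof key) == 0;
    secret_wipe(buf, len);
    int clean = 1;
    for (size_t i = 0; i < len; i++)
        clean &= (buf[i] == 0);
    munmap(buf, len);
    return stored && clean;
}
```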

System Calls Prohibited from PROT_WRITE Memory

Theo de Raadt (deraadt@) committed an improvement that checks the permissions of the memory a system call is issued from, ensuring it is not in a region that is writeable at the time of the call (in addition to the existing check that the stack pointer is valid).