HardenedBSD/lib
Kirk McKusick 75e3597abb
Continuing efforts to provide hardening of FFS, this change adds a
check hash to cylinder groups. If a check hash fails when a cylinder
group is read, no further allocations are attempted in that cylinder
group until it has been fixed by fsck. This avoids a class of
filesystem panics related to corrupted cylinder group maps. The
hash is done using crc32c.

Check hashes are added only to UFS2 and not to UFS1 as UFS1 is primarily
used in embedded systems with small memories and low-powered processors
which need as light-weight a filesystem as possible.

Specifics of the changes:

sys/sys/buf.h:
    Add BX_FSPRIV to reserve a set of eight b_xflags that may be used
    by individual filesystems for their own purpose. Their specific
    definitions are found in the header files for each filesystem
    that uses them. Also add fields to struct buf as noted below.

sys/kern/vfs_bio.c:
    It is only necessary to compute a check hash for a cylinder
    group when it is actually read from disk. When calling bread,
    you do not know whether the buffer was found in the cache or
    read. So a new flag (GB_CKHASH) and a pointer to a function to
    perform the hash has been added to breadn_flags to say that the
    function should be called to calculate a hash if the data has
    been read. The check hash is placed in b_ckhash and the B_CKHASH
    flag is set to indicate that a read was done and a check hash
    calculated. Though a rather elaborate mechanism, it should
    also work for check hashing other metadata in the future. A
    kernel internal API change was to change breada into a static
    function and add flags and a function pointer to a check-hash
    function.

sys/ufs/ffs/fs.h:
    Add flags for types of check hashes; stored in a new word in the
    superblock. Define corresponding BX_ flags for the different types
    of check hashes. Add a check hash word in the cylinder group.

sys/ufs/ffs/ffs_alloc.c:
    In ffs_getcg do the dance with breadn_flags to get a check hash and
    if one is provided, check it.

sys/ufs/ffs/ffs_vfsops.c:
    Copy across the BX_FFSTYPES flags in background writes.
    Update the check hash when writing out buffers that need them.

sys/ufs/ffs/ffs_snapshot.c:
    Recompute check hash when updating snapshot cylinder groups.

sys/libkern/crc32.c:
lib/libufs/Makefile:
lib/libufs/libufs.h:
lib/libufs/cgroup.c:
    Include libkern/crc32.c in libufs and use it to compute check
    hashes when updating cylinder groups.

Four utilities are affected:

sbin/newfs/mkfs.c:
    Add the check hashes when building the cylinder groups.

sbin/fsck_ffs/fsck.h:
sbin/fsck_ffs/fsutil.c:
    Verify and update check hashes when checking and writing cylinder groups.

sbin/fsck_ffs/pass5.c:
    Offer to add check hashes to existing filesystems.
    Precompute check hashes when rebuilding cylinder group
    (although this will be done when it is written in fsutil.c
    it is necessary to do it early before comparing with the old
    cylinder group)

sbin/dumpfs/dumpfs.c:
    Print out the new check hash flag(s)

sbin/fsdb/Makefile:
    Needs to add libufs now used by pass5.c imported from fsck_ffs.

Reviewed by: kib
Tested by: Peter Holm (pho)
2017-09-22 12:45:15 +00:00
atf Add HAS_TESTS to all Makefiles that are currently using the 2017-08-02 08:50:42 +00:00
clang Upgrade our copies of clang, llvm, lld, lldb, compiler-rt and libc++ to 2017-09-06 21:21:13 +00:00
csu Don't include GNU object attributes when building with clang. 2017-08-30 19:19:31 +00:00
lib80211
libalias
libarchive Add HAS_TESTS to all Makefiles that are currently using the 2017-08-02 08:50:42 +00:00
libauditd
libbegemot
libblacklist
libblocksruntime
libbluetooth
libbsdstat
libbsm
libbsnmp
libbz2
libc rename(2): document capability mode errors 2017-09-15 20:12:38 +00:00
libc_nonshared
libc++
libc++experimental
libcalendar
libcam Add HAS_TESTS to all Makefiles that use the SUBDIR.${MK_TESTS}+= tests idiom 2017-08-02 08:14:06 +00:00
libcapsicum capsicum_helpers: Add FIODTYPE to default ioctls allowed 2017-08-09 18:15:07 +00:00
libcasper Add supporting changes for Add limited sandbox capability to "make check" 2017-08-14 19:21:37 +00:00
libclang_rt
libcom_err
libcompat
libcompiler_rt Follow-up to r323001: if the actually selected CPUTYPE is capable of 2017-08-30 07:05:29 +00:00
libcrypt MFhead@r321916 2017-08-02 09:00:59 +00:00
libcuse
libcxxrt
libdevctl
libdevdctl
libdevinfo
libdevstat
libdl
libdpv
libdwarf
libedit libedit: raise the warning level to 3. 2017-09-14 19:50:07 +00:00
libefivar Minor fixes to edge cases in efi_get_next_variable_name 2017-09-13 04:32:23 +00:00
libelf
libelftc
libevent
libexecinfo
libexpat
libfetch In fetch_resolve(), if the port number or service name is included in 2017-08-18 18:20:36 +00:00
libfigpar
libgcc_eh
libgcc_s
libgeom libgeom: Remove redundant and duplicated code 2017-09-08 15:44:52 +00:00
libgpio
libgssapi
libiconv_modules
libifconfig
libipsec
libjail
libkiconv
libkvm Add HAS_TESTS to all Makefiles that use the SUBDIR.${MK_TESTS}+= tests idiom 2017-08-02 08:14:06 +00:00
libldns
liblzma
libmagic MFV r323678: file 5.32 2017-09-17 19:14:38 +00:00
libmd
libmemstat
libmilter
libmp Add HAS_TESTS to all Makefiles that are currently using the 2017-08-02 08:50:42 +00:00
libmt
libnandfs
libnetbsd
libnetgraph
libngatm
libnv Remove redundant initialization. Don't use variable - just return the value. 2017-09-21 10:00:16 +00:00
libopenbsd
libopie
libpam
libpathconv Add HAS_TESTS to all Makefiles that are currently using the 2017-08-02 08:50:42 +00:00
libpcap
libpe
libpjdlog
libpmc Skylake server core PMC support for hwpmc(4). 2017-09-06 17:19:48 +00:00
libproc Avoid keeping a dangling pointer when the mappings array is resized. 2017-09-06 16:24:34 +00:00
libprocstat
libradius
librpcsec_gss
librpcsvc
librss
librt Add HAS_TESTS to all Makefiles that are currently using the 2017-08-02 08:50:42 +00:00
librtld_db
libsbuf Add HAS_TESTS to all Makefiles that use the SUBDIR.${MK_TESTS}+= tests idiom 2017-08-02 08:14:06 +00:00
libsdp
libsm
libsmb
libsmdb
libsmutil
libsqlite3
libstand libstand: tftp_open() can leak pkt on error 2017-09-12 13:51:18 +00:00
libstdbuf
libstdthreads
libsysdecode libsysdecode: report invalid cap_rights_t 2017-09-17 14:03:54 +00:00
libtacplus
libtelnet
libthr Add HAS_TESTS to all Makefiles that are currently using the 2017-08-02 08:50:42 +00:00
libthread_db
libucl
libufs Continuing efforts to provide hardening of FFS, this change adds a 2017-09-22 12:45:15 +00:00
libugidfw
libulog
libunbound
libusb libusb(3): Expose device caps as libusb_bos_descriptor::dev_capability 2017-08-09 18:06:27 +00:00
libusbhid
libutil Add caveat to kinfo_getvmmap(3) explaining high CPU utilisation. 2017-08-18 16:42:58 +00:00
libvgl
libvmmapi
libwrap
libxo MFhead@r322023 2017-08-03 18:07:01 +00:00
liby
libypclnt
libz
libzstd
msun lib/msun: add more csqrt unit tests for precision and overflow 2017-08-29 22:37:24 +00:00
ncurses Hide sccsid under #if 0, per example in style(9) 2017-08-12 22:20:08 +00:00
tests
Makefile
Makefile.inc