[src/trunk]: src/sys Add PAX_MPROTECT_DEBUG
details: https://anonhg.NetBSD.org/src/rev/fb3b30ef5fa0
branches: trunk
changeset: 344611:fb3b30ef5fa0
user: christos <christos%NetBSD.org@localhost>
date: Thu Apr 07 03:31:12 2016 +0000
description:
Add PAX_MPROTECT_DEBUG
diffstat:
sys/kern/exec_subr.c | 16 +++++-----------
sys/kern/kern_pax.c | 39 ++++++++++++++++++++++++++++++---------
sys/sys/pax.h | 19 +++++++++++++++++--
sys/uvm/uvm_mmap.c | 8 +++-----
sys/uvm/uvm_unix.c | 8 +++-----
5 files changed, 58 insertions(+), 32 deletions(-)
diffs (229 lines):
diff -r 43b9af285fdf -r fb3b30ef5fa0 sys/kern/exec_subr.c
--- a/sys/kern/exec_subr.c Thu Apr 07 03:22:15 2016 +0000
+++ b/sys/kern/exec_subr.c Thu Apr 07 03:31:12 2016 +0000
@@ -1,4 +1,4 @@
-/* $NetBSD: exec_subr.c,v 1.72 2015/09/26 16:12:24 maxv Exp $ */
+/* $NetBSD: exec_subr.c,v 1.73 2016/04/07 03:31:12 christos Exp $ */
/*
* Copyright (c) 1993, 1994, 1996 Christopher G. Demetriou
@@ -31,7 +31,7 @@
*/
#include <sys/cdefs.h>
-__KERNEL_RCSID(0, "$NetBSD: exec_subr.c,v 1.72 2015/09/26 16:12:24 maxv Exp $");
+__KERNEL_RCSID(0, "$NetBSD: exec_subr.c,v 1.73 2016/04/07 03:31:12 christos Exp $");
#include "opt_pax.h"
@@ -184,9 +184,7 @@
prot = cmd->ev_prot;
maxprot = UVM_PROT_ALL;
-#ifdef PAX_MPROTECT
- pax_mprotect(l, &prot, &maxprot);
-#endif /* PAX_MPROTECT */
+ PAX_MPROTECT_ADJUST(l, &prot, &maxprot);
/*
* check the file system's opinion about mmapping the file
@@ -266,9 +264,7 @@
prot = cmd->ev_prot;
maxprot = VM_PROT_ALL;
-#ifdef PAX_MPROTECT
- pax_mprotect(l, &prot, &maxprot);
-#endif /* PAX_MPROTECT */
+ PAX_MPROTECT_ADJUST(l, &prot, &maxprot);
#ifdef PMAP_NEED_PROCWR
/*
@@ -326,9 +322,7 @@
prot = cmd->ev_prot;
maxprot = UVM_PROT_ALL;
-#ifdef PAX_MPROTECT
- pax_mprotect(l, &prot, &maxprot);
-#endif /* PAX_MPROTECT */
+ PAX_MPROTECT_ADJUST(l, &prot, &maxprot);
error = uvm_map(&p->p_vmspace->vm_map, &cmd->ev_addr,
round_page(cmd->ev_len), NULL, UVM_UNKNOWN_OFFSET, 0,
diff -r 43b9af285fdf -r fb3b30ef5fa0 sys/kern/kern_pax.c
--- a/sys/kern/kern_pax.c Thu Apr 07 03:22:15 2016 +0000
+++ b/sys/kern/kern_pax.c Thu Apr 07 03:31:12 2016 +0000
@@ -1,4 +1,4 @@
-/* $NetBSD: kern_pax.c,v 1.37 2016/04/04 16:47:39 christos Exp $ */
+/* $NetBSD: kern_pax.c,v 1.38 2016/04/07 03:31:12 christos Exp $ */
/*
* Copyright (c) 2015 The NetBSD Foundation, Inc.
@@ -57,7 +57,7 @@
*/
#include <sys/cdefs.h>
-__KERNEL_RCSID(0, "$NetBSD: kern_pax.c,v 1.37 2016/04/04 16:47:39 christos Exp $");
+__KERNEL_RCSID(0, "$NetBSD: kern_pax.c,v 1.38 2016/04/07 03:31:12 christos Exp $");
#include "opt_pax.h"
@@ -114,6 +114,9 @@
static int pax_mprotect_global = PAX_MPROTECT;
static bool pax_mprotect_elf_flags_active(uint32_t);
#endif /* PAX_MPROTECT */
+#ifdef PAX_MPROTECT_DEBUG
+int pax_mprotect_debug;
+#endif
#ifdef PAX_SEGVGUARD
#ifndef PAX_SEGVGUARD_EXPIRY
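Review bot: `pax_mprotect_debug` is defined with external linkage, while the neighbouring `pax_mprotect_global` is `static` and the pax.h hunk in this commit adds no `extern` declaration for it. If only kern_pax.c reads and registers the variable, as the visible hunks suggest, `static int pax_mprotect_debug;` keeps the knob out of the kernel's global namespace. A short comment such as `/* 0 (default) = quiet, non-zero = log every adjustment */` would also record that the zero initial value leaves logging off.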
@@ -189,6 +192,14 @@
"all processes."),
NULL, 0, &pax_mprotect_global, 0,
CTL_CREATE, CTL_EOL);
+#ifdef PAX_MPROTECT_DEBUG
+ sysctl_createv(clog, 0, &rnode, NULL,
+ CTLFLAG_PERMANENT|CTLFLAG_READWRITE,
+ CTLTYPE_INT, "debug",
+ SYSCTL_DESCR("print mprotect changes."),
+ NULL, 0, &pax_mprotect_debug, 0,
+ CTL_CREATE, CTL_EOL);
+#endif
#endif /* PAX_MPROTECT */
#ifdef PAX_SEGVGUARD
@@ -354,7 +365,11 @@
}
void
-pax_mprotect(struct lwp *l, vm_prot_t *prot, vm_prot_t *maxprot)
+pax_mprotect_adjust(
+#ifdef PAX_MPROTECT_DEBUG
+ const char *file, size_t line,
+#endif
+ struct lwp *l, vm_prot_t *prot, vm_prot_t *maxprot)
{
uint32_t flags;
@@ -363,18 +378,24 @@
return;
if ((*prot & (VM_PROT_WRITE|VM_PROT_EXECUTE)) != VM_PROT_EXECUTE) {
-#ifdef DIAGNOSTIC
+#ifdef PAX_MPROTECT_DEBUG
struct proc *p = l->l_proc;
- printf("%s: %d.%d (%s): clearing execute bit\n", __func__,
- p->p_pid, l->l_lid, p->p_comm);
+ if (pax_mprotect_debug) {
+ printf("%s: %s,%zu: %d.%d (%s): -x\n",
+ __func__, file, line,
+ p->p_pid, l->l_lid, p->p_comm);
+ }
#endif
*prot &= ~VM_PROT_EXECUTE;
*maxprot &= ~VM_PROT_EXECUTE;
} else {
-#ifdef DIAGNOSTIC
+#ifdef PAX_MPROTECT_DEBUG
struct proc *p = l->l_proc;
- printf("%s: %d.%d (%s): clearing write bit\n", __func__,
- p->p_pid, l->l_lid, p->p_comm);
+ if (pax_mprotect_debug) {
+ printf("%s: %s,%zu: %d.%d (%s): -w\n",
+ __func__, file, line,
+ p->p_pid, l->l_lid, p->p_comm);
+ }
#endif
*prot &= ~VM_PROT_WRITE;
*maxprot &= ~VM_PROT_WRITE;
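Review bot: Once `pax_mprotect_debug` is non-zero, one of the two `printf` calls fires on every call that reaches this `if`/`else`. The `-x` branch is taken for any request that is not execute-only, including the `UVM_PROT_READ | UVM_PROT_WRITE` break mapping in uvm_unix.c, which never asked for execute. Ordinary mmap, exec and brk activity from any process then produces kernel messages, so the volume is controlled by unprivileged callers and can push older entries out of the message buffer; the logged `p->p_comm` is also a name the process chooses. Consider rate-limiting the output with ratecheck(9), or logging only when the requested protection actually loses a bit, e.g. `if (pax_mprotect_debug && (*prot & VM_PROT_EXECUTE))` in the first branch. The function body starts and ends outside this hunk.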
diff -r 43b9af285fdf -r fb3b30ef5fa0 sys/sys/pax.h
--- a/sys/sys/pax.h Thu Apr 07 03:22:15 2016 +0000
+++ b/sys/sys/pax.h Thu Apr 07 03:31:12 2016 +0000
@@ -1,4 +1,4 @@
-/* $NetBSD: pax.h,v 1.18 2016/03/20 14:58:11 khorben Exp $ */
+/* $NetBSD: pax.h,v 1.19 2016/04/07 03:31:12 christos Exp $ */
/*-
* Copyright (c) 2006 Elad Efrat <elad%NetBSD.org@localhost>
@@ -54,7 +54,22 @@
void pax_init(void);
void pax_setup_elf_flags(struct exec_package *, uint32_t);
-void pax_mprotect(struct lwp *, vm_prot_t *, vm_prot_t *);
+void pax_mprotect_adjust(
+#ifdef PAX_MPROTECT_DEBUG
+ const char *, size_t,
+#endif
+ struct lwp *, vm_prot_t *, vm_prot_t *);
+#ifndef PAX_MPROTECT
+# define PAX_MPROTECT_ADJUST(a, b, c)
+#else
+# ifdef PAX_MPROTECT_DEBUG
+# define PAX_MPROTECT_ADJUST(a, b, c) \
+ pax_mprotect_adjust(__FILE__, __LINE__, (a), (b), (c))
+# else
+# define PAX_MPROTECT_ADJUST(a, b, c) \
+ pax_mprotect_adjust((a), (b), (c))
+# endif
+#endif
int pax_segvguard(struct lwp *, struct vnode *, const char *, bool);
#define PAX_ASLR_DELTA(delta, lsb, len) \
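Review bot: `PAX_MPROTECT_ADJUST` expands to nothing whenever `PAX_MPROTECT` is not defined at the point pax.h is included, so a source file that omits `#include "opt_pax.h"` silently loses the adjustment at its call site with no compile error. The prototype has the same dependency on `PAX_MPROTECT_DEBUG`, where a mismatch between translation units changes the argument list. The calling files touched here (exec_subr.c, uvm_mmap.c, uvm_unix.c) do include opt_pax.h, but the header does not state the requirement. A comment above the prototype such as `/* opt_pax.h must be included first: PAX_MPROTECT and PAX_MPROTECT_DEBUG select the prototype and macro below */` would make it explicit.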
diff -r 43b9af285fdf -r fb3b30ef5fa0 sys/uvm/uvm_mmap.c
--- a/sys/uvm/uvm_mmap.c Thu Apr 07 03:22:15 2016 +0000
+++ b/sys/uvm/uvm_mmap.c Thu Apr 07 03:31:12 2016 +0000
@@ -1,4 +1,4 @@
-/* $NetBSD: uvm_mmap.c,v 1.154 2015/11/26 13:15:34 martin Exp $ */
+/* $NetBSD: uvm_mmap.c,v 1.155 2016/04/07 03:31:12 christos Exp $ */
/*
* Copyright (c) 1997 Charles D. Cranor and Washington University.
@@ -46,7 +46,7 @@
*/
#include <sys/cdefs.h>
-__KERNEL_RCSID(0, "$NetBSD: uvm_mmap.c,v 1.154 2015/11/26 13:15:34 martin Exp $");
+__KERNEL_RCSID(0, "$NetBSD: uvm_mmap.c,v 1.155 2016/04/07 03:31:12 christos Exp $");
#include "opt_compat_netbsd.h"
#include "opt_pax.h"
@@ -418,9 +418,7 @@
pos = 0;
}
-#ifdef PAX_MPROTECT
- pax_mprotect(l, &prot, &maxprot);
-#endif /* PAX_MPROTECT */
+ PAX_MPROTECT_ADJUST(l, &prot, &maxprot);
#ifdef PAX_ASLR
pax_aslr_mmap(l, &addr, orig_addr, flags);
diff -r 43b9af285fdf -r fb3b30ef5fa0 sys/uvm/uvm_unix.c
--- a/sys/uvm/uvm_unix.c Thu Apr 07 03:22:15 2016 +0000
+++ b/sys/uvm/uvm_unix.c Thu Apr 07 03:31:12 2016 +0000
@@ -1,4 +1,4 @@
-/* $NetBSD: uvm_unix.c,v 1.45 2014/09/05 05:36:49 matt Exp $ */
+/* $NetBSD: uvm_unix.c,v 1.46 2016/04/07 03:31:12 christos Exp $ */
/*
* Copyright (c) 1997 Charles D. Cranor and Washington University.
@@ -45,7 +45,7 @@
*/
#include <sys/cdefs.h>
-__KERNEL_RCSID(0, "$NetBSD: uvm_unix.c,v 1.45 2014/09/05 05:36:49 matt Exp $");
+__KERNEL_RCSID(0, "$NetBSD: uvm_unix.c,v 1.46 2016/04/07 03:31:12 christos Exp $");
#include "opt_pax.h"
@@ -103,9 +103,7 @@
vm_prot_t prot = UVM_PROT_READ | UVM_PROT_WRITE;
vm_prot_t maxprot = UVM_PROT_ALL;
-#ifdef PAX_MPROTECT
- pax_mprotect(l, &prot, &maxprot);
-#endif /* PAX_MPROTECT */
+ PAX_MPROTECT_ADJUST(l, &prot, &maxprot);
error = uvm_map(&vm->vm_map, &obreak, nbreak - obreak, NULL,
UVM_UNKNOWN_OFFSET, 0,