Source-Changes-HG archive
[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index][Old Index]
[src/trunk]: src/sys/kern - make pax aslr stack eat up to 1/8 of the max stac...
details: https://anonhg.NetBSD.org/src/rev/ec9107a01faa
branches: trunk
changeset: 345227:ec9107a01faa
user: christos <christos%NetBSD.org@localhost>
date: Fri May 13 17:33:43 2016 +0000
description:
- make pax aslr stack eat up to 1/8 of the max stack space insted of 1/4
and reduce the length of the randomization bits since this is unused.
- call the pax aslr stack function sooner so we don't need to re-adjust the
stack size.
- adjust the stack max resource limit to account for the maximum space that
can be lost by aslr
- tidy up debugging printfs
diffstat:
sys/kern/exec_subr.c | 36 ++++++++++++++++++------------------
sys/kern/kern_pax.c | 19 ++++++++++++-------
2 files changed, 30 insertions(+), 25 deletions(-)
diffs (135 lines):
diff -r 074c9aad1d98 -r ec9107a01faa sys/kern/exec_subr.c
--- a/sys/kern/exec_subr.c Fri May 13 16:54:36 2016 +0000
+++ b/sys/kern/exec_subr.c Fri May 13 17:33:43 2016 +0000
@@ -1,4 +1,4 @@
-/* $NetBSD: exec_subr.c,v 1.74 2016/04/07 12:06:50 christos Exp $ */
+/* $NetBSD: exec_subr.c,v 1.75 2016/05/13 17:33:43 christos Exp $ */
/*
* Copyright (c) 1993, 1994, 1996 Christopher G. Demetriou
@@ -31,7 +31,7 @@
*/
#include <sys/cdefs.h>
-__KERNEL_RCSID(0, "$NetBSD: exec_subr.c,v 1.74 2016/04/07 12:06:50 christos Exp $");
+__KERNEL_RCSID(0, "$NetBSD: exec_subr.c,v 1.75 2016/05/13 17:33:43 christos Exp $");
#include "opt_pax.h"
@@ -391,25 +391,27 @@
max_stack_size = MAXSSIZ;
}
- DPRINTF(("ep_minsaddr=%llx max_stack_size=%llx\n",
- (unsigned long long)epp->ep_minsaddr,
- (unsigned long long)max_stack_size));
-
- epp->ep_ssize = MIN(l->l_proc->p_rlimit[RLIMIT_STACK].rlim_cur,
- max_stack_size);
+ DPRINTF(("ep_minsaddr=%#jx max_stack_size=%#jx\n",
+ (uintmax_t)epp->ep_minsaddr, (uintmax_t)max_stack_size));
#ifdef PAX_ASLR
pax_aslr_stack(epp, &max_stack_size);
#endif /* PAX_ASLR */
+ DPRINTF(("[RLIMIT_STACK].lim_cur=%#jx max_stack_size=%#jx\n",
+ (uintmax_t)l->l_proc->p_rlimit[RLIMIT_STACK].rlim_cur,
+ (uintmax_t)max_stack_size));
+ epp->ep_ssize = MIN(l->l_proc->p_rlimit[RLIMIT_STACK].rlim_cur,
+ max_stack_size);
+
l->l_proc->p_stackbase = epp->ep_minsaddr;
epp->ep_maxsaddr = (vaddr_t)STACK_GROW(epp->ep_minsaddr,
- max_stack_size);
+ max_stack_size);
- DPRINTF(("ep_ssize=%llx ep_maxsaddr=%llx\n",
- (unsigned long long)epp->ep_ssize,
- (unsigned long long)epp->ep_maxsaddr));
+ DPRINTF(("ep_ssize=%#jx ep_minsaddr=%#jx ep_maxsaddr=%#jx\n",
+ (uintmax_t)epp->ep_ssize, (uintmax_t)epp->ep_minsaddr,
+ (uintmax_t)epp->ep_maxsaddr));
/*
* set up commands for stack. note that this takes *two*, one to
@@ -425,12 +427,10 @@
noaccess_linear_min = (vaddr_t)STACK_ALLOC(STACK_GROW(epp->ep_minsaddr,
access_size), noaccess_size);
- DPRINTF(("access_size=%llx, access_linear_min=%llx, "
- "noaccess_size=%llx, noaccess_linear_min=%llx\n",
- (unsigned long long)access_size,
- (unsigned long long)access_linear_min,
- (unsigned long long)noaccess_size,
- (unsigned long long)noaccess_linear_min));
+ DPRINTF(("access_size=%#jx, access_linear_min=%#jx, "
+ "noaccess_size=%#jx, noaccess_linear_min=%#jx\n",
+ (uintmax_t)access_size, (uintmax_t)access_linear_min,
+ (uintmax_t)noaccess_size, (uintmax_t)noaccess_linear_min));
if (noaccess_size > 0 && noaccess_size <= MAXSSIZ) {
NEW_VMCMD2(&epp->ep_vmcmds, vmcmd_map_zero, noaccess_size,
diff -r 074c9aad1d98 -r ec9107a01faa sys/kern/kern_pax.c
--- a/sys/kern/kern_pax.c Fri May 13 16:54:36 2016 +0000
+++ b/sys/kern/kern_pax.c Fri May 13 17:33:43 2016 +0000
@@ -1,4 +1,4 @@
-/* $NetBSD: kern_pax.c,v 1.43 2016/05/08 20:01:56 christos Exp $ */
+/* $NetBSD: kern_pax.c,v 1.44 2016/05/13 17:33:43 christos Exp $ */
/*
* Copyright (c) 2015 The NetBSD Foundation, Inc.
@@ -57,7 +57,7 @@
*/
#include <sys/cdefs.h>
-__KERNEL_RCSID(0, "$NetBSD: kern_pax.c,v 1.43 2016/05/08 20:01:56 christos Exp $");
+__KERNEL_RCSID(0, "$NetBSD: kern_pax.c,v 1.44 2016/05/13 17:33:43 christos Exp $");
#include "opt_pax.h"
@@ -104,11 +104,12 @@
#define PAX_ASLR_DELTA_STACK_LSB PGSHIFT
#endif
#ifndef PAX_ASLR_DELTA_STACK_LEN
-#define PAX_ASLR_DELTA_STACK_LEN PAX_ASLR_DELTA_MMAP_LEN
+#define PAX_ASLR_DELTA_STACK_LEN ((sizeof(void *) * NBBY) / 4)
#endif
#ifndef PAX_ASLR_DELTA_STACK_LEN32
-#define PAX_ASLR_DELTA_STACK_LEN32 PAX_ASLR_DELTA_MMAP_LEN32
+#define PAX_ASLR_DELTA_STACK_LEN32 ((sizeof(uint32_t) * NBBY) / 4)
#endif
+#define PAX_ASLR_MAX_STACK_WASTE 8
static bool pax_aslr_elf_flags_active(uint32_t);
#endif /* PAX_ASLR */
@@ -335,6 +336,12 @@
panic("pax_init: segvguard_id: error=%d\n", error);
}
#endif /* PAX_SEGVGUARD */
+#ifdef PAX_ASLR
+ /* Adjust maximum stack by the size we can consume for ASLR */
+ extern rlim_t maxsmap;
+ maxsmap = MAXSSIZ - (MAXSSIZ / PAX_ASLR_MAX_STACK_WASTE);
+ // XXX: compat32 is not handled.
+#endif
}
void
@@ -564,14 +571,12 @@
rand = pax_aslr_rand;
#endif
u_long d = PAX_ASLR_DELTA(rand, PAX_ASLR_DELTA_STACK_LSB, len);
- d &= (*max_stack_size / 4) - 1;
+ d &= (*max_stack_size / PAX_ASLR_MAX_STACK_WASTE) - 1;
u_long newminsaddr = (u_long)STACK_GROW(epp->ep_minsaddr, d);
PAX_DPRINTF("old minsaddr=%#jx delta=%#lx new minsaddr=%#lx",
(uintmax_t)epp->ep_minsaddr, d, newminsaddr);
epp->ep_minsaddr = (vaddr_t)newminsaddr;
*max_stack_size -= d;
- if (epp->ep_ssize > *max_stack_size)
- epp->ep_ssize = *max_stack_size;
}
uint32_t
Home |
Main Index |
Thread Index |
Old Index