Source-Changes-HG archive

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index][Old Index]

[src/trunk]: src/sys Recommit exec_subr.c revision 1.79:



details:   https://anonhg.NetBSD.org/src/rev/0d456a690382
branches:  trunk
changeset: 824952:0d456a690382
user:      joerg <joerg%NetBSD.org@localhost>
date:      Fri Jun 23 21:28:38 2017 +0000

description:
Recommit exec_subr.c revision 1.79:
  Always include a 1MB guard area beyond the end of stack. While ASLR will
  normally create a guard area as well, this provides a deterministic area
  for all binaries.

  Mitigates the rest of CVE-2017-1000374 and CVE-2017-1000375 from
  Qualys.

Additionally, change VM_DEFAULT_ADDRESS_TOPDOWN to include
user_stack_guard_size in the size reservation.

diffstat:

 sys/arch/amd64/include/vmparam.h   |   4 +---
 sys/arch/i386/include/vmparam.h    |   4 +---
 sys/arch/mips/include/vmparam.h    |   4 ++--
 sys/arch/powerpc/include/vmparam.h |   4 +---
 sys/arch/riscv/include/vmparam.h   |   4 ++--
 sys/kern/exec_subr.c               |  17 +++++++++++++++--
 sys/uvm/uvm_param.h                |   5 +++--
 7 files changed, 25 insertions(+), 17 deletions(-)

diffs (156 lines):

diff -r e9db4e5c6c92 -r 0d456a690382 sys/arch/amd64/include/vmparam.h
--- a/sys/arch/amd64/include/vmparam.h  Fri Jun 23 18:40:03 2017 +0000
+++ b/sys/arch/amd64/include/vmparam.h  Fri Jun 23 21:28:38 2017 +0000
@@ -1,4 +1,4 @@
-/*     $NetBSD: vmparam.h,v 1.41 2017/06/17 08:40:46 maxv Exp $        */
+/*     $NetBSD: vmparam.h,v 1.42 2017/06/23 21:28:38 joerg Exp $       */
 
 /*-
  * Copyright (c) 1990 The Regents of the University of California.
@@ -135,8 +135,6 @@
 #endif
 #define __USE_TOPDOWN_VM
 
-#define VM_DEFAULT_ADDRESS_TOPDOWN(da, sz) \
-    trunc_page(USRSTACK - MAXSSIZ - (sz))
 #define VM_DEFAULT_ADDRESS_BOTTOMUP(da, sz) \
     round_page((vaddr_t)(da) + (vsize_t)maxdmap)
 
diff -r e9db4e5c6c92 -r 0d456a690382 sys/arch/i386/include/vmparam.h
--- a/sys/arch/i386/include/vmparam.h   Fri Jun 23 18:40:03 2017 +0000
+++ b/sys/arch/i386/include/vmparam.h   Fri Jun 23 21:28:38 2017 +0000
@@ -1,4 +1,4 @@
-/*     $NetBSD: vmparam.h,v 1.84 2017/02/11 15:05:15 maxv Exp $        */
+/*     $NetBSD: vmparam.h,v 1.85 2017/06/23 21:28:38 joerg Exp $       */
 
 /*-
  * Copyright (c) 1990 The Regents of the University of California.
@@ -114,8 +114,6 @@
 #include "opt_xen.h"
 #endif
 #define __USE_TOPDOWN_VM
-#define VM_DEFAULT_ADDRESS_TOPDOWN(da, sz) \
-    trunc_page(USRSTACK - MAXSSIZ - (sz))
 #define VM_DEFAULT_ADDRESS_BOTTOMUP(da, sz) \
     round_page((vaddr_t)(da) + (vsize_t)MIN(maxdmap, MAXDSIZ_BU))
 
diff -r e9db4e5c6c92 -r 0d456a690382 sys/arch/mips/include/vmparam.h
--- a/sys/arch/mips/include/vmparam.h   Fri Jun 23 18:40:03 2017 +0000
+++ b/sys/arch/mips/include/vmparam.h   Fri Jun 23 21:28:38 2017 +0000
@@ -1,4 +1,4 @@
-/*     $NetBSD: vmparam.h,v 1.57 2016/11/22 11:01:50 skrll Exp $       */
+/*     $NetBSD: vmparam.h,v 1.58 2017/06/23 21:28:38 joerg Exp $       */
 
 /*
  * Copyright (c) 1988 University of Utah.
@@ -185,7 +185,7 @@
 #define __USE_TOPDOWN_VM
 
 #define VM_DEFAULT_ADDRESS_TOPDOWN(da, sz) \
-    trunc_page(USRSTACK - MAXSSIZ - (sz))
+    trunc_page(USRSTACK - MAXSSIZ - (sz) - user_stack_guard_size)
 #define VM_DEFAULT_ADDRESS_BOTTOMUP(da, sz) \
     round_page((vaddr_t)(da) + (vsize_t)maxdmap)
 
diff -r e9db4e5c6c92 -r 0d456a690382 sys/arch/powerpc/include/vmparam.h
--- a/sys/arch/powerpc/include/vmparam.h        Fri Jun 23 18:40:03 2017 +0000
+++ b/sys/arch/powerpc/include/vmparam.h        Fri Jun 23 21:28:38 2017 +0000
@@ -1,4 +1,4 @@
-/*     $NetBSD: vmparam.h,v 1.19 2014/10/18 08:33:26 snj Exp $ */
+/*     $NetBSD: vmparam.h,v 1.20 2017/06/23 21:28:38 joerg Exp $       */
 
 #ifndef _POWERPC_VMPARAM_H_
 #define _POWERPC_VMPARAM_H_
@@ -25,8 +25,6 @@
  * top of the next lower segment.
  */
 #define        __USE_TOPDOWN_VM
-#define        VM_DEFAULT_ADDRESS_TOPDOWN(da, sz) \
-    ((VM_MAXUSER_ADDRESS - MAXSSIZ) - round_page(sz))
 #define VM_DEFAULT_ADDRESS_BOTTOMUP(da, sz) \
     round_page((vaddr_t)(da) + (vsize_t)maxdmap)
 
diff -r e9db4e5c6c92 -r 0d456a690382 sys/arch/riscv/include/vmparam.h
--- a/sys/arch/riscv/include/vmparam.h  Fri Jun 23 18:40:03 2017 +0000
+++ b/sys/arch/riscv/include/vmparam.h  Fri Jun 23 21:28:38 2017 +0000
@@ -1,4 +1,4 @@
-/*     $NetBSD: vmparam.h,v 1.1 2014/09/19 17:36:26 matt Exp $ */
+/*     $NetBSD: vmparam.h,v 1.2 2017/06/23 21:28:38 joerg Exp $        */
 
 /*-
  * Copyright (c) 2014 The NetBSD Foundation, Inc.
@@ -137,7 +137,7 @@
 #define __USE_TOPDOWN_VM
 
 #define VM_DEFAULT_ADDRESS_TOPDOWN(da, sz) \
-    trunc_page(USRSTACK - MAXSSIZ - (sz))
+    trunc_page(USRSTACK - MAXSSIZ - (sz) - user_stack_guard_size)
 #define VM_DEFAULT_ADDRESS_BOTTOMUP(da, sz) \
     round_page((vaddr_t)(da) + (vsize_t)maxdmap)
 
diff -r e9db4e5c6c92 -r 0d456a690382 sys/kern/exec_subr.c
--- a/sys/kern/exec_subr.c      Fri Jun 23 18:40:03 2017 +0000
+++ b/sys/kern/exec_subr.c      Fri Jun 23 21:28:38 2017 +0000
@@ -1,4 +1,4 @@
-/*     $NetBSD: exec_subr.c,v 1.80 2017/06/19 19:02:16 joerg Exp $     */
+/*     $NetBSD: exec_subr.c,v 1.81 2017/06/23 21:28:38 joerg Exp $     */
 
 /*
  * Copyright (c) 1993, 1994, 1996 Christopher G. Demetriou
@@ -31,7 +31,7 @@
  */
 
 #include <sys/cdefs.h>
-__KERNEL_RCSID(0, "$NetBSD: exec_subr.c,v 1.80 2017/06/19 19:02:16 joerg Exp $");
+__KERNEL_RCSID(0, "$NetBSD: exec_subr.c,v 1.81 2017/06/23 21:28:38 joerg Exp $");
 
 #include "opt_pax.h"
 
@@ -67,6 +67,8 @@
 #define DPRINTF(a)
 #endif
 
+uint32_t user_stack_guard_size = 1024 * 1024;
+
 /*
  * new_vmcmd():
  *     create a new vmcmd structure and fill in its fields based
@@ -440,6 +442,17 @@
            (uintmax_t)access_size, (uintmax_t)access_linear_min,
            (uintmax_t)noaccess_size, (uintmax_t)noaccess_linear_min));
 
+       if (user_stack_guard_size > 0) {
+#ifdef __MACHINE_STACK_GROWS_UP
+               vsize_t guard_size = MIN(VM_MAXUSER_ADDRESS - epp->ep_maxsaddr, user_stack_guard_size);
+               if (guard_size > 0)
+                       NEW_VMCMD(&epp->ep_vmcmds, vmcmd_map_zero, guard_size,
+                           epp->ep_maxsaddr, NULL, 0, VM_PROT_NONE);
+#else
+               NEW_VMCMD(&epp->ep_vmcmds, vmcmd_map_zero, user_stack_guard_size,
+                   epp->ep_maxsaddr - user_stack_guard_size, NULL, 0, VM_PROT_NONE);
+#endif
+       }
        if (noaccess_size > 0 && noaccess_size <= MAXSSIZ) {
                NEW_VMCMD2(&epp->ep_vmcmds, vmcmd_map_zero, noaccess_size,
                    noaccess_linear_min, NULL, 0, VM_PROT_NONE, VMCMD_STACK);
diff -r e9db4e5c6c92 -r 0d456a690382 sys/uvm/uvm_param.h
--- a/sys/uvm/uvm_param.h       Fri Jun 23 18:40:03 2017 +0000
+++ b/sys/uvm/uvm_param.h       Fri Jun 23 21:28:38 2017 +0000
@@ -1,4 +1,4 @@
-/*     $NetBSD: uvm_param.h,v 1.35 2015/09/26 20:28:38 christos Exp $  */
+/*     $NetBSD: uvm_param.h,v 1.36 2017/06/23 21:28:39 joerg Exp $     */
 
 /*
  * Copyright (c) 1991, 1993
@@ -224,9 +224,10 @@
     round_page((vaddr_t)(da) + (vsize_t)maxdmap)
 #endif
 
+extern uint32_t user_stack_guard_size;
 #ifndef VM_DEFAULT_ADDRESS_TOPDOWN
 #define VM_DEFAULT_ADDRESS_TOPDOWN(da, sz) \
-    trunc_page(VM_MAXUSER_ADDRESS - MAXSSIZ - (sz))
+    trunc_page(VM_MAXUSER_ADDRESS - MAXSSIZ - (sz) - user_stack_guard_size)
 #endif
 
 extern int             ubc_nwins;      /* number of UBC mapping windows */



Home | Main Index | Thread Index | Old Index