D35349.id106598.diff
No OneTemporary
Actions

Size

8 KB

Referenced Files

None

Subscribers

None

D35349.id106598.diff
View Options

	Index: sys/kern/imgact_elf.c
	===================================================================
	--- sys/kern/imgact_elf.c
	+++ sys/kern/imgact_elf.c
	@@ -209,6 +209,12 @@
	__XSTRING(__CONCAT(ELF, __ELF_WORD_SIZE))
	": enable stack address randomization");

	+static int __elfN(aslr_shared_page) = __ELF_WORD_SIZE == 64;
	+SYSCTL_INT(ASLR_NODE_OID, OID_AUTO, shared_page, CTLFLAG_RWTUN,
	+ &__elfN(aslr_shared_page), 0,
	+ __XSTRING(__CONCAT(ELF, __ELF_WORD_SIZE))
	+ ": enable shared page address randomization");
	+
	static int __elfN(sigfastblock) = 1;
	SYSCTL_INT(__CONCAT(_kern_elf, __ELF_WORD_SIZE), OID_AUTO, sigfastblock,
	CTLFLAG_RWTUN, &__elfN(sigfastblock), 0,
	@@ -1305,6 +1311,8 @@
	imgp->map_flags \|= MAP_ASLR_IGNSTART;
	if (__elfN(aslr_stack))
	imgp->map_flags \|= MAP_ASLR_STACK;
	+ if (__elfN(aslr_shared_page))
	+ imgp->map_flags \|= MAP_ASLR_SHARED_PAGE;
	}

	if ((!__elfN(allow_wx) && (fctl0 & NT_FREEBSD_FCTL_WXNEEDED) == 0 &&
	Index: sys/kern/kern_exec.c
	===================================================================
	--- sys/kern/kern_exec.c
	+++ sys/kern/kern_exec.c
	@@ -1107,13 +1107,12 @@
	if (sv->sv_shared_page_obj == NULL)
	return;

	- pmap_remove(vmspace_pmap(vmspace), sv->sv_shared_page_base,
	- sv->sv_shared_page_base + sv->sv_shared_page_len);
	+ pmap_remove(vmspace_pmap(vmspace), p->p_vmspace->vm_sp_base,
	+ p->p_vmspace->vm_sp_base + sv->sv_shared_page_len);
	}

	/*
	- * Run down the current address space and install a new one. Map the shared
	- * page.
	+ * Run down the current address space and install a new one.
	*/
	int
	exec_new_vmspace(struct image_params imgp, struct sysentvec sv)
	@@ -1122,7 +1121,6 @@
	struct proc *p = imgp->proc;
	struct vmspace *vmspace = p->p_vmspace;
	struct thread *td = curthread;
	- vm_object_t obj;
	vm_offset_t sv_minuser;
	vm_map_t map;

	@@ -1159,7 +1157,8 @@
	*/
	vm_map_lock(map);
	vm_map_modflags(map, 0, MAP_WIREFUTURE \| MAP_ASLR \|
	- MAP_ASLR_IGNSTART \| MAP_ASLR_STACK \| MAP_WXORX);
	+ MAP_ASLR_IGNSTART \| MAP_ASLR_STACK \| MAP_ASLR_SHARED_PAGE \|
	+ MAP_WXORX);
	vm_map_unlock(map);
	} else {
	error = vmspace_exec(p, sv_minuser, sv->sv_maxuser);
	@@ -1170,22 +1169,6 @@
	}
	map->flags \|= imgp->map_flags;

	- /* Map a shared page */
	- obj = sv->sv_shared_page_obj;
	- if (obj != NULL) {
	- vm_object_reference(obj);
	- error = vm_map_fixed(map, obj, 0,
	- sv->sv_shared_page_base, sv->sv_shared_page_len,
	- VM_PROT_READ \| VM_PROT_EXECUTE,
	- VM_PROT_READ \| VM_PROT_EXECUTE,
	- MAP_INHERIT_SHARE \| MAP_ACC_NO_CHARGE);
	- if (error != KERN_SUCCESS) {
	- vm_object_deallocate(obj);
	- return (vm_mmap_to_errno(error));
	- }
	- vmspace->vm_sp_base = sv->sv_shared_page_base;
	- }
	-
	return (sv->sv_onexec != NULL ? sv->sv_onexec(p, imgp) : 0);
	}

	@@ -1201,9 +1184,11 @@
	vm_map_t map;
	struct vmspace *vmspace;
	vm_offset_t stack_addr, stack_top;
	+ vm_offset_t sharedpage_addr;
	u_long ssiz;
	int error, find_space, stack_off;
	vm_prot_t stack_prot;
	+ vm_object_t obj;

	p = imgp->proc;
	sv = p->p_sysent;
	@@ -1255,6 +1240,43 @@
	stack_top -= rounddown2(stack_off & PAGE_MASK, sizeof(void *));
	}

	+ /* Map a shared page */
	+ obj = sv->sv_shared_page_obj;
	+ if (obj == NULL) {
	+ /*
	+ * No shared page is provided for this ABI,
	+ * e.g. in case of a.out binaries.
	+ */
	+ sharedpage_addr = 0;
	+ goto out;
	+ }
	+
	+ /*
	+ * If randomization is disabled the vm logic maps it exactly
	+ * to the specific address (VMFS_NO_SPACE).
	+ * Otherwise it can choose any address above .data section.
	+ * Same logic is used for stack address randomization.
	+ */
	+ if ((map->flags & MAP_ASLR_SHARED_PAGE) != 0) {
	+ sharedpage_addr = round_page((vm_offset_t)p->p_vmspace->vm_daddr +
	+ lim_max(curthread, RLIMIT_DATA));
	+ find_space = VMFS_ANY_SPACE;
	+ } else {
	+ sharedpage_addr = sv->sv_shared_page_base;
	+ find_space = VMFS_NO_SPACE;
	+ }
	+ vm_object_reference(obj);
	+ error = vm_map_find(map, obj, 0,
	+ &sharedpage_addr, sv->sv_shared_page_len,
	+ sv->sv_maxuser, find_space,
	+ VM_PROT_READ \| VM_PROT_EXECUTE,
	+ VM_PROT_READ \| VM_PROT_EXECUTE,
	+ MAP_INHERIT_SHARE \| MAP_ACC_NO_CHARGE);
	+ if (error != KERN_SUCCESS) {
	+ vm_object_deallocate(obj);
	+ return (vm_mmap_to_errno(error));
	+ }
	+out:
	/*
	* vm_ssize and vm_maxsaddr are somewhat antiquated concepts, but they
	* are still used to enforce the stack rlimit on the process stack.
	@@ -1262,6 +1284,7 @@
	vmspace->vm_maxsaddr = (char *)stack_addr;
	vmspace->vm_stacktop = stack_top;
	vmspace->vm_ssize = sgrowsiz >> PAGE_SHIFT;
	+ vmspace->vm_sp_base = sharedpage_addr;

	return (0);
	}
	Index: sys/kern/kern_proc.c
	===================================================================
	--- sys/kern/kern_proc.c
	+++ sys/kern/kern_proc.c
	@@ -3245,6 +3245,8 @@
	kvm.kvm_map_flags \|= KMAP_FLAG_WXORX;
	if ((vmspace->vm_map.flags & MAP_ASLR_STACK) != 0)
	kvm.kvm_map_flags \|= KMAP_FLAG_ASLR_STACK;
	+ if ((vmspace->vm_map.flags & MAP_ASLR_SHARED_PAGE) != 0)
	+ kvm.kvm_map_flags \|= KMAP_FLAG_ASLR_SHARED_PAGE;

	#ifdef COMPAT_FREEBSD32
	if (SV_CURPROC_FLAG(SV_ILP32)) {
	Index: sys/sys/imgact.h
	===================================================================
	--- sys/sys/imgact.h
	+++ sys/sys/imgact.h
	@@ -91,7 +91,7 @@
	bool vmspace_destroyed; /* we've blown away original vm space */
	bool opened; /* we have opened executable vnode */
	bool textset;
	- u_int map_flags;
	+ vm_flags_t map_flags;
	};

	#ifdef _KERNEL
	Index: sys/sys/user.h
	===================================================================
	--- sys/sys/user.h
	+++ sys/sys/user.h
	@@ -625,6 +625,7 @@
	#define KMAP_FLAG_ASLR_IGNSTART 0x04 /* ASLR may map into sbrk grow region */
	#define KMAP_FLAG_WXORX 0x08 /* W^X mapping policy is enforced */
	#define KMAP_FLAG_ASLR_STACK 0x10 /* the stack location is randomized */
	+#define KMAP_FLAG_ASLR_SHARED_PAGE 0x20 /* the shared page location is randomized */

	struct kinfo_vm_layout {
	uintptr_t kvm_min_user_addr;
	Index: sys/vm/vm.h
	===================================================================
	--- sys/vm/vm.h
	+++ sys/vm/vm.h
	@@ -88,6 +88,8 @@
	#define VM_PROT_RW (VM_PROT_READ\|VM_PROT_WRITE)
	#define VM_PROT_DEFAULT VM_PROT_ALL

	+typedef uint16_t vm_flags_t;
	+
	enum obj_type {
	OBJT_DEFAULT,
	OBJT_SWAP,
	Index: sys/vm/vm_map.h
	===================================================================
	--- sys/vm/vm_map.h
	+++ sys/vm/vm_map.h
	@@ -79,7 +79,6 @@
	* vm_map_entry_t an entry in an address map.
	*/

	-typedef u_char vm_flags_t;
	typedef u_int vm_eflags_t;

	/*
	@@ -230,6 +229,7 @@
	#define MAP_REPLENISH 0x20 /* kmapent zone needs to be refilled */
	#define MAP_WXORX 0x40 /* enforce W^X */
	#define MAP_ASLR_STACK 0x80 /* stack location is randomized */
	+#define MAP_ASLR_SHARED_PAGE 0x100 /* shared page location is randomized */

	#ifdef _KERNEL
	#if defined(KLD_MODULE) && !defined(KLD_TIED)
	Index: sys/vm/vm_map.c
	===================================================================
	--- sys/vm/vm_map.c
	+++ sys/vm/vm_map.c
	@@ -4283,7 +4283,7 @@

	new_map->anon_loc = old_map->anon_loc;
	new_map->flags \|= old_map->flags & (MAP_ASLR \| MAP_ASLR_IGNSTART \|
	- MAP_ASLR_STACK \| MAP_WXORX);
	+ MAP_ASLR_STACK \| MAP_ASLR_SHARED_PAGE \| MAP_WXORX);

	VM_MAP_ENTRY_FOREACH(old_entry, old_map) {
	if ((old_entry->eflags & MAP_ENTRY_IS_SUB_MAP) != 0)
	Index: tests/sys/kern/kern_copyin.c
	===================================================================
	--- tests/sys/kern/kern_copyin.c
	+++ tests/sys/kern/kern_copyin.c
	@@ -34,6 +34,7 @@
	#include <sys/exec.h>
	#include <sys/sysctl.h>
	#include <sys/user.h>
	+#include <sys/mman.h>

	#include <errno.h>
	#include <fcntl.h>
	@@ -104,6 +105,8 @@
	{
	char template[] = "copyin.XXXXXX";
	uintptr_t maxuser;
	+ size_t size;
	+ void *addr;

	#if defined(__mips__)
	/*
	@@ -119,6 +122,16 @@
	#else
	maxuser = VM_MAXUSER_ADDRESS;
	#endif
	+ size = sysconf(_SC_PAGESIZE);
	+
	+ /*
	+ * Since the shared page address can be randomized we need to make
	+ * sure that something is mapped at the top of the user address space.
	+ * Otherwise reading bytes from maxuser-X will fail rendering this test
	+ * useless.
	+ */
	+ addr = mmap((void *)(maxuser - size), size, PROT_READ,
	+ MAP_ANON \| MAP_FIXED \| MAP_EXCL, -1, 0);

	scratch_file = mkstemp(template);
	ATF_REQUIRE(scratch_file != -1);
	@@ -141,6 +154,9 @@
	ATF_CHECK(copyin_checker(ADDR_SIGNED, 1) == EFAULT);
	ATF_CHECK(copyin_checker2(ADDR_SIGNED) == EFAULT);
	#endif
	+
	+ if (addr != MAP_FAILED)
	+ munmap(addr, PAGE_SIZE);
	}

	ATF_TP_ADD_TCS(tp)

File Metadata

Mime Type: text/plain
Expires: Fri, Jan 23, 4:16 PM (16 h, 12 m)
Storage Engine: blob
Storage Format: Raw Data
Storage Handle: 27887448
Default Alt Text: D35349.id106598.diff (8 KB)

D35349.id106598.diffNo OneTemporaryActions

D35349.id106598.diffView Options

File Metadata

Event Timeline

D35349.id106598.diff
No OneTemporary
Actions

D35349.id106598.diff
View Options