Re: Reproducible panic with MAP_GUARD and security.bsd.stack_guard_page > 1

2017-07-01 Thread Konstantin Belousov
On Sat, Jul 01, 2017 at 01:28:47PM -0400, Shawn Webb wrote:
> When running my Stack Clash PoC on a vanilla FreeBSD 12-CURRENT/amd64 VM
> and security.bsd.stack_guard_page is > 1:
> 
> https://goo.gl/photos/vZQY4B9jKJRLrNwP7
> 
> The PoC doesn't need to be run as root on vanilla FreeBSD with a default
> configuration.
I cannot make much sense of the last sentence, esp. after the mention of
setting stack_guard_page to a value greater than one in the first
sentence.

Anyway, there could be some situation where max_grow calculation overflows.
Indeed only possible when guard > 1.  Try this.

diff --git a/sys/vm/vm_map.c b/sys/vm/vm_map.c
index 114e4b34a90..9c9b781db2d 100644
--- a/sys/vm/vm_map.c
+++ b/sys/vm/vm_map.c
@@ -3684,7 +3684,7 @@ vm_map_growstack(vm_map_t map, vm_offset_t addr, 
vm_map_entry_t gap_entry)
struct proc *p;
struct vmspace *vm;
struct ucred *cred;
-   vm_offset_t gap_end, gap_start, grow_start;
+   vm_offset_t gap_end, gap_start, grow_start, sgp;
size_t grow_amount, max_grow;
rlim_t lmemlim, stacklim, vmemlim;
int rv, rv1;
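Review bot: `sgp` is declared `vm_offset_t` here, but in the second hunk it is compared with and subtracted from `max_grow`, which is `size_t` (see `size_t grow_amount, max_grow;`). Both are unsigned so the comparison behaves as intended, but declaring `sgp` as `size_t` next to `max_grow` would keep the byte-count arithmetic in a single type and spare later readers the conversion question.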
@@ -3727,8 +3727,11 @@ retry:
} else {
return (KERN_FAILURE);
}
-   max_grow = gap_entry->end - gap_entry->start - stack_guard_page *
-   PAGE_SIZE;
+   sgp = stack_guard_page * PAGE_SIZE;
+   max_grow = gap_entry->end - gap_entry->start;
+   if (max_grow < sgp)
+   return (KERN_NO_SPACE);
+   max_grow -= sgp;
if (grow_amount > max_grow)
return (KERN_NO_SPACE);
 
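Review bot: the added `if (max_grow < sgp) return (KERN_NO_SPACE);` is the right fix for the wrap: with the old expression `gap_entry->end - gap_entry->start - stack_guard_page * PAGE_SIZE`, a gap entry smaller than the guard made the unsigned subtraction wrap to a huge `max_grow`, so the following `if (grow_amount > max_grow)` could never reject the request and the stack grew into the guard, which is consistent with the report that the panic needs stack_guard_page > 1. One follow-up: `sgp = stack_guard_page * PAGE_SIZE;` still evaluates the product in the operands' own types before storing it, so if `stack_guard_page` is an `int` sysctl the multiplication can overflow for large settings before it ever reaches `sgp`; a cast such as `(vm_offset_t)stack_guard_page * PAGE_SIZE` closes that, and a one-line comment above the new check saying that the gap can be smaller than the guard would explain to the next reader why the early return exists.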
___
freebsd-current@freebsd.org mailing list
https://lists.freebsd.org/mailman/listinfo/freebsd-current
To unsubscribe, send any mail to "freebsd-current-unsubscr...@freebsd.org"
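The wrap Konstantin describes, worked through as an added example: this is editor-written demonstration code, not the thread's patch or anything from sys/vm/vm_map.c. It models the old and patched max_grow computations with constructed stand-in types and constants (`vm_offset_t`, `PAGE_SIZE`, `KERN_NO_SPACE`, and the function names are all hypothetical here), feeds both a gap entry of one page with a two-page guard, and shows that the unchecked form wraps to a near-SIZE_MAX limit that lets a grow request through, while the checked form refuses it.

```c
#include <assert.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Constructed stand-ins for the kernel types and constants used by the
 * patch; values chosen for illustration, not copied from the kernel. */
typedef uintptr_t vm_offset_t;
#define PAGE_SIZE      4096UL
#define KERN_SUCCESS   0
#define KERN_NO_SPACE  3

/* Old computation (hypothetical name): the guard size is subtracted from
 * the gap size without checking that the gap is at least that large, so
 * a gap smaller than the guard wraps around in unsigned arithmetic. */
size_t max_grow_unchecked(vm_offset_t gap_start, vm_offset_t gap_end,
    int stack_guard_page)
{
	size_t sgp = (size_t)stack_guard_page * PAGE_SIZE;

	return gap_end - gap_start - sgp;
}

/* Patched computation (hypothetical name): compare before subtracting and
 * refuse the grow when the gap cannot even hold the guard pages. The cast
 * keeps the multiplication out of int arithmetic. */
int max_grow_checked(vm_offset_t gap_start, vm_offset_t gap_end,
    int stack_guard_page, size_t *max_grow)
{
	size_t sgp = (size_t)stack_guard_page * PAGE_SIZE;
	size_t gap = gap_end - gap_start;

	if (gap < sgp)
		return (KERN_NO_SPACE);
	*max_grow = gap - sgp;
	return (KERN_SUCCESS);
}

/* Would the old code let a grow of grow_amount bytes proceed? Returns 1
 * when the request passes the "grow_amount > max_grow" rejection test. */
int grow_allowed_unchecked(vm_offset_t gap_start, vm_offset_t gap_end,
    int stack_guard_page, size_t grow_amount)
{
	size_t max_grow = max_grow_unchecked(gap_start, gap_end,
	    stack_guard_page);

	return grow_amount > max_grow ? 0 : 1;
}

/* Same question for the patched code. */
int grow_allowed_checked(vm_offset_t gap_start, vm_offset_t gap_end,
    int stack_guard_page, size_t grow_amount)
{
	size_t max_grow;

	if (max_grow_checked(gap_start, gap_end, stack_guard_page,
	    &max_grow) != KERN_SUCCESS)
		return 0;
	return grow_amount > max_grow ? 0 : 1;
}

int main(void)
{
	/* Constructed scenario: a one-page gap entry, a two-page guard
	 * (security.bsd.stack_guard_page=2) and a 64 KiB grow request. */
	vm_offset_t gap_start = 0x7ffff000UL, gap_end = 0x80000000UL;
	int guard = 2;
	size_t grow = 64 * 1024;

	printf("unchecked max_grow = 0x%zx (wrapped), allowed=%d\n",
	    max_grow_unchecked(gap_start, gap_end, guard),
	    grow_allowed_unchecked(gap_start, gap_end, guard, grow));
	printf("checked   allowed=%d\n",
	    grow_allowed_checked(gap_start, gap_end, guard, grow));
	return 0;
}
```

With a one-page guard the gap can never be smaller than the guard in this scenario, which is why both versions agree there and the wrap only shows up once the sysctl is raised above one.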


Reproducible panic with MAP_GUARD and security.bsd.stack_guard_page > 1

2017-07-01 Thread Shawn Webb
When running my Stack Clash PoC on a vanilla FreeBSD 12-CURRENT/amd64 VM
and security.bsd.stack_guard_page is > 1:

https://goo.gl/photos/vZQY4B9jKJRLrNwP7

The PoC doesn't need to be run as root on vanilla FreeBSD with a default
configuration.

Thanks,

-- 
Shawn Webb
Cofounder and Security Engineer
HardenedBSD

GPG Key ID:  0x6A84658F52456EEE
GPG Key Fingerprint: 2ABA B6BD EF6A F486 BE89  3D9E 6A84 658F 5245 6EEE

