Module Name:    src
Committed By:   maxv
Date:           Wed Jul 20 12:33:59 UTC 2016

Modified Files:
        src/sys/arch/x86/x86: pmap.c

Log Message:
There is a huge bug in the way a uvm_map_protect is processed on x86.

When mprotecting a page, the kernel updates the uvm protection associated
with the page, and then gives control to the x86 pmap which splits the
procedure in two: if we are restricting the permissions it updates the page
tree right away, and if we are increasing the permissions it just waits for
the page to fault.

In the first case, it forgets to take care of the X permission, which means
that if we allocate an executable page, it is impossible to remove the X
permission on it, this being true regardless of whether the mprotect call
comes from the kernel or from userland. It is not possible to make sure the
page is non-executable either, since the only holder of the permission
information is uvm, and no track is kept at the pmap level of the actual
permissions enforced. In short, the kernel believes the page is non-executable,
while the CPU knows it is.

Fix this by properly taking care of the !VM_PROT_EXECUTE case. Since the
bit manipulation is a little tricky we use two vars: bit_rem (remove) and
bit_put.
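The following is an added illustration of the two PTE update rules described in the log message; it is not code from this commit or from NetBSD. The PG_V, PG_RW and PG_NX bit positions are assumed stand-ins following the x86 PTE layout, the VM_PROT_* values and the pmap_pg_nx variable are assumed to match their usual definitions, and write_protect_old/write_protect_new are hypothetical helpers that model only the per-entry computation (no CAS loop, no TLB handling).

```c
#include <stdint.h>
#include <stdbool.h>
#include <stdio.h>

/* Assumed stand-ins (not taken from pmap.c): bit positions follow the x86
 * page-table-entry layout, VM_PROT_* values follow the usual uvm flags. */
typedef uint64_t pt_entry_t;
typedef unsigned int vm_prot_t;

#define PG_V   ((pt_entry_t)1 << 0)    /* present / valid */
#define PG_RW  ((pt_entry_t)1 << 1)    /* writable */
#define PG_NX  ((pt_entry_t)1 << 63)   /* no-execute */

#define VM_PROT_READ    0x01
#define VM_PROT_WRITE   0x02
#define VM_PROT_EXECUTE 0x04

/* Models pmap_pg_nx: PG_NX when the CPU supports NX, 0 otherwise (assumed). */
static pt_entry_t pmap_pg_nx = PG_NX;

/* Per-entry rule of the old code (rev 1.212): only PG_RW is ever cleared,
 * prot is never consulted, and read-only entries are skipped entirely. */
static pt_entry_t
write_protect_old(pt_entry_t opte, vm_prot_t prot)
{
	(void)prot;
	if ((~opte & (PG_RW | PG_V)) != 0)
		return opte;	/* invalid, or already read-only: untouched */
	return opte & ~PG_RW;
}

/* Per-entry rule of the new code (rev 1.213): derive the bits to clear
 * (bit_rem) and the bits to set (bit_put) from prot, then apply both to
 * every valid entry. Removing W clears a bit; removing X sets the NX bit. */
static pt_entry_t
write_protect_new(pt_entry_t opte, vm_prot_t prot)
{
	pt_entry_t bit_rem = 0, bit_put = 0;

	if (!(prot & VM_PROT_WRITE))
		bit_rem = PG_RW;
	if (!(prot & VM_PROT_EXECUTE))
		bit_put = pmap_pg_nx;

	if (!(opte & PG_V))
		return opte;	/* not a valid mapping: nothing to update */
	return (opte & ~bit_rem) | bit_put;
}

/* What the CPU would enforce for this entry. */
static bool
pte_executable(pt_entry_t pte)
{
	return (pte & PG_V) != 0 && (pte & PG_NX) == 0;
}

/* Scenario from the log: an RWX page is mprotect'ed to RW. Returns true when
 * the old rule leaves it executable while the new rule makes it NX. */
static bool
demo_rwx_to_rw(void)
{
	pt_entry_t rwx = 0x1000 | PG_V | PG_RW;	/* constructed: frame 0x1000 */
	vm_prot_t rw = VM_PROT_READ | VM_PROT_WRITE;

	pt_entry_t npte_old = write_protect_old(rwx, rw);
	pt_entry_t npte_new = write_protect_new(rwx, rw);
	return pte_executable(npte_old) && !pte_executable(npte_new);
}

/* Second scenario: an RX page (already read-only) is mprotect'ed to R.
 * The old rule skips it because PG_RW is clear, so X can never be removed. */
static bool
demo_rx_to_r(void)
{
	pt_entry_t rx = 0x2000 | PG_V;		/* constructed: frame 0x2000 */

	pt_entry_t npte_old = write_protect_old(rx, VM_PROT_READ);
	pt_entry_t npte_new = write_protect_new(rx, VM_PROT_READ);
	return npte_old == rx && pte_executable(npte_old) &&
	    !pte_executable(npte_new);
}

int
main(void)
{
	printf("RWX -> RW: old leaves X, new clears X: %s\n",
	    demo_rwx_to_rw() ? "yes" : "no");
	printf("RX  -> R : old leaves X, new clears X: %s\n",
	    demo_rx_to_r() ? "yes" : "no");
	return 0;
}
```

Both scenarios correspond to the two halves of the log message: the old rule never touches the execute permission, and because it also skips entries whose PG_RW is already clear, a page mapped RX could not be made NX by any later call. Setting pmap_pg_nx to 0 in the model reproduces the situation on hardware without NX support, where the new rule necessarily leaves the page executable as well.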


To generate a diff of this commit:
cvs rdiff -u -r1.212 -r1.213 src/sys/arch/x86/x86/pmap.c

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.

Modified files:

Index: src/sys/arch/x86/x86/pmap.c
diff -u src/sys/arch/x86/x86/pmap.c:1.212 src/sys/arch/x86/x86/pmap.c:1.213
--- src/sys/arch/x86/x86/pmap.c:1.212	Tue Jul 19 18:54:45 2016
+++ src/sys/arch/x86/x86/pmap.c	Wed Jul 20 12:33:59 2016
@@ -1,4 +1,4 @@
-/*	$NetBSD: pmap.c,v 1.212 2016/07/19 18:54:45 maxv Exp $	*/
+/*	$NetBSD: pmap.c,v 1.213 2016/07/20 12:33:59 maxv Exp $	*/
 
 /*-
  * Copyright (c) 2008, 2010, 2016 The NetBSD Foundation, Inc.
@@ -171,7 +171,7 @@
  */
 
 #include <sys/cdefs.h>
-__KERNEL_RCSID(0, "$NetBSD: pmap.c,v 1.212 2016/07/19 18:54:45 maxv Exp $");
+__KERNEL_RCSID(0, "$NetBSD: pmap.c,v 1.213 2016/07/20 12:33:59 maxv Exp $");
 
 #include "opt_user_ldt.h"
 #include "opt_lockdebug.h"
@@ -3896,6 +3896,7 @@ pmap_pv_clear_attrs(paddr_t pa, unsigned
 void
 pmap_write_protect(struct pmap *pmap, vaddr_t sva, vaddr_t eva, vm_prot_t prot)
 {
+	pt_entry_t bit_rem, bit_put;
 	pt_entry_t *ptes;
 	pt_entry_t * const *pdes;
 	struct pmap *pmap2;
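Review bot: the two new locals would benefit from a one-line comment at the declaration saying that bit_rem holds PTE bits to clear and bit_put holds PTE bits to set; the log message explains the naming but nothing in the code at this point does, and the asymmetry (write is removed by clearing a bit, execute by setting one) is exactly the part a later reader will trip over.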
@@ -3903,6 +3904,14 @@ pmap_write_protect(struct pmap *pmap, va
 
 	KASSERT(curlwp->l_md.md_gc_pmap != pmap);
 
+	bit_rem = 0;
+	if (!(prot & VM_PROT_WRITE))
+		bit_rem = PG_RW;
+
+	bit_put = 0;
+	if (!(prot & VM_PROT_EXECUTE))
+		bit_put = pmap_pg_nx;
+
 	sva &= PG_FRAME;
 	eva &= PG_FRAME;
 
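Review bot: the execute case is only effective when pmap_pg_nx is non-zero; on hardware where that variable is 0 (no NX support) bit_put stays 0 and the page remains executable exactly as before this change, so the guarantee the log message describes is conditional on NX being available. A comment next to `bit_put = pmap_pg_nx;` stating this would make the limitation explicit, and the `bit_rem = 0;` / `bit_put = 0;` pairs could be collapsed into the declarations or a single initialised block so the two cases read as one unit.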
@@ -3947,10 +3956,10 @@ pmap_write_protect(struct pmap *pmap, va
 
 			do {
 				opte = *spte;
-				if ((~opte & (PG_RW | PG_V)) != 0) {
+				if (!pmap_valid_entry(opte)) {
 					goto next;
 				}
-				npte = opte & ~PG_RW;
+				npte = (opte & ~bit_rem) | bit_put;
 			} while (pmap_pte_cas(spte, opte, npte) != opte);
 
 			if ((opte & PG_M) != 0) {
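Review bot: relaxing the skip test to `!pmap_valid_entry(opte)` is what allows already read-only entries to receive bit_put, but the block after the CAS loop is still gated on `(opte & PG_M) != 0`; if the TLB invalidation for this range lives under that condition, verify it is still sufficient when the only change to the entry is setting the NX bit, because a cached translation without NX stays executable until it is flushed, irrespective of the dirty bit. A secondary point: when prot still allows both write and execute, npte equals opte and the CAS is a wasted write; an early `if (npte == opte) goto next;` inside the loop would skip it.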
