CVS commit: [netbsd-8] src/sys/kern

Wed, 21 Jun 2017 11:18:05 -0700 

Module Name:    src
Committed By:   snj
Date:           Wed Jun 21 18:12:40 UTC 2017

Modified Files:
        src/sys/kern [netbsd-8]: exec_subr.c

Log Message:
Pull up following revision(s) (requested by joerg in ticket #50):
        sys/kern/exec_subr.c: revision 1.79
Always include a 1MB guard area beyond the end of stack. While ASLR will
normally create a guard area as well, this provides a deterministic area
for all binaries.
Mitigates the rest of CVE-2017-1000374 and CVE-2017-1000375 from
Qualys.


To generate a diff of this commit:
cvs rdiff -u -r1.78 -r1.78.2.1 src/sys/kern/exec_subr.c

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.


Modified files:

Index: src/sys/kern/exec_subr.c
diff -u src/sys/kern/exec_subr.c:1.78 src/sys/kern/exec_subr.c:1.78.2.1
--- src/sys/kern/exec_subr.c:1.78	Sun May  7 22:54:54 2017
+++ src/sys/kern/exec_subr.c	Wed Jun 21 18:12:40 2017
@@ -1,4 +1,4 @@
-/*	$NetBSD: exec_subr.c,v 1.78 2017/05/07 22:54:54 christos Exp $	*/
+/*	$NetBSD: exec_subr.c,v 1.78.2.1 2017/06/21 18:12:40 snj Exp $	*/
 
 /*
  * Copyright (c) 1993, 1994, 1996 Christopher G. Demetriou
@@ -31,7 +31,7 @@
  */
 
 #include <sys/cdefs.h>
-__KERNEL_RCSID(0, "$NetBSD: exec_subr.c,v 1.78 2017/05/07 22:54:54 christos Exp $");
+__KERNEL_RCSID(0, "$NetBSD: exec_subr.c,v 1.78.2.1 2017/06/21 18:12:40 snj Exp $");
 
 #include "opt_pax.h"
 
@@ -67,6 +67,8 @@ VMCMD_EVCNT_DECL(kills);
 #define DPRINTF(a)
 #endif
 
+uint32_t user_stack_guard_size = 1024 * 1024;
+
 /*
  * new_vmcmd():
  *	create a new vmcmd structure and fill in its fields based
@@ -440,6 +442,17 @@ exec_setup_stack(struct lwp *l, struct e
 	    (uintmax_t)access_size, (uintmax_t)access_linear_min,
 	    (uintmax_t)noaccess_size, (uintmax_t)noaccess_linear_min));
 
+	if (user_stack_guard_size > 0) {
+#ifdef __MACHINE_STACK_GROWS_UP
+		vsize_t guard_size = MIN(VM_MAXUSER_ADDRESS - epp->ep_maxsaddr, user_stack_guard_size);
+		if (guard_size > 0)
+			NEW_VMCMD(&epp->ep_vmcmds, vmcmd_map_zero, guard_size,
+			    epp->ep_maxsaddr, NULL, 0, VM_PROT_NONE);
+#else
+		NEW_VMCMD(&epp->ep_vmcmds, vmcmd_map_zero, user_stack_guard_size,
+		    epp->ep_maxsaddr - user_stack_guard_size, NULL, 0, VM_PROT_NONE);
+#endif
+	}
 	if (noaccess_size > 0 && noaccess_size <= MAXSSIZ) {
 		NEW_VMCMD2(&epp->ep_vmcmds, vmcmd_map_zero, noaccess_size,
 		    noaccess_linear_min, NULL, 0, VM_PROT_NONE, VMCMD_STACK);

Reply via email to