Module Name: src Committed By: snj Date: Wed Jun 21 18:12:40 UTC 2017
Modified Files: src/sys/kern [netbsd-8]: exec_subr.c Log Message: Pull up following revision(s) (requested by joerg in ticket #50): sys/kern/exec_subr.c: revision 1.79 Always include a 1MB guard area beyond the end of stack. While ASLR will normally create a guard area as well, this provides a deterministic area for all binaries. Mitigates the rest of CVE-2017-1000374 and CVE-2017-1000375 from Qualys. To generate a diff of this commit: cvs rdiff -u -r1.78 -r1.78.2.1 src/sys/kern/exec_subr.c Please note that diffs are not public domain; they are subject to the copyright notices on the relevant files.
Modified files: Index: src/sys/kern/exec_subr.c diff -u src/sys/kern/exec_subr.c:1.78 src/sys/kern/exec_subr.c:1.78.2.1 --- src/sys/kern/exec_subr.c:1.78 Sun May 7 22:54:54 2017 +++ src/sys/kern/exec_subr.c Wed Jun 21 18:12:40 2017 @@ -1,4 +1,4 @@ -/* $NetBSD: exec_subr.c,v 1.78 2017/05/07 22:54:54 christos Exp $ */ +/* $NetBSD: exec_subr.c,v 1.78.2.1 2017/06/21 18:12:40 snj Exp $ */ /* * Copyright (c) 1993, 1994, 1996 Christopher G. Demetriou @@ -31,7 +31,7 @@ */ #include <sys/cdefs.h> -__KERNEL_RCSID(0, "$NetBSD: exec_subr.c,v 1.78 2017/05/07 22:54:54 christos Exp $"); +__KERNEL_RCSID(0, "$NetBSD: exec_subr.c,v 1.78.2.1 2017/06/21 18:12:40 snj Exp $"); #include "opt_pax.h" @@ -67,6 +67,8 @@ VMCMD_EVCNT_DECL(kills); #define DPRINTF(a) #endif +uint32_t user_stack_guard_size = 1024 * 1024; + /* * new_vmcmd(): * create a new vmcmd structure and fill in its fields based @@ -440,6 +442,17 @@ exec_setup_stack(struct lwp *l, struct e (uintmax_t)access_size, (uintmax_t)access_linear_min, (uintmax_t)noaccess_size, (uintmax_t)noaccess_linear_min)); + if (user_stack_guard_size > 0) { +#ifdef __MACHINE_STACK_GROWS_UP + vsize_t guard_size = MIN(VM_MAXUSER_ADDRESS - epp->ep_maxsaddr, user_stack_guard_size); + if (guard_size > 0) + NEW_VMCMD(&epp->ep_vmcmds, vmcmd_map_zero, guard_size, + epp->ep_maxsaddr, NULL, 0, VM_PROT_NONE); +#else + NEW_VMCMD(&epp->ep_vmcmds, vmcmd_map_zero, user_stack_guard_size, + epp->ep_maxsaddr - user_stack_guard_size, NULL, 0, VM_PROT_NONE); +#endif + } if (noaccess_size > 0 && noaccess_size <= MAXSSIZ) { NEW_VMCMD2(&epp->ep_vmcmds, vmcmd_map_zero, noaccess_size, noaccess_linear_min, NULL, 0, VM_PROT_NONE, VMCMD_STACK);