Module Name: src Committed By: joerg Date: Fri Jun 23 21:28:39 UTC 2017
Modified Files: src/sys/arch/amd64/include: vmparam.h src/sys/arch/i386/include: vmparam.h src/sys/arch/mips/include: vmparam.h src/sys/arch/powerpc/include: vmparam.h src/sys/arch/riscv/include: vmparam.h src/sys/kern: exec_subr.c src/sys/uvm: uvm_param.h Log Message: Recommit exec_subr.c revision 1.79: Always include a 1MB guard area beyond the end of stack. While ASLR will normally create a guard area as well, this provides a deterministic area for all binaries. Mitigates the rest of CVE-2017-1000374 and CVE-2017-1000375 from Qualys. Additionally, change VM_DEFAULT_ADDRESS_TOPDOWN to include user_stack_guard_size in the size reservation. To generate a diff of this commit: cvs rdiff -u -r1.41 -r1.42 src/sys/arch/amd64/include/vmparam.h cvs rdiff -u -r1.84 -r1.85 src/sys/arch/i386/include/vmparam.h cvs rdiff -u -r1.57 -r1.58 src/sys/arch/mips/include/vmparam.h cvs rdiff -u -r1.19 -r1.20 src/sys/arch/powerpc/include/vmparam.h cvs rdiff -u -r1.1 -r1.2 src/sys/arch/riscv/include/vmparam.h cvs rdiff -u -r1.80 -r1.81 src/sys/kern/exec_subr.c cvs rdiff -u -r1.35 -r1.36 src/sys/uvm/uvm_param.h Please note that diffs are not public domain; they are subject to the copyright notices on the relevant files.
Modified files: Index: src/sys/arch/amd64/include/vmparam.h diff -u src/sys/arch/amd64/include/vmparam.h:1.41 src/sys/arch/amd64/include/vmparam.h:1.42 --- src/sys/arch/amd64/include/vmparam.h:1.41 Sat Jun 17 08:40:46 2017 +++ src/sys/arch/amd64/include/vmparam.h Fri Jun 23 21:28:38 2017 @@ -1,4 +1,4 @@ -/* $NetBSD: vmparam.h,v 1.41 2017/06/17 08:40:46 maxv Exp $ */ +/* $NetBSD: vmparam.h,v 1.42 2017/06/23 21:28:38 joerg Exp $ */ /*- * Copyright (c) 1990 The Regents of the University of California. @@ -135,8 +135,6 @@ #endif #define __USE_TOPDOWN_VM -#define VM_DEFAULT_ADDRESS_TOPDOWN(da, sz) \ - trunc_page(USRSTACK - MAXSSIZ - (sz)) #define VM_DEFAULT_ADDRESS_BOTTOMUP(da, sz) \ round_page((vaddr_t)(da) + (vsize_t)maxdmap) Index: src/sys/arch/i386/include/vmparam.h diff -u src/sys/arch/i386/include/vmparam.h:1.84 src/sys/arch/i386/include/vmparam.h:1.85 --- src/sys/arch/i386/include/vmparam.h:1.84 Sat Feb 11 15:05:15 2017 +++ src/sys/arch/i386/include/vmparam.h Fri Jun 23 21:28:38 2017 @@ -1,4 +1,4 @@ -/* $NetBSD: vmparam.h,v 1.84 2017/02/11 15:05:15 maxv Exp $ */ +/* $NetBSD: vmparam.h,v 1.85 2017/06/23 21:28:38 joerg Exp $ */ /*- * Copyright (c) 1990 The Regents of the University of California. @@ -114,8 +114,6 @@ #include "opt_xen.h" #endif #define __USE_TOPDOWN_VM -#define VM_DEFAULT_ADDRESS_TOPDOWN(da, sz) \ - trunc_page(USRSTACK - MAXSSIZ - (sz)) #define VM_DEFAULT_ADDRESS_BOTTOMUP(da, sz) \ round_page((vaddr_t)(da) + (vsize_t)MIN(maxdmap, MAXDSIZ_BU)) Index: src/sys/arch/mips/include/vmparam.h diff -u src/sys/arch/mips/include/vmparam.h:1.57 src/sys/arch/mips/include/vmparam.h:1.58 --- src/sys/arch/mips/include/vmparam.h:1.57 Tue Nov 22 11:01:50 2016 +++ src/sys/arch/mips/include/vmparam.h Fri Jun 23 21:28:38 2017 @@ -1,4 +1,4 @@ -/* $NetBSD: vmparam.h,v 1.57 2016/11/22 11:01:50 skrll Exp $ */ +/* $NetBSD: vmparam.h,v 1.58 2017/06/23 21:28:38 joerg Exp $ */ /* * Copyright (c) 1988 University of Utah. 
@@ -185,7 +185,7 @@ #define __USE_TOPDOWN_VM #define VM_DEFAULT_ADDRESS_TOPDOWN(da, sz) \ - trunc_page(USRSTACK - MAXSSIZ - (sz)) + trunc_page(USRSTACK - MAXSSIZ - (sz) - user_stack_guard_size) #define VM_DEFAULT_ADDRESS_BOTTOMUP(da, sz) \ round_page((vaddr_t)(da) + (vsize_t)maxdmap) Index: src/sys/arch/powerpc/include/vmparam.h diff -u src/sys/arch/powerpc/include/vmparam.h:1.19 src/sys/arch/powerpc/include/vmparam.h:1.20 --- src/sys/arch/powerpc/include/vmparam.h:1.19 Sat Oct 18 08:33:26 2014 +++ src/sys/arch/powerpc/include/vmparam.h Fri Jun 23 21:28:38 2017 @@ -1,4 +1,4 @@ -/* $NetBSD: vmparam.h,v 1.19 2014/10/18 08:33:26 snj Exp $ */ +/* $NetBSD: vmparam.h,v 1.20 2017/06/23 21:28:38 joerg Exp $ */ #ifndef _POWERPC_VMPARAM_H_ #define _POWERPC_VMPARAM_H_ @@ -25,8 +25,6 @@ * top of the next lower segment. */ #define __USE_TOPDOWN_VM -#define VM_DEFAULT_ADDRESS_TOPDOWN(da, sz) \ - ((VM_MAXUSER_ADDRESS - MAXSSIZ) - round_page(sz)) #define VM_DEFAULT_ADDRESS_BOTTOMUP(da, sz) \ round_page((vaddr_t)(da) + (vsize_t)maxdmap) Index: src/sys/arch/riscv/include/vmparam.h diff -u src/sys/arch/riscv/include/vmparam.h:1.1 src/sys/arch/riscv/include/vmparam.h:1.2 --- src/sys/arch/riscv/include/vmparam.h:1.1 Fri Sep 19 17:36:26 2014 +++ src/sys/arch/riscv/include/vmparam.h Fri Jun 23 21:28:38 2017 @@ -1,4 +1,4 @@ -/* $NetBSD: vmparam.h,v 1.1 2014/09/19 17:36:26 matt Exp $ */ +/* $NetBSD: vmparam.h,v 1.2 2017/06/23 21:28:38 joerg Exp $ */ /*- * Copyright (c) 2014 The NetBSD Foundation, Inc. @@ -137,7 +137,7 @@ #define __USE_TOPDOWN_VM #define VM_DEFAULT_ADDRESS_TOPDOWN(da, sz) \ - trunc_page(USRSTACK - MAXSSIZ - (sz)) + trunc_page(USRSTACK - MAXSSIZ - (sz) - user_stack_guard_size) #define VM_DEFAULT_ADDRESS_BOTTOMUP(da, sz) \ round_page((vaddr_t)(da) + (vsize_t)maxdmap) Index: src/sys/kern/exec_subr.c diff -u src/sys/kern/exec_subr.c:1.80 src/sys/kern/exec_subr.c:1.81 --- src/sys/kern/exec_subr.c:1.80 Mon Jun 19 19:02:16 2017 +++ src/sys/kern/exec_subr.c Fri Jun 23 21:28:38 2017 
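Review bot: The mips copy of `VM_DEFAULT_ADDRESS_TOPDOWN` (and the identical riscv copy in the next file section) now reads `user_stack_guard_size`, but neither header declares it. The only declaration visible in this commit is the `extern` added to uvm_param.h, so these macros compile only where that header has been included before the macro is used. amd64, i386 and powerpc drop their private copies in this same commit and fall back to the generic definition, which leaves the guard reservation spelled out in three places that have to stay in step. If the USRSTACK-based form must stay for these ports (whether USRSTACK differs from VM_MAXUSER_ADDRESS here is not visible in the hunk), I would add a comment above the macro such as `/* Reserves the stack guard too; user_stack_guard_size is declared in <uvm/uvm_param.h>. Keep in sync with the generic definition there. */`.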
@@ -1,4 +1,4 @@ -/* $NetBSD: exec_subr.c,v 1.80 2017/06/19 19:02:16 joerg Exp $ */ +/* $NetBSD: exec_subr.c,v 1.81 2017/06/23 21:28:38 joerg Exp $ */ /* * Copyright (c) 1993, 1994, 1996 Christopher G. Demetriou @@ -31,7 +31,7 @@ */ #include <sys/cdefs.h> -__KERNEL_RCSID(0, "$NetBSD: exec_subr.c,v 1.80 2017/06/19 19:02:16 joerg Exp $"); +__KERNEL_RCSID(0, "$NetBSD: exec_subr.c,v 1.81 2017/06/23 21:28:38 joerg Exp $"); #include "opt_pax.h" @@ -67,6 +67,8 @@ VMCMD_EVCNT_DECL(kills); #define DPRINTF(a) #endif +uint32_t user_stack_guard_size = 1024 * 1024; + /* * new_vmcmd(): * create a new vmcmd structure and fill in its fields based @@ -440,6 +442,17 @@ exec_setup_stack(struct lwp *l, struct e (uintmax_t)access_size, (uintmax_t)access_linear_min, (uintmax_t)noaccess_size, (uintmax_t)noaccess_linear_min)); + if (user_stack_guard_size > 0) { +#ifdef __MACHINE_STACK_GROWS_UP + vsize_t guard_size = MIN(VM_MAXUSER_ADDRESS - epp->ep_maxsaddr, user_stack_guard_size); + if (guard_size > 0) + NEW_VMCMD(&epp->ep_vmcmds, vmcmd_map_zero, guard_size, + epp->ep_maxsaddr, NULL, 0, VM_PROT_NONE); +#else + NEW_VMCMD(&epp->ep_vmcmds, vmcmd_map_zero, user_stack_guard_size, + epp->ep_maxsaddr - user_stack_guard_size, NULL, 0, VM_PROT_NONE); +#endif + } if (noaccess_size > 0 && noaccess_size <= MAXSSIZ) { NEW_VMCMD2(&epp->ep_vmcmds, vmcmd_map_zero, noaccess_size, noaccess_linear_min, NULL, 0, VM_PROT_NONE, VMCMD_STACK); Index: src/sys/uvm/uvm_param.h diff -u src/sys/uvm/uvm_param.h:1.35 src/sys/uvm/uvm_param.h:1.36 --- src/sys/uvm/uvm_param.h:1.35 Sat Sep 26 20:28:38 2015 +++ src/sys/uvm/uvm_param.h Fri Jun 23 21:28:39 2017 @@ -1,4 +1,4 @@ -/* $NetBSD: uvm_param.h,v 1.35 2015/09/26 20:28:38 christos Exp $ */ +/* $NetBSD: uvm_param.h,v 1.36 2017/06/23 21:28:39 joerg Exp $ */ /* * Copyright (c) 1991, 1993 
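Review bot: `user_stack_guard_size` in the `@@ -67,6 +67,8 @@` hunk is a writable, non-static kernel global with no comment, although it now feeds both the exec-time mapping and the mmap placement macros. Its contract should be stated where it is defined, for example `/* Bytes of VM_PROT_NONE address space mapped beyond the stack limit at exec time; 0 disables the guard. */`. It is also worth recording there that a fixed gap only stops stack-pointer moves smaller than the gap, so code with larger unprobed frames still depends on compiler stack probing. If nothing is meant to change the value at run time, `const` would make that explicit; if a tunable is planned, its setter needs to bound and page-align the value.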
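Review bot: In the `#else` (stack grows down) branch of the `@@ -440,6 +442,17 @@` hunk, `epp->ep_maxsaddr - user_stack_guard_size` is computed with no bound, while the `__MACHINE_STACK_GROWS_UP` branch clamps its size with `MIN(...)` and skips a zero-length mapping. With the 1 MB default this is presumably safe, but the variable is a mutable global, and a value larger than `ep_maxsaddr` would wrap the address handed to `vmcmd_map_zero`. I would mirror the other branch: `vsize_t guard_size = MIN(epp->ep_maxsaddr - VM_MIN_ADDRESS, user_stack_guard_size);` and map `guard_size` bytes at `epp->ep_maxsaddr - guard_size` only when it is non-zero. A one-line comment saying why this mapping uses `NEW_VMCMD` without `VMCMD_STACK`, unlike the `noaccess` mapping right below it, would also help. exec_setup_stack starts and ends outside the hunk.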
@@ -224,9 +224,10 @@ extern const int *const uvmexp_pageshift round_page((vaddr_t)(da) + (vsize_t)maxdmap) #endif +extern uint32_t user_stack_guard_size; #ifndef VM_DEFAULT_ADDRESS_TOPDOWN #define VM_DEFAULT_ADDRESS_TOPDOWN(da, sz) \ - trunc_page(VM_MAXUSER_ADDRESS - MAXSSIZ - (sz)) + trunc_page(VM_MAXUSER_ADDRESS - MAXSSIZ - (sz) - user_stack_guard_size) #endif extern int ubc_nwins; /* number of UBC mapping windows */
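Review bot: The `extern uint32_t user_stack_guard_size;` added above the `#ifndef VM_DEFAULT_ADDRESS_TOPDOWN` guard has no comment, and the macro below it now depends on a run-time variable rather than on constants alone. A short comment would tell readers where it is defined and why it is subtracted, e.g. `/* Defined in kern/exec_subr.c; reserved so default top-down mappings are placed clear of the stack guard. */`. The declared type is `uint32_t` while the surrounding macros work in `vaddr_t`/`vsize_t`; declaring it `vsize_t` would match its use as a mapping length in exec_setup_stack, though that also means changing the definition. Whether this part of the header is kernel-only is not visible in the hunk; if it is not, the extern belongs under `_KERNEL`.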