CVSROOT: /cvs
Module name: src
Changes by: [email protected] 2018/04/12 11:13:44
Modified files:
lib/libpthread/man: pthread_attr_setstack.3
pthread_attr_setstackaddr.3
sys/arch/alpha/alpha: machdep.c trap.c
sys/arch/amd64/amd64: machdep.c trap.c
sys/arch/arm/arm: fault.c sig_machdep.c
sys/arch/arm64/arm64: ast.c sig_machdep.c trap.c
sys/arch/hppa/hppa: machdep.c trap.c
sys/arch/i386/i386: machdep.c trap.c
sys/arch/m88k/m88k: sig_machdep.c
sys/arch/macppc/macppc: machdep.c
sys/arch/mips64/mips64: sendsig.c trap.c
sys/arch/powerpc/powerpc: trap.c
sys/arch/sh/sh : sh_machdep.c
sys/arch/socppc/socppc: machdep.c
sys/arch/sparc64/sparc64: machdep.c trap.c
sys/kern : exec_subr.c init_main.c kern_sig.c
sys/sys : exec.h proc.h syscall_mi.h
sys/uvm : uvm.h uvm_extern.h uvm_fault.c uvm_map.c
uvm_map.h uvm_mmap.c
Log message:
Implement MAP_STACK option for mmap(). Synchronous faults (pagefault and
syscall) confirm the stack register points at MAP_STACK memory, otherwise
SIGSEGV is delivered. sigaltstack() and pthread_attr_setstack() are modified
to create a MAP_STACK sub-region which satisfies alignment requirements.
Observe that MAP_STACK can only be set/cleared by mmap(), which zeroes the
contents of the region -- there is no mprotect() equivalent operation, so
there is no MAP_STACK-adding gadget.
This opportunistic software-emulation of a stack protection bit makes
stack-pivot operations during ROPchain fragile (kind of like removing a
tool from the toolbox).
original discussion with tedu, uvm work by stefan, testing by mortimer
ok kettenis
