Module Name: src
Committed By: maxv
Date: Tue Aug 4 18:28:10 UTC 2015
Modified Files:
src/sys/kern: exec_elf.c kern_pax.c
src/sys/sys: pax.h
src/sys/uvm: uvm_mmap.c
Log Message:
Some changes, to reduce a bit my tech-kern@ patch:
- move the P_PAX_ flags out of #ifdef PAX_ASLR in pax.h
- add a generic pax_flags_active() function
- fix a comment in exec_elf.c; interp is not static
- KNF for return
- rename pax_aslr() to pax_aslr_mmap()
- rename pax_segvguard_cb() to pax_segvguard_cleanup_cb()
To generate a diff of this commit:
cvs rdiff -u -r1.73 -r1.74 src/sys/kern/exec_elf.c
cvs rdiff -u -r1.30 -r1.31 src/sys/kern/kern_pax.c
cvs rdiff -u -r1.13 -r1.14 src/sys/sys/pax.h
cvs rdiff -u -r1.152 -r1.153 src/sys/uvm/uvm_mmap.c
Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.
Modified files:
Index: src/sys/kern/exec_elf.c
diff -u src/sys/kern/exec_elf.c:1.73 src/sys/kern/exec_elf.c:1.74
--- src/sys/kern/exec_elf.c:1.73 Thu Jul 30 15:28:18 2015
+++ src/sys/kern/exec_elf.c Tue Aug 4 18:28:09 2015
@@ -1,4 +1,4 @@
-/* $NetBSD: exec_elf.c,v 1.73 2015/07/30 15:28:18 maxv Exp $ */
+/* $NetBSD: exec_elf.c,v 1.74 2015/08/04 18:28:09 maxv Exp $ */
/*-
* Copyright (c) 1994, 2000, 2005 The NetBSD Foundation, Inc.
@@ -57,7 +57,7 @@
*/
#include <sys/cdefs.h>
-__KERNEL_RCSID(1, "$NetBSD: exec_elf.c,v 1.73 2015/07/30 15:28:18 maxv Exp $");
+__KERNEL_RCSID(1, "$NetBSD: exec_elf.c,v 1.74 2015/08/04 18:28:09 maxv Exp $");
#ifdef _KERNEL_OPT
#include "opt_pax.h"
@@ -701,7 +701,7 @@ exec_elf_makecmds(struct lwp *l, struct
*
* Probe functions would normally see if the interpreter (if any)
* exists. Emulation packages may possibly replace the interpreter in
- * interp[] with a changed path (/emul/xxx/<path>).
+ * interp with a changed path (/emul/xxx/<path>).
*/
pos = ELFDEFNNAME(NO_ADDR);
if (epp->ep_esch->u.elf_probe_func) {
Index: src/sys/kern/kern_pax.c
diff -u src/sys/kern/kern_pax.c:1.30 src/sys/kern/kern_pax.c:1.31
--- src/sys/kern/kern_pax.c:1.30 Fri Jul 31 07:37:17 2015
+++ src/sys/kern/kern_pax.c Tue Aug 4 18:28:09 2015
@@ -1,4 +1,4 @@
-/* $NetBSD: kern_pax.c,v 1.30 2015/07/31 07:37:17 maxv Exp $ */
+/* $NetBSD: kern_pax.c,v 1.31 2015/08/04 18:28:09 maxv Exp $ */
/*
* Copyright (c) 2015 The NetBSD Foundation, Inc.
@@ -57,7 +57,7 @@
*/
#include <sys/cdefs.h>
-__KERNEL_RCSID(0, "$NetBSD: kern_pax.c,v 1.30 2015/07/31 07:37:17 maxv Exp $");
+__KERNEL_RCSID(0, "$NetBSD: kern_pax.c,v 1.31 2015/08/04 18:28:09 maxv Exp $");
#include "opt_pax.h"
@@ -141,7 +141,7 @@ struct pax_segvguard_entry {
};
static bool pax_segvguard_elf_flags_active(uint32_t);
-static void pax_segvguard_cb(void *);
+static void pax_segvguard_cleanup_cb(void *);
#endif /* PAX_SEGVGUARD */
SYSCTL_SETUP(sysctl_security_pax_setup, "sysctl security.pax setup")
@@ -276,7 +276,7 @@ pax_init(void)
#ifdef PAX_SEGVGUARD
int error;
- error = fileassoc_register("segvguard", pax_segvguard_cb,
+ error = fileassoc_register("segvguard", pax_segvguard_cleanup_cb,
&segvguard_id);
if (error) {
panic("pax_init: segvguard_id: error=%d\n", error);
@@ -308,6 +308,15 @@ pax_setup_elf_flags(struct lwp *l, uint3
l->l_proc->p_pax = flags;
}
+#if defined(PAX_MPROTECT) || defined(PAX_SEGVGUARD) || defined(PAX_ASLR)
+static inline bool
+pax_flags_active(uint32_t flags, uint32_t opt)
+{
+ if (!(flags & opt))
+ return false;
+ return true;
+}
+#endif /* PAX_MPROTECT || PAX_SEGVGUARD || PAX_ASLR */
#ifdef PAX_MPROTECT
static bool
@@ -332,7 +341,7 @@ pax_mprotect(struct lwp *l, vm_prot_t *p
uint32_t flags;
flags = l->l_proc->p_pax;
- if (!(flags & P_PAX_MPROTECT))
+ if (!pax_flags_active(flags, P_PAX_MPROTECT))
return;
if ((*prot & (VM_PROT_WRITE|VM_PROT_EXECUTE)) != VM_PROT_EXECUTE) {
@@ -365,10 +374,7 @@ pax_aslr_elf_flags_active(uint32_t flags
bool
pax_aslr_active(struct lwp *l)
{
- uint32_t flags = l->l_proc->p_pax;
- if (!(flags & P_PAX_ASLR))
- return false;
- return true;
+ return pax_flags_active(l->l_proc->p_pax, P_PAX_ASLR);
}
void
@@ -382,7 +388,7 @@ pax_aslr_init_vm(struct lwp *l, struct v
}
void
-pax_aslr(struct lwp *l, vaddr_t *addr, vaddr_t orig_addr, int f)
+pax_aslr_mmap(struct lwp *l, vaddr_t *addr, vaddr_t orig_addr, int f)
{
if (!pax_aslr_active(l))
return;
@@ -404,17 +410,18 @@ pax_aslr(struct lwp *l, vaddr_t *addr, v
void
pax_aslr_stack(struct lwp *l, struct exec_package *epp, u_long *max_stack_size)
{
- if (pax_aslr_active(l)) {
- u_long d = PAX_ASLR_DELTA(cprng_fast32(),
- PAX_ASLR_DELTA_STACK_LSB,
- PAX_ASLR_DELTA_STACK_LEN);
- PAX_DPRINTF("stack 0x%lx d=0x%lx 0x%lx",
- epp->ep_minsaddr, d, epp->ep_minsaddr - d);
- epp->ep_minsaddr -= d;
- *max_stack_size -= d;
- if (epp->ep_ssize > *max_stack_size)
- epp->ep_ssize = *max_stack_size;
- }
+ if (!pax_aslr_active(l))
+ return;
+
+ u_long d = PAX_ASLR_DELTA(cprng_fast32(),
+ PAX_ASLR_DELTA_STACK_LSB,
+ PAX_ASLR_DELTA_STACK_LEN);
+ PAX_DPRINTF("stack 0x%lx d=0x%lx 0x%lx",
+ epp->ep_minsaddr, d, epp->ep_minsaddr - d);
+ epp->ep_minsaddr -= d;
+ *max_stack_size -= d;
+ if (epp->ep_ssize > *max_stack_size)
+ epp->ep_ssize = *max_stack_size;
}
#endif /* PAX_ASLR */
@@ -436,7 +443,7 @@ pax_segvguard_elf_flags_active(uint32_t
}
static void
-pax_segvguard_cb(void *v)
+pax_segvguard_cleanup_cb(void *v)
{
struct pax_segvguard_entry *p = v;
struct pax_segvguard_uid_entry *up;
@@ -466,18 +473,18 @@ pax_segvguard(struct lwp *l, struct vnod
bool have_uid;
flags = l->l_proc->p_pax;
- if (!(flags & P_PAX_GUARD))
+ if (!pax_flags_active(flags, P_PAX_GUARD))
return 0;
if (vp == NULL)
- return (EFAULT);
+ return EFAULT;
/* Check if we already monitor the file. */
p = fileassoc_lookup(vp, segvguard_id);
/* Fast-path if starting a program we don't know. */
if (p == NULL && !crashed)
- return (0);
+ return 0;
microtime(&tv);
@@ -500,10 +507,8 @@ pax_segvguard(struct lwp *l, struct vnod
up->sue_ncrashes = 1;
up->sue_expiry = tv.tv_sec + pax_segvguard_expiry;
up->sue_suspended = 0;
-
LIST_INSERT_HEAD(&p->segv_uids, up, sue_list);
-
- return (0);
+ return 0;
}
/*
@@ -529,10 +534,9 @@ pax_segvguard(struct lwp *l, struct vnod
up->sue_ncrashes = 1;
up->sue_expiry = tv.tv_sec + pax_segvguard_expiry;
up->sue_suspended = 0;
-
LIST_INSERT_HEAD(&p->segv_uids, up, sue_list);
}
- return (0);
+ return 0;
}
if (crashed) {
@@ -540,12 +544,10 @@ pax_segvguard(struct lwp *l, struct vnod
if (up->sue_expiry < tv.tv_sec) {
log(LOG_INFO, "PaX Segvguard: [%s] Suspension"
" expired.\n", name ? name : "unknown");
-
up->sue_ncrashes = 1;
up->sue_expiry = tv.tv_sec + pax_segvguard_expiry;
up->sue_suspended = 0;
-
- return (0);
+ return 0;
}
up->sue_ncrashes++;
@@ -567,11 +569,10 @@ pax_segvguard(struct lwp *l, struct vnod
log(LOG_ALERT, "PaX Segvguard: [%s] Preventing "
"execution due to repeated segfaults.\n", name ?
name : "unknown");
-
- return (EPERM);
+ return EPERM;
}
}
- return (0);
+ return 0;
}
#endif /* PAX_SEGVGUARD */
Index: src/sys/sys/pax.h
diff -u src/sys/sys/pax.h:1.13 src/sys/sys/pax.h:1.14
--- src/sys/sys/pax.h:1.13 Fri Jul 31 07:37:17 2015
+++ src/sys/sys/pax.h Tue Aug 4 18:28:10 2015
@@ -1,4 +1,4 @@
-/* $NetBSD: pax.h,v 1.13 2015/07/31 07:37:17 maxv Exp $ */
+/* $NetBSD: pax.h,v 1.14 2015/08/04 18:28:10 maxv Exp $ */
/*-
* Copyright (c) 2006 Elad Efrat <e...@netbsd.org>
@@ -32,6 +32,10 @@
#include <uvm/uvm_extern.h>
+#define P_PAX_ASLR 0x01 /* Enable ASLR */
+#define P_PAX_MPROTECT 0x02 /* Enable Mprotect */
+#define P_PAX_GUARD 0x04 /* Enable Segvguard */
+
struct lwp;
struct exec_package;
struct vmspace;
@@ -43,10 +47,6 @@ struct vmspace;
#ifndef PAX_ASLR_DELTA_EXEC_LEN
#define PAX_ASLR_DELTA_EXEC_LEN 12
#endif
-
-#define P_PAX_ASLR 0x01 /* Enable ASLR */
-#define P_PAX_MPROTECT 0x02 /* Enable Mprotect */
-#define P_PAX_GUARD 0x04 /* Enable Segvguard */
#endif /* PAX_ASLR */
void pax_init(void);
@@ -61,6 +61,6 @@ int pax_segvguard(struct lwp *, struct v
bool pax_aslr_active(struct lwp *);
void pax_aslr_init_vm(struct lwp *, struct vmspace *);
void pax_aslr_stack(struct lwp *, struct exec_package *, u_long *);
-void pax_aslr(struct lwp *, vaddr_t *, vaddr_t, int);
+void pax_aslr_mmap(struct lwp *, vaddr_t *, vaddr_t, int);
#endif /* !_SYS_PAX_H_ */
Index: src/sys/uvm/uvm_mmap.c
diff -u src/sys/uvm/uvm_mmap.c:1.152 src/sys/uvm/uvm_mmap.c:1.153
--- src/sys/uvm/uvm_mmap.c:1.152 Sun Mar 1 13:43:51 2015
+++ src/sys/uvm/uvm_mmap.c Tue Aug 4 18:28:10 2015
@@ -1,4 +1,4 @@
-/* $NetBSD: uvm_mmap.c,v 1.152 2015/03/01 13:43:51 mlelstv Exp $ */
+/* $NetBSD: uvm_mmap.c,v 1.153 2015/08/04 18:28:10 maxv Exp $ */
/*
* Copyright (c) 1997 Charles D. Cranor and Washington University.
@@ -46,7 +46,7 @@
*/
#include <sys/cdefs.h>
-__KERNEL_RCSID(0, "$NetBSD: uvm_mmap.c,v 1.152 2015/03/01 13:43:51 mlelstv Exp $");
+__KERNEL_RCSID(0, "$NetBSD: uvm_mmap.c,v 1.153 2015/08/04 18:28:10 maxv Exp $");
#include "opt_compat_netbsd.h"
#include "opt_pax.h"
@@ -422,7 +422,7 @@ sys_mmap(struct lwp *l, const struct sys
#endif /* PAX_MPROTECT */
#ifdef PAX_ASLR
- pax_aslr(l, &addr, orig_addr, flags);
+ pax_aslr_mmap(l, &addr, orig_addr, flags);
#endif /* PAX_ASLR */
/*
