authorTheo de Raadt <deraadt@cvs.openbsd.org>2023-01-31 15:18:57 +0000
committerTheo de Raadt <deraadt@cvs.openbsd.org>2023-01-31 15:18:57 +0000
commitb5cb48fafaedcd8da458c3d4bdebb772a4ac854a (patch)
tree8a33c4dfd70fe550056e51ea9d34caa246b0e153 /sys/arch/arm
parent26cfaa1a08f7839f556db0f69e968a488481e454 (diff)
On systems without xonly mmu hardware-enforcement, we can still mitigate
against classic BROP with a range-checking wrapper in front of copyin() and copyinstr() which ensures the userland source doesn't overlap the main program text, ld.so text, signal tramp text (its mapping is hard to distinguish so it comes along for the ride), or libc.so text. ld.so tells the kernel libc.so text range with msyscall(2). The range checking for 2-4 elements is done without locking (because all 4 ranges are immutable!) and is inexpensive. write(sock, &open, 400) now fails with EFAULT. No programs have been discovered which require reading their own text segments with a system call. On a machine without mmu enforcement, a test program reports the following: userland kernel ld.so readable unreadable mmap xz unreadable unreadable mmap x readable readable mmap nrx readable readable mmap nwx readable readable mmap xnwx readable readable main readable unreadable libc unmapped? readable unreadable libc mapped readable unreadable ok kettenis, additional help from miod
Diffstat (limited to 'sys/arch/arm')
-rw-r--r--sys/arch/arm/arm/bcopyinout.S4
-rw-r--r--sys/arch/arm/arm/copystr.S4
-rw-r--r--sys/arch/arm/include/pmap.h4
3 files changed, 7 insertions, 5 deletions
diff --git a/sys/arch/arm/arm/bcopyinout.S b/sys/arch/arm/arm/bcopyinout.S
index 0caaa70b9b5..779741f9cf7 100644
--- a/sys/arch/arm/arm/bcopyinout.S
+++ b/sys/arch/arm/arm/bcopyinout.S
@@ -1,4 +1,4 @@
-/* $OpenBSD: bcopyinout.S,v 1.10 2022/12/08 01:25:44 guenther Exp $ */
+/* $OpenBSD: bcopyinout.S,v 1.11 2023/01/31 15:18:54 deraadt Exp $ */
/* $NetBSD: bcopyinout.S,v 1.13 2003/10/31 16:54:05 scw Exp $ */
/*
@@ -67,7 +67,7 @@
* We save/restore r4-r11:
* r4-r11 are scratch
*/
-ENTRY(copyin)
+ENTRY(_copyin)
/* Quick exit if length is zero */
teq r2, #0
moveq r0, #0
diff --git a/sys/arch/arm/arm/copystr.S b/sys/arch/arm/arm/copystr.S
index 422535a8680..716c6d55665 100644
--- a/sys/arch/arm/arm/copystr.S
+++ b/sys/arch/arm/arm/copystr.S
@@ -1,4 +1,4 @@
-/* $OpenBSD: copystr.S,v 1.11 2023/01/06 19:10:18 miod Exp $ */
+/* $OpenBSD: copystr.S,v 1.12 2023/01/31 15:18:54 deraadt Exp $ */
/* $NetBSD: copystr.S,v 1.8 2002/10/13 14:54:48 bjh21 Exp $ */
/*
@@ -67,7 +67,7 @@
*
* Copy string from user space to kernel space
*/
-ENTRY(copyinstr)
+ENTRY(_copyinstr)
SAVE_REGS
teq r2, #0x00000000
diff --git a/sys/arch/arm/include/pmap.h b/sys/arch/arm/include/pmap.h
index eb9ced1a9be..2bf588563fe 100644
--- a/sys/arch/arm/include/pmap.h
+++ b/sys/arch/arm/include/pmap.h
@@ -1,4 +1,4 @@
-/* $OpenBSD: pmap.h,v 1.52 2023/01/01 19:49:17 miod Exp $ */
+/* $OpenBSD: pmap.h,v 1.53 2023/01/31 15:18:54 deraadt Exp $ */
/* $NetBSD: pmap.h,v 1.76 2003/09/06 09:10:46 rearnsha Exp $ */
/*
@@ -251,6 +251,8 @@ extern struct pmap kernel_pmap_store;
void pmap_remove_all(pmap_t);
void pmap_uncache_page(paddr_t, vaddr_t);
+#define PMAP_CHECK_COPYIN 1
+
#define PMAP_GROWKERNEL /* turn on pmap_growkernel interface */
/* Functions we use internally. */
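Review bot: `#define PMAP_CHECK_COPYIN 1` is added with no comment, unlike the neighbouring `PMAP_GROWKERNEL`, so a reader of pmap.h cannot tell what the flag switches on or what it obliges this architecture to provide. The other two hunks in this commit rename `ENTRY(copyin)` to `ENTRY(_copyin)` and `ENTRY(copyinstr)` to `ENTRY(_copyinstr)`, which suggests the MI side now interposes the range-checking wrapper described in the commit message and calls the underscored MD routines; the MI definition is outside this diff, so that reading should be confirmed before documenting it. Suggest `#define PMAP_CHECK_COPYIN 1 /* MI wrapper range-checks copyin()/copyinstr() sources against text; MD provides _copyin/_copyinstr */`.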