authorTheo de Raadt <deraadt@cvs.openbsd.org>2020-09-24 17:54:31 +0000
committerTheo de Raadt <deraadt@cvs.openbsd.org>2020-09-24 17:54:31 +0000
commitfd90f03032109673f830032a5e81130709415faf (patch)
tree15dab4a6d3abbd3cc843f68e8abd4f8524fff4f9 /sys/arch/i386
parentdf4419435a5a604adc86c42c6a425aca75664d9c (diff)
Only perform uvm_map_inentry() checks for PROC_SP for userland pagefaults.
This should be sufficient for identifying pivoted ROP. Doing so for other traps is at best opportunistic for finding a straight-running ROP chain, but the added (and rare) sleeping point has proven to be dangerous. Discussed at length with kettenis and mortimer. ok mortimer kettenis mpi
Diffstat (limited to 'sys/arch/i386')
-rw-r--r--sys/arch/i386/i386/trap.c10
1 files changed, 5 insertions, 5 deletions
diff --git a/sys/arch/i386/i386/trap.c b/sys/arch/i386/i386/trap.c
index 14b5be0d6fb..e3a5c7e5264 100644
--- a/sys/arch/i386/i386/trap.c
+++ b/sys/arch/i386/i386/trap.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: trap.c,v 1.147 2020/09/24 11:36:50 deraadt Exp $ */
+/* $OpenBSD: trap.c,v 1.148 2020/09/24 17:54:29 deraadt Exp $ */
/* $NetBSD: trap.c,v 1.95 1996/05/05 06:50:02 mycroft Exp $ */
/*-
@@ -154,10 +154,6 @@ trap(struct trapframe *frame)
type |= T_USER;
p->p_md.md_regs = frame;
refreshcreds(p);
- if (!uvm_map_inentry(p, &p->p_spinentry, PROC_STACK(p),
- "[%s]%d/%d sp=%lx inside %lx-%lx: not MAP_STACK\n",
- uvm_map_inentry_sp, p->p_vmspace->vm_map.sserial))
- goto out;
}
switch (type) {
@@ -349,6 +345,10 @@ trap(struct trapframe *frame)
int error;
int signal, sicode;
+ if (!uvm_map_inentry(p, &p->p_spinentry, PROC_STACK(p),
+ "[%s]%d/%d sp=%lx inside %lx-%lx: not MAP_STACK\n",
+ uvm_map_inentry_sp, p->p_vmspace->vm_map.sserial))
+ goto out;
KERNEL_LOCK();
faultcommon:
vm = p->p_vmspace;
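Review bot: The added uvm_map_inentry() call ahead of KERNEL_LOCK() carries no comment explaining why the MAP_STACK check now lives only in this page-fault case and why it must stay before the lock; that rationale exists only in the commit message and will be invisible to the next reader of trap.c. I would add above the call: `/* Verify sp lies in a MAP_STACK entry to catch pivoted ROP.  Done only for user page faults, and before KERNEL_LOCK(), since uvm_map_inentry() may sleep. */`. The case label enclosing these lines is outside the hunk, so it cannot be confirmed here that this block is entered only from user-mode faults; the `faultcommon:` label placed after KERNEL_LOCK() suggests another path (presumably the kernel-mode fault case) jumps in past the check, which matches the stated intent but is worth saying in that comment so nobody later hoists the check to the top of trap() again. The enclosing trap() function starts and ends outside the hunk.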