| field | value | date |
|---|---|---|
| author | Theo de Raadt <deraadt@cvs.openbsd.org> | 2020-09-24 17:54:31 +0000 |
| committer | Theo de Raadt <deraadt@cvs.openbsd.org> | 2020-09-24 17:54:31 +0000 |
| commit | fd90f03032109673f830032a5e81130709415faf | |
| tree | 15dab4a6d3abbd3cc843f68e8abd4f8524fff4f9 /sys/arch/i386 | |
| parent | df4419435a5a604adc86c42c6a425aca75664d9c | |
Only perform uvm_map_inentry() checks for PROC_SP for userland pagefaults.
This should be sufficient for identifying pivoted ROP. Doing so for other
traps is at best opportunistic for finding a straight-running ROP chain,
but the added (and rare) sleeping point has proven to be dangerous.
Discussed at length with kettenis and mortimer.
ok mortimer kettenis mpi
Diffstat (limited to 'sys/arch/i386')

| mode | file | lines |
|---|---|---|
| -rw-r--r-- | sys/arch/i386/i386/trap.c | 10 |

1 files changed, 5 insertions, 5 deletions
diff --git a/sys/arch/i386/i386/trap.c b/sys/arch/i386/i386/trap.c index 14b5be0d6fb..e3a5c7e5264 100644 --- a/sys/arch/i386/i386/trap.c +++ b/sys/arch/i386/i386/trap.c @@ -1,4 +1,4 @@ -/* $OpenBSD: trap.c,v 1.147 2020/09/24 11:36:50 deraadt Exp $ */ +/* $OpenBSD: trap.c,v 1.148 2020/09/24 17:54:29 deraadt Exp $ */ /* $NetBSD: trap.c,v 1.95 1996/05/05 06:50:02 mycroft Exp $ */ /*- @@ -154,10 +154,6 @@ trap(struct trapframe *frame) type |= T_USER; p->p_md.md_regs = frame; refreshcreds(p); - if (!uvm_map_inentry(p, &p->p_spinentry, PROC_STACK(p), - "[%s]%d/%d sp=%lx inside %lx-%lx: not MAP_STACK\n", - uvm_map_inentry_sp, p->p_vmspace->vm_map.sserial)) - goto out; } switch (type) { @@ -349,6 +345,10 @@ trap(struct trapframe *frame) int error; int signal, sicode; + if (!uvm_map_inentry(p, &p->p_spinentry, PROC_STACK(p), + "[%s]%d/%d sp=%lx inside %lx-%lx: not MAP_STACK\n", + uvm_map_inentry_sp, p->p_vmspace->vm_map.sserial)) + goto out; KERNEL_LOCK(); faultcommon: vm = p->p_vmspace; |
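Review bot: in the first hunk (@@ -154,10 +154,6 @@), dropping the uvm_map_inentry() call from the common T_USER preamble means the "sp inside a MAP_STACK mapping" check no longer runs for any user trap other than the page fault it is re-added to; the commit message states this is deliberate because the call can sleep, but the surviving block `type |= T_USER; p->p_md.md_regs = frame; refreshcreds(p);` gives no hint that the check was moved rather than deleted, so a one-line comment pointing at the pagefault case would save the next reader a search, and it is worth confirming that nothing else on this arch relied on `p->p_spinentry` being refreshed on every user trap.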
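Review bot: in the second hunk (@@ -349,6 +345,10 @@), the re-added uvm_map_inentry() call sits above `KERNEL_LOCK();` and above the `faultcommon:` label, so the `goto out` on failure needs no unlock, and a kernel-mode fault that enters via `faultcommon:` bypasses the check entirely, which matches "userland pagefaults only"; since the ordering relative to the lock is load-bearing (the call may sleep, per the message), a short comment such as "must precede KERNEL_LOCK(): uvm_map_inentry() can sleep; user faults only" would keep a future reordering from reintroducing the sleeping-under-lock problem this commit removes.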