author | Theo de Raadt <deraadt@cvs.openbsd.org> | 2020-09-24 17:54:31 +0000 |
committer | Theo de Raadt <deraadt@cvs.openbsd.org> | 2020-09-24 17:54:31 +0000 |
commit | fd90f03032109673f830032a5e81130709415faf (patch) | |
tree | 15dab4a6d3abbd3cc843f68e8abd4f8524fff4f9 /sys/arch/mips64 | |
parent | df4419435a5a604adc86c42c6a425aca75664d9c (diff) |
Only perform uvm_map_inentry() checks for PROC_SP for userland pagefaults.
This should be sufficient for identifying pivoted ROP. Doing so for other
traps is at best opportunistic for finding a straight-running ROP chain,
but the added (and rare) sleeping point has proven to be dangerous.
Discussed at length with kettenis and mortimer.
ok mortimer kettenis mpi
Diffstat (limited to 'sys/arch/mips64')
-rw-r--r-- | sys/arch/mips64/mips64/trap.c | 16 |
1 files changed, 8 insertions, 8 deletions
diff --git a/sys/arch/mips64/mips64/trap.c b/sys/arch/mips64/mips64/trap.c
index 2a657cd6cb2..42a1827b845 100644
--- a/sys/arch/mips64/mips64/trap.c
+++ b/sys/arch/mips64/mips64/trap.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: trap.c,v 1.146 2020/08/19 10:10:58 mpi Exp $ */
+/* $OpenBSD: trap.c,v 1.147 2020/09/24 17:54:30 deraadt Exp $ */
 /*
  * Copyright (c) 1988 University of Utah.
@@ -261,16 +261,11 @@ trap(struct trapframe *trapframe)
 	}
 #endif
-	if (type & T_USER) {
+	if (type & T_USER)
 		refreshcreds(p);
-		if (!uvm_map_inentry(p, &p->p_spinentry, PROC_STACK(p),
-		    "[%s]%d/%d sp=%lx inside %lx-%lx: not MAP_STACK\n",
-		    uvm_map_inentry_sp, p->p_vmspace->vm_map.sserial))
-			goto out;
-	}
 	itsa(trapframe, ci, p, type);
-out:
+	if (type & T_USER)
 		userret(p);
 }
@@ -394,6 +389,11 @@ itsa(struct trapframe *trapframe, struct cpu_info *ci, struct proc *p,
 	ftype = PROT_WRITE;
 	pcb = &p->p_addr->u_pcb;
 fault_common:
+	if ((type & T_USER) &&
+	    !uvm_map_inentry(p, &p->p_spinentry, PROC_STACK(p),
+	    "[%s]%d/%d sp=%lx inside %lx-%lx: not MAP_STACK\n",
+	    uvm_map_inentry_sp, p->p_vmspace->vm_map.sserial))
+		return;
 #ifdef CPU_R4000
 	if (r4000_errata != 0) {
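Review bot: The early `return;` added at `fault_common:` abandons the page fault without servicing it, and nothing in the hunk explains why that is safe. As far as I can tell it relies on `uvm_map_inentry()` having already posted a fatal signal when it returns false, which `trap()` then delivers through the `userret(p)` it now calls after `itsa()` for every T_USER trap; if that is the contract, state it at the check, e.g. `/* sp must lie in a MAP_STACK entry; on failure the process is already doomed, so skip the fault and let userret() deliver the signal. */`. The commit's rationale — check only on user page faults, because this path may already sleep whereas the old site in `trap()` introduced a new sleeping point — is also worth a one-line comment here, since removing the old site leaves no trace of that decision in the code. `itsa()` begins and ends outside this hunk.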