authorTheo de Raadt <deraadt@cvs.openbsd.org>2018-04-12 17:13:45 +0000
committerTheo de Raadt <deraadt@cvs.openbsd.org>2018-04-12 17:13:45 +0000
commit9e91f96d779c665c5377cfd5667ee7e276f4c6eb (patch)
treefe187bb093929803715228a98ffc99028915fbad /sys/arch/sh
parent0f04bf0af32f3ceff2d723822807131626fbff5d (diff)
Implement MAP_STACK option for mmap(). Synchronous faults (pagefault and
syscall) confirm the stack register points at MAP_STACK memory, otherwise SIGSEGV is delivered. sigaltstack() and pthread_attr_setstack() are modified to create a MAP_STACK sub-region which satisfies alignment requirements. Observe that MAP_STACK can only be set/cleared by mmap(), which zeroes the contents of the region -- there is no mprotect() equivalent operation, so there is no MAP_STACK-adding gadget. This opportunistic software-emulation of a stack protection bit makes stack-pivot operations during ROPchain fragile (kind of like removing a tool from the toolbox). original discussion with tedu, uvm work by stefan, testing by mortimer ok kettenis
Diffstat (limited to 'sys/arch/sh')
-rw-r--r--sys/arch/sh/sh/sh_machdep.c6
1 files changed, 3 insertions, 3 deletions
diff --git a/sys/arch/sh/sh/sh_machdep.c b/sys/arch/sh/sh/sh_machdep.c
index ec1c393a77d..218db7f2e75 100644
--- a/sys/arch/sh/sh/sh_machdep.c
+++ b/sys/arch/sh/sh/sh_machdep.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: sh_machdep.c,v 1.46 2016/05/21 00:56:44 deraadt Exp $ */
+/* $OpenBSD: sh_machdep.c,v 1.47 2018/04/12 17:13:44 deraadt Exp $ */
/* $NetBSD: sh3_machdep.c,v 1.59 2006/03/04 01:13:36 uwe Exp $ */
/*
@@ -460,8 +460,8 @@ sendsig(sig_t catcher, int sig, int mask, u_long code, int type,
if ((p->p_sigstk.ss_flags & SS_DISABLE) == 0 &&
!sigonstack(p->p_md.md_regs->tf_r15) &&
(psp->ps_sigonstack & sigmask(sig)))
- fp = (struct sigframe *)((vaddr_t)p->p_sigstk.ss_sp +
- p->p_sigstk.ss_size);
+ fp = (struct sigframe *)
+ trunc_page((vaddr_t)p->p_sigstk.ss_sp + p->p_sigstk.ss_size);
else
fp = (void *)p->p_md.md_regs->tf_r15;
--fp;
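Review bot: The `trunc_page()` applied to the top of the alternate signal stack in sendsig() has no comment tying it to the MAP_STACK sub-region, and nothing in this hunk shows that the rounded-down address still lies at or above `ss_sp`. If `ss_sp` is not page-aligned and `ss_size` is smaller than a page, the truncated top could fall below the start of the registered stack, so the frame written after `--fp` would land outside it. Presumably sigaltstack() rejects or rounds such ranges, but that code is not part of this diff, so the assumption is worth recording here. I would add `/* top of the page-aligned MAP_STACK sub-region set up by sigaltstack(); must stay >= ss_sp */` above the assignment. sendsig() begins before this hunk and continues after it.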