authorTheo de Raadt <deraadt@cvs.openbsd.org>2016-05-10 18:39:54 +0000
committerTheo de Raadt <deraadt@cvs.openbsd.org>2016-05-10 18:39:54 +0000
commit869ce5a1007a9d00bbac5121d825c80be70f9dde (patch)
tree26cd16954837176d7032fd1841853c34c5b32f99 /sys/kern/kern_exec.c
parent24ed245ec22671d3d288d52c91f39a81a24637bf (diff)
SROP mitigation. sendsig() stores a (per-process ^ &sigcontext) cookie
inside the sigcontext. sigreturn(2) checks that syscall entry was from the exact PC addr in the (per-process ASLR) sigtramp, verifies the cookie, and clears it to prevent sigcontext reuse. Not yet tested on landisk, sparc, *88k, socppc. ok kettenis
Diffstat (limited to 'sys/kern/kern_exec.c')
-rw-r--r--sys/kern/kern_exec.c7
1 files changed, 6 insertions, 1 deletions
diff --git a/sys/kern/kern_exec.c b/sys/kern/kern_exec.c
index 2bae3c5fbeb..ced0bb86c51 100644
--- a/sys/kern/kern_exec.c
+++ b/sys/kern/kern_exec.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: kern_exec.c,v 1.176 2016/04/25 20:00:33 tedu Exp $ */
+/* $OpenBSD: kern_exec.c,v 1.177 2016/05/10 18:39:51 deraadt Exp $ */
/* $NetBSD: kern_exec.c,v 1.75 1996/02/09 18:59:28 christos Exp $ */
/*-
@@ -498,6 +498,7 @@ sys_execve(struct proc *p, void *v, register_t *retval)
TCB_SET(p, NULL); /* reset the TCB address */
pr->ps_kbind_addr = 0; /* reset the kbind bits */
pr->ps_kbind_cookie = 0;
+ arc4random_buf(&pr->ps_sigcookie, sizeof pr->ps_sigcookie);
/* set command name & other accounting info */
memset(p->p_comm, 0, sizeof(p->p_comm));
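Review bot: The new arc4random_buf() line is the only entry in this run of per-exec resets without a comment, while the neighbouring TCB and kbind lines each say what they reset; a trailing comment such as `/* fresh per-process sigreturn cookie, never inherited from the old image */` would keep the block self-explanatory. The commit message describes the cookie as per-process, so regenerating it on every exec rather than carrying the previous image's value appears to be the intent, and that is worth stating next to the line. sys_execve() begins and ends outside this hunk, so whether any later failure path leaves the old image running with the new cookie cannot be judged from here.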
@@ -868,5 +869,9 @@ exec_sigcode_map(struct process *pr, struct emul *e)
return (ENOMEM);
}
+ /* Calculate PC at point of sigreturn entry */
+ pr->ps_sigcoderet = pr->ps_sigcode +
+ (pr->ps_emul->e_esigret - pr->ps_emul->e_sigcode);
+
return (0);
}
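Review bot: The new lines reach the emulation through `pr->ps_emul` although exec_sigcode_map() receives it as the `e` parameter shown in the hunk header; if the two ever differ, the offset would be taken from a different e_sigcode than the one this function just mapped. Computing it from the parameter, `pr->ps_sigcoderet = pr->ps_sigcode + (e->e_esigret - e->e_sigcode);`, ties the value to the mapped code and presumably matches how the earlier part of the body (outside this hunk) refers to the emulation. The comment would also help a reader more if it named what the value is later compared with, e.g. `/* PC of the sigreturn(2) entry inside the mapped sigtramp; sigreturn rejects callers trapping from any other address */`.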