| | | |
|---|---|---|
| author | Theo de Raadt <deraadt@cvs.openbsd.org> | 2023-01-31 15:18:57 +0000 |
| committer | Theo de Raadt <deraadt@cvs.openbsd.org> | 2023-01-31 15:18:57 +0000 |
| commit | b5cb48fafaedcd8da458c3d4bdebb772a4ac854a (patch) | |
| tree | 8a33c4dfd70fe550056e51ea9d34caa246b0e153 /sys/kern/kern_sig.c | |
| parent | 26cfaa1a08f7839f556db0f69e968a488481e454 (diff) | |
On systems without xonly mmu hardware-enforcement, we can still mitigate
against classic BROP with a range-checking wrapper in front of copyin() and
copyinstr() which ensures the userland source doesn't overlap the main program
text, ld.so text, signal tramp text (its mapping is hard to distinguish
so it comes along for the ride), or libc.so text. ld.so tells the kernel
libc.so text range with msyscall(2). The range checking for 2-4 elements is
done without locking (because all 4 ranges are immutable!) and is inexpensive.

write(sock, &open, 400) now fails with EFAULT. No programs have been
discovered which require reading their own text segments with a system call.

On a machine without mmu enforcement, a test program reports the following:

| | userland | kernel |
|---|---|---|
| ld.so | readable | unreadable |
| mmap xz | unreadable | unreadable |
| mmap x | readable | readable |
| mmap nrx | readable | readable |
| mmap nwx | readable | readable |
| mmap xnwx | readable | readable |
| main | readable | unreadable |
| libc unmapped? | readable | unreadable |
| libc mapped | readable | unreadable |

ok kettenis, additional help from miod
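The range-checking wrapper the commit message describes, modelled in userland C as an added example (this is not OpenBSD's kernel code). The field name `check_copyin_count` is taken from the diff below; `struct vm_check`, `register_text_range()`, `check_copyin()`, `model_copyin()`, the simulated address space and all addresses are constructed for illustration. The model keeps a per-address-space list of at most four immutable half-open text ranges, refuses any copy whose source overlaps one of them with EFAULT, and shows that setting the count to zero (as `coredump()` does in the diff) switches the check off:

```c
#include <errno.h>
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Hypothetical model of the mitigation: up to four immutable text ranges per
 * address space that a copyin() wrapper refuses to read from. */
#define CHECK_COPYIN_MAX 4
#define USPACE_SIZE 0x10000u            /* size of the simulated userland space */

struct text_range { uintptr_t start, end; };   /* half-open [start, end) */

struct vm_check {
	struct text_range ranges[CHECK_COPYIN_MAX];
	int check_copyin_count;             /* valid entries; 0 disables the check */
};

static int overlaps(uintptr_t a0, uintptr_t a1, uintptr_t b0, uintptr_t b1)
{
	return a0 < b1 && b0 < a1;
}

/* Register one immutable text range (main, ld.so, sigtramp, libc.so). */
int register_text_range(struct vm_check *vm, uintptr_t start, uintptr_t end)
{
	if (start >= end || vm->check_copyin_count >= CHECK_COPYIN_MAX)
		return EINVAL;
	vm->ranges[vm->check_copyin_count++] = (struct text_range){ start, end };
	return 0;
}

/* The check in front of copyin(): 0 if [uaddr, uaddr+len) touches no
 * registered text range, EFAULT otherwise. No lock is taken: entries are
 * never modified or reordered, the count only ever drops to zero. */
int check_copyin(const struct vm_check *vm, uintptr_t uaddr, size_t len)
{
	uintptr_t end;
	int i;

	if (len == 0)
		return 0;
	if (uaddr + len < uaddr)            /* address arithmetic wrapped */
		return EFAULT;
	end = uaddr + len;
	for (i = 0; i < vm->check_copyin_count; i++)
		if (overlaps(uaddr, end, vm->ranges[i].start, vm->ranges[i].end))
			return EFAULT;
	return 0;
}

/* Simulated userland memory: addresses are offsets into this array. */
static unsigned char uspace[USPACE_SIZE];

/* Wrapped copyin(): refuse text reads first, then bounds-check the copy. */
int model_copyin(const struct vm_check *vm, uintptr_t uaddr, void *kaddr, size_t len)
{
	int error = check_copyin(vm, uaddr, len);

	if (error)
		return error;
	if (uaddr > USPACE_SIZE || len > USPACE_SIZE - uaddr)
		return EFAULT;
	memcpy(kaddr, uspace + uaddr, len);
	return 0;
}

/* Constructed layout mirroring the commit message's cases (hypothetical addresses). */
void build_sample_vm(struct vm_check *vm)
{
	memset(vm, 0, sizeof(*vm));
	register_text_range(vm, 0x1000, 0x2000);    /* main program text */
	register_text_range(vm, 0x3000, 0x4000);    /* ld.so text */
	register_text_range(vm, 0x4000, 0x4100);    /* signal trampoline */
	register_text_range(vm, 0x5000, 0x7000);    /* libc.so text, reported via msyscall(2) */
}

/* Run check_copyin() against the sample layout. */
int sample_check(uintptr_t uaddr, size_t len)
{
	struct vm_check vm;

	build_sample_vm(&vm);
	return check_copyin(&vm, uaddr, len);
}

/* Counts how many of the expected outcomes the model reproduces (7 expected). */
int demo(void)
{
	struct vm_check vm;
	unsigned char buf[512];
	int ok = 0;

	build_sample_vm(&vm);
	memset(uspace, 0xAA, sizeof(uspace));
	ok += model_copyin(&vm, 0x1100, buf, 400) == EFAULT;   /* write(sock, &open, 400): main text */
	ok += model_copyin(&vm, 0x5100, buf, 400) == EFAULT;   /* libc text */
	ok += model_copyin(&vm, 0x0f00, buf, 0x200) == EFAULT; /* straddles into main text */
	ok += model_copyin(&vm, 0x8000, buf, 400) == 0;        /* anonymous mmap x: still readable */
	ok += model_copyin(&vm, 0x2000, buf, 16) == 0;         /* first byte past main text */
	ok += register_text_range(&vm, 0x9000, 0x9100) == EINVAL; /* list is full */
	vm.check_copyin_count = 0;                               /* the coredump() exemption */
	ok += model_copyin(&vm, 0x1100, buf, 400) == 0;
	return ok;
}
```

The half-open ranges mean a read starting exactly at the end of a text segment is allowed, while a read that starts below a segment and runs into it is refused; the wrap-around test matters because an overflowing `uaddr + len` would otherwise let a huge length slip past every range.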
Diffstat (limited to 'sys/kern/kern_sig.c')

| -rw-r--r-- | sys/kern/kern_sig.c | 7 |
|---|---|---|

1 files changed, 6 insertions, 1 deletions
diff --git a/sys/kern/kern_sig.c b/sys/kern/kern_sig.c index 38149c19cc8..416cef58181 100644 --- a/sys/kern/kern_sig.c +++ b/sys/kern/kern_sig.c @@ -1,4 +1,4 @@ -/* $OpenBSD: kern_sig.c,v 1.303 2023/01/02 23:09:48 guenther Exp $ */ +/* $OpenBSD: kern_sig.c,v 1.304 2023/01/31 15:18:56 deraadt Exp $ */ /* $NetBSD: kern_sig.c,v 1.54 1996/04/22 01:38:32 christos Exp $ */ /* @@ -1635,6 +1635,11 @@ coredump(struct proc *p) atomic_setbits_int(&pr->ps_flags, PS_COREDUMP); +#ifdef PMAP_CHECK_COPYIN + /* disable copyin checks, so we can write out text sections if needed */ + p->p_vmspace->vm_map.check_copyin_count = 0; +#endif + /* Don't dump if will exceed file size limit. */ if (USPACE + ptoa(vm->vm_dsize + vm->vm_ssize) >= lim_cur(RLIMIT_CORE)) return (EFBIG); |
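Review bot: in the coredump() hunk the store `p->p_vmspace->vm_map.check_copyin_count = 0;` sits above the `RLIMIT_CORE` size check, so when the dump is refused with `return (EFBIG);` the copyin range checks are already disabled for the process even though nothing was written; if that is acceptable because the process is on its way out, the comment `/* disable copyin checks, so we can write out text sections if needed */` should say so, otherwise move the reset below the size check so only a dump that actually proceeds lifts the restriction. The same comment could also note why this one unlocked write is safe given that the commit message justifies lock-free checking by the ranges being immutable, and the commit message itself does not mention that coredump() exempts itself from the check.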