From owner-svn-src-head@freebsd.org Tue Feb 23 09:22:01 2016
Message-Id: <201602230922.u1N9M0sh022123@repo.freebsd.org>
From: Ed Schouten
Date: Tue, 23 Feb 2016 09:22:00 +0000 (UTC)
To: src-committers@freebsd.org, svn-src-all@freebsd.org, svn-src-head@freebsd.org
Subject: svn commit: r295917 - head/sys/compat/cloudabi

Author: ed
Date: Tue Feb 23 09:22:00 2016
New Revision: 295917
URL: https://svnweb.freebsd.org/changeset/base/295917

Log:
  Make handling of mmap()'s prot argument more strict.

  - Make the system call fail if prot contains bits other than read, write
    and exec.
  - Similar to OpenBSD's W^X, don't allow write and exec to be set at the
    same time. I'd like to see for now what happens if we enforce this
    policy unconditionally. If it turns out that this is far too strict,
    we'll loosen this requirement.

Modified:
  head/sys/compat/cloudabi/cloudabi_mem.c

Modified: head/sys/compat/cloudabi/cloudabi_mem.c
==============================================================================
--- head/sys/compat/cloudabi/cloudabi_mem.c	Tue Feb 23 09:20:33 2016	(r295916)
+++ head/sys/compat/cloudabi/cloudabi_mem.c	Tue Feb 23 09:22:00 2016	(r295917)
@@ -35,18 +35,26 @@ __FBSDID("$FreeBSD$"); /* Converts CloudABI's memory protection flags to FreeBSD's. */ static int -convert_mprot(cloudabi_mprot_t in) +convert_mprot(cloudabi_mprot_t in, int *out) { - int out; - out = 0; + /* Unknown protection flags. */ + if ((in & ~(CLOUDABI_PROT_EXEC | CLOUDABI_PROT_WRITE | + CLOUDABI_PROT_READ)) != 0) + return (ENOTSUP); + /* W^X: Write and exec cannot be enabled at the same time. */ + if ((in & (CLOUDABI_PROT_EXEC | CLOUDABI_PROT_WRITE)) == + (CLOUDABI_PROT_EXEC | CLOUDABI_PROT_WRITE)) + return (ENOTSUP); + + *out = 0; if (in & CLOUDABI_PROT_EXEC) - out |= PROT_EXEC; + *out |= PROT_EXEC; if (in & CLOUDABI_PROT_WRITE) - out |= PROT_WRITE; + *out |= PROT_WRITE; if (in & CLOUDABI_PROT_READ) - out |= PROT_READ; - return (out); + *out |= PROT_READ; + return (0); } int @@ -98,10 +106,10 @@ cloudabi_sys_mem_map(struct thread *td, struct mmap_args mmap_args = { .addr = uap->addr, .len = uap->len, - .prot = convert_mprot(uap->prot), .fd = uap->fd, .pos = uap->off }; + int error; /* Translate flags. */ if (uap->flags & CLOUDABI_MAP_ANON) @@ -113,6 +121,11 @@ cloudabi_sys_mem_map(struct thread *td, if (uap->flags & CLOUDABI_MAP_SHARED) mmap_args.flags |= MAP_SHARED; + /* Translate protection. */ + error = convert_mprot(uap->prot, &mmap_args.prot); + if (error != 0) + return (error); + return (sys_mmap(td, &mmap_args)); } @@ -123,8 +136,13 @@ cloudabi_sys_mem_protect(struct thread * struct mprotect_args mprotect_args = { .addr = uap->addr, .len = uap->len, - .prot = convert_mprot(uap->prot), }; + int error; + + /* Translate protection. */ + error = convert_mprot(uap->prot, &mprotect_args.prot); + if (error != 0) + return (error); return (sys_mprotect(td, &mprotect_args)); }
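Review bot: in the convert_mprot() hunk, both rejections return ENOTSUP, so a caller cannot distinguish a malformed prot (bits outside CLOUDABI_PROT_READ/WRITE/EXEC) from a well-formed request that the W^X policy refuses; consider EINVAL for the unknown-bits case, which is the conventional errno for an invalid argument, and keep ENOTSUP for the W^X branch so the two failure modes are separable in logs and tests. The header comment "Converts CloudABI's memory protection flags to FreeBSD's." should also be updated to say that the function now returns 0 or an errno and stores the translated flags through *out, since the old return-the-flags contract is what a reader will expect.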
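Review bot: in the two cloudabi_sys_mem_map() hunks, dropping `.prot = convert_mprot(uap->prot),` from the designated initializer leaves mmap_args.prot implicitly zero until the "Translate protection." block fills it, and the `if (error != 0) return (error);` runs before sys_mmap(), so a rejected prot never creates a mapping; that is correct, but a one-line comment at the initializer saying that prot is set below would stop a later change from reordering the blocks and calling sys_mmap() with prot still zero.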
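Review bot: in the cloudabi_sys_mem_protect() hunk, the W^X check in convert_mprot() sees only the prot of the current call, so a region mapped with WRITE can still be switched to EXEC (and back) by successive mem_protect() calls; the policy only forbids holding both bits at once, it does not track a mapping's history. Since the log message says the restriction is being tried unconditionally, the `/* W^X: ... */` comment or the log should state that it is per call, because the write-then-execute transition is the first case that will be exercised when deciding whether the policy is too strict.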