Date: Sun, 14 Nov 2010 17:53:52 +0000 (UTC) From: Konstantin Belousov <kib@FreeBSD.org> To: src-committers@freebsd.org, svn-src-all@freebsd.org, svn-src-head@freebsd.org Subject: svn commit: r215307 - head/sys/vm Message-ID: <201011141753.oAEHrqYr089022@svn.freebsd.org>
next in thread | raw e-mail | index | archive | help
Author: kib Date: Sun Nov 14 17:53:52 2010 New Revision: 215307 URL: http://svn.freebsd.org/changeset/base/215307 Log: Implement a (soft) stack guard page for auto-growing stack mappings. The unmapped page separates the tip of the stack and possible adjanced segment, making some uses of stack overflow harder. The stack growing code refuses to expand the segment to the last page of the reseved region when sysctl security.bsd.stack_guard_page is set to 1. The default value for sysctl and accompanying tunable is 0. Please note that mmap(MAP_FIXED) still can place a mapping right up to the stack, making continuous region. Reviewed by: alc MFC after: 1 week Modified: head/sys/vm/vm_map.c Modified: head/sys/vm/vm_map.c ============================================================================== --- head/sys/vm/vm_map.c Sun Nov 14 17:24:15 2010 (r215306) +++ head/sys/vm/vm_map.c Sun Nov 14 17:53:52 2010 (r215307) @@ -67,6 +67,7 @@ __FBSDID("$FreeBSD$"); #include <sys/param.h> #include <sys/systm.h> +#include <sys/kernel.h> #include <sys/ktr.h> #include <sys/lock.h> #include <sys/mutex.h> @@ -76,6 +77,7 @@ __FBSDID("$FreeBSD$"); #include <sys/vnode.h> #include <sys/resourcevar.h> #include <sys/file.h> +#include <sys/sysctl.h> #include <sys/sysent.h> #include <sys/shm.h> @@ -3216,6 +3218,12 @@ vm_map_stack(vm_map_t map, vm_offset_t a return (rv); } +static int stack_guard_page = 0; +TUNABLE_INT("security.bsd.stack_guard_page", &stack_guard_page); +SYSCTL_INT(_security_bsd, OID_AUTO, stack_guard_page, CTLFLAG_RW, + &stack_guard_page, 0, + "Insert stack guard page ahead of the growable segments."); + /* Attempts to grow a vm stack entry. Returns KERN_SUCCESS if the * desired address is already mapped, or if we successfully grow * the stack. Also returns KERN_SUCCESS if addr is outside the @@ -3312,7 +3320,7 @@ Retry: * This also effectively destroys any guard page the user might have * intended by limiting the stack size. */ - if (grow_amount > max_grow) { + if (grow_amount + (stack_guard_page ? PAGE_SIZE : 0) > max_grow) { if (vm_map_lock_upgrade(map)) goto Retry; @@ -3365,6 +3373,8 @@ Retry: if (addr < end) { stack_entry->avail_ssize = max_grow; addr = end; + if (stack_guard_page) + addr += PAGE_SIZE; } rv = vm_map_insert(map, NULL, 0, addr, stack_entry->start, @@ -3397,6 +3407,8 @@ Retry: if (addr > end) { stack_entry->avail_ssize = end - stack_entry->end; addr = end; + if (stack_guard_page) + addr -= PAGE_SIZE; } grow_amount = addr - stack_entry->end;
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?201011141753.oAEHrqYr089022>