From: guenther Date: Mon, 7 Nov 2022 01:41:57 +0000 (+0000) Subject: In kpageflttrap(), validate a non-NULL pcb_onfault against an array X-Git-Url: http://artulab.com/gitweb/?a=commitdiff_plain;h=4c5e57a2bb21e6f8963cca482c2e6a369211a6f7;p=openbsd In kpageflttrap(), validate a non-NULL pcb_onfault against an array of permitted addresses, done via .nofault* sections that end up in the linked kernel's rodata. ok deraadt@ kettenis@ --- diff --git a/sys/arch/amd64/amd64/copy.S b/sys/arch/amd64/amd64/copy.S index 73dcefa058f..87bdd002952 100644 --- a/sys/arch/amd64/amd64/copy.S +++ b/sys/arch/amd64/amd64/copy.S @@ -1,4 +1,4 @@ -/* $OpenBSD: copy.S,v 1.14 2021/09/04 22:15:33 bluhm Exp $ */ +/* $OpenBSD: copy.S,v 1.15 2022/11/07 01:41:57 guenther Exp $ */ /* $NetBSD: copy.S,v 1.1 2003/04/26 18:39:26 fvdl Exp $ */ /* @@ -44,6 +44,11 @@ #include #include +#define DECLARE_ONFAULT(x) \ + .pushsection .nofault.0, "a" ;\ + .quad x ;\ + .popsection + /* * Copy routines from and to userland, plus a few more. See the * section 9 manpages for info. Some cases can be optimized more. @@ -183,6 +188,7 @@ ENTRY(copyin) lfence NENTRY(copy_fault) +DECLARE_ONFAULT(copy_fault) SMAP_CLAC movq CPUVAR(CURPCB),%rdx popq PCB_ONFAULT(%rdx) @@ -277,6 +283,7 @@ ENTRY(copyinstr) jmp copystr_return ENTRY(copystr_fault) +DECLARE_ONFAULT(copystr_fault) movl $EFAULT,%eax copystr_return: SMAP_CLAC diff --git a/sys/arch/amd64/amd64/efi_machdep.c b/sys/arch/amd64/amd64/efi_machdep.c index 90716cb32e8..40ed5004b6c 100644 --- a/sys/arch/amd64/amd64/efi_machdep.c +++ b/sys/arch/amd64/amd64/efi_machdep.c @@ -1,4 +1,4 @@ -/* $OpenBSD: efi_machdep.c,v 1.3 2022/11/04 16:49:31 kettenis Exp $ */ +/* $OpenBSD: efi_machdep.c,v 1.4 2022/11/07 01:41:57 guenther Exp $ */ /* * Copyright (c) 2022 Mark Kettenis @@ -236,6 +236,7 @@ efi_fault(void) { longjmp(&efi_jmpbuf); } +__asm(".pushsection .nofault, \"a\"; .quad efi_fault; .popsection"); void efi_enter(struct efi_softc *sc) diff --git a/sys/arch/amd64/amd64/trap.c b/sys/arch/amd64/amd64/trap.c index ffda7e2609b..61f150321da 100644 --- a/sys/arch/amd64/amd64/trap.c +++ b/sys/arch/amd64/amd64/trap.c @@ -1,4 +1,4 @@ -/* $OpenBSD: trap.c,v 1.92 2022/11/04 16:49:31 kettenis Exp $ */ +/* $OpenBSD: trap.c,v 1.93 2022/11/07 01:41:57 guenther Exp $ */ /* $NetBSD: trap.c,v 1.2 2003/05/04 23:51:56 fvdl Exp $ */ /*- @@ -226,6 +226,19 @@ kpageflttrap(struct trapframe *frame, uint64_t cr2) return 0; pcb = &p->p_addr->u_pcb; + if (pcb->pcb_onfault != NULL) { + extern caddr_t __nofault_start[], __nofault_end[]; + caddr_t *nf = __nofault_start; + while (*nf++ != pcb->pcb_onfault) { + if (nf >= __nofault_end) { + KERNEL_LOCK(); + fault("invalid pcb_nofault=%lx", + (long)pcb->pcb_onfault); + return 0; + /* retain kernel lock */ + } + } + } /* This will only trigger if SMEP is enabled */ if (pcb->pcb_onfault == NULL && cr2 <= VM_MAXUSER_ADDRESS && diff --git a/sys/arch/amd64/conf/ld.script b/sys/arch/amd64/conf/ld.script index 18298f8b8c3..c02f60c66cb 100644 --- a/sys/arch/amd64/conf/ld.script +++ b/sys/arch/amd64/conf/ld.script @@ -1,4 +1,4 @@ -/* $OpenBSD: ld.script,v 1.18 2022/09/02 09:02:37 mlarkin Exp $ */ +/* $OpenBSD: ld.script,v 1.19 2022/11/07 01:41:57 guenther Exp $ */ /* * Copyright (c) 2009 Tobias Weingartner @@ -85,6 +85,10 @@ SECTIONS { __rodata_start = ABSOLUTE(.); *(.rodata .rodata.*) + . = ALIGN(8); + __nofault_start = ABSOLUTE(.); + *(.nofault.*) *(.nofault) + __nofault_end = ABSOLUTE(.); *(.codepatch) *(.codepatchend) } :rodata =0xcccccccc