From 4ec5462fec100929e25f9985f4cfd6b1e6983e64 Mon Sep 17 00:00:00 2001
From: mbuhl
Date: Wed, 23 Nov 2022 11:00:27 +0000
Subject: [PATCH] cache ps_auxinfo inside the kernel, to avoid codedump() reading the copy on userland stack which points at an illicit region.

ok kettenis, deraadt
---
 sys/kern/exec_elf.c | 25 +++----------------------
 sys/kern/kern_exec.c | 4 +++-
 sys/sys/proc.h | 3 ++-
 3 files changed, 8 insertions(+), 24 deletions(-)

diff --git a/sys/kern/exec_elf.c b/sys/kern/exec_elf.c
index 4657d9fe09c..3cca0a1189b 100644
--- a/sys/kern/exec_elf.c
+++ b/sys/kern/exec_elf.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: exec_elf.c,v 1.175 2022/11/14 17:25:00 visa Exp $ */
+/* $OpenBSD: exec_elf.c,v 1.176 2022/11/23 11:00:27 mbuhl Exp $ */
 
 /*
  * Copyright (c) 1996 Per Fogelstrom
@@ -1221,9 +1221,6 @@ coredump_walk_elf(vaddr_t start, vaddr_t realend, vaddr_t end, vm_prot_t prot,
 int
 coredump_notes_elf(struct proc *p, void *iocookie, size_t *sizep)
 {
-	struct ps_strings pss;
-	struct iovec iov;
-	struct uio uio;
 	struct elfcore_procinfo cpi;
 	Elf_Note nhdr;
 	struct process *pr = p->p_p;
@@ -1282,23 +1279,7 @@ coredump_notes_elf(struct proc *p, void *iocookie, size_t *sizep)
 	/* Second, write an NT_OPENBSD_AUXV note. */
 	notesize = sizeof(nhdr) + elfround(sizeof("OpenBSD")) + elfround(ELF_AUX_WORDS * sizeof(char *));
-	if (iocookie) {
-		iov.iov_base = &pss;
-		iov.iov_len = sizeof(pss);
-		uio.uio_iov = &iov;
-		uio.uio_iovcnt = 1;
-		uio.uio_offset = (off_t)pr->ps_strings;
-		uio.uio_resid = sizeof(pss);
-		uio.uio_segflg = UIO_SYSSPACE;
-		uio.uio_rw = UIO_READ;
-		uio.uio_procp = NULL;
-
-		error = uvm_io(&p->p_vmspace->vm_map, &uio, 0);
-		if (error)
-			return (error);
-
-		if (pss.ps_envstr == NULL)
-			return (EIO);
+	if (iocookie && pr->ps_auxinfo) {
 		nhdr.namesz = sizeof("OpenBSD");
 		nhdr.descsz = ELF_AUX_WORDS * sizeof(char *);
@@ -1315,7 +1296,7 @@ coredump_notes_elf(struct proc *p, void *iocookie, size_t *sizep)
 			return (error);
 
 		error = coredump_write(iocookie, UIO_USERSPACE,
-		    pss.ps_envstr + pss.ps_nenvstr + 1, nhdr.descsz);
+		    (caddr_t)pr->ps_auxinfo, nhdr.descsz);
 		if (error)
 			return (error);
 	}
diff --git a/sys/kern/kern_exec.c b/sys/kern/kern_exec.c
index e92587ab4f2..ca0ed3ce4f5 100644
--- a/sys/kern/kern_exec.c
+++ b/sys/kern/kern_exec.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: kern_exec.c,v 1.239 2022/11/17 18:53:12 deraadt Exp $ */
+/* $OpenBSD: kern_exec.c,v 1.240 2022/11/23 11:00:27 mbuhl Exp $ */
 /* $NetBSD: kern_exec.c,v 1.75 1996/02/09 18:59:28 christos Exp $ */
 
 /*-
@@ -492,6 +492,8 @@ sys_execve(struct proc *p, void *v, register_t *retval)
 	if (!copyargs(&pack, &arginfo, stack, argp))
 		goto exec_abort;
 
+	pr->ps_auxinfo = (vaddr_t)pack.ep_auxinfo;
+
 	/* copy out the process's ps_strings structure */
 	if (copyout(&arginfo, (char *)pr->ps_strings, sizeof(arginfo)))
 		goto exec_abort;
diff --git a/sys/sys/proc.h b/sys/sys/proc.h
index 01fa10baf70..b4585103f31 100644
--- a/sys/sys/proc.h
+++ b/sys/sys/proc.h
@@ -1,4 +1,4 @@
-/* $OpenBSD: proc.h,v 1.334 2022/07/23 22:10:59 cheloha Exp $ */
+/* $OpenBSD: proc.h,v 1.335 2022/11/23 11:00:27 mbuhl Exp $ */
 /* $NetBSD: proc.h,v 1.44 1996/04/22 01:23:21 christos Exp $ */
 
 /*-
@@ -215,6 +215,7 @@ struct process {
 	char ps_comm[_MAXCOMLEN]; /* command name, incl NUL */
 
 	vaddr_t ps_strings; /* User pointers to argv/env */
+	vaddr_t ps_auxinfo; /* User pointer to auxinfo */
 	vaddr_t ps_timekeep; /* User pointer to timekeep */
 	vaddr_t ps_sigcode; /* [I] User pointer to signal code */
 	vaddr_t ps_sigcoderet; /* [I] User ptr to sigreturn retPC */
-- 
2.20.1
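Review bot: The auxv note is now silently skipped on the write pass when `pr->ps_auxinfo` is 0, whereas the removed code failed the dump with EIO when it could not locate the vector; if the `notesize` accounting that follows this block (outside the hunk, in coredump_notes_elf which continues past it) still adds the note unconditionally, the sizing pass and the write pass disagree and the PT_NOTE segment is declared larger than what actually gets written. Either keep the fail-closed behaviour with `if (iocookie && pr->ps_auxinfo == 0) return (EIO);` ahead of the block, or make the sizing pass skip the note under the same condition. A short comment at the guard would also help a later reader: `/* ps_auxinfo is cached at exec time; 0 means no auxv was placed on the stack */`. Note that `coredump_write(..., UIO_USERSPACE, ...)` still reads the ELF_AUX_WORDS words from the process's own address space, so the dumped vector reflects whatever the process currently has at that address, not a kernel-held copy — only the location is now trusted.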
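Review bot: `pr->ps_auxinfo` is taken from `pack.ep_auxinfo` unconditionally, so the cached value is only as trustworthy as the initialisation of that exec_package field, which is not visible in this hunk; if any exec path leaves `ep_auxinfo` unset, the `pr->ps_auxinfo` guard in coredump_notes_elf would pass on a stale pointer and the dump would read ELF_AUX_WORDS words from an arbitrary address in the process map. It is worth confirming that `pack.ep_auxinfo` is zeroed where the package is set up (or that copyargs always assigns it) and recording that assumption here: `pr->ps_auxinfo = (vaddr_t)pack.ep_auxinfo;	/* 0 when copyargs placed no auxv */`. The assignment also sits before the ps_strings copyout that can still `goto exec_abort`, which is harmless only if exec_abort terminates the process rather than returning to the old image — this hunk does not show that. sys_execve begins and ends outside the hunk.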
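Review bot: The new field's comment does not say when the value is valid, while its neighbours do (`[I]` on ps_sigcode and ps_sigcoderet marks values that never change after creation); ps_auxinfo is rewritten on every exec, so a reader should not be left to guess that it is not `[I]`. Suggest `vaddr_t ps_auxinfo; /* User pointer to auxinfo, reset on exec */`. It is also worth checking that the field lands inside the range struct process copies on fork (not visible here), since it is placed next to ps_strings presumably for that reason; a child that did not inherit it would hold 0 and its core dump would lack the NT_OPENBSD_AUXV note. struct process continues outside the hunk.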