From owner-svn-src-stable-7@FreeBSD.ORG Fri Oct 2 18:09:57 2009
Return-Path:
Delivered-To: svn-src-stable-7@freebsd.org
Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34]) by hub.freebsd.org (Postfix) with ESMTP id 38F821065670; Fri, 2 Oct 2009 18:09:57 +0000 (UTC) (envelope-from simon@FreeBSD.org)
Received: from svn.freebsd.org (svn.freebsd.org [IPv6:2001:4f8:fff6::2c]) by mx1.freebsd.org (Postfix) with ESMTP id 23F248FC12; Fri, 2 Oct 2009 18:09:57 +0000 (UTC)
Received: from svn.freebsd.org (localhost [127.0.0.1]) by svn.freebsd.org (8.14.3/8.14.3) with ESMTP id n92I9u83009086; Fri, 2 Oct 2009 18:09:56 GMT (envelope-from simon@svn.freebsd.org)
Received: (from simon@localhost) by svn.freebsd.org (8.14.3/8.14.3/Submit) id n92I9u1r009085; Fri, 2 Oct 2009 18:09:56 GMT (envelope-from simon@svn.freebsd.org)
Message-Id: <200910021809.n92I9u1r009085@svn.freebsd.org>
From: "Simon L. Nielsen"
Date: Fri, 2 Oct 2009 18:09:56 +0000 (UTC)
To: src-committers@freebsd.org, svn-src-all@freebsd.org, svn-src-stable@freebsd.org, svn-src-stable-7@freebsd.org
X-SVN-Group: stable-7
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Cc:
Subject: svn commit: r197715 - releng/6.3 releng/6.3/sys/conf releng/6.3/sys/fs/devfs releng/6.3/sys/kern releng/6.3/sys/sys releng/6.4 releng/6.4/sys/conf releng/6.4/sys/fs/devfs releng/6.4/sys/kern releng...
X-BeenThere: svn-src-stable-7@freebsd.org
X-Mailman-Version: 2.1.5
Precedence: list
List-Id: SVN commit messages for only the 7-stable src tree
List-Unsubscribe: ,
List-Archive:
List-Post:
List-Help:
List-Subscribe: ,
X-List-Received-Date: Fri, 02 Oct 2009 18:09:57 -0000

Author: simon
Date: Fri Oct 2 18:09:56 2009
New Revision: 197715

URL: http://svn.freebsd.org/changeset/base/197715

Log:
  MFC r197711 (partial) to 6.x and 7.x:
  - Add no zero mapping feature, disabled by default. [EN-09:05]

  MFC 178913,178914,179242,179243,180336,180340 to 6.x:
  - Fix kqueue pipe race conditions. [SA-09:13]

  MFC r192301 to 7.x; 6.x has slightly different fix:
  - Fix devfs / VFS NULL pointer race condition.
  [SA-09:14]

  Security:      FreeBSD-SA-09:13.pipe
  Security:      FreeBSD-SA-09:14.devfs
  Errata:        FreeBSD-EN-09:05.null
  Submitted by:  kib [SA-09:13] [SA-09:14]
  Submitted by:  bz [EN-09:05]
  In collaboration with: jhb, kib, alc [EN-09:05]
  Approved by:   so (simon)

Modified:
  stable/7/sys/kern/kern_exec.c

Changes in other areas also in this revision:
Modified:
  releng/6.3/UPDATING
  releng/6.3/sys/conf/newvers.sh
  releng/6.3/sys/fs/devfs/devfs_vnops.c
  releng/6.3/sys/kern/kern_event.c
  releng/6.3/sys/kern/kern_exec.c
  releng/6.3/sys/kern/kern_fork.c
  releng/6.3/sys/kern/sys_pipe.c
  releng/6.3/sys/sys/event.h
  releng/6.3/sys/sys/pipe.h
  releng/6.4/UPDATING
  releng/6.4/sys/conf/newvers.sh
  releng/6.4/sys/fs/devfs/devfs_vnops.c
  releng/6.4/sys/kern/kern_event.c
  releng/6.4/sys/kern/kern_exec.c
  releng/6.4/sys/kern/kern_fork.c
  releng/6.4/sys/kern/sys_pipe.c
  releng/6.4/sys/sys/event.h
  releng/6.4/sys/sys/pipe.h
  releng/7.1/UPDATING
  releng/7.1/sys/conf/newvers.sh
  releng/7.1/sys/fs/devfs/devfs_vnops.c
  releng/7.1/sys/kern/kern_exec.c
  releng/7.2/UPDATING
  releng/7.2/sys/conf/newvers.sh
  releng/7.2/sys/fs/devfs/devfs_vnops.c
  releng/7.2/sys/kern/kern_exec.c
  stable/6/sys/fs/devfs/devfs_vnops.c
  stable/6/sys/kern/kern_event.c
  stable/6/sys/kern/kern_exec.c
  stable/6/sys/kern/kern_fork.c
  stable/6/sys/kern/sys_pipe.c
  stable/6/sys/sys/event.h
  stable/6/sys/sys/pipe.h

Modified: stable/7/sys/kern/kern_exec.c
==============================================================================
--- stable/7/sys/kern/kern_exec.c Fri Oct 2 17:58:47 2009 (r197714)
+++ stable/7/sys/kern/kern_exec.c Fri Oct 2 18:09:56 2009 (r197715)
@@ -122,6 +122,11 @@ u_long ps_arg_cache_limit = PAGE_SIZE / SYSCTL_ULONG(_kern, OID_AUTO, ps_arg_cache_limit, CTLFLAG_RW, &ps_arg_cache_limit, 0, ""); +static int map_at_zero = 1; +TUNABLE_INT("security.bsd.map_at_zero", &map_at_zero); +SYSCTL_INT(_security_bsd, OID_AUTO, map_at_zero, CTLFLAG_RW, &map_at_zero, 0, + "Permit processes to map an object at virtual address 0."); + static int sysctl_kern_ps_strings(SYSCTL_HANDLER_ARGS) { @@ -939,7 +944,7 @@ exec_new_vmspace(imgp, sv) int error; struct proc *p = imgp->proc; struct vmspace *vmspace = p->p_vmspace; - vm_offset_t stack_addr; + vm_offset_t sv_minuser, stack_addr; vm_map_t map; u_long ssiz; @@ -955,13 +960,17 @@ exec_new_vmspace(imgp, sv) * not disrupted */ map = &vmspace->vm_map; - if (vmspace->vm_refcnt == 1 && vm_map_min(map) == sv->sv_minuser && + if (map_at_zero) + sv_minuser = sv->sv_minuser; + else + sv_minuser = MAX(sv->sv_minuser, PAGE_SIZE); + if (vmspace->vm_refcnt == 1 && vm_map_min(map) == sv_minuser && vm_map_max(map) == sv->sv_maxuser) { shmexit(vmspace); pmap_remove_pages(vmspace_pmap(vmspace)); vm_map_remove(map, vm_map_min(map), vm_map_max(map)); } else { - error = vmspace_exec(p, sv->sv_minuser, sv->sv_maxuser); + error = vmspace_exec(p, sv_minuser, sv->sv_maxuser); if (error) return (error); vmspace = p->p_vmspace;
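Review bot: in the first hunk the new knob defaults to `map_at_zero = 1`, so the mitigation is inert until an administrator sets security.bsd.map_at_zero=0 (as a loader tunable via TUNABLE_INT or at runtime via the CTLFLAG_RW sysctl); that matches the log's "disabled by default", but the description string "Permit processes to map an object at virtual address 0." should also state that a change only takes effect for processes exec'd afterwards, since the value is consulted in exec_new_vmspace() and already-running address spaces are left as they are.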
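Review bot: in the third hunk the vmspace-reuse fast path now compares vm_map_min(map) against sv_minuser, which is derived from the current sysctl value rather than from how the existing map was built, so after the knob is flipped at runtime every exec of a process created under the old setting falls through to vmspace_exec(p, sv_minuser, sv->sv_maxuser); that is the correct outcome (a fresh map with the new minimum), but a short comment above `if (map_at_zero)` would stop a later reader from "simplifying" the comparison back to sv->sv_minuser. It is also worth noting in that comment that MAX(sv->sv_minuser, PAGE_SIZE) only raises the minimum to one page, so an ABI whose sv_minuser is already above PAGE_SIZE is deliberately unaffected.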