From owner-svn-src-all@freebsd.org Tue Mar 26 15:35:51 2019 Return-Path: Delivered-To: svn-src-all@mailman.ysv.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2610:1c1:1:606c::19:1]) by mailman.ysv.freebsd.org (Postfix) with ESMTP id E57F21556567; Tue, 26 Mar 2019 15:35:50 +0000 (UTC) (envelope-from trasz@FreeBSD.org) Received: from mxrelay.nyi.freebsd.org (mxrelay.nyi.freebsd.org [IPv6:2610:1c1:1:606c::19:3]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) server-signature RSA-PSS (4096 bits) client-signature RSA-PSS (4096 bits) client-digest SHA256) (Client CN "mxrelay.nyi.freebsd.org", Issuer "Let's Encrypt Authority X3" (verified OK)) by mx1.freebsd.org (Postfix) with ESMTPS id 89A8070B83; Tue, 26 Mar 2019 15:35:50 +0000 (UTC) (envelope-from trasz@FreeBSD.org) Received: from repo.freebsd.org (repo.freebsd.org [IPv6:2610:1c1:1:6068::e6a:0]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (Client did not present a certificate) by mxrelay.nyi.freebsd.org (Postfix) with ESMTPS id 5BE4421B2D; Tue, 26 Mar 2019 15:35:50 +0000 (UTC) (envelope-from trasz@FreeBSD.org) Received: from repo.freebsd.org ([127.0.1.37]) by repo.freebsd.org (8.15.2/8.15.2) with ESMTP id x2QFZoF6094755; Tue, 26 Mar 2019 15:35:50 GMT (envelope-from trasz@FreeBSD.org) Received: (from trasz@localhost) by repo.freebsd.org (8.15.2/8.15.2/Submit) id x2QFZo0j094754; Tue, 26 Mar 2019 15:35:50 GMT (envelope-from trasz@FreeBSD.org) Message-Id: <201903261535.x2QFZo0j094754@repo.freebsd.org> X-Authentication-Warning: repo.freebsd.org: trasz set sender to trasz@FreeBSD.org using -f From: Edward Tomasz Napierala Date: Tue, 26 Mar 2019 15:35:50 +0000 (UTC) To: src-committers@freebsd.org, svn-src-all@freebsd.org, svn-src-head@freebsd.org Subject: svn commit: r345547 - head/sys/kern X-SVN-Group: head X-SVN-Commit-Author: trasz X-SVN-Commit-Paths: head/sys/kern X-SVN-Commit-Revision: 345547 X-SVN-Commit-Repository: base MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit X-Rspamd-Queue-Id: 89A8070B83 X-Spamd-Bar: -- Authentication-Results: mx1.freebsd.org X-Spamd-Result: default: False [-2.95 / 15.00]; local_wl_from(0.00)[FreeBSD.org]; NEURAL_HAM_MEDIUM(-1.00)[-0.999,0]; NEURAL_HAM_LONG(-1.00)[-1.000,0]; NEURAL_HAM_SHORT(-0.95)[-0.954,0]; ASN(0.00)[asn:11403, ipnet:2610:1c1:1::/48, country:US] X-BeenThere: svn-src-all@freebsd.org X-Mailman-Version: 2.1.29 Precedence: list List-Id: "SVN commit messages for the entire src tree \(except for " user" and " projects" \)" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Tue, 26 Mar 2019 15:35:51 -0000 Author: trasz Date: Tue Mar 26 15:35:49 2019 New Revision: 345547 URL: https://svnweb.freebsd.org/changeset/base/345547 Log: Factor out resource limit enforcement code in the ELF loader. It makes the code slightly easier to follow, and might make it easier to fix the resouce accounting to also account for the interpreter. The PROC_UNLOCK() is moved earlier - I don't see anything it should protect; the lim_max() is a wrapper around lim_rlimit(), and that, differently from lim_rlimit_proc(), doesn't require the proc lock to be held. Reviewed by: kib MFC after: 2 weeks Sponsored by: DARPA, AFRL Differential Revision: https://reviews.freebsd.org/D19689 Modified: head/sys/kern/imgact_elf.c Modified: head/sys/kern/imgact_elf.c ============================================================================== --- head/sys/kern/imgact_elf.c Tue Mar 26 13:53:33 2019 (r345546) +++ head/sys/kern/imgact_elf.c Tue Mar 26 15:35:49 2019 (r345547) @@ -812,6 +812,83 @@ __CONCAT(rnd_, __elfN(base))(vm_map_t map __unused, u_ return (res); } +static int +__elfN(enforce_limits)(struct image_params *imgp, const Elf_Ehdr *hdr, + const Elf_Phdr *phdr, u_long et_dyn_addr) +{ + struct vmspace *vmspace; + const char *err_str; + u_long text_size, data_size, total_size, text_addr, data_addr; + u_long seg_size, seg_addr; + int i; + + err_str = NULL; + text_size = data_size = total_size = text_addr = data_addr = 0; + + for (i = 0; i < hdr->e_phnum; i++) { + if (phdr[i].p_type != PT_LOAD || phdr[i].p_memsz == 0) + continue; + + seg_addr = trunc_page(phdr[i].p_vaddr + et_dyn_addr); + seg_size = round_page(phdr[i].p_memsz + + phdr[i].p_vaddr + et_dyn_addr - seg_addr); + + /* + * Make the largest executable segment the official + * text segment and all others data. + * + * Note that obreak() assumes that data_addr + data_size == end + * of data load area, and the ELF file format expects segments + * to be sorted by address. If multiple data segments exist, + * the last one will be used. + */ + + if ((phdr[i].p_flags & PF_X) != 0 && text_size < seg_size) { + text_size = seg_size; + text_addr = seg_addr; + } else { + data_size = seg_size; + data_addr = seg_addr; + } + total_size += seg_size; + } + + if (data_addr == 0 && data_size == 0) { + data_addr = text_addr; + data_size = text_size; + } + + /* + * Check limits. It should be safe to check the + * limits after loading the segments since we do + * not actually fault in all the segments pages. + */ + PROC_LOCK(imgp->proc); + if (data_size > lim_cur_proc(imgp->proc, RLIMIT_DATA)) + err_str = "Data segment size exceeds process limit"; + else if (text_size > maxtsiz) + err_str = "Text segment size exceeds system limit"; + else if (total_size > lim_cur_proc(imgp->proc, RLIMIT_VMEM)) + err_str = "Total segment size exceeds process limit"; + else if (racct_set(imgp->proc, RACCT_DATA, data_size) != 0) + err_str = "Data segment size exceeds resource limit"; + else if (racct_set(imgp->proc, RACCT_VMEM, total_size) != 0) + err_str = "Total segment size exceeds resource limit"; + PROC_UNLOCK(imgp->proc); + if (err_str != NULL) { + uprintf("%s\n", err_str); + return (ENOMEM); + } + + vmspace = imgp->proc->p_vmspace; + vmspace->vm_tsize = text_size >> PAGE_SHIFT; + vmspace->vm_taddr = (caddr_t)(uintptr_t)text_addr; + vmspace->vm_dsize = data_size >> PAGE_SHIFT; + vmspace->vm_daddr = (caddr_t)(uintptr_t)data_addr; + + return (0); +} + /* * Impossible et_dyn_addr initial value indicating that the real base * must be calculated later with some randomization applied. @@ -827,13 +904,12 @@ __CONCAT(exec_, __elfN(imgact))(struct image_params *i Elf_Auxargs *elf_auxargs; struct vmspace *vmspace; vm_map_t map; - const char *err_str, *newinterp; + const char *newinterp; char *interp, *interp_buf, *path; Elf_Brandinfo *brand_info; struct sysentvec *sv; vm_prot_t prot; - u_long text_size, data_size, total_size, text_addr, data_addr; - u_long seg_size, seg_addr, addr, baddr, et_dyn_addr, entry, proghdr; + u_long addr, baddr, et_dyn_addr, entry, proghdr; u_long maxalign, mapsz, maxv, maxv1; uint32_t fctl0; int32_t osrel; @@ -872,10 +948,9 @@ __CONCAT(exec_, __elfN(imgact))(struct image_params *i baddr = 0; osrel = 0; fctl0 = 0; - text_size = data_size = total_size = text_addr = data_addr = 0; entry = proghdr = 0; interp_name_len = 0; - err_str = newinterp = NULL; + newinterp = NULL; interp = interp_buf = NULL; td = curthread; maxalign = PAGE_SIZE; @@ -1064,30 +1139,6 @@ __CONCAT(exec_, __elfN(imgact))(struct image_params *i <= phdr[i].p_filesz) proghdr = phdr[i].p_vaddr + hdr->e_phoff + et_dyn_addr; - - seg_addr = trunc_page(phdr[i].p_vaddr + et_dyn_addr); - seg_size = round_page(phdr[i].p_memsz + - phdr[i].p_vaddr + et_dyn_addr - seg_addr); - - /* - * Make the largest executable segment the official - * text segment and all others data. - * - * Note that obreak() assumes that data_addr + - * data_size == end of data load area, and the ELF - * file format expects segments to be sorted by - * address. If multiple data segments exist, the - * last one will be used. - */ - - if (phdr[i].p_flags & PF_X && text_size < seg_size) { - text_size = seg_size; - text_addr = seg_addr; - } else { - data_size = seg_size; - data_addr = seg_addr; - } - total_size += seg_size; break; case PT_PHDR: /* Program header table info */ proghdr = phdr[i].p_vaddr + et_dyn_addr; @@ -1096,41 +1147,12 @@ __CONCAT(exec_, __elfN(imgact))(struct image_params *i break; } } - - if (data_addr == 0 && data_size == 0) { - data_addr = text_addr; - data_size = text_size; - } - entry = (u_long)hdr->e_entry + et_dyn_addr; - - /* - * Check limits. It should be safe to check the - * limits after loading the segments since we do - * not actually fault in all the segments pages. - */ - PROC_LOCK(imgp->proc); - if (data_size > lim_cur_proc(imgp->proc, RLIMIT_DATA)) - err_str = "Data segment size exceeds process limit"; - else if (text_size > maxtsiz) - err_str = "Text segment size exceeds system limit"; - else if (total_size > lim_cur_proc(imgp->proc, RLIMIT_VMEM)) - err_str = "Total segment size exceeds process limit"; - else if (racct_set(imgp->proc, RACCT_DATA, data_size) != 0) - err_str = "Data segment size exceeds resource limit"; - else if (racct_set(imgp->proc, RACCT_VMEM, total_size) != 0) - err_str = "Total segment size exceeds resource limit"; - if (err_str != NULL) { - PROC_UNLOCK(imgp->proc); - uprintf("%s\n", err_str); - error = ENOMEM; + error = __elfN(enforce_limits)(imgp, hdr, phdr, et_dyn_addr); + if (error != 0) goto ret; - } - vmspace->vm_tsize = text_size >> PAGE_SHIFT; - vmspace->vm_taddr = (caddr_t)(uintptr_t)text_addr; - vmspace->vm_dsize = data_size >> PAGE_SHIFT; - vmspace->vm_daddr = (caddr_t)(uintptr_t)data_addr; + entry = (u_long)hdr->e_entry + et_dyn_addr; /* * We load the dynamic linker where a userland call @@ -1148,7 +1170,6 @@ __CONCAT(exec_, __elfN(imgact))(struct image_params *i } else { map->anon_loc = addr; } - PROC_UNLOCK(imgp->proc); imgp->entry_addr = entry;