From owner-svn-src-all@freebsd.org Tue May 14 20:19:30 2019 Return-Path: Delivered-To: svn-src-all@mailman.ysv.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2610:1c1:1:606c::19:1]) by mailman.ysv.freebsd.org (Postfix) with ESMTP id 162C6159771C; Tue, 14 May 2019 20:19:30 +0000 (UTC) (envelope-from trasz@FreeBSD.org) Received: from mxrelay.nyi.freebsd.org (mxrelay.nyi.freebsd.org [IPv6:2610:1c1:1:606c::19:3]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) server-signature RSA-PSS (4096 bits) client-signature RSA-PSS (4096 bits) client-digest SHA256) (Client CN "mxrelay.nyi.freebsd.org", Issuer "Let's Encrypt Authority X3" (verified OK)) by mx1.freebsd.org (Postfix) with ESMTPS id B046D82A4E; Tue, 14 May 2019 20:19:29 +0000 (UTC) (envelope-from trasz@FreeBSD.org) Received: from repo.freebsd.org (repo.freebsd.org [IPv6:2610:1c1:1:6068::e6a:0]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (Client did not present a certificate) by mxrelay.nyi.freebsd.org (Postfix) with ESMTPS id 86D6B25E16; Tue, 14 May 2019 20:19:29 +0000 (UTC) (envelope-from trasz@FreeBSD.org) Received: from repo.freebsd.org ([127.0.1.37]) by repo.freebsd.org (8.15.2/8.15.2) with ESMTP id x4EKJT2r063792; Tue, 14 May 2019 20:19:29 GMT (envelope-from trasz@FreeBSD.org) Received: (from trasz@localhost) by repo.freebsd.org (8.15.2/8.15.2/Submit) id x4EKJTlV063791; Tue, 14 May 2019 20:19:29 GMT (envelope-from trasz@FreeBSD.org) Message-Id: <201905142019.x4EKJTlV063791@repo.freebsd.org> X-Authentication-Warning: repo.freebsd.org: trasz set sender to trasz@FreeBSD.org using -f From: Edward Tomasz Napierala Date: Tue, 14 May 2019 20:19:29 +0000 (UTC) To: src-committers@freebsd.org, svn-src-all@freebsd.org, svn-src-stable@freebsd.org, svn-src-stable-12@freebsd.org Subject: svn commit: r347573 - stable/12/sys/kern X-SVN-Group: stable-12 X-SVN-Commit-Author: trasz X-SVN-Commit-Paths: stable/12/sys/kern X-SVN-Commit-Revision: 347573 X-SVN-Commit-Repository: base MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit X-Rspamd-Queue-Id: B046D82A4E X-Spamd-Bar: -- Authentication-Results: mx1.freebsd.org X-Spamd-Result: default: False [-2.98 / 15.00]; local_wl_from(0.00)[FreeBSD.org]; NEURAL_HAM_MEDIUM(-1.00)[-0.998,0]; NEURAL_HAM_LONG(-1.00)[-1.000,0]; NEURAL_HAM_SHORT(-0.98)[-0.979,0]; ASN(0.00)[asn:11403, ipnet:2610:1c1:1::/48, country:US] X-BeenThere: svn-src-all@freebsd.org X-Mailman-Version: 2.1.29 Precedence: list List-Id: "SVN commit messages for the entire src tree \(except for " user" and " projects" \)" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Tue, 14 May 2019 20:19:30 -0000 Author: trasz Date: Tue May 14 20:19:29 2019 New Revision: 347573 URL: https://svnweb.freebsd.org/changeset/base/347573 Log: MFC r345547: Factor out resource limit enforcement code in the ELF loader. It makes the code slightly easier to follow, and might make it easier to fix the resouce accounting to also account for the interpreter. The PROC_UNLOCK() is moved earlier - I don't see anything it should protect; the lim_max() is a wrapper around lim_rlimit(), and that, differently from lim_rlimit_proc(), doesn't require the proc lock to be held. Sponsored by: DARPA, AFRL Modified: stable/12/sys/kern/imgact_elf.c Directory Properties: stable/12/ (props changed) Modified: stable/12/sys/kern/imgact_elf.c ============================================================================== --- stable/12/sys/kern/imgact_elf.c Tue May 14 20:03:19 2019 (r347572) +++ stable/12/sys/kern/imgact_elf.c Tue May 14 20:19:29 2019 (r347573) @@ -813,6 +813,83 @@ __CONCAT(rnd_, __elfN(base))(vm_map_t map __unused, u_ return (res); } +static int +__elfN(enforce_limits)(struct image_params *imgp, const Elf_Ehdr *hdr, + const Elf_Phdr *phdr, u_long et_dyn_addr) +{ + struct vmspace *vmspace; + const char *err_str; + u_long text_size, data_size, total_size, text_addr, data_addr; + u_long seg_size, seg_addr; + int i; + + err_str = NULL; + text_size = data_size = total_size = text_addr = data_addr = 0; + + for (i = 0; i < hdr->e_phnum; i++) { + if (phdr[i].p_type != PT_LOAD || phdr[i].p_memsz == 0) + continue; + + seg_addr = trunc_page(phdr[i].p_vaddr + et_dyn_addr); + seg_size = round_page(phdr[i].p_memsz + + phdr[i].p_vaddr + et_dyn_addr - seg_addr); + + /* + * Make the largest executable segment the official + * text segment and all others data. + * + * Note that obreak() assumes that data_addr + data_size == end + * of data load area, and the ELF file format expects segments + * to be sorted by address. If multiple data segments exist, + * the last one will be used. + */ + + if ((phdr[i].p_flags & PF_X) != 0 && text_size < seg_size) { + text_size = seg_size; + text_addr = seg_addr; + } else { + data_size = seg_size; + data_addr = seg_addr; + } + total_size += seg_size; + } + + if (data_addr == 0 && data_size == 0) { + data_addr = text_addr; + data_size = text_size; + } + + /* + * Check limits. It should be safe to check the + * limits after loading the segments since we do + * not actually fault in all the segments pages. + */ + PROC_LOCK(imgp->proc); + if (data_size > lim_cur_proc(imgp->proc, RLIMIT_DATA)) + err_str = "Data segment size exceeds process limit"; + else if (text_size > maxtsiz) + err_str = "Text segment size exceeds system limit"; + else if (total_size > lim_cur_proc(imgp->proc, RLIMIT_VMEM)) + err_str = "Total segment size exceeds process limit"; + else if (racct_set(imgp->proc, RACCT_DATA, data_size) != 0) + err_str = "Data segment size exceeds resource limit"; + else if (racct_set(imgp->proc, RACCT_VMEM, total_size) != 0) + err_str = "Total segment size exceeds resource limit"; + PROC_UNLOCK(imgp->proc); + if (err_str != NULL) { + uprintf("%s\n", err_str); + return (ENOMEM); + } + + vmspace = imgp->proc->p_vmspace; + vmspace->vm_tsize = text_size >> PAGE_SHIFT; + vmspace->vm_taddr = (caddr_t)(uintptr_t)text_addr; + vmspace->vm_dsize = data_size >> PAGE_SHIFT; + vmspace->vm_daddr = (caddr_t)(uintptr_t)data_addr; + + return (0); +} + /* * Impossible et_dyn_addr initial value indicating that the real base * must be calculated later with some randomization applied. @@ -828,13 +905,12 @@ __CONCAT(exec_, __elfN(imgact))(struct image_params *i Elf_Auxargs *elf_auxargs; struct vmspace *vmspace; vm_map_t map; - const char *err_str, *newinterp; + const char *newinterp; char *interp, *interp_buf, *path; Elf_Brandinfo *brand_info; struct sysentvec *sv; vm_prot_t prot; - u_long text_size, data_size, total_size, text_addr, data_addr; - u_long seg_size, seg_addr, addr, baddr, et_dyn_addr, entry, proghdr; + u_long addr, baddr, et_dyn_addr, entry, proghdr; u_long maxalign, mapsz, maxv, maxv1; uint32_t fctl0; int32_t osrel; @@ -873,10 +949,9 @@ __CONCAT(exec_, __elfN(imgact))(struct image_params *i baddr = 0; osrel = 0; fctl0 = 0; - text_size = data_size = total_size = text_addr = data_addr = 0; entry = proghdr = 0; interp_name_len = 0; - err_str = newinterp = NULL; + newinterp = NULL; interp = interp_buf = NULL; td = curthread; maxalign = PAGE_SIZE; @@ -1065,30 +1140,6 @@ __CONCAT(exec_, __elfN(imgact))(struct image_params *i <= phdr[i].p_filesz) proghdr = phdr[i].p_vaddr + hdr->e_phoff + et_dyn_addr; - - seg_addr = trunc_page(phdr[i].p_vaddr + et_dyn_addr); - seg_size = round_page(phdr[i].p_memsz + - phdr[i].p_vaddr + et_dyn_addr - seg_addr); - - /* - * Make the largest executable segment the official - * text segment and all others data. - * - * Note that obreak() assumes that data_addr + - * data_size == end of data load area, and the ELF - * file format expects segments to be sorted by - * address. If multiple data segments exist, the - * last one will be used. - */ - - if (phdr[i].p_flags & PF_X && text_size < seg_size) { - text_size = seg_size; - text_addr = seg_addr; - } else { - data_size = seg_size; - data_addr = seg_addr; - } - total_size += seg_size; break; case PT_PHDR: /* Program header table info */ proghdr = phdr[i].p_vaddr + et_dyn_addr; @@ -1097,41 +1148,12 @@ __CONCAT(exec_, __elfN(imgact))(struct image_params *i break; } } - - if (data_addr == 0 && data_size == 0) { - data_addr = text_addr; - data_size = text_size; - } - entry = (u_long)hdr->e_entry + et_dyn_addr; - - /* - * Check limits. It should be safe to check the - * limits after loading the segments since we do - * not actually fault in all the segments pages. - */ - PROC_LOCK(imgp->proc); - if (data_size > lim_cur_proc(imgp->proc, RLIMIT_DATA)) - err_str = "Data segment size exceeds process limit"; - else if (text_size > maxtsiz) - err_str = "Text segment size exceeds system limit"; - else if (total_size > lim_cur_proc(imgp->proc, RLIMIT_VMEM)) - err_str = "Total segment size exceeds process limit"; - else if (racct_set(imgp->proc, RACCT_DATA, data_size) != 0) - err_str = "Data segment size exceeds resource limit"; - else if (racct_set(imgp->proc, RACCT_VMEM, total_size) != 0) - err_str = "Total segment size exceeds resource limit"; - if (err_str != NULL) { - PROC_UNLOCK(imgp->proc); - uprintf("%s\n", err_str); - error = ENOMEM; + error = __elfN(enforce_limits)(imgp, hdr, phdr, et_dyn_addr); + if (error != 0) goto ret; - } - vmspace->vm_tsize = text_size >> PAGE_SHIFT; - vmspace->vm_taddr = (caddr_t)(uintptr_t)text_addr; - vmspace->vm_dsize = data_size >> PAGE_SHIFT; - vmspace->vm_daddr = (caddr_t)(uintptr_t)data_addr; + entry = (u_long)hdr->e_entry + et_dyn_addr; /* * We load the dynamic linker where a userland call @@ -1149,7 +1171,6 @@ __CONCAT(exec_, __elfN(imgact))(struct image_params *i } else { map->anon_loc = addr; } - PROC_UNLOCK(imgp->proc); imgp->entry_addr = entry;