Many fixes to the vm system by Yuval Yarom and Bruce Evans
Mark VTEXT executables so that install does not cream them
The following patches were provided by Yuval Yarom and fix the following
problems:
David Greenman:
(Descriptions are in his words. The patches were originally for BSDI, but are
applicable to 386BSD, modified by me when necessary. Patches appear here for
incorporation into 386BSD with his permission. -David Greenman)
1) The page daemon calls vm_map_entry_create to create entries in pager_map.
This call might block waiting for memory.
2) On rare combinations of memory and kernel sizes the system may fault when
allocating the page map structures. The cause of this is that the estimation
of the number of pages is too low, and the map entry for the additional page
does not fit in the allocated page maps space. For example if start is
0x10a000 and end is 0x7fe000, the initial estimation is 1755 pages, while
after allocating the required page map space the system finds out there are
1756 pages free. When attempting to initialize the 1756th page map entry
the system faults.
3) Munmap(2) fails to ensure the user does not deallocate parts of
the kernel context of the process, allowing programs like
main(){munmap(0xfdbfe000,8192);} to crash the system with a double
fault. A similar problem occurs with /dev/vga ioctl VGAIOCUNMAP.
4) Mmap(2) fails to ensure the user does not map onto parts of the kernel
context of the process, allowing programs like
#include <sys/types.h>
#include <sys/mman.h>
main(){mmap(0xfdbfe000,8192,PROT_READ,MAP_ANON|MAP_FIXED|MAP_PRIVATE,0,0);}
to crash the system with a double fault, and providing a great opportunity
for attaining super user privileges.
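The missing check behind problems 3 and 4 is a range validation of the user-supplied address and length before mmap or munmap touches the map. This is an added example, not part of the patch, showing such a check in isolation: the 0xfdbfe000 boundary is taken from the crash programs above and assumed to be where the per-process kernel context begins, and page size 4096 is assumed. The same test applies to each address a ptrace PEEK/POKE request names.

```c
#include <stdint.h>
#include <stdio.h>

/* Constructed constants for this example. USER_TOP is the address from the
 * crash programs above, assumed here to be the start of the kernel context
 * (u-area) that user mappings must never reach. A real kernel takes both
 * values from its VM headers. */
#define PGSZ     4096u
#define USER_TOP 0xfdbfe000u

/* Return 1 if [addr, addr+len) is an acceptable user-mode mapping range,
 * 0 otherwise. Rejects unaligned starts, zero length, arithmetic
 * wraparound, and any overlap with the kernel context. */
int user_range_ok(uint32_t addr, uint32_t len)
{
    uint32_t end;

    if (len == 0)
        return 0;                       /* nothing to map or unmap */
    if (addr % PGSZ != 0)
        return 0;                       /* start must be page aligned */
    if (len > UINT32_MAX - (PGSZ - 1))
        return 0;                       /* rounding up would overflow */
    len = (len + PGSZ - 1) & ~(PGSZ - 1); /* round length up to pages */
    end = addr + len;
    if (end < addr)
        return 0;                       /* wrapped around the address space */
    return end <= USER_TOP;             /* entirely below the kernel context */
}

int main(void)
{
    /* the munmap/mmap calls quoted above hit the u-area itself: rejected */
    printf("0xfdbfe000+8192:   %d\n", user_range_ok(0xfdbfe000u, 8192));
    /* a single page just below the boundary: allowed */
    printf("0xfdbfd000+4096:   %d\n", user_range_ok(0xfdbfd000u, 4096));
    /* starts in user space but runs over the boundary: rejected */
    printf("0xfdbfd000+8192:   %d\n", user_range_ok(0xfdbfd000u, 8192));
    /* length that wraps the 32-bit address space: rejected */
    printf("0x1000+0xfffff000: %d\n", user_range_ok(0x1000u, 0xfffff000u));
    /* unaligned start: rejected */
    printf("0x1001+4096:       %d\n", user_range_ok(0x1001u, 4096));
    return 0;
}
```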
Yuval:
The cause of this problem is that, due to a bug in vm_mmap, unnamed
anonymous memory objects are marked as persistent, and remain in the
object cache. The following patch fixes the problem.
Bruce Evans:
Here are patches to stop ptrace from accessing various inaccessible areas,
to stop direct access to various inaccessible areas from crashing the system,
and a test program. The patch to sys_process.c requires patch00011 from
the patchkit.
Interesting inaccessible areas include:
1. Unmapped pages below the user area: trap.c faults in a page table just to
check these. Up to about 4M of page tables per process may be wasted.
Not fixed.
2. User area. Can be read and written using ptrace. Overwriting the user
stack and some other items can crash the system. There may be security
problems. Not fixed.
3. User page tables. Could be read and written using ptrace. Fixed.
4. Kernel memory. Could be read and written using ptrace. Fixed.
5. Last 8M of memory (2 page tables worth). The top 2 page tables are
special and must not be used for mapping. But ptracing to high addresses
used them and caused panic("pmap_enter: already in pv_tab") on the
second access. Fixed.
Bruce
AUTHOR: Yuval Yarom (???), fwd by David Greenman (davidg@implode.rain.com)
AUTHOR: Bruce Evans (???), fwd by David Greenman (davidg@implode.rain.com)
AUTHOR: Paul Kranenburg (pk@cs.few.eur.nl) (trap.c add counter for vmstat)
386BSD-Patchkit: patch00137