Author: kib
Date: Sat Mar 23 16:36:18 2019
New Revision: 345452
URL: https://svnweb.freebsd.org/changeset/base/345452
Log:
  ASLR: check for max_addr after applying randomization, not before.

  Otherwise resulting address from vm_map_find() might not satisfy the
  upper limit. For instance, it could affect MAP_32BIT flag from 64bit
  processes.

  Found by: Doug Moore <do...@rice.edu>
  Reviewed by: alc, Doug Moore <do...@rice.edu>
  Sponsored by: The FreeBSD Foundation
  MFC after: 1 week
  Differential revision: https://reviews.freebsd.org/D19688

Modified:
  head/sys/vm/vm_map.c

Modified: head/sys/vm/vm_map.c ============================================================================== --- head/sys/vm/vm_map.c Sat Mar 23 16:30:50 2019 (r345451) +++ head/sys/vm/vm_map.c Sat Mar 23 16:36:18 2019 (r345452) @@ -1673,11 +1673,12 @@ again: (max_addr == 0 || max_addr > MAP_32BIT_MAX_ADDR) ? aslr_pages_rnd_64[pidx] : aslr_pages_rnd_32[pidx]; if (vm_map_findspace(map, curr_min_addr, length + - gap * pagesizes[pidx], addr) || - (max_addr != 0 && *addr + length > max_addr)) + gap * pagesizes[pidx], addr)) goto again; /* And randomize the start address. */ *addr += (arc4random() % gap) * pagesizes[pidx]; + if (max_addr != 0 && *addr + length > max_addr) + goto again; } else if (vm_map_findspace(map, curr_min_addr, length, addr) || (max_addr != 0 && *addr + length > max_addr)) { if (cluster) {
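
Review bot: the added `if (max_addr != 0 && *addr + length > max_addr)` after the `*addr += (arc4random() % gap) * pagesizes[pidx];` line has no comment saying why the limit test must follow the randomization, while the non-ASLR `else if` branch just below still keeps the same comparison inside its `vm_map_findspace()` condition. A short comment stating that the upper limit is tested on the randomized address (the MAP_32BIT case named in the log) would stop a later cleanup from folding the test back into the `vm_map_findspace()` call. It is also worth confirming at the `again:` label, which lies outside this hunk, that repeated failures of the new check make progress (a smaller gap or a fallback path), since a range that satisfies `max_addr` only at small offsets now reaches `goto again` after the random offset is applied.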