Control the execution permission of the readable segments for

i386 binaries on the amd64 and ia64 with the sysctl, instead of unconditionally enabling it. Reviewed by: marcel
2011-10-15 12:35:18 +00:00 · 2011-10-15 12:35:18 +00:00 · 126b36a21e
commit 126b36a21e
parent 2b6ae84b63
4 changed files with 16 additions and 4 deletions
--- a/sys/compat/freebsd32/freebsd32_misc.c
+++ b/sys/compat/freebsd32/freebsd32_misc.c
@ -445,7 +445,7 @@ freebsd32_mprotect(struct thread *td, struct freebsd32_mprotect_args *uap)
 	ap.len = uap->len;
 	ap.prot = uap->prot;
 #if defined(__amd64__) || defined(__ia64__)
-	if (ap.prot & PROT_READ)
+	if (i386_read_exec && (ap.prot & PROT_READ) != 0)
 		ap.prot |= PROT_EXEC;
 #endif
 	return (sys_mprotect(td, &ap));
@ -536,7 +536,7 @@ freebsd32_mmap(struct thread *td, struct freebsd32_mmap_args *uap)
 #endif

 #if defined(__amd64__) || defined(__ia64__)
-	if (prot & PROT_READ)
+	if (i386_read_exec && (prot & PROT_READ))
 		prot |= PROT_EXEC;
 #endif

--- a/sys/kern/imgact_elf.c
+++ b/sys/kern/imgact_elf.c
@ -123,6 +123,14 @@ SYSCTL_INT(__CONCAT(_kern_elf, __ELF_WORD_SIZE), OID_AUTO,
    nxstack, CTLFLAG_RW, &__elfN(nxstack), 0,
    __XSTRING(__CONCAT(ELF, __ELF_WORD_SIZE)) ": enable non-executable stack");

+#if __ELF_WORD_SIZE == 32
+#if defined(__amd64__) || defined(__ia64__)
+int i386_read_exec = 0;
+SYSCTL_INT(_kern_elf32, OID_AUTO, read_exec, CTLFLAG_RW, &i386_read_exec, 0,
+    "enable execution from readable segments");
+#endif
+#endif
+
 static Elf_Brandinfo *elf_brand_list[MAX_BRANDS];

 #define	trunc_page_ps(va, ps)	((va) & ~(ps - 1))
@ -1666,7 +1674,7 @@ __elfN(trans_prot)(Elf_Word flags)
 		prot |= VM_PROT_READ;
 #if __ELF_WORD_SIZE == 32
 #if defined(__amd64__) || defined(__ia64__)
-	if (flags & PF_R)
+	if (i386_read_exec && (flags & PF_R))
 		prot |= VM_PROT_EXECUTE;
 #endif
 #endif
--- a/sys/sys/sysent.h
+++ b/sys/sys/sysent.h
@ -151,6 +151,10 @@ extern struct sysentvec null_sysvec;
 extern struct sysent sysent[];
 extern const char *syscallnames[];

+#if defined(__amd64__) || defined(__ia64__)
+extern int i386_read_exec;
+#endif
+
 #define	NO_SYSCALL (-1)

 struct module;
--- a/sys/vm/vm_unix.c
+++ b/sys/vm/vm_unix.c
@ -141,7 +141,7 @@ sys_obreak(td, uap)
 		prot = VM_PROT_RW;
 #ifdef COMPAT_FREEBSD32
 #if defined(__amd64__) || defined(__ia64__)
-		if (SV_PROC_FLAG(td->td_proc, SV_ILP32))
+		if (i386_read_exec && SV_PROC_FLAG(td->td_proc, SV_ILP32))
 			prot |= VM_PROT_EXECUTE;
 #endif
 #endif