svn commit: r226388 - in head/sys: compat/freebsd32 kern sys vm

Konstantin Belousov kib at FreeBSD.org
Sat Oct 15 12:35:19 UTC 2011


Author: kib
Date: Sat Oct 15 12:35:18 2011
New Revision: 226388
URL: http://svn.freebsd.org/changeset/base/226388

Log:
  Control the execution permission of the readable segments for
  i386 binaries on the amd64 and ia64 with the sysctl, instead of
  unconditionally enabling it.
  
  Reviewed by:	marcel

Modified:
  head/sys/compat/freebsd32/freebsd32_misc.c
  head/sys/kern/imgact_elf.c
  head/sys/sys/sysent.h
  head/sys/vm/vm_unix.c

Modified: head/sys/compat/freebsd32/freebsd32_misc.c
==============================================================================
--- head/sys/compat/freebsd32/freebsd32_misc.c	Sat Oct 15 12:33:24 2011	(r226387)
+++ head/sys/compat/freebsd32/freebsd32_misc.c	Sat Oct 15 12:35:18 2011	(r226388)
@@ -445,7 +445,7 @@ freebsd32_mprotect(struct thread *td, st
 	ap.len = uap->len;
 	ap.prot = uap->prot;
 #if defined(__amd64__) || defined(__ia64__)
-	if (ap.prot & PROT_READ)
+	if (i386_read_exec && (ap.prot & PROT_READ) != 0)
 		ap.prot |= PROT_EXEC;
 #endif
 	return (sys_mprotect(td, &ap));
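Review bot: The read-permission test added in this freebsd32_mprotect hunk is written `(ap.prot & PROT_READ) != 0`, while the same check added in freebsd32_mmap and in __elfN(trans_prot) uses the bare mask, `(prot & PROT_READ)` and `(flags & PF_R)`. All three lines are touched by this commit, so they could share one form, for example `if (i386_read_exec && (prot & PROT_READ) != 0)` in freebsd32_mmap and `if (i386_read_exec && (flags & PF_R) != 0)` in trans_prot. The body of freebsd32_mprotect starts outside the hunk.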
@@ -536,7 +536,7 @@ freebsd32_mmap(struct thread *td, struct
 #endif
 
 #if defined(__amd64__) || defined(__ia64__)
-	if (prot & PROT_READ)
+	if (i386_read_exec && (prot & PROT_READ))
 		prot |= PROT_EXEC;
 #endif
 

Modified: head/sys/kern/imgact_elf.c
==============================================================================
--- head/sys/kern/imgact_elf.c	Sat Oct 15 12:33:24 2011	(r226387)
+++ head/sys/kern/imgact_elf.c	Sat Oct 15 12:35:18 2011	(r226388)
@@ -123,6 +123,14 @@ SYSCTL_INT(__CONCAT(_kern_elf, __ELF_WOR
     nxstack, CTLFLAG_RW, &__elfN(nxstack), 0,
     __XSTRING(__CONCAT(ELF, __ELF_WORD_SIZE)) ": enable non-executable stack");
 
+#if __ELF_WORD_SIZE == 32
+#if defined(__amd64__) || defined(__ia64__)
+int i386_read_exec = 0;
+SYSCTL_INT(_kern_elf32, OID_AUTO, read_exec, CTLFLAG_RW, &i386_read_exec, 0,
+    "enable execution from readable segments");
+#endif
+#endif
+
 static Elf_Brandinfo *elf_brand_list[MAX_BRANDS];
 
 #define	trunc_page_ps(va, ps)	((va) & ~(ps - 1))
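Review bot: The description string `"enable execution from readable segments"` and the uncommented `int i386_read_exec = 0;` do not say how far the knob reaches. The other hunks of this commit consult it in freebsd32_mprotect, freebsd32_mmap, trans_prot and sys_obreak, so it also governs mmap/mprotect requests and the heap of 32-bit processes, not only ELF segments. A comment above the definition such as `/* Nonzero: readable mappings of 32-bit processes (ELF segments, mmap, mprotect, brk) also get execute permission; sampled at each call. */` would record that. As far as this diff shows, mappings created earlier are not revisited when the value changes, which is worth stating in the same comment. Because setting it to 1 relaxes no-execute protection for every 32-bit process, `CTLFLAG_RW | CTLFLAG_SECURE` may be worth considering so the value cannot be changed at raised securelevel. The neighbouring nxstack knob uses plain CTLFLAG_RW, so that is a policy choice rather than a defect.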
@@ -1666,7 +1674,7 @@ __elfN(trans_prot)(Elf_Word flags)
 		prot |= VM_PROT_READ;
 #if __ELF_WORD_SIZE == 32
 #if defined(__amd64__) || defined(__ia64__)
-	if (flags & PF_R)
+	if (i386_read_exec && (flags & PF_R))
 		prot |= VM_PROT_EXECUTE;
 #endif
 #endif

Modified: head/sys/sys/sysent.h
==============================================================================
--- head/sys/sys/sysent.h	Sat Oct 15 12:33:24 2011	(r226387)
+++ head/sys/sys/sysent.h	Sat Oct 15 12:35:18 2011	(r226388)
@@ -151,6 +151,10 @@ extern struct sysentvec null_sysvec;
 extern struct sysent sysent[];
 extern const char *syscallnames[];
 
+#if defined(__amd64__) || defined(__ia64__)
+extern int i386_read_exec;
+#endif
+
 #define	NO_SYSCALL (-1)
 
 struct module;

Modified: head/sys/vm/vm_unix.c
==============================================================================
--- head/sys/vm/vm_unix.c	Sat Oct 15 12:33:24 2011	(r226387)
+++ head/sys/vm/vm_unix.c	Sat Oct 15 12:35:18 2011	(r226388)
@@ -141,7 +141,7 @@ sys_obreak(td, uap)
 		prot = VM_PROT_RW;
 #ifdef COMPAT_FREEBSD32
 #if defined(__amd64__) || defined(__ia64__)
-		if (SV_PROC_FLAG(td->td_proc, SV_ILP32))
+		if (i386_read_exec && SV_PROC_FLAG(td->td_proc, SV_ILP32))
 			prot |= VM_PROT_EXECUTE;
 #endif
 #endif

