Disable PAX_SEGVGUARD.

We actually have a big problem: the fileassocs are never deleted.
Therefore, if a user generates a lot of buggy binaries and launches them
all, the kernel will allocate memory again and again for all these
entries and will never free them (unless the files are deleted from the
disk). Which means that a user can too easily put the kernel under memory
pressure.
maxv 2015-09-26 16:33:16 +00:00
parent 9ed595918a
commit 87ee1fdec1
5 changed files with 12 additions and 15 deletions


@ -1,4 +1,4 @@
# $NetBSD: GENERIC,v 1.365 2015/08/08 06:36:24 maxv Exp $
# $NetBSD: GENERIC,v 1.366 2015/09/26 16:33:16 maxv Exp $
#
# This machine description file is used to generate the default NetBSD
# kernel.
@ -19,7 +19,7 @@ include "arch/alpha/conf/std.alpha"
options INCLUDE_CONFIG_FILE # embed config file in kernel binary
ident "GENERIC-$Revision: 1.365 $"
ident "GENERIC-$Revision: 1.366 $"
maxusers 32
@ -789,5 +789,4 @@ pseudo-device putter # for puffs and pud
#options VERIFIED_EXEC_FP_MD5
options PAX_MPROTECT=0 # PaX mprotect(2) restrictions
#options PAX_SEGVGUARD=0 # PaX Segmentation fault guard
options PAX_ASLR=0 # PaX Address Space Layout Randomization
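Review bot: The `#options PAX_SEGVGUARD=0` line in the last hunk of this file still carries only the feature description, so nothing in the config tells a later reader why the guard is off or what must be fixed before it is turned back on. I would put the reason next to it, for example `# PAX_SEGVGUARD is disabled: its fileassoc entries are never freed, so a user can put the kernel under memory pressure`. The same applies to the matching line in the other four config files in this commit. The rendering has lost the +/- markers, so I am reading the commented-out line as the new side.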


@ -1,4 +1,4 @@
# $NetBSD: ALL,v 1.30 2015/08/08 06:36:24 maxv Exp $
# $NetBSD: ALL,v 1.31 2015/09/26 16:33:16 maxv Exp $
# From NetBSD: GENERIC,v 1.787 2006/10/01 18:37:54 bouyer Exp
#
# ALL machine description file
@ -17,7 +17,7 @@ include "arch/amd64/conf/std.amd64"
options INCLUDE_CONFIG_FILE # embed config file in kernel binary
#ident "ALL-$Revision: 1.30 $"
#ident "ALL-$Revision: 1.31 $"
maxusers 64 # estimated number of users
@ -1633,7 +1633,7 @@ options VERIFIED_EXEC_FP_MD5
options PAX_MPROTECT=0 # PaX mprotect(2) restrictions
options PAX_ASLR=0 # PaX Address Space Layout Randomization
options PAX_SEGVGUARD=0 # PaX Segmentation fault guard
#options PAX_SEGVGUARD=0 # PaX Segmentation fault guard
#
# NetBSD: GENERIC_ISDN,v 1.16 2010/01/03 03:53:34 dholland Exp
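Review bot: Commenting `PAX_SEGVGUARD` out of ALL means this configuration no longer compiles the segvguard code, which matters if ALL exists to build every option (its header only says "ALL machine description file", so that is an assumption). The problem described in the commit message is unbounded memory growth at run time, not a build failure, so the code could go stale unnoticed while the option is off. I would at least mark the line so it is restored together with the fix, e.g. `# XXX re-enable once segvguard fileassoc entries are freed`. The i386 ALL section has the same change.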


@ -1,4 +1,4 @@
# $NetBSD: A64EMUL,v 1.4 2015/08/12 07:53:57 maxv Exp $
# $NetBSD: A64EMUL,v 1.5 2015/09/26 16:33:16 maxv Exp $
#
# This machine description file is used to generate the default NetBSD
# kernel.
@ -19,7 +19,7 @@ include "arch/evbarm64/conf/std.a64emul"
options INCLUDE_CONFIG_FILE # embed config file in kernel binary
ident "A64EMUL-$Revision: 1.4 $"
ident "A64EMUL-$Revision: 1.5 $"
maxusers 32
@ -267,5 +267,4 @@ pseudo-device putter # for puffs and pud
#options VERIFIED_EXEC_FP_MD5
#options PAX_MPROTECT=0 # PaX mprotect(2) restrictions
#options PAX_SEGVGUARD=0 # PaX Segmentation fault guard
#options PAX_ASLR=0 # PaX Address Space Layout Randomization


@ -1,4 +1,4 @@
# $NetBSD: ALL,v 1.395 2015/09/26 11:16:12 maxv Exp $
# $NetBSD: ALL,v 1.396 2015/09/26 16:33:16 maxv Exp $
# From NetBSD: GENERIC,v 1.787 2006/10/01 18:37:54 bouyer Exp
#
# ALL machine description file
@ -17,7 +17,7 @@ include "arch/i386/conf/std.i386"
options INCLUDE_CONFIG_FILE # embed config file in kernel binary
#ident "ALL-$Revision: 1.395 $"
#ident "ALL-$Revision: 1.396 $"
maxusers 64 # estimated number of users
@ -1823,7 +1823,7 @@ options VERIFIED_EXEC_FP_MD5
options PAX_MPROTECT=0 # PaX mprotect(2) restrictions
options PAX_ASLR=0 # PaX Address Space Layout Randomization
options PAX_SEGVGUARD=0 # PaX Segmentation fault guard
#options PAX_SEGVGUARD=0 # PaX Segmentation fault guard
#
# NetBSD: GENERIC_ISDN,v 1.16 2010/01/03 03:53:34 dholland Exp


@ -1,4 +1,4 @@
# $NetBSD: GENERIC,v 1.122 2015/08/08 06:36:26 maxv Exp $
# $NetBSD: GENERIC,v 1.123 2015/09/26 16:33:16 maxv Exp $
#
# Generic Shark configuration.
#
@ -7,7 +7,7 @@ include "arch/shark/conf/std.shark"
options INCLUDE_CONFIG_FILE # embed config file in kernel binary
#ident "GENERIC-$Revision: 1.122 $"
#ident "GENERIC-$Revision: 1.123 $"
# estimated number of users
maxusers 32
@ -330,5 +330,4 @@ pseudo-device putter # for puffs and pud
#options VERIFIED_EXEC_FP_MD5
options PAX_MPROTECT=0 # PaX mprotect(2) restrictions
#options PAX_SEGVGUARD=0 # PaX Segmentation fault guard
options PAX_ASLR=0 # PaX Address Space Layout Randomization