and make the stack and heap non-executable by default. the changes
fall into two basic catagories:
- pmap and trap-handler changes. these are all MD:
= alpha: we already track per-page execute permission with the (software)
PG_EXEC bit, so just have the trap handler pay attention to it.
= i386: use a new GDT segment for %cs for processes that have no
executable mappings above a certain threshold (currently the
bottom of the stack). track per-page execute permission with
the last unused PTE bit.
= powerpc/ibm4xx: just use the hardware exec bit.
= powerpc/oea: we already track per-page exec bits, but the hardware only
implements non-exec mappings at the segment level. so track the
number of executable mappings in each segment and turn on the no-exec
segment bit iff the count is 0. adjust the trap handler to deal.
= sparc (sun4m): fix our use of the hardware protection bits.
fix the trap handler to recognize text faults.
= sparc64: split the existing unified TSB into data and instruction TSBs,
and only load TTEs into the appropriate TSB(s) for the permissions.
fix the trap handler to check for execute permission.
= not yet implemented: amd64, hppa, sh5
- changes in all the emulations that put a signal trampoline on the stack.
instead, we now put the trampoline into a uvm_aobj and map that into
the process separately.
originally from openbsd, adapted for netbsd by me.
caveats, but works quite well in a lot of MP cases, and all
UP cases that I have tested. Parts of this will hopefully be
reworked in the not-too-distant future.
trap/interrupt/syscall entry from userspace.
Remove special-case "by hand" validation of fs/gs register values as
well as special handling of them in various signal handling paths.
Now, like %ds and %es, they are validated by the hardware on return to
userland.
This paves the way for the use of %fs for per-cpu data on
multiprocessor systems, and fixes an otherwise difficult-to-fix
interaction between threads/clone(2) and USER_LDT.
Discussed in advance with Frank van der Linden.
need to access this when we have the proclist locked for reading,
and thus cannot store it in the PCB (which may be swapped out).
As part of this, call pmap_activate() from cpu_switch() to switch
to the new address space, and refresh the PCB's copy of the LDT
selector from the pmap structure (see above paragraph). We need
to do this for MP support anyhow.
Fixes a "panic: spinlock_switchcheck: CPU 0 has 1 spin locks" via
gdt_compact() reported by Nathan Williams.
which set the LDT and share VM space (e.g. new versions of WINE) expect
the LDT to be logically coupled to the address space. Use the new pmap_fork()
interface to copy non-shared user-set LDTs when the address space is forked.
Map kernel stacks only at unique addresses.
Use one TSS per process.
Add sysarch calls for modifying IOPL and the I/O permission bitmap.
Add a compacting GDT entry allocator, for TSS and LDT selectors.
Enable modifying %fs and %gs with PT_SETREGS.
Sanitize various bits of code.