Print this page
7029 want per-process exploit mitigation features (secflags)
7030 want basic address space layout randomization (aslr)
7031 noexec_user_stack should be a secflag
7032 want a means to forbid mappings around NULL.

@@ -63,17 +63,24 @@
 int use_stk_lpg = 1;
 
 static int brk_lpg(caddr_t nva);
 static int grow_lpg(caddr_t sp);
 
-int
+intptr_t
 brk(caddr_t nva)
 {
         int error;
         proc_t *p = curproc;
 
         /*
+         * As a special case to aid the implementation of sbrk(3C), if given a
+         * new brk of 0, return the current brk.  We'll hide this in brk(3C).
+         */
+        if (nva == 0)
+                return ((intptr_t)(p->p_brkbase + p->p_brksize));
+
+        /*
          * Serialize brk operations on an address space.
          * This also serves as the lock protecting p_brksize
          * and p_brkpageszc.
          */
         as_rangelock(p->p_as);

@@ -488,14 +495,14 @@
         p->p_stksize = newsize;
         return (0);
 }
 
 /*
- * Find address for user to map.
- * If MAP_FIXED is not specified, we can pick any address we want, but we will
- * first try the value in *addrp if it is non-NULL.  Thus this is implementing
- * a way to try and get a preferred address.
+ * Find address for user to map.  If MAP_FIXED is not specified, we can pick
+ * any address we want, but we will first try the value in *addrp if it is
+ * non-NULL and _MAP_RANDOMIZE is not set.  Thus this is implementing a way to
+ * try and get a preferred address.
  */
 int
 choose_addr(struct as *as, caddr_t *addrp, size_t len, offset_t off,
     int vacalign, uint_t flags)
 {

@@ -504,11 +511,12 @@
 
         ASSERT(AS_ISCLAIMGAP(as));      /* searches should be serialized */
         if (flags & MAP_FIXED) {
                 (void) as_unmap(as, *addrp, len);
                 return (0);
-        } else if (basep != NULL && ((flags & MAP_ALIGN) == 0) &&
+        } else if (basep != NULL &&
+            ((flags & (MAP_ALIGN | _MAP_RANDOMIZE)) == 0) &&
             !as_gap(as, len, &basep, &lenp, 0, *addrp)) {
                 /* User supplied address was available */
                 *addrp = basep;
         } else {
                 /*

@@ -610,10 +618,23 @@
 
         if ((flags & (MAP_TEXT | MAP_INITDATA)) == (MAP_TEXT | MAP_INITDATA)) {
                 return (EINVAL);
         }
 
+        if ((flags & (MAP_FIXED | _MAP_RANDOMIZE)) ==
+            (MAP_FIXED | _MAP_RANDOMIZE)) {
+                return (EINVAL);
+        }
+
+        /*
+         * If it's not a fixed allocation and mmap ASLR is enabled, randomize
+         * it.
+         */
+        if (((flags & MAP_FIXED) == 0) &&
+            secflag_enabled(curproc, PROC_SEC_ASLR))
+                flags |= _MAP_RANDOMIZE;
+
 #if defined(__sparc)
         /*
          * See if this is an "old mmap call".  If so, remember this
          * fact and convert the flags value given to mmap to indicate
          * the specified address in the system call must be used.

@@ -628,11 +649,10 @@
         if (type != MAP_PRIVATE && type != MAP_SHARED)
                 return (EINVAL);
 
 
         if (flags & MAP_ALIGN) {
-
                 if (flags & MAP_FIXED)
                         return (EINVAL);
 
                 /* alignment needs to be a power of 2 >= page size */
                 if (((uintptr_t)*addrp < PAGESIZE && (uintptr_t)*addrp != 0) ||