the locking in proctext() is wrong. we have to acquire Proc.seglock
when reading segments from Proc.seg[] as segments do not
have a private freelist and can therefore be reused for other
data structures.
once we have Proc.seglock acquired, check that the process pid
is still valid so we wont accidentally read some other processes
segments. (for both proctext() and procctlmemio()). this also
should give better error message to distinguish the case when
the process did segdetach() the segment in question before we
could acquire Proc.seglock.
declare private functions as static.
there was a small window between modifying mmutop and switching the
asid where the core could bring in the new entries under the old asid
into the tlb due to speculation / prefetching.
this change moves the entering of the page tables into mmutop after
setttbr() to prevent this scenario.
due to us switching to the resereved asid 0 on procsave()->putasid(),
the only asid that could have potentially been poisoned would be asid 0
which does not have any user mappings. so this did not show any noticable
effect.
when a process state has not been saved (Proc.mach != nil)
then the contents of Proc.sched should be considered invalid.
to approximate a stacktrace in this case, we use the error
stack and get a stacktrace from the last waserror() call.
pexit() and pprint() can get called outside of a syscall
(from procctl()) with a process that is in active note
handling and require floating point in the kernel on amd64
for aesni (devtls).
This fixes ocaml on non-x86 architectures, where we have code
that looks like:
#define Fl_head ((uintptr_t)(&sentinel.first_field))
Without this change, we get an error about a non-constant
initializer. This change takes the checks for pointers and
makes them apply to all expressions. It also makes the checks
stricter, preventing the following from compiling to junk:
int x;
int y = 42;
int *p = &x + y
the following code reproduces the crash:
void
foo(void)
{
}
void
main(int argc, char **argv)
{
(void)(1 ? (void)0 : foo());
}
the problem is that side() gives a false positive on the OCOND
with later constant folding eleminating the acutal side effect
and OCAST ending up with two nested OCATS with the nested one
being zapped (type == T).
make exec() clear the per process error string
to avoid spurious errors and confusion.
the errstr() syscall used to always swap the
maximum buffer size with memmove(), which is
problematic as this gives access to the garbage
beyond the NUL byte. worse, newproc(), werrstr()
and rerrstr() only clear the first byte of the
input buffer. so random stack rubble could be
leaked across processes.
we change the errstr() syscall to not copy
beyond the NUL byte.
the manpage also documents that errstr() should
truncate on a utf8 boundary so we use utfecpy()
to ensure proper NUL termination.
kvik writes:
dnsquery(8) prints the interactive prompt on stdout together with
query results, making scripted usage unnecessarily difficult.
A straightforward solution is prompting on stderr instead: as
practiced by rc(1), among many others -- promptly taking care of
the issue:
; echo 9front.org mx | ndb/dnsquery >[2]/dev/null
kvik writes:
I needed to convert the RSA private key that was laying around in
secstore into a format understood by UNIX® tools like SSH.
With asn12rsa(8) we can go from the ASN.1/DER to Plan 9 format, but not
back - so I wrote the libsec function asn1encodeRSApriv(2) and used it in
rsa2asn1(8) by adding the -a flag which causes the full private key to be
encoded and output.
the idea is to catch bugs and make kernel exploitation
harder by mapping the kernel text section readonly
and everything else no-execute.
l.s maps the KZERO address space using 2MB pages so
to get the 4K granularity for the text section we use
the new ptesplit() function to split that mapping up.
we need to set EFER no-execute enable bit early
in apbootstrap so secondary application processors
will understand the NX bit in our shared kernel page
tables. also APBOOTSTRAP needs to be kept executable.
rebootjump() needs to mark REBOOTADDR page executable.
mischief reports:
this assembler input assembles with 6a but makes 6l crash.
// 6a l.s
// 6l l.6
// _intrr: unknown relation: TEXT in _intrr
// 6l 511: suicide: sys: trap: fault write addr=0x18 pc=0x20789c
TEXT noteret(SB), 1, $-4
CLI
JMP _intrestore // works when commented
TEXT _intrr(SB), 1, $-4
_intrestore:
RET
TEXT _main(SB), 1, $-4
RET
the user should not be able to change the cache
attributes for a segment in segattach() as this
can cause the same memory to be mapped with
conflicting attributes in the cache.
SG_TEXT should always be mapped with SG_RONLY
attribute. so fix data2txt() to follow the rules.
fault() now has an additional pc argument that is
used to detect fault on a non-executable segment.
that is, we check on read fault if the segment
has the SG_NOEXEC attribute and the program counter
is within faulting page.
a portable SG_NOEXEC segment attribute was added to allow
non-executable (physical) segments. which will set the
PTENOEXEC bits for putmmu().
in the future, this can be used to make non-executable
stack / bss segments.
the SG_DEVICE attribute was added to distinguish between
mmio regions and uncached memory. only matterns on arm64.
on arm, theres the issue that PTEUNCACHED would have
no bits set when using the hardware bit definitions.
this is the reason bcm, kw, teg2 and omap kernels use
arteficial PTE constants. on zynq, the XN bit was used
as a hack to give PTEUNCACHED a non-zero value and when
the bit is clear then cache attributes where added to
the pte.
to fix this, PTECACHED constant was added.
the portable mmu code in fault.c will now explicitely set
PTECACHED bits for cached memory and PTEUNCACHED for
uncached memory. that way the hardware bit definitions
can be used everywhere.
