From fbdea4be1892e85e7f4952308b0ba48e435f8082 Mon Sep 17 00:00:00 2001 From: simon Date: Fri, 2 Oct 2009 18:09:56 +0000 Subject: [PATCH] MFC r197711 (partial) to 6.x and 7.x: - Add no zero mapping feature, disabled by default. [EN-09:05] MFC 178913,178914,179242,179243,180336,180340 to 6.x: - Fix kqueue pipe race conditions. [SA-09:13] MFC r192301 to 7.x; 6.x has slightly different fix: - Fix devfs / VFS NULL pointer race condition. [SA-09:14] Security: FreeBSD-SA-09:13.pipe Security: FreeBSD-SA-09:14.devfs Errata: FreeBSD-EN-09:05.null Submitted by: kib [SA-09:13] [SA-09:14] Submitted by: bz [EN-09:05] In collaboration with: jhb, kib, alc [EN-09:05] Approved by: so (simon) git-svn-id: svn://svn.freebsd.org/base/releng/7.2@197715 ccf9f872-aa2e-dd11-9fc8-001c23d0bc1f --- UPDATING | 5 +++++ sys/conf/newvers.sh | 2 +- sys/fs/devfs/devfs_vnops.c | 1 + sys/kern/kern_exec.c | 15 ++++++++++++--- 4 files changed, 19 insertions(+), 4 deletions(-) diff --git a/UPDATING b/UPDATING index 19b10910..6e613aa5 100644 --- a/UPDATING +++ b/UPDATING @@ -8,6 +8,11 @@ Items affecting the ports and packages system can be found in /usr/ports/UPDATING. Please read that file before running portupgrade. +20091002: p4 FreeBSD-SA-09:14.devfs FreeBSD-EN-09:05.null + Fix devfs / VFS NULL pointer race condition. [SA-09:14] + + Add no zero mapping feature. [EN-09:05] + 20090729: p3 FreeBSD-SA-09:12.bind Fix BIND named(8) dynamic update message remote DoS. diff --git a/sys/conf/newvers.sh b/sys/conf/newvers.sh index bbf24306..f573105c 100644 --- a/sys/conf/newvers.sh +++ b/sys/conf/newvers.sh @@ -32,7 +32,7 @@ TYPE="FreeBSD" REVISION="7.2" -BRANCH="RELEASE-p3" +BRANCH="RELEASE-p4" if [ "X${BRANCH_OVERRIDE}" != "X" ]; then BRANCH=${BRANCH_OVERRIDE} fi diff --git a/sys/fs/devfs/devfs_vnops.c b/sys/fs/devfs/devfs_vnops.c index 97f27b66..097a1c69 100644 --- a/sys/fs/devfs/devfs_vnops.c +++ b/sys/fs/devfs/devfs_vnops.c 
@@ -890,6 +890,7 @@ devfs_open(struct vop_open_args *ap)
 if (fp != NULL) {
 FILE_LOCK(fp);
 fp->f_data = dev;
+ fp->f_vnode = vp;
 FILE_UNLOCK(fp);
 }
 fpop = td->td_fpop;
diff --git a/sys/kern/kern_exec.c b/sys/kern/kern_exec.c
index f760f655..12aad92b 100644
--- a/sys/kern/kern_exec.c
+++ b/sys/kern/kern_exec.c
@@ -122,6 +122,11 @@ u_long ps_arg_cache_limit = PAGE_SIZE / 16;
 SYSCTL_ULONG(_kern, OID_AUTO, ps_arg_cache_limit, CTLFLAG_RW,
 &ps_arg_cache_limit, 0, "");
 
+static int map_at_zero = 1;
+TUNABLE_INT("security.bsd.map_at_zero", &map_at_zero);
+SYSCTL_INT(_security_bsd, OID_AUTO, map_at_zero, CTLFLAG_RW, &map_at_zero, 0,
+ "Permit processes to map an object at virtual address 0.");
+
 static int
 sysctl_kern_ps_strings(SYSCTL_HANDLER_ARGS)
 {
@@ -939,7 +944,7 @@ exec_new_vmspace(imgp, sv)
 int error;
 struct proc *p = imgp->proc;
 struct vmspace *vmspace = p->p_vmspace;
- vm_offset_t stack_addr;
+ vm_offset_t sv_minuser, stack_addr;
 vm_map_t map;
 u_long ssiz;
 
@@ -955,13 +960,17 @@ exec_new_vmspace(imgp, sv)
 * not disrupted
 */
 map = &vmspace->vm_map;
- if (vmspace->vm_refcnt == 1 && vm_map_min(map) == sv->sv_minuser &&
+ if (map_at_zero)
+ sv_minuser = sv->sv_minuser;
+ else
+ sv_minuser = MAX(sv->sv_minuser, PAGE_SIZE);
+ if (vmspace->vm_refcnt == 1 && vm_map_min(map) == sv_minuser &&
 vm_map_max(map) == sv->sv_maxuser) {
 shmexit(vmspace);
 pmap_remove_pages(vmspace_pmap(vmspace));
 vm_map_remove(map, vm_map_min(map), vm_map_max(map));
 } else {
- error = vmspace_exec(p, sv->sv_minuser, sv->sv_maxuser);
+ error = vmspace_exec(p, sv_minuser, sv->sv_maxuser);
 if (error)
 return (error);
 vmspace = p->p_vmspace;
-- 
2.45.0
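Review bot: The new `fp->f_vnode = vp;` store inside the FILE_LOCK section carries no comment saying why it has to be published together with `fp->f_data` under the same lock, which is the substance of the fix and will not be obvious to the next reader. Suggest `/* Publish f_vnode together with f_data under FILE_LOCK so a racing consumer that sees f_data set cannot still find f_vnode NULL. */` above the store; that reading of the race is inferred from the commit message (SA-09:14, NULL pointer race) rather than from code visible here. It is also worth confirming that `vp` is still held at this point, so the file handle is not left pointing at a vnode that has since been released. devfs_open starts and ends outside the hunk.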
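Review bot: The description string on the new `SYSCTL_INT` line does not say when the knob takes effect; within this patch `map_at_zero` is read only in `exec_new_vmspace`, so writing the CTLFLAG_RW sysctl changes nothing for processes already running and is applied only at their next exec. Suggest `"Permit processes to map an object at virtual address 0 (evaluated at exec time)."` and a one-line comment above the definition, `/* 1 keeps the historic behaviour (page 0 mappable); 0 keeps the lowest page out of new user maps from exec onward. */`, which also documents that the default of 1 is what the commit message means by "disabled by default". If changing the description string is unwanted, the comment alone carries the point.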
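Review bot: The new `if (map_at_zero) ... else sv_minuser = MAX(sv->sv_minuser, PAGE_SIZE);` block needs a comment on its interaction with the reuse test just below it: after the knob is changed, a process whose current map still starts at the old minimum fails `vm_map_min(map) == sv_minuser` and is sent down the `vmspace_exec` path instead of being wiped in place, which appears intended (a fresh map with the new bounds) but is easy to misread as an accidental loss of the fast path. Suggest `/* With map_at_zero == 0 the first page is kept out of the user map; a vmspace built under the other setting fails the min check below and is replaced through vmspace_exec. */`. Reading `map_at_zero` once into `sv_minuser` is also what keeps the two uses below consistent if the sysctl is written concurrently; a short note saying so would help. exec_new_vmspace starts and ends outside the hunk.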