bdrewery/gist:212365

## gistfile1.diff
--- src/sys/kern/kern_exec.c	(revision 171)
+++ src/sys/kern/kern_exec.c	(working copy)
@@ -83,6 +83,7 @@
 static int sysctl_kern_ps_strings(SYSCTL_HANDLER_ARGS);
 static int sysctl_kern_usrstack(SYSCTL_HANDLER_ARGS);
 static int sysctl_kern_stackprot(SYSCTL_HANDLER_ARGS);
+static int sysctl_kern_stackgap_random(SYSCTL_HANDLER_ARGS);
 static int do_execve(struct thread *td, struct image_args *args,
     struct mac *mac_p);

@@ -97,6 +98,9 @@
 SYSCTL_PROC(_kern, OID_AUTO, stackprot, CTLTYPE_INT|CTLFLAG_RD,
     NULL, 0, sysctl_kern_stackprot, "I", "");

+SYSCTL_PROC(_kern, OID_AUTO, stackgap_random, CTLTYPE_INT|CTLFLAG_RW,
+    NULL, 0, sysctl_kern_stackgap_random, "I", "stackgap maximum offset");
+
 u_long ps_arg_cache_limit = PAGE_SIZE / 16;
 SYSCTL_ULONG(_kern, OID_AUTO, ps_arg_cache_limit, CTLFLAG_RW,
     &ps_arg_cache_limit, 0, "");
@@ -149,6 +153,26 @@
 	    sizeof(p->p_sysent->sv_stackprot)));
 }

+static int stackgap_random = 64 * 1024;
+
+static int
+sysctl_kern_stackgap_random(SYSCTL_HANDLER_ARGS)
+{
+	int error, val;
+
+	val = stackgap_random;
+	error = sysctl_handle_int(oidp, &val, sizeof(int), req);
+	if (error || !req->newptr)
+		return (error);
+
+	if ((val < ALIGNBYTES && (val != 0)) ||
+	    !powerof2(val) || val > 64 * 1024 * 1024)
+		return (EINVAL);
+
+	stackgap_random = val;
+	return (0);
+}
+
 /*
  * Each of the items is a pointer to a `const struct execsw', hence the
  * double pointer here.
@@ -1044,6 +1068,7 @@
 	struct ps_strings *arginfo;
 	struct proc *p;
 	int szsigcode;
+	int sgap;

 	/*
 	 * Calculate string base and vector table pointers.
@@ -1054,7 +1079,10 @@
 	arginfo = (struct ps_strings *)p->p_sysent->sv_psstrings;
 	if (p->p_sysent->sv_szsigcode != NULL)
 		szsigcode = *(p->p_sysent->sv_szsigcode);
-	destp =	(caddr_t)arginfo - szsigcode - SPARE_USRSPACE -
+	sgap = 0;
+	if (stackgap_random != 0)
+		sgap = ALIGN(arc4random() & (stackgap_random - 1));
+	destp =	(caddr_t)arginfo - szsigcode - SPARE_USRSPACE - sgap -
 	    roundup((ARG_MAX - imgp->args->stringspace), sizeof(char *));

 	/*
	--- src/sys/kern/kern_exec.c (revision 171)
	+++ src/sys/kern/kern_exec.c (working copy)
	@@ -83,6 +83,7 @@
	static int sysctl_kern_ps_strings(SYSCTL_HANDLER_ARGS);
	static int sysctl_kern_usrstack(SYSCTL_HANDLER_ARGS);
	static int sysctl_kern_stackprot(SYSCTL_HANDLER_ARGS);
	+static int sysctl_kern_stackgap_random(SYSCTL_HANDLER_ARGS);
	static int do_execve(struct thread td, struct image_args args,
	struct mac *mac_p);

	@@ -97,6 +98,9 @@
	SYSCTL_PROC(_kern, OID_AUTO, stackprot, CTLTYPE_INT\|CTLFLAG_RD,
	NULL, 0, sysctl_kern_stackprot, "I", "");

	+SYSCTL_PROC(_kern, OID_AUTO, stackgap_random, CTLTYPE_INT\|CTLFLAG_RW,
	+ NULL, 0, sysctl_kern_stackgap_random, "I", "stackgap maximum offset");
	+
	u_long ps_arg_cache_limit = PAGE_SIZE / 16;
	SYSCTL_ULONG(_kern, OID_AUTO, ps_arg_cache_limit, CTLFLAG_RW,
	&ps_arg_cache_limit, 0, "");
	@@ -149,6 +153,26 @@
	sizeof(p->p_sysent->sv_stackprot)));
	}

	+static int stackgap_random = 64 * 1024;
	+
	+static int
	+sysctl_kern_stackgap_random(SYSCTL_HANDLER_ARGS)
	+{
	+ int error, val;
	+
	+ val = stackgap_random;
	+ error = sysctl_handle_int(oidp, &val, sizeof(int), req);
	+ if (error \|\| !req->newptr)
	+ return (error);
	+
	+ if ((val < ALIGNBYTES && (val != 0)) \|\|
	+ !powerof2(val) \|\| val > 64 * 1024 * 1024)
	+ return (EINVAL);
	+
	+ stackgap_random = val;
	+ return (0);
	+}
	+
	/*
	* Each of the items is a pointer to a `const struct execsw', hence the
	* double pointer here.
	@@ -1044,6 +1068,7 @@
	struct ps_strings *arginfo;
	struct proc *p;
	int szsigcode;
	+ int sgap;

	/*
	* Calculate string base and vector table pointers.
	@@ -1054,7 +1079,10 @@
	arginfo = (struct ps_strings *)p->p_sysent->sv_psstrings;
	if (p->p_sysent->sv_szsigcode != NULL)
	szsigcode = *(p->p_sysent->sv_szsigcode);
	- destp = (caddr_t)arginfo - szsigcode - SPARE_USRSPACE -
	+ sgap = 0;
	+ if (stackgap_random != 0)
	+ sgap = ALIGN(arc4random() & (stackgap_random - 1));
	+ destp = (caddr_t)arginfo - szsigcode - SPARE_USRSPACE - sgap -
	roundup((ARG_MAX - imgp->args->stringspace), sizeof(char *));

	/*