Module Name: src Committed By: snj Date: Tue Feb 14 16:57:57 UTC 2017
Modified Files: src/sys/compat/linux/arch/amd64 [netbsd-6-0]: linux_machdep.c Log Message: Pull up following revision(s) (requested by maxv in ticket #1433): sys/compat/linux/arch/amd64/linux_machdep.c: 1.50, 1.51 Don't let userland choose %rip. This is the Intel Sysret vulnerability again. -- Make sure %rip is in userland. This is harmless, since the return to userland is made with iret instead of sysret in this path. While here, use size_t. To generate a diff of this commit: cvs rdiff -u -r1.39 -r1.39.10.1 \ src/sys/compat/linux/arch/amd64/linux_machdep.c Please note that diffs are not public domain; they are subject to the copyright notices on the relevant files.
Modified files:
Index: src/sys/compat/linux/arch/amd64/linux_machdep.c
diff -u src/sys/compat/linux/arch/amd64/linux_machdep.c:1.39 src/sys/compat/linux/arch/amd64/linux_machdep.c:1.39.10.1
--- src/sys/compat/linux/arch/amd64/linux_machdep.c:1.39 Fri Nov 18 04:07:43 2011
+++ src/sys/compat/linux/arch/amd64/linux_machdep.c Tue Feb 14 16:57:57 2017
@@ -1,4 +1,4 @@
-/* $NetBSD: linux_machdep.c,v 1.39 2011/11/18 04:07:43 christos Exp $ */
+/* $NetBSD: linux_machdep.c,v 1.39.10.1 2017/02/14 16:57:57 snj Exp $ */
 /*-
  * Copyright (c) 2005 Emmanuel Dreyfus, all rights reserved.
@@ -33,7 +33,7 @@
 #include <sys/cdefs.h>
-__KERNEL_RCSID(0, "$NetBSD: linux_machdep.c,v 1.39 2011/11/18 04:07:43 christos Exp $");
+__KERNEL_RCSID(0, "$NetBSD: linux_machdep.c,v 1.39.10.1 2017/02/14 16:57:57 snj Exp $");
 #include <sys/param.h>
 #include <sys/types.h>
@@ -254,7 +254,12 @@ linux_sendsig(const ksiginfo_t *ksi, con
 if (error != 0) {
 sigexit(l, SIGILL);
 return;
- }
+ }
+
+ if ((vaddr_t)catcher >= VM_MAXUSER_ADDRESS) {
+ sigexit(l, SIGILL);
+ return;
+ }
 linux_buildcontext(l, catcher, sp);
 tf->tf_rdi = sigframe.info.lsi_signo;
@@ -485,7 +490,7 @@ linux_usertrap(struct lwp *l, vaddr_t tr
 {
 struct trapframe *tf = arg;
 uint64_t retaddr;
- int vsyscallnr;
+ size_t vsyscallnr;
 /*
  * Check for a vsyscall. %rip must be the fault address,
@@ -515,6 +520,8 @@ linux_usertrap(struct lwp *l, vaddr_t tr
  */
 if (copyin((void *)tf->tf_rsp, &retaddr, sizeof retaddr) != 0)
 return 0;
+ if ((vaddr_t)retaddr >= VM_MAXUSER_ADDRESS)
+ return 0;
 tf->tf_rip = retaddr;
 tf->tf_rax = linux_vsyscall_to_syscall[vsyscallnr];
 tf->tf_rsp += 8; /* "pop" the return address */
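Review bot: The new `catcher` range check in linux_sendsig carries no comment, and the reason for it — the log message's point that a %rip outside the user range handed to the return-to-userland path is the sysret problem again — cannot be recovered from the code; a comment such as `/* Never let userland choose a %rip outside the user range (sysret issue). */` above the `if` would keep the check from being taken for a redundant sanity test and removed later. The check also repeats the `sigexit(l, SIGILL); return;` sequence of the `error != 0` test directly above it; folding both into one condition, `if (error != 0 || (vaddr_t)catcher >= VM_MAXUSER_ADDRESS) {`, would state the rejection once, and the outcome for a bad handler address (process terminated with SIGILL) could be noted there. Where `catcher` is assigned, and whether the frame copyout that sets `error` could be preceded by this check so that nothing is written to the user stack for a doomed delivery, lies above the hunk and outside this view; linux_sendsig begins and ends outside the hunk.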
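Review bot: The rejection outcome for a bad address differs between the two new checks without a comment recording that this is deliberate: linux_sendsig terminates the process with SIGILL, while the `retaddr` check here returns 0 from linux_usertrap and leaves the trapframe untouched. The log message says this path returns to userland with iret, so the check is defensive; stating that in place, `/* Defensive: this path returns via iret, but never install a %rip outside the user range. */`, would save the next reader from wondering why the milder outcome is safe here. The `size_t vsyscallnr` change in the preceding hunk (new line 490) makes the `linux_vsyscall_to_syscall[vsyscallnr]` index only as safe as the range check on `vsyscallnr`, which lies between the two hunks and outside this view; that check should be re-read with the now-unsigned type in mind, since a `< 0` test, if there was one, is now always false. linux_usertrap begins and ends outside these hunks.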