Module Name: src Committed By: maxv Date: Thu Feb 9 08:23:46 UTC 2017
Modified Files: src/sys/arch/amd64/amd64: locore.S Log Message: Restore %ds before swapgs. Movs to segment registers are allowed to fault in kernel mode but simply cause a signal to be sent to userland. The thing is, in this case %gs is not restored when entering the trap routine, which means the kernel uses userland's TLS instead of using its own — which, in short, makes it easy to escalate privileges. Currently, this bug is triggered only in one place, which I am about to fix too. To generate a diff of this commit: cvs rdiff -u -r1.119 -r1.120 src/sys/arch/amd64/amd64/locore.S Please note that diffs are not public domain; they are subject to the copyright notices on the relevant files.
Modified files:
Index: src/sys/arch/amd64/amd64/locore.S
diff -u src/sys/arch/amd64/amd64/locore.S:1.119 src/sys/arch/amd64/amd64/locore.S:1.120
--- src/sys/arch/amd64/amd64/locore.S:1.119	Thu Feb 2 19:12:09 2017
+++ src/sys/arch/amd64/amd64/locore.S	Thu Feb 9 08:23:46 2017
@@ -1,4 +1,4 @@
-/* $NetBSD: locore.S,v 1.119 2017/02/02 19:12:09 maxv Exp $ */
+/* $NetBSD: locore.S,v 1.120 2017/02/09 08:23:46 maxv Exp $ */
 
 /*
  * Copyright-o-rama!
@@ -1310,16 +1310,15 @@ do_syscall:
 	testl $(MDL_IRET|MDL_COMPAT32),L_MD_FLAGS(%r14)
 	INTR_RESTORE_GPRS
 	movw TF_ES(%rsp),%es
+	movw TF_DS(%rsp),%ds
 	SWAPGS
 	jnz 2f
 #ifndef XEN
 	movq TF_RIP(%rsp),%rcx /* %rip for sysret */
 	movq TF_RFLAGS(%rsp),%r11 /* %flags for sysret */
-	movw TF_DS(%rsp),%ds
 	movq TF_RSP(%rsp),%rsp
 	sysretq
 #else
-	movw TF_DS(%rsp),%ds
 	addq $TF_RIP,%rsp
 	pushq $256 /* VGCF_IN_SYSCALL */
 	jmp HYPERVISOR_iret
@@ -1332,7 +1331,6 @@ do_syscall:
  * then a SIGSEGV will be signalled.
  */
 2:
-	movw TF_DS(%rsp),%ds
 	addq $TF_RIP,%rsp
 	iretq
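Review bot: The added `movw TF_DS(%rsp),%ds` in the do_syscall hunk sits between the `testl` and the `jnz 2f` that consumes its flags, and nothing in the hunk records that the ordering relative to SWAPGS is deliberate, so a later reorder that moves a segment load back below SWAPGS would silently reintroduce the fault-with-user-%gs condition this commit fixes. Suggest a comment on the %es/%ds pair, `/* Restore %es/%ds before SWAPGS: a faulting segment load must trap with the kernel %gs base in place. MOV to a segment register leaves RFLAGS alone, so the testl result still reaches jnz. */`. Placing the %ds load inside the live-flags window is safe because MOV Sreg does not write flags; INTR_RESTORE_GPRS is defined outside the hunk and is presumably flag-neutral as well, which is worth stating in the same comment. The iretq path at label 2 in the third hunk now also depends on this early restore, and do_syscall's body begins and ends outside the hunk.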