Module Name:    src
Committed By:   maxv
Date:           Thu Feb  9 08:23:46 UTC 2017

Modified Files:
        src/sys/arch/amd64/amd64: locore.S

Log Message:
Restore %ds before swapgs. Movs to segment registers are allowed to fault
in kernel mode but simply cause a signal to be sent to userland. The thing
is, in this case %gs is not restored when entering the trap routine, which
means the kernel uses userland's TLS instead of using its own. Which in
short makes it easy to escalate privileges.

Currently, this bug is triggered only in one place, which I am about to
fix too.


To generate a diff of this commit:
cvs rdiff -u -r1.119 -r1.120 src/sys/arch/amd64/amd64/locore.S

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.

Modified files:

Index: src/sys/arch/amd64/amd64/locore.S
diff -u src/sys/arch/amd64/amd64/locore.S:1.119 src/sys/arch/amd64/amd64/locore.S:1.120
--- src/sys/arch/amd64/amd64/locore.S:1.119	Thu Feb  2 19:12:09 2017
+++ src/sys/arch/amd64/amd64/locore.S	Thu Feb  9 08:23:46 2017
@@ -1,4 +1,4 @@
-/*	$NetBSD: locore.S,v 1.119 2017/02/02 19:12:09 maxv Exp $	*/
+/*	$NetBSD: locore.S,v 1.120 2017/02/09 08:23:46 maxv Exp $	*/
 
 /*
  * Copyright-o-rama!
@@ -1310,16 +1310,15 @@ do_syscall:
 	testl	$(MDL_IRET|MDL_COMPAT32),L_MD_FLAGS(%r14)
 	INTR_RESTORE_GPRS
 	movw	TF_ES(%rsp),%es
+	movw	TF_DS(%rsp),%ds
 	SWAPGS
 	jnz	2f
 #ifndef XEN
 	movq	TF_RIP(%rsp),%rcx	/* %rip for sysret */
 	movq	TF_RFLAGS(%rsp),%r11	/* %flags for sysret */
-	movw	TF_DS(%rsp),%ds
 	movq	TF_RSP(%rsp),%rsp
 	sysretq
 #else
-	movw	TF_DS(%rsp),%ds
 	addq	$TF_RIP,%rsp
 	pushq	$256	/* VGCF_IN_SYSCALL */
 	jmp	HYPERVISOR_iret
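Review bot: The relocated `movw TF_DS(%rsp),%ds` now sits between the `testl` at the top of the hunk and the `jnz 2f`, so the branch depends on INTR_RESTORE_GPRS, the two segment loads and SWAPGS all leaving RFLAGS intact; that holds for these instructions, but it is an invariant a later edit could silently break, so it deserves a comment such as `/* ZF from the testl above must survive to the jnz */` next to the %ds load. Loading %ds (like %es just above it) while %gs still carries the kernel base means a faulting user selector is handled with the kernel's GS, which is the fix the log describes; the removals in the XEN branch here and in the iretq path of the next hunk are the matching cleanup. do_syscall begins outside the hunk.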
@@ -1332,7 +1331,6 @@ do_syscall:
  * then a SIGSEGV will be signalled.
  */
 2:
-	movw	TF_DS(%rsp),%ds
 	addq	$TF_RIP,%rsp
 	iretq
 
