amd64

Maxime Villard Thu, 23 Mar 2017 10:26:18 -0700

Module Name:    src
Committed By:   maxv
Date:           Thu Mar 23 17:25:51 UTC 2017


Modified Files:
        src/sys/arch/amd64/amd64: locore.S machdep.c trap.c

Log Message:
Remove this call gate on amd64, it is useless and vulnerable.

Call gates do not modify %rflags, so interrupts are not disabled when
entering the gate. There is a small window where we are in kernel mode and
with a userland %gs, and if an interrupt happens here we will rejump into
the kernel but not switch to the kernel TLS.

Userland can simply perform a gate call in a loop, and hope that at some
point an interrupt will be received in this window - which necessarily will
be the case. With a specially-crafted %gs it is certainly enough to
escalate privileges.


To generate a diff of this commit:
cvs rdiff -u -r1.121 -r1.122 src/sys/arch/amd64/amd64/locore.S
cvs rdiff -u -r1.253 -r1.254 src/sys/arch/amd64/amd64/machdep.c
cvs rdiff -u -r1.94 -r1.95 src/sys/arch/amd64/amd64/trap.c

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.

Modified files:

Index: src/sys/arch/amd64/amd64/locore.S
diff -u src/sys/arch/amd64/amd64/locore.S:1.121 src/sys/arch/amd64/amd64/locore.S:1.122
--- src/sys/arch/amd64/amd64/locore.S:1.121	Thu Feb  9 19:30:56 2017
+++ src/sys/arch/amd64/amd64/locore.S	Thu Mar 23 17:25:51 2017
@@ -1,4 +1,4 @@
-/*	$NetBSD: locore.S,v 1.121 2017/02/09 19:30:56 maxv Exp $	*/
+/*	$NetBSD: locore.S,v 1.122 2017/03/23 17:25:51 maxv Exp $	*/
 
 /*
  * Copyright-o-rama!
@@ -1399,27 +1399,6 @@ NENTRY(lwp_trampoline)
 END(lwp_trampoline)
 
 /*
- * oosyscall()
- *
- * Old call gate entry for syscall. only needed if we're
- * going to support running old i386 NetBSD 1.0 or ibcs2 binaries, etc,
- * on NetBSD/amd64.
- * The 64bit call gate can't request that arguments be copied from the
- * user stack (which the i386 code uses to get a gap for the flags).
- * push/pop are <read>:<modify_sp>:<write> cycles.
- */
-IDTVEC(oosyscall)
-	/* Set rflags in trap frame. */
-	pushq	(%rsp)		/* move user's %eip */
-	pushq	16(%rsp)	/* and %cs */
-	popq	8(%rsp)
-	pushfq
-	popq	16(%rsp)
-	pushq	$7		/* size of instruction for restart */
-	jmp	osyscall1
-IDTVEC_END(oosyscall)
-
-/*
  * osyscall()
  *
  * Trap gate entry for int $80 syscall, also used by sigreturn.

Index: src/sys/arch/amd64/amd64/machdep.c
diff -u src/sys/arch/amd64/amd64/machdep.c:1.253 src/sys/arch/amd64/amd64/machdep.c:1.254
--- src/sys/arch/amd64/amd64/machdep.c:1.253	Fri Mar 10 14:54:12 2017
+++ src/sys/arch/amd64/amd64/machdep.c	Thu Mar 23 17:25:51 2017
@@ -1,4 +1,4 @@
-/*	$NetBSD: machdep.c,v 1.253 2017/03/10 14:54:12 maxv Exp $	*/
+/*	$NetBSD: machdep.c,v 1.254 2017/03/23 17:25:51 maxv Exp $	*/
 
 /*-
  * Copyright (c) 1996, 1997, 1998, 2000, 2006, 2007, 2008, 2011
@@ -111,7 +111,7 @@
  */
 
 #include <sys/cdefs.h>
-__KERNEL_RCSID(0, "$NetBSD: machdep.c,v 1.253 2017/03/10 14:54:12 maxv Exp $");
+__KERNEL_RCSID(0, "$NetBSD: machdep.c,v 1.254 2017/03/23 17:25:51 maxv Exp $");
 
 /* #define XENDEBUG_LOW  */
 
@@ -1452,7 +1452,6 @@ typedef void (vector)(void);
 extern vector IDTVEC(syscall);
 extern vector IDTVEC(syscall32);
 extern vector IDTVEC(osyscall);
-extern vector IDTVEC(oosyscall);
 extern vector *IDTVEC(exceptions)[];
 
 static void
@@ -1642,11 +1641,8 @@ init_x86_64(paddr_t first_avail)
 #endif
 
 	/*
-	 * Make LDT gates and memory segments.
+	 * Make LDT memory segments.
 	 */
-	setgate((struct gate_descriptor *)(ldtstore + LSYS5CALLS_SEL),
-	    &IDTVEC(oosyscall), 0, SDT_SYS386CGT, SEL_UPL,
-	    GSEL(GCODE_SEL, SEL_KPL));
 	*(struct mem_segment_descriptor *)(ldtstore + LUCODE_SEL) =
 	    *GDT_ADDR_MEM(gdtstore, GUCODE_SEL);
 	*(struct mem_segment_descriptor *)(ldtstore + LUDATA_SEL) =
@@ -1677,16 +1673,6 @@ init_x86_64(paddr_t first_avail)
 	set_mem_segment(ldt_segp, 0, x86_btop(VM_MAXUSER_ADDRESS32) - 1,
 	    SDT_MEMRWA, SEL_UPL, 1, 1, 0);
 
-	/*
-	 * Other LDT entries.
-	 */
-	memcpy((struct gate_descriptor *)(ldtstore + LSOL26CALLS_SEL),
-	    (struct gate_descriptor *)(ldtstore + LSYS5CALLS_SEL),
-	    sizeof (struct gate_descriptor));
-	memcpy((struct gate_descriptor *)(ldtstore + LBSDICALLS_SEL),
-	    (struct gate_descriptor *)(ldtstore + LSYS5CALLS_SEL),
-	    sizeof (struct gate_descriptor));
-
 	/* CPU-specific IDT exceptions. */
 	for (x = 0; x < NCPUIDT; x++) {
 #ifndef XEN

Index: src/sys/arch/amd64/amd64/trap.c
diff -u src/sys/arch/amd64/amd64/trap.c:1.94 src/sys/arch/amd64/amd64/trap.c:1.95
--- src/sys/arch/amd64/amd64/trap.c:1.94	Sat Mar 18 13:39:23 2017
+++ src/sys/arch/amd64/amd64/trap.c	Thu Mar 23 17:25:51 2017
@@ -1,4 +1,4 @@
-/*	$NetBSD: trap.c,v 1.94 2017/03/18 13:39:23 maxv Exp $	*/
+/*	$NetBSD: trap.c,v 1.95 2017/03/23 17:25:51 maxv Exp $	*/
 
 /*-
  * Copyright (c) 1998, 2000 The NetBSD Foundation, Inc.
@@ -68,7 +68,7 @@
  */
 
 #include <sys/cdefs.h>
-__KERNEL_RCSID(0, "$NetBSD: trap.c,v 1.94 2017/03/18 13:39:23 maxv Exp $");
+__KERNEL_RCSID(0, "$NetBSD: trap.c,v 1.95 2017/03/23 17:25:51 maxv Exp $");
 
 #include "opt_ddb.h"
 #include "opt_kgdb.h"
@@ -222,7 +222,6 @@ trap(struct trapframe *frame)
 	struct proc *p;
 	struct pcb *pcb;
 	extern char fusuintrfailure[], kcopy_fault[];
-	extern char IDTVEC(oosyscall)[];
 	extern char IDTVEC(osyscall)[];
 	extern char IDTVEC(syscall32)[];
 #ifndef XEN
@@ -692,8 +691,7 @@ faultcommon:
 			break;
 
 		/* Check whether they single-stepped into a lcall. */
-		if (frame->tf_rip == (uint64_t)IDTVEC(oosyscall) ||
-		    frame->tf_rip == (uint64_t)IDTVEC(osyscall) ||
+		if (frame->tf_rip == (uint64_t)IDTVEC(osyscall) ||
 		    frame->tf_rip == (uint64_t)IDTVEC(syscall32)) {
 			frame->tf_rflags &= ~PSL_T;
 			return;

CVS commit: src/sys/arch/amd64/amd64

Reply via email to