Module Name: src Committed By: maxv Date: Tue Aug 8 17:27:34 UTC 2017
Modified Files: src/sys/arch/amd64/amd64: process_machdep.c Log Message: Mmh, don't overwrite tf_err and tf_trapno. Looks like it can be used to exploit the intel sysret vulnerability once again. To generate a diff of this commit: cvs rdiff -u -r1.32 -r1.33 src/sys/arch/amd64/amd64/process_machdep.c Please note that diffs are not public domain; they are subject to the copyright notices on the relevant files.
Modified files:
Index: src/sys/arch/amd64/amd64/process_machdep.c
diff -u src/sys/arch/amd64/amd64/process_machdep.c:1.32 src/sys/arch/amd64/amd64/process_machdep.c:1.33
--- src/sys/arch/amd64/amd64/process_machdep.c:1.32 Thu Feb 23 03:34:22 2017
+++ src/sys/arch/amd64/amd64/process_machdep.c Tue Aug 8 17:27:34 2017
@@ -1,4 +1,4 @@
-/* $NetBSD: process_machdep.c,v 1.32 2017/02/23 03:34:22 kamil Exp $ */
+/* $NetBSD: process_machdep.c,v 1.33 2017/08/08 17:27:34 maxv Exp $ */
 /*-
 * Copyright (c) 1998, 2000 The NetBSD Foundation, Inc.
@@ -76,7 +76,7 @@
 #include <sys/cdefs.h>
-__KERNEL_RCSID(0, "$NetBSD: process_machdep.c,v 1.32 2017/02/23 03:34:22 kamil Exp $");
+__KERNEL_RCSID(0, "$NetBSD: process_machdep.c,v 1.33 2017/08/08 17:27:34 maxv Exp $");
 #include <sys/param.h>
 #include <sys/systm.h>
@@ -141,6 +141,7 @@ process_write_regs(struct lwp *l, const
 struct trapframe *tf = process_frame(l);
 int error;
 const long *regs = regp->regs;
+ int err, trapno;
 /*
 * Check for security violations.
@@ -151,10 +152,16 @@ process_write_regs(struct lwp *l, const
 if (error != 0)
 return error;
+ err = tf->tf_err;
+ trapno = tf->tf_trapno;
+
 #define copy_to_frame(reg, REG, idx) tf->tf_##reg = regs[_REG_##REG];
 _FRAME_GREG(copy_to_frame)
 #undef copy_to_frame
+ tf->tf_err = err;
+ tf->tf_trapno = trapno;
+
 return (0);
 }
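Review bot: The new `int err, trapno;` in the `@@ -141,6 +141,7 @@` hunk may be narrower than the trapframe slots it is used to save. The copy macro in the following hunk fills every `tf_` field from a `const long *`, which suggests 64-bit fields, although the `struct trapframe` declaration is not on this page. If that holds, the saved values round-trip through a 32-bit signed int before being written back; declaring the temporaries with the fields' own type, e.g. `uint64_t err, trapno;`, keeps the restore exact. process_write_regs starts above this hunk and continues past it.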
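Review bot: The save and restore of `tf_err`/`tf_trapno` around `_FRAME_GREG(copy_to_frame)` in the `@@ -151,10 +152,16 @@` hunk carries no comment, so the security reason lives only in the commit log and a later cleanup could remove the four lines as redundant. I would add above the save something like `/* tf_err and tf_trapno are set by the kernel; never take them from the caller-supplied regs. */`. The restore also protects only these two slots: `_FRAME_GREG` is defined outside this hunk, so it is worth confirming that no other kernel-owned frame field is in its list. Copying only the user-settable registers would be a more durable shape than copying everything and then undoing two fields. The function begins outside the hunk.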