Module Name:    src
Committed By:   maxv
Date:           Tue Aug  8 17:27:34 UTC 2017

Modified Files:
        src/sys/arch/amd64/amd64: process_machdep.c

Log Message:
Mmh, don't overwrite tf_err and tf_trapno. Looks like it can be used to
exploit the intel sysret vulnerability once again.


To generate a diff of this commit:
cvs rdiff -u -r1.32 -r1.33 src/sys/arch/amd64/amd64/process_machdep.c

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.

Modified files:

Index: src/sys/arch/amd64/amd64/process_machdep.c
diff -u src/sys/arch/amd64/amd64/process_machdep.c:1.32 src/sys/arch/amd64/amd64/process_machdep.c:1.33
--- src/sys/arch/amd64/amd64/process_machdep.c:1.32	Thu Feb 23 03:34:22 2017
+++ src/sys/arch/amd64/amd64/process_machdep.c	Tue Aug  8 17:27:34 2017
@@ -1,4 +1,4 @@
-/*	$NetBSD: process_machdep.c,v 1.32 2017/02/23 03:34:22 kamil Exp $	*/
+/*	$NetBSD: process_machdep.c,v 1.33 2017/08/08 17:27:34 maxv Exp $	*/
 
 /*-
  * Copyright (c) 1998, 2000 The NetBSD Foundation, Inc.
@@ -76,7 +76,7 @@
 
 
 #include <sys/cdefs.h>
-__KERNEL_RCSID(0, "$NetBSD: process_machdep.c,v 1.32 2017/02/23 03:34:22 kamil Exp $");
+__KERNEL_RCSID(0, "$NetBSD: process_machdep.c,v 1.33 2017/08/08 17:27:34 maxv Exp $");
 
 #include <sys/param.h>
 #include <sys/systm.h>
@@ -141,6 +141,7 @@ process_write_regs(struct lwp *l, const 
 	struct trapframe *tf = process_frame(l);
 	int error;
 	const long *regs = regp->regs;
+	int err, trapno;
 
 	/*
 	 * Check for security violations.
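Review bot: The new temporaries in `int err, trapno;` may be narrower than the trapframe fields they save. The register source is `const long *regs`, so if `tf_err` and `tf_trapno` are 64-bit slots like the other copied registers (the struct definition is not visible here), the round trip through `int` keeps only the low 32 bits and sign-extends on the way back. The values involved are probably small enough that nothing is lost in practice, but declaring them with the fields' own type, e.g. `uint64_t err, trapno;`, removes the doubt. The body of process_write_regs begins before this hunk and continues past it.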
@@ -151,10 +152,16 @@ process_write_regs(struct lwp *l, const 
 	if (error != 0)
 		return error;
 
+	err = tf->tf_err;
+	trapno = tf->tf_trapno;
+
 #define copy_to_frame(reg, REG, idx) tf->tf_##reg = regs[_REG_##REG];
 	_FRAME_GREG(copy_to_frame)
 #undef copy_to_frame
 
+	tf->tf_err = err;
+	tf->tf_trapno = trapno;
+
 	return (0);
 }
 
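Review bot: The save and restore of `tf_err` and `tf_trapno` around `_FRAME_GREG(copy_to_frame)` carries no comment explaining why, so a later cleanup could drop it as redundant and let the caller-supplied `regs` set those fields again. A comment above `err = tf->tf_err;` such as `/* tf_err and tf_trapno are kernel-owned; never take them from the caller-supplied regs. */` would record the intent. The fix is also a deny-list: any other field that `_FRAME_GREG` copies and that the caller should not control is still written, so the macro's field list (not visible here) is worth auditing, or such fields could be excluded from the copy rather than restored afterwards. The security check that precedes this code lies partly outside the hunk.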
