Module Name: src
Committed By: maxv
Date: Tue Aug 8 17:27:34 UTC 2017
Modified Files:
src/sys/arch/amd64/amd64: process_machdep.c
Log Message:
Mmh, don't overwrite tf_err and tf_trapno. Looks like it can be used to
exploit the intel sysret vulnerability once again.
To generate a diff of this commit:
cvs rdiff -u -r1.32 -r1.33 src/sys/arch/amd64/amd64/process_machdep.c
Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.
Modified files:
Index: src/sys/arch/amd64/amd64/process_machdep.c
diff -u src/sys/arch/amd64/amd64/process_machdep.c:1.32 src/sys/arch/amd64/amd64/process_machdep.c:1.33
--- src/sys/arch/amd64/amd64/process_machdep.c:1.32 Thu Feb 23 03:34:22 2017
+++ src/sys/arch/amd64/amd64/process_machdep.c Tue Aug 8 17:27:34 2017
@@ -1,4 +1,4 @@
-/* $NetBSD: process_machdep.c,v 1.32 2017/02/23 03:34:22 kamil Exp $ */
+/* $NetBSD: process_machdep.c,v 1.33 2017/08/08 17:27:34 maxv Exp $ */
/*-
* Copyright (c) 1998, 2000 The NetBSD Foundation, Inc.
@@ -76,7 +76,7 @@
#include <sys/cdefs.h>
-__KERNEL_RCSID(0, "$NetBSD: process_machdep.c,v 1.32 2017/02/23 03:34:22 kamil Exp $");
+__KERNEL_RCSID(0, "$NetBSD: process_machdep.c,v 1.33 2017/08/08 17:27:34 maxv Exp $");
#include <sys/param.h>
#include <sys/systm.h>
@@ -141,6 +141,7 @@ process_write_regs(struct lwp *l, const
struct trapframe *tf = process_frame(l);
int error;
const long *regs = regp->regs;
+ int err, trapno;
/*
* Check for security violations.
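Review bot: The new temporaries in `int err, trapno;` may be narrower than the trapframe fields they save. `regs` is a `const long *` and the copy macro stores those values straight into the `tf_` members, which suggests the members are 64-bit, though the trapframe definition is outside this diff. If that is the case, declaring them with the field type, e.g. `uint64_t err, trapno;`, would make the restore in the following hunk an exact round trip rather than a truncate-and-extend. The body of process_write_regs starts and ends outside this hunk.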
@@ -151,10 +152,16 @@ process_write_regs(struct lwp *l, const
if (error != 0)
return error;
+ err = tf->tf_err;
+ trapno = tf->tf_trapno;
+
#define copy_to_frame(reg, REG, idx) tf->tf_##reg = regs[_REG_##REG];
_FRAME_GREG(copy_to_frame)
#undef copy_to_frame
+ tf->tf_err = err;
+ tf->tf_trapno = trapno;
+
return (0);
}
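Review bot: The save/restore around `_FRAME_GREG(copy_to_frame)` has no comment explaining why `tf_err` and `tf_trapno` must survive the copy, so the security rationale lives only in the commit log. A short comment above `err = tf->tf_err;`, such as `/* tf_err and tf_trapno are kernel-owned; never take them from the caller-supplied register set. */`, would keep a later cleanup from dropping these lines as redundant. Other paths that fill the trapframe from a user-supplied register set are not visible here, so it is worth confirming whether any of them use the same macro and need the same preservation.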