Module Name: src Committed By: maxv Date: Thu Aug 31 10:30:58 UTC 2017
Modified Files: src/sys/arch/amd64/amd64: amd64_trap.S locore.S Log Message: Add a layer of mitigation against the Intel sysret vulnerability: restore %gs when sysretq faults. Right now we try to make sure that %rip is canonical by performing sanity checks in several places, but I have already found missing checks twice, and there may be others. By performing an additional swapgs here, we turn ring0 exploits into simple DoSes - which are still security bugs, but of lower impact. To generate a diff of this commit: cvs rdiff -u -r1.8 -r1.9 src/sys/arch/amd64/amd64/amd64_trap.S cvs rdiff -u -r1.127 -r1.128 src/sys/arch/amd64/amd64/locore.S Please note that diffs are not public domain; they are subject to the copyright notices on the relevant files.
Modified files:
Index: src/sys/arch/amd64/amd64/amd64_trap.S
diff -u src/sys/arch/amd64/amd64/amd64_trap.S:1.8 src/sys/arch/amd64/amd64/amd64_trap.S:1.9
--- src/sys/arch/amd64/amd64/amd64_trap.S:1.8 Thu Aug 31 09:33:19 2017
+++ src/sys/arch/amd64/amd64/amd64_trap.S Thu Aug 31 10:30:58 2017
@@ -1,4 +1,4 @@
-/* $NetBSD: amd64_trap.S,v 1.8 2017/08/31 09:33:19 maxv Exp $ */
+/* $NetBSD: amd64_trap.S,v 1.9 2017/08/31 10:30:58 maxv Exp $ */
 
 /*
  * Copyright (c) 1998, 2007, 2008, 2017 The NetBSD Foundation, Inc.
@@ -66,7 +66,7 @@
 
 #if 0
 #include <machine/asm.h>
-__KERNEL_RCSID(0, "$NetBSD: amd64_trap.S,v 1.8 2017/08/31 09:33:19 maxv Exp $");
+__KERNEL_RCSID(0, "$NetBSD: amd64_trap.S,v 1.9 2017/08/31 10:30:58 maxv Exp $");
 #endif
 
 /*
@@ -378,7 +378,13 @@ NENTRY(check_swapgs)
 /*
  * Trap in kernel mode.
  */
- /* Case 1: fault on iretq? */
+
+ /* Case 1: fault on sysretq? */
+ leaq do_sysret(%rip),%rdi
+ cmpq %rdi,TF_RIP(%rsp)
+ je 1b
+
+ /* Case 2: fault on iretq? */
 movq TF_RIP(%rsp),%rax
 cmpw $0xcf48,(%rax) /* Faulting instruction is iretq ? */
 jne 5f /* Jump if not */
@@ -388,7 +394,7 @@ NENTRY(check_swapgs)
 jmp 1b /* to user - must restore %gs */
 
 5:
- /* Case 2: move to %gs? */
+ /* Case 3: move to %gs? */
 movw (%rax),%ax
 andb $070,%ah /* mask mod/rm from mod/reg/rm */
 cmpw $0x8e+050*256,%ax /* Any move to %gs (reg 5) */
Index: src/sys/arch/amd64/amd64/locore.S
diff -u src/sys/arch/amd64/amd64/locore.S:1.127 src/sys/arch/amd64/amd64/locore.S:1.128
--- src/sys/arch/amd64/amd64/locore.S:1.127 Thu Aug 31 09:27:28 2017
+++ src/sys/arch/amd64/amd64/locore.S Thu Aug 31 10:30:58 2017
@@ -1,4 +1,4 @@
-/* $NetBSD: locore.S,v 1.127 2017/08/31 09:27:28 maxv Exp $ */
+/* $NetBSD: locore.S,v 1.128 2017/08/31 10:30:58 maxv Exp $ */
 
 /*
  * Copyright-o-rama!
@@ -328,6 +328,7 @@
 .globl _C_LABEL(bootinfo)
 .globl _C_LABEL(biosbasemem)
 .globl _C_LABEL(biosextmem)
+ .globl do_sysret
 .type _C_LABEL(tablesize), @object
 _C_LABEL(tablesize):
 .long TABLESIZE
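Review bot: The new compare in check_swapgs, `leaq do_sysret(%rip),%rdi` / `cmpq %rdi,TF_RIP(%rsp)`, assumes `do_sysret` is defined in every configuration that assembles this file, but in locore.S (the `@@ -1313` hunk) the label sits inside a conditional block whose `#if` guard is outside the hunk and whose `#else` path never defines it; if check_swapgs is assembled for a configuration that takes the `#else` path, the reference is an undefined symbol, so confirm the two guards match or wrap this case in the same guard. check_swapgs's entry and the `1:` target of `je 1b` are outside the hunk, so it cannot be confirmed here that `%rdi` was saved into the trap frame before being used as scratch; the existing code already scratches `%rax` the same way, so presumably it was. A why-comment would spare the next reader the reasoning behind an exact-address match: `/* #GP from sysretq is raised at CPL0 with %rip still at do_sysret and the user %gs base loaded, so go restore %gs */`.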
@@ -1313,6 +1314,7 @@ do_syscall:
 movq TF_RIP(%rsp),%rcx /* %rip for sysret */
 movq TF_RFLAGS(%rsp),%r11 /* %flags for sysret */
 movq TF_RSP(%rsp),%rsp
+do_sysret:
 sysretq
 #else
 addq $TF_RIP,%rsp
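Review bot: The line above the new `do_sysret:` label has already loaded the user's `TF_RSP` into `%rsp`, so when sysretq raises #GP at CPL0 the exception frame is pushed onto that user-chosen stack unless the #GP gate is served from an IST stack; the %gs repair in check_swapgs does not change this, and the canonical-%rip checks the log message describes remain the primary defence, which the label should say: `do_sysret: /* sysretq may #GP here at CPL0 with user %rsp and %gs; check_swapgs matches this address */`. The `#if` opening this block is outside the hunk, and the `#else` path below the label does not define `do_sysret`. The enclosing do_syscall code begins before the hunk.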