Module Name: src
Committed By: maxv
Date: Sun Feb 25 13:09:34 UTC 2018
Modified Files:
src/sys/arch/amd64/amd64: trap.c
Log Message:
Mmh. We shouldn't read %cr2 here. %cr2 is initialized by the CPU only
during page faults (T_PAGEFLT), so here we're reading a value that comes
from a previous page fault.
That's a real problem; if you launch an unprivileged process, set up a
signal handler, make it sleep 10 seconds, and trigger a T_ALIGNFLT fault,
you get in si_addr the address of another LWP's page - and perhaps this
can be used to defeat userland ASLR.
This bug has been there since 2003.
To generate a diff of this commit:
cvs rdiff -u -r1.112 -r1.113 src/sys/arch/amd64/amd64/trap.c
Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.
Modified files:
Index: src/sys/arch/amd64/amd64/trap.c
diff -u src/sys/arch/amd64/amd64/trap.c:1.112 src/sys/arch/amd64/amd64/trap.c:1.113
--- src/sys/arch/amd64/amd64/trap.c:1.112 Sun Feb 25 12:37:16 2018
+++ src/sys/arch/amd64/amd64/trap.c Sun Feb 25 13:09:33 2018
@@ -1,4 +1,4 @@
-/* $NetBSD: trap.c,v 1.112 2018/02/25 12:37:16 maxv Exp $ */
+/* $NetBSD: trap.c,v 1.113 2018/02/25 13:09:33 maxv Exp $ */
/*
* Copyright (c) 1998, 2000, 2017 The NetBSD Foundation, Inc.
@@ -64,7 +64,7 @@
*/
#include <sys/cdefs.h>
-__KERNEL_RCSID(0, "$NetBSD: trap.c,v 1.112 2018/02/25 12:37:16 maxv Exp $");
+__KERNEL_RCSID(0, "$NetBSD: trap.c,v 1.113 2018/02/25 13:09:33 maxv Exp $");
#include "opt_ddb.h"
#include "opt_kgdb.h"
@@ -376,7 +376,7 @@ trap(struct trapframe *frame)
case T_ALIGNFLT|T_USER:
KSI_INIT_TRAP(&ksi);
ksi.ksi_trap = type & ~T_USER;
- ksi.ksi_addr = (void *)rcr2();
+ ksi.ksi_addr = (void *)frame->tf_rip;
switch (type) {
case T_SEGNPFLT|T_USER:
case T_STKFLT|T_USER:
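Review bot: The `+ ksi.ksi_addr = (void *)frame->tf_rip;` line deserves a short comment stating why %cr2 must not be read here: the CPU loads %cr2 only on page faults (T_PAGEFLT), so for the traps routed through this code it holds whatever an earlier page fault left there, possibly one taken by a different LWP, and nobody should reintroduce rcr2() at this point. The comment should also say that tf_rip is the address of the faulting instruction, not of the operand that caused the trap, so si_addr consumers do not mistake it for a data address. One more point for the log message: the assignment sits before the `switch (type)`, so the visible T_SEGNPFLT|T_USER and T_STKFLT|T_USER cases were exposed to the same stale %cr2 value, not only T_ALIGNFLT as the message says.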