Source-Changes-HG archive

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index][Old Index]

[src/trunk]: src/sys/arch/amd64/amd64 Mmh, don't overwrite tf_err and tf_trap...



details:   https://anonhg.NetBSD.org/src/rev/5f8a9ef4a8a1
branches:  trunk
changeset: 355663:5f8a9ef4a8a1
user:      maxv <maxv%NetBSD.org@localhost>
date:      Tue Aug 08 17:27:34 2017 +0000

description:
Mmh, don't overwrite tf_err and tf_trapno. Looks like it can be used to
exploit the intel sysret vulnerability once again.

diffstat:

 sys/arch/amd64/amd64/process_machdep.c |  11 +++++++++--
 1 files changed, 9 insertions(+), 2 deletions(-)

diffs (43 lines):

diff -r 9f00858edb68 -r 5f8a9ef4a8a1 sys/arch/amd64/amd64/process_machdep.c
--- a/sys/arch/amd64/amd64/process_machdep.c    Tue Aug 08 17:00:42 2017 +0000
+++ b/sys/arch/amd64/amd64/process_machdep.c    Tue Aug 08 17:27:34 2017 +0000
@@ -1,4 +1,4 @@
-/*     $NetBSD: process_machdep.c,v 1.32 2017/02/23 03:34:22 kamil Exp $       */
+/*     $NetBSD: process_machdep.c,v 1.33 2017/08/08 17:27:34 maxv Exp $        */
 
 /*-
  * Copyright (c) 1998, 2000 The NetBSD Foundation, Inc.
@@ -76,7 +76,7 @@
 
 
 #include <sys/cdefs.h>
-__KERNEL_RCSID(0, "$NetBSD: process_machdep.c,v 1.32 2017/02/23 03:34:22 kamil Exp $");
+__KERNEL_RCSID(0, "$NetBSD: process_machdep.c,v 1.33 2017/08/08 17:27:34 maxv Exp $");
 
 #include <sys/param.h>
 #include <sys/systm.h>
@@ -141,6 +141,7 @@
        struct trapframe *tf = process_frame(l);
        int error;
        const long *regs = regp->regs;
+       int err, trapno;
 
        /*
         * Check for security violations.
@@ -151,10 +152,16 @@
        if (error != 0)
                return error;
 
+       err = tf->tf_err;
+       trapno = tf->tf_trapno;
+
 #define copy_to_frame(reg, REG, idx) tf->tf_##reg = regs[_REG_##REG];
        _FRAME_GREG(copy_to_frame)
 #undef copy_to_frame
 
+       tf->tf_err = err;
+       tf->tf_trapno = trapno;
+
        return (0);
 }
 



Home | Main Index | Thread Index | Old Index