Source-Changes-HG archive
[src/netbsd-8]: src/sys/arch/amd64/amd64 Pull up following revision(s) (reque...
details: https://anonhg.NetBSD.org/src/rev/a38ce2f60a51
branches: netbsd-8
changeset: 434840:a38ce2f60a51
user: snj <snj%NetBSD.org@localhost>
date: Sun Apr 08 06:14:18 2018 +0000
description:
Pull up following revision(s) (requested by maxv in ticket #705):
sys/arch/amd64/amd64/trap.c: 1.113
Mmh. We shouldn't read %cr2 here. %cr2 is initialized by the CPU only
during page faults (T_PAGEFLT), so here we're reading a value that comes
from a previous page fault.
That's a real problem; if you launch an unprivileged process, set up a
signal handler, make it sleep 10 seconds, and trigger a T_ALIGNFLT fault,
you get in si_addr the address of another LWP's page - and perhaps this
can be used to defeat userland ASLR.
This bug has been there since 2003.
diffstat:
sys/arch/amd64/amd64/trap.c | 6 +++---
1 files changed, 3 insertions(+), 3 deletions(-)
diffs (27 lines):
diff -r c16da54eaf66 -r a38ce2f60a51 sys/arch/amd64/amd64/trap.c
--- a/sys/arch/amd64/amd64/trap.c Sun Apr 08 06:12:53 2018 +0000
+++ b/sys/arch/amd64/amd64/trap.c Sun Apr 08 06:14:18 2018 +0000
@@ -1,4 +1,4 @@
-/* $NetBSD: trap.c,v 1.96.4.2 2018/03/22 16:59:03 martin Exp $ */
+/* $NetBSD: trap.c,v 1.96.4.3 2018/04/08 06:14:18 snj Exp $ */
/*-
* Copyright (c) 1998, 2000 The NetBSD Foundation, Inc.
@@ -68,7 +68,7 @@
*/
#include <sys/cdefs.h>
-__KERNEL_RCSID(0, "$NetBSD: trap.c,v 1.96.4.2 2018/03/22 16:59:03 martin Exp $");
+__KERNEL_RCSID(0, "$NetBSD: trap.c,v 1.96.4.3 2018/04/08 06:14:18 snj Exp $");
#include "opt_ddb.h"
#include "opt_kgdb.h"
@@ -389,7 +389,7 @@
#endif
KSI_INIT_TRAP(&ksi);
ksi.ksi_trap = type & ~T_USER;
- ksi.ksi_addr = (void *)rcr2();
+ ksi.ksi_addr = (void *)frame->tf_rip;
switch (type) {
case T_SEGNPFLT|T_USER:
case T_STKFLT|T_USER:
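Review bot: the replacement `+ ksi.ksi_addr = (void *)frame->tf_rip;` stops the stale-%cr2 disclosure for the non-page-fault cases that fall through this switch (T_SEGNPFLT|T_USER, T_STKFLT|T_USER and the cases that follow), but the hunk does not show where the T_PAGEFLT path sets ksi_addr, so please confirm that the page-fault case still takes its address from %cr2 on its own path and that no case reached through this switch depended on the old value. A short comment above the assignment stating that %cr2 is only valid for T_PAGEFLT and that the faulting instruction address is the best available si_addr for the other traps would keep the next reader from reintroducing rcr2() here; a regression test that triggers an alignment fault in an unprivileged process and checks si_addr against the instruction pointer in the signal context would catch that too.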