Source-Changes-HG archive
[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index][Old Index]
[src/netbsd-6]: src/sys/compat/linux32/arch/amd64 Pull up following revision(...
details: https://anonhg.NetBSD.org/src/rev/655c4416b603
branches: netbsd-6
changeset: 777252:655c4416b603
user: snj <snj%NetBSD.org@localhost>
date: Sat Sep 09 16:53:36 2017 +0000
description:
Pull up following revision(s) (requested by maxv in ticket #1502):
sys/compat/linux32/arch/amd64/linux32_machdep.c: revision 1.39
Fix a ring0 escalation vulnerability in compat_linux32 where the
index of %cs is controlled by userland, making it easy to trigger
the page fault and get kernel privileges.
diffstat:
sys/compat/linux32/arch/amd64/linux32_machdep.c | 9 +++++----
1 files changed, 5 insertions(+), 4 deletions(-)
diffs (30 lines):
diff -r 781d43794d84 -r 655c4416b603 sys/compat/linux32/arch/amd64/linux32_machdep.c
--- a/sys/compat/linux32/arch/amd64/linux32_machdep.c Mon Sep 04 16:05:13 2017 +0000
+++ b/sys/compat/linux32/arch/amd64/linux32_machdep.c Sat Sep 09 16:53:36 2017 +0000
@@ -1,4 +1,4 @@
-/* $NetBSD: linux32_machdep.c,v 1.29 2011/03/04 22:25:31 joerg Exp $ */
+/* $NetBSD: linux32_machdep.c,v 1.29.10.1 2017/09/09 16:53:36 snj Exp $ */
/*-
* Copyright (c) 2006 Emmanuel Dreyfus, all rights reserved.
@@ -31,7 +31,7 @@
* POSSIBILITY OF SUCH DAMAGE.
*/
#include <sys/cdefs.h>
-__KERNEL_RCSID(0, "$NetBSD: linux32_machdep.c,v 1.29 2011/03/04 22:25:31 joerg Exp $");
+__KERNEL_RCSID(0, "$NetBSD: linux32_machdep.c,v 1.29.10.1 2017/09/09 16:53:36 snj Exp $");
#include <sys/param.h>
#include <sys/proc.h>
@@ -428,8 +428,9 @@
/*
* Check for security violations.
*/
- if (((scp->sc_eflags ^ tf->tf_rflags) & PSL_USERSTATIC) != 0 ||
- !USERMODE(scp->sc_cs, scp->sc_eflags))
+ if (((scp->sc_eflags ^ tf->tf_rflags) & PSL_USERSTATIC) != 0)
+ return EINVAL;
+ if (!VALID_USER_CSEL32(scp->sc_cs))
return EINVAL;
if (scp->sc_fs != 0 && !VALID_USER_DSEL32(scp->sc_fs) &&
Home |
Main Index |
Thread Index |
Old Index