Source-Changes archive

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index][Old Index]

CVS commit: src/sys/arch/amd64/amd64

Module Name:    src
Committed By:   maxv
Date:           Sun Feb 25 13:09:34 UTC 2018

Modified Files:
        src/sys/arch/amd64/amd64: trap.c

Log Message:
Mmh. We shouldn't read %cr2 here. %cr2 is initialized by the CPU only
during page faults (T_PAGEFLT), so here we're reading a value that comes
from a previous page fault.

That's a real problem; if you launch an unprivileged process, set up a
signal handler, make it sleep 10 seconds, and trigger a T_ALIGNFLT fault,
you get in si_addr the address of another LWP's page - and perhaps this
can be used to defeat userland ASLR.

This bug has been there since 2003.

To generate a diff of this commit:
cvs rdiff -u -r1.112 -r1.113 src/sys/arch/amd64/amd64/trap.c

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.

Home | Main Index | Thread Index | Old Index