Source-Changes-HG archive


[src/trunk]: src/sys/arch/amd64/amd64 Mmh. We shouldn't read %cr2 here. %cr2 ...



details:   https://anonhg.NetBSD.org/src/rev/0627e352d09f
branches:  trunk
changeset: 359782:0627e352d09f
user:      maxv <maxv%NetBSD.org@localhost>
date:      Sun Feb 25 13:09:33 2018 +0000

description:
Mmh. We shouldn't read %cr2 here. %cr2 is initialized by the CPU only
during page faults (T_PAGEFLT), so here we're reading a value that comes
from a previous page fault.

That's a real problem; if you launch an unprivileged process, set up a
signal handler, make it sleep 10 seconds, and trigger a T_ALIGNFLT fault,
you get in si_addr the address of another LWP's page - and perhaps this
can be used to defeat userland ASLR.

This bug has been there since 2003.

diffstat:

 sys/arch/amd64/amd64/trap.c |  6 +++---
 1 files changed, 3 insertions(+), 3 deletions(-)

diffs (27 lines):

diff -r fbc2ee04af26 -r 0627e352d09f sys/arch/amd64/amd64/trap.c
--- a/sys/arch/amd64/amd64/trap.c       Sun Feb 25 12:57:39 2018 +0000
+++ b/sys/arch/amd64/amd64/trap.c       Sun Feb 25 13:09:33 2018 +0000
@@ -1,4 +1,4 @@
-/*     $NetBSD: trap.c,v 1.112 2018/02/25 12:37:16 maxv Exp $  */
+/*     $NetBSD: trap.c,v 1.113 2018/02/25 13:09:33 maxv Exp $  */
 
 /*
  * Copyright (c) 1998, 2000, 2017 The NetBSD Foundation, Inc.
@@ -64,7 +64,7 @@
  */
 
 #include <sys/cdefs.h>
-__KERNEL_RCSID(0, "$NetBSD: trap.c,v 1.112 2018/02/25 12:37:16 maxv Exp $");
+__KERNEL_RCSID(0, "$NetBSD: trap.c,v 1.113 2018/02/25 13:09:33 maxv Exp $");
 
 #include "opt_ddb.h"
 #include "opt_kgdb.h"
@@ -376,7 +376,7 @@
        case T_ALIGNFLT|T_USER:
                KSI_INIT_TRAP(&ksi);
                ksi.ksi_trap = type & ~T_USER;
-               ksi.ksi_addr = (void *)rcr2();
+               ksi.ksi_addr = (void *)frame->tf_rip;
                switch (type) {
                case T_SEGNPFLT|T_USER:
                case T_STKFLT|T_USER:
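Review bot: the visible context shows this `ksi.ksi_addr` assignment is shared by every trap type that reaches the inner `switch` (at least `T_ALIGNFLT|T_USER`, `T_SEGNPFLT|T_USER` and `T_STKFLT|T_USER`), none of which is a page fault, so `rcr2()` was returning whatever the last `T_PAGEFLT` on that CPU left behind, possibly an address from another LWP's fault as the commit message describes. Replacing it with `frame->tf_rip` is sound because the instruction pointer is the only address the CPU supplies for these faults, but the hunk gives the next reader no hint why `%cr2` is wrong here; a one-line comment above the assignment, such as `/* %cr2 is only valid for T_PAGEFLT; report the faulting rip instead */`, would prevent a well-meaning revert. It is also worth confirming outside this hunk that the `T_PAGEFLT|T_USER` path keeps its own `rcr2()` read and does not fall through into this block, since that is not visible here.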


