[src/trunk]: src/sys/compat/linux/arch/amd64 Don't let userland choose %rip. ...

[maxv <maxv%NetBSD.org@localhost>]

details:   https://anonhg.NetBSD.org/src/rev/22bd00715023
branches:  trunk
changeset: 351445:22bd00715023
user:      maxv <maxv%NetBSD.org@localhost>
date:      Mon Feb 13 14:54:11 2017 +0000

description:
Don't let userland choose %rip. This is the Intel Sysret vulnerability
again.

diffstat:

 sys/compat/linux/arch/amd64/linux_machdep.c |  11 ++++++++---
 1 files changed, 8 insertions(+), 3 deletions(-)

diffs (32 lines):

diff -r 4739086206e3 -r 22bd00715023 sys/compat/linux/arch/amd64/linux_machdep.c
--- a/sys/compat/linux/arch/amd64/linux_machdep.c       Mon Feb 13 11:16:46 2017 +0000
+++ b/sys/compat/linux/arch/amd64/linux_machdep.c       Mon Feb 13 14:54:11 2017 +0000
@@ -1,4 +1,4 @@
-/*     $NetBSD: linux_machdep.c,v 1.49 2017/02/05 08:42:49 maxv Exp $ */
+/*     $NetBSD: linux_machdep.c,v 1.50 2017/02/13 14:54:11 maxv Exp $ */
 
 /*-
  * Copyright (c) 2005 Emmanuel Dreyfus, all rights reserved.
@@ -33,7 +33,7 @@
 
 #include <sys/cdefs.h>
 
-__KERNEL_RCSID(0, "$NetBSD: linux_machdep.c,v 1.49 2017/02/05 08:42:49 maxv Exp $");
+__KERNEL_RCSID(0, "$NetBSD: linux_machdep.c,v 1.50 2017/02/13 14:54:11 maxv Exp $");
 
 #include <sys/param.h>
 #include <sys/types.h>
@@ -234,7 +234,12 @@
        if (error != 0) {
                sigexit(l, SIGILL);
                return;
-       }       
+       }
+
+       if ((vaddr_t)catcher >= VM_MAXUSER_ADDRESS) {
+               sigexit(l, SIGILL);
+               return;
+       }
 
        linux_buildcontext(l, catcher, sp);
        tf->tf_rdi = sigframe.info.lsi_signo;