[src/trunk]: src/sys/arch/amd64/amd64 Restore %ds before swapgs. Movs to segm...
details: https://anonhg.NetBSD.org/src/rev/c29b9c14def0
branches: trunk
changeset: 351305:c29b9c14def0
user: maxv <maxv%NetBSD.org@localhost>
date: Thu Feb 09 08:23:46 2017 +0000
description:
Restore %ds before swapgs. Movs to segment registers are allowed to fault
in kernel mode but simply cause a signal to be sent to userland. The thing
is, in this case %gs is not restored when entering the trap routine, which
means the kernel uses userland's TLS instead of using its own. Which in
short makes it easy to escalate privileges.
Currently, this bug is triggered only in one place, which I am about to
fix too.
diffstat:
sys/arch/amd64/amd64/locore.S | 6 ++----
1 files changed, 2 insertions(+), 4 deletions(-)
diffs (35 lines):
diff -r 38cea65a6dc2 -r c29b9c14def0 sys/arch/amd64/amd64/locore.S
--- a/sys/arch/amd64/amd64/locore.S Thu Feb 09 06:03:29 2017 +0000
+++ b/sys/arch/amd64/amd64/locore.S Thu Feb 09 08:23:46 2017 +0000
@@ -1,4 +1,4 @@
-/* $NetBSD: locore.S,v 1.119 2017/02/02 19:12:09 maxv Exp $ */
+/* $NetBSD: locore.S,v 1.120 2017/02/09 08:23:46 maxv Exp $ */
/*
* Copyright-o-rama!
@@ -1310,16 +1310,15 @@
testl $(MDL_IRET|MDL_COMPAT32),L_MD_FLAGS(%r14)
INTR_RESTORE_GPRS
movw TF_ES(%rsp),%es
+ movw TF_DS(%rsp),%ds
SWAPGS
jnz 2f
#ifndef XEN
movq TF_RIP(%rsp),%rcx /* %rip for sysret */
movq TF_RFLAGS(%rsp),%r11 /* %flags for sysret */
- movw TF_DS(%rsp),%ds
movq TF_RSP(%rsp),%rsp
sysretq
#else
- movw TF_DS(%rsp),%ds
addq $TF_RIP,%rsp
pushq $256 /* VGCF_IN_SYSCALL */
jmp HYPERVISOR_iret
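Review bot: The relocated `movw TF_DS(%rsp),%ds` now sits between the `testl` that sets the flags and the `jnz 2f` that consumes them, and nothing in the hunk says why it must stay ahead of `SWAPGS`; a comment would stop a later edit from reordering it or slipping a flag-clobbering instruction into that gap. I would put, above the `%es` restore, `/* %ds/%es must be reloaded before SWAPGS: a faulting selector load traps at CPL 0, so the trap entry will not swap GS and we must still be on the kernel GS base. mov and SWAPGS leave flags untouched for the jnz below. */`. The selector in the trapframe is presumably user-controlled (sigreturn/setcontext are not visible here), so this ordering is what keeps a bad %ds from handing the kernel a userland GS base, matching the commit's rationale. The enclosing return-to-user routine starts before and ends after this hunk.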
@@ -1332,7 +1331,6 @@
* then a SIGSEGV will be signalled.
*/
2:
- movw TF_DS(%rsp),%ds
addq $TF_RIP,%rsp
iretq