Source-Changes-HG archive
[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index][Old Index]
[src/netbsd-8]: src/sys/compat/linux32/arch/amd64 Pull up following revision(...
details: https://anonhg.NetBSD.org/src/rev/cc9996ef50df
branches: netbsd-8
changeset: 434287:cc9996ef50df
user: snj <snj%NetBSD.org@localhost>
date: Sat Sep 09 17:01:23 2017 +0000
description:
Pull up following revision(s) (requested by maxv in ticket #270):
sys/compat/linux32/arch/amd64/linux32_machdep.c: revision 1.39
Fix a ring0 escalation vulnerability in compat_linux32 where the
index of %cs is controlled by userland, making it easy to trigger
the page fault and get kernel privileges.
diffstat:
sys/compat/linux32/arch/amd64/linux32_machdep.c | 9 +++++----
1 files changed, 5 insertions(+), 4 deletions(-)
diffs (30 lines):
diff -r 892b9a4c729f -r cc9996ef50df sys/compat/linux32/arch/amd64/linux32_machdep.c
--- a/sys/compat/linux32/arch/amd64/linux32_machdep.c Mon Sep 04 20:47:59 2017 +0000
+++ b/sys/compat/linux32/arch/amd64/linux32_machdep.c Sat Sep 09 17:01:23 2017 +0000
@@ -1,4 +1,4 @@
-/* $NetBSD: linux32_machdep.c,v 1.38 2017/02/05 08:52:11 maxv Exp $ */
+/* $NetBSD: linux32_machdep.c,v 1.38.6.1 2017/09/09 17:01:23 snj Exp $ */
/*-
* Copyright (c) 2006 Emmanuel Dreyfus, all rights reserved.
@@ -31,7 +31,7 @@
* POSSIBILITY OF SUCH DAMAGE.
*/
#include <sys/cdefs.h>
-__KERNEL_RCSID(0, "$NetBSD: linux32_machdep.c,v 1.38 2017/02/05 08:52:11 maxv Exp $");
+__KERNEL_RCSID(0, "$NetBSD: linux32_machdep.c,v 1.38.6.1 2017/09/09 17:01:23 snj Exp $");
#include <sys/param.h>
#include <sys/proc.h>
@@ -417,8 +417,9 @@
/*
* Check for security violations.
*/
- if (((scp->sc_eflags ^ tf->tf_rflags) & PSL_USERSTATIC) != 0 ||
- !USERMODE(scp->sc_cs, scp->sc_eflags))
+ if (((scp->sc_eflags ^ tf->tf_rflags) & PSL_USERSTATIC) != 0)
+ return EINVAL;
+ if (!VALID_USER_CSEL32(scp->sc_cs))
return EINVAL;
if (scp->sc_fs != 0 && !VALID_USER_DSEL32(scp->sc_fs) &&
Home |
Main Index |
Thread Index |
Old Index