From owner-freebsd-hackers@FreeBSD.ORG Thu Jul 12 22:11:41 2012
Message-ID: <4FFF4B95.9080105@delphij.net>
Date: Thu, 12 Jul 2012 15:11:33 -0700
From: Xin Li
To: Bill Crisp
Cc: freebsd-hackers@freebsd.org
Subject: Re: CVE-2012-0217 Intel's sysret Kernel Privilege Escalation and FreeBSD 6.2/6.3
List-Id: Technical Discussions relating to FreeBSD

On 07/12/12 09:36, Bill Crisp wrote:
> Good Morning!
>
> This was also posted to the FreeBSD forums:
>
> I have been researching CVE-2012-0217 and while I have patched the kernels
> on servers with 7.3/8.2 that I have, I would like to see if anyone knows
> for sure if 6.2/6.3 are also vulnerable? I am aware that those kernels are
> out of support from looking at the documentation. I have looked at the code
> in trap.c to see if the current patch would work with 6.3 source but it
> won't based on what I saw. I am also aware of upgrading as an option to
> resolve this; unfortunately, in some cases I have, this is not possible right
> now.

I believe that 6.x are vulnerable. You will have to backport the change (something like this against sys/amd64/amd64/trap.c, in syscall() right after PTRACESTOP_SC(p, td, S_PT_SCX);

Add:

+ /* + * If the user-supplied value of %rip is not a canonical + * address, then some CPUs will trigger a ring 0 #GP during + * the sysret instruction. However, the fault handler would + * execute with the user's %gs and %rsp in ring 0 which would + * not be safe. Instead, preemptively kill the thread with a + * SIGBUS. + */ + if (td->td_frame->tf_rip>= VM_MAXUSER_ADDRESS) { + ksiginfo_init_trap(&ksi); + ksi.ksi_signo = SIGBUS; + ksi.ksi_code = BUS_OBJERR; + ksi.ksi_trapno = T_PROTFLT; + ksi.ksi_addr = (void *)td->td_frame->tf_rip; + trapsignal(td,&ksi); + }

Right before: WITNESS_WARN(...)

Cheers,
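Review bot: the added lines use a local `ksi` (ksiginfo_init_trap(&ksi); ksi.ksi_signo = SIGBUS; ... trapsignal(td,&ksi);) that is never declared in the lines shown, so the backport into syscall() also needs a `ksiginfo_t ksi;` declaration in that function's locals, otherwise the hunk will not compile. Since the thread already notes the 7.x/8.x patch does not apply cleanly to the 6.3 trap.c, whoever does the backport should also confirm that ksiginfo_init_trap() and the ksiginfo-based trapsignal() signature used here exist in the 6.x tree before relying on this snippet as-is, and keep the check positioned after the syscall has returned (as it is here, after PTRACESTOP_SC) so that the %rip actually about to be loaded by sysret is the one tested.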