Date:      Wed, 18 Jul 2012 16:26:57 -0400
From:      Bill Crisp <bcrisp@crispernetworks.com>
To:        Xin Li <delphij@delphij.net>
Cc:        freebsd-hackers@freebsd.org
Subject:   Re: CVE-2012-0217 Intel's sysret Kernel Privilege Escalation and FreeBSD 6.2/6.3
Message-ID:  <CAOmNS50Gz_cnaqhxu0%2BbUO1JUBfUF6OHS2TaHZhiw6C-NtipGQ@mail.gmail.com>
In-Reply-To: <4FFF4B95.9080105@delphij.net>
References:  <CAOmNS514kLwq=MpGbwL324MQGQYrCAgM9ByaocRujjG1M55%2BTg@mail.gmail.com> <4FFF4B95.9080105@delphij.net>

Xin,

Thanks for the reply!

Unfortunately, I tried to put the code from the patch in place, but there
seem to be some missing functions in the header file and too many
arguments to a function, and some other errors below:

../../../amd64/amd64/trap.c: In function `syscall':
../../../amd64/amd64/trap.c:884: warning: implicit declaration of function
`ksiginfo_init_trap'
../../../amd64/amd64/trap.c:884: warning: nested extern declaration of
`ksiginfo_init_trap'
../../../amd64/amd64/trap.c:884: error: `ksi' undeclared (first use in this
function)
../../../amd64/amd64/trap.c:884: error: (Each undeclared identifier is
reported only once
../../../amd64/amd64/trap.c:884: error: for each function it appears in.)
../../../amd64/amd64/trap.c:886: error: `BUS_OBJERR' undeclared (first use
in this function)
../../../amd64/amd64/trap.c:889: error: too few arguments to function
`trapsignal'
*** Error code 1

I can possibly take a stab at writing something to handle this...but I
don't write in C very often and I am sure others are much more experienced
in the FreeBSD kernel than I am.

If anyone can help further please let me know.

Thanks!

On Thu, Jul 12, 2012 at 6:11 PM, Xin Li <delphij@delphij.net> wrote:

> On 07/12/12 09:36, Bill Crisp wrote:
>
>> Good Morning!
>>
>> This was also posted to the FreeBSD forums:
>>
>> I have been researching CVE-2012-0217 and while I have patched the kernels
>> on servers with 7.3/8.2 that I have, I would like to see if anyone knows
>> for sure if 6.2/6.3 are also vulnerable? I am aware that those kernels are
>> out of support from looking at the documentation. I have looked at the
>> code in trap.c to see if the current patch would work with 6.3 source but
>> it won't based on what I saw. I am also aware of upgrading as an option to
>> resolve this; unfortunately, in some cases I have, this is not possible
>> right now.
>>
> I believe that 6.x are vulnerable.  You will have to backport the change
> (something like this against sys/amd64/amd64/trap.c, in syscall() right
> after
>
>         PTRACESTOP_SC(p, td, S_PT_SCX);
>
> Add:
>
> +       /*
> +        * If the user-supplied value of %rip is not a canonical
> +        * address, then some CPUs will trigger a ring 0 #GP during
> +        * the sysret instruction.  However, the fault handler would
> +        * execute with the user's %gs and %rsp in ring 0 which would
> +        * not be safe.  Instead, preemptively kill the thread with a
> +        * SIGBUS.
> +        */
> +       if (td->td_frame->tf_rip>= VM_MAXUSER_ADDRESS) {
> +               ksiginfo_init_trap(&ksi);
> +               ksi.ksi_signo = SIGBUS;
> +               ksi.ksi_code = BUS_OBJERR;
> +               ksi.ksi_trapno = T_PROTFLT;
> +               ksi.ksi_addr = (void *)td->td_frame->tf_rip;
> +               trapsignal(td,&ksi);
> +       }
>
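Review bot: as pasted, this hunk depends on the 7.x ksiginfo interface that a 6.x trap.c does not provide: `ksi` is used but never declared (a `ksiginfo_t ksi;` local would be needed in syscall()), and `ksiginfo_init_trap()`, `BUS_OBJERR` and the two-argument `trapsignal(td, &ksi)` are exactly what the compile errors in the reply above report, including "too few arguments to function trapsignal". A 6.x backport has to keep the `tf_rip >= VM_MAXUSER_ADDRESS` test, which is the actual fix, but deliver the SIGBUS through whatever trapsignal form that tree has, or bring the ksiginfo helpers over with it. Also, the spaces around `>=` and after the comma in `trapsignal(td,&ksi)` were lost in the paste and should be restored before applying.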
> Right before:
>
>         WITNESS_WARN(...)
>
>
> Cheers,
>
>
>
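The check in the quoted hunk is easier to reason about next to the x86-64 canonical-address rule it guards against. The following is an added userland model, not code from this thread or from FreeBSD; the value of VM_MAXUSER_ADDRESS is assumed here (top of the lower canonical half on amd64), and it shows that the kernel's `>=` test rejects every non-canonical return address plus any canonical kernel-half one.

```c
/* Added example, not from the thread or FreeBSD: models the %rip test from
 * the quoted trap.c hunk against the x86-64 canonical-address rule. */
#include <stdint.h>
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

/* Assumed amd64 user/kernel boundary (2^47); the real kernel constant is
 * VM_MAXUSER_ADDRESS. */
#define VM_MAXUSER_ADDRESS_MODEL 0x0000800000000000ULL

/* Canonical form for 48-bit linear addresses: bits 63..47 must all equal
 * bit 47. sysret takes a ring 0 #GP when the return %rip is not canonical,
 * which is the hazard the kernel comment describes. */
bool is_canonical48(uint64_t va) {
    uint64_t top = va >> 47;                 /* bits 63..47, 17 bits wide */
    return top == 0 || top == 0x1ffff;
}

/* The trap.c test: refuse any return %rip at or above the user limit. */
bool syscall_return_rip_rejected(uint64_t rip) {
    return rip >= VM_MAXUSER_ADDRESS_MODEL;
}

/* Every non-canonical address has some bit in 63..47 set without all of them
 * set, so it is >= 2^47 and therefore caught by the kernel's test. Walk the
 * single-high-bit cases (bits 47..62) and confirm each is rejected. */
bool noncanonical_always_rejected(void) {
    for (int bit = 47; bit < 63; bit++) {
        uint64_t rip = 0x400000ULL | (1ULL << bit);   /* constructed sample */
        if (is_canonical48(rip) || !syscall_return_rip_rejected(rip))
            return false;
    }
    return true;
}

/* Classify a candidate return address for an audit line. */
const char *classify_rip(uint64_t rip) {
    if (!syscall_return_rip_rejected(rip))
        return "user canonical: sysret proceeds";
    if (is_canonical48(rip))
        return "kernel-half canonical: rejected by >= test";
    return "non-canonical: would #GP in sysret, rejected by >= test";
}

int main(void) {
    uint64_t samples[] = { 0x400000ULL, 0x00007fffffffffffULL,
                           0x0000800000000000ULL, 0xffffffff80000000ULL };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++)
        printf("%#018llx: %s\n", (unsigned long long)samples[i],
               classify_rip(samples[i]));
    return noncanonical_always_rejected() ? 0 : 1;
}
```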