From owner-freebsd-hackers@FreeBSD.ORG Wed Jul 18 20:26:59 2012
From: Bill Crisp
To: Xin Li
Cc: freebsd-hackers@freebsd.org
Date: Wed, 18 Jul 2012 16:26:57 -0400
Subject: Re: CVE-2012-0217 Intel's sysret Kernel Privilege Escalation and FreeBSD 6.2/6.3
In-Reply-To: <4FFF4B95.9080105@delphij.net>
List-Id: Technical Discussions relating to FreeBSD

Xin,

Thanks for the reply! Unfortunately I tried to put the code from the patch in place, but there seem to be some missing functions in the header file, too many arguments to a function, and some other errors, below:

../../../amd64/amd64/trap.c: In function `syscall':
../../../amd64/amd64/trap.c:884: warning: implicit declaration of function `ksiginfo_init_trap'
../../../amd64/amd64/trap.c:884: warning: nested extern declaration of `ksiginfo_init_trap'
../../../amd64/amd64/trap.c:884: error: `ksi' undeclared (first use in this function)
../../../amd64/amd64/trap.c:884: error: (Each undeclared identifier is reported only once
../../../amd64/amd64/trap.c:884: error: for each function it appears in.)
../../../amd64/amd64/trap.c:886: error: `BUS_OBJERR' undeclared (first use in this function)
../../../amd64/amd64/trap.c:889: error: too few arguments to function `trapsignal'
*** Error code 1

I can possibly take a stab at writing something to handle this... but I don't write in C very often, and I am sure others are much more experienced in the FreeBSD kernel than I am. If anyone can help further, please let me know.

Thanks!

On Thu, Jul 12, 2012 at 6:11 PM, Xin Li wrote:
> On 07/12/12 09:36, Bill Crisp wrote:
>
>> Good Morning!
>>
>> This was also posted to the FreeBSD forums:
>>
>> I have been researching CVE-2012-0217 and while I have patched the kernels
>> on servers with 7.3/8.2 that I have, I would like to see if anyone knows
>> for sure if 6.2/6.3 are also vulnerable? I am aware that those kernels are
>> out of support from looking at the documentation. I have looked at the
>> code in trap.c to see if the current patch would work with 6.3 source, but it
>> won't based on what I saw. I am also aware of upgrading as an option to
>> resolve this; unfortunately, in some cases I have, this is not possible right
>> now.
>> > I believe that 6.x are vulnerable. You will have to backport the change > (something like this against sys/amd64/amd64/trap.c, in syscall() right > after > > PTRACESTOP_SC(p, td, S_PT_SCX); > > Add: > > + /* > + * If the user-supplied value of %rip is not a canonical > + * address, then some CPUs will trigger a ring 0 #GP during > + * the sysret instruction. However, the fault handler would > + * execute with the user's %gs and %rsp in ring 0 which would > + * not be safe. Instead, preemptively kill the thread with a > + * SIGBUS. > + */ > + if (td->td_frame->tf_rip>= VM_MAXUSER_ADDRESS) { > + ksiginfo_init_trap(&ksi); > + ksi.ksi_signo = SIGBUS; > + ksi.ksi_code = BUS_OBJERR; > + ksi.ksi_trapno = T_PROTFLT; > + ksi.ksi_addr = (void *)td->td_frame->tf_rip; > + trapsignal(td,&ksi); > + } > > Right before: > > WITNESS_WARN(...) > > > Cheers, > > >
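Review bot: the quoted block uses `ksi` without declaring it, so it presumes a `ksiginfo_t ksi;` local already present in syscall(), and it leans on `ksiginfo_init_trap()`, `BUS_OBJERR` and the two-argument `trapsignal(td, &ksi)`, which are exactly the symbols the 6.x build errors earlier in this thread trip over. The comparison `td->td_frame->tf_rip >= VM_MAXUSER_ADDRESS` is the part that matters and ports as-is; the signal delivery has to be rewritten against the older API rather than pasted. On a tree whose `trapsignal` takes the signal number and trap code directly, the whole `ksi` block reduces to one call of the form `trapsignal(td, SIGBUS, <code>)` inside the same guard, with `<code>` chosen to match whatever that branch's trap() passes for T_PROTFLT; check the prototype in that branch's sys/sys/signalvar.h before relying on it. Minor style point for the final diff: `tf_rip>=` and `trapsignal(td,&ksi)` have lost the spaces style(9) expects around binary operators and after commas.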
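An added example of mine, not code from this thread or from the FreeBSD tree, that models the guard in Xin's snippet in user space. It checks a set of representative %rip values against the architectural canonical-address rule, the patch's comparison against VM_MAXUSER_ADDRESS, and a naive "is the sign bit set" test, to show why the simple comparison is sufficient (the non-canonical hole starts exactly at the user limit, so every address SYSRET would fault on is caught) while a sign-bit test is not. VA_BITS, AMD64_VM_MAXUSER and the sample addresses are assumed values for 48-bit amd64 paging.

```c
/*
 * Added example, not code from the thread or the FreeBSD tree: a user-space
 * model of the %rip guard added before SYSRET.  Assumes 48-bit virtual
 * addressing and the FreeBSD amd64 value of VM_MAXUSER_ADDRESS.
 */
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define VA_BITS           48
/* Assumed: FreeBSD amd64 VM_MAXUSER_ADDRESS, first address above user space. */
#define AMD64_VM_MAXUSER  0x0000800000000000ULL

/* Architectural rule: an address is canonical when bits 63..VA_BITS all equal
 * bit VA_BITS-1.  SYSRET with a non-canonical %rip raises #GP in ring 0. */
bool is_canonical(uint64_t va)
{
	uint64_t sign  = (va >> (VA_BITS - 1)) & 1;
	uint64_t upper = va >> VA_BITS;                      /* bits 63..48 */
	uint64_t want  = sign ? (UINT64_MAX >> VA_BITS) : 0; /* all ones or all zeros */
	return upper == want;
}

/* The guard from the patch: refuse anything at or above the user limit. */
bool sysret_rip_rejected(uint64_t rip)
{
	return rip >= AMD64_VM_MAXUSER;
}

/* A tempting but wrong alternative: treat only "negative" addresses as bad. */
bool naive_sign_bit_rejected(uint64_t rip)
{
	return (rip >> 63) != 0;
}

/* Constructed %rip values a process could leave in its trap frame. */
static const uint64_t samples[] = {
	0x0000000000400000ULL,	/* typical user text */
	0x00007fffffffffffULL,	/* last user address */
	0x0000800000000000ULL,	/* first non-canonical address == VM_MAXUSER_ADDRESS */
	0x0000dead00000000ULL,	/* inside the hole */
	0xffff7fffffffffffULL,	/* last non-canonical address */
	0xffff800000000000ULL,	/* first canonical kernel address */
	0xffffffff80000000ULL,	/* kernel text */
};

/* Counts samples that are non-canonical yet pass the given guard.
 * Zero means the guard refuses every address SYSRET would fault on. */
int noncanonical_accepted_by(bool (*rejected)(uint64_t))
{
	int leaked = 0;
	for (size_t i = 0; i < sizeof(samples) / sizeof(samples[0]); i++)
		if (!is_canonical(samples[i]) && !rejected(samples[i]))
			leaked++;
	return leaked;
}

int main(void)
{
	for (size_t i = 0; i < sizeof(samples) / sizeof(samples[0]); i++)
		printf("%016llx canonical=%d guard=%d signbit=%d\n",
		    (unsigned long long)samples[i], is_canonical(samples[i]),
		    sysret_rip_rejected(samples[i]),
		    naive_sign_bit_rejected(samples[i]));
	printf("non-canonical accepted: guard=%d signbit=%d\n",
	    noncanonical_accepted_by(sysret_rip_rejected),
	    noncanonical_accepted_by(naive_sign_bit_rejected));
	return 0;
}
```

The guard refuses kernel addresses as well as the hole, which is intended: a thread that has arranged a kernel %rip for its return frame has no legitimate reason to be there, and SIGBUS is the safe outcome either way.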