Date: Wed, 18 Jul 2012 15:59:21 -0500
From: James <james@hicag.org>
To: Bill Crisp <bcrisp@crispernetworks.com>
Cc: freebsd-hackers@freebsd.org, Xin Li <delphij@delphij.net>
Subject: Re: CVE-2012-0217 Intel's sysret Kernel Privilege Escalation and FreeBSD 6.2/6.3
Message-ID: <CAD4099k=h9T=fEXK5UjYoGifo8NGKcPWRA7eQ4C15sgdR2CMQQ@mail.gmail.com>
In-Reply-To: <CAOmNS50Gz_cnaqhxu0%2BbUO1JUBfUF6OHS2TaHZhiw6C-NtipGQ@mail.gmail.com>
References: <CAOmNS514kLwq=MpGbwL324MQGQYrCAgM9ByaocRujjG1M55%2BTg@mail.gmail.com> <4FFF4B95.9080105@delphij.net> <CAOmNS50Gz_cnaqhxu0%2BbUO1JUBfUF6OHS2TaHZhiw6C-NtipGQ@mail.gmail.com>
[-- Attachment #1 --]
On Wed, Jul 18, 2012 at 3:26 PM, Bill Crisp <bcrisp@crispernetworks.com> wrote:
>
> Unfortunately I tried to put the code from the patch in place but there
> seem to be some missing functions in the header file and too many
> arguments to a function and some other errors below:
Hi Bill. Yes, the patch for >= FreeBSD 7 won't apply directly to
6. ksi and the refined SIGBUS traps don't exist yet. Here's how I
fixed it at work. Using this on multiple releng_6* branches.
HTH!
--
James.
[-- Attachment #2 --]
Index: src/sys/amd64/amd64/trap.c
===================================================================
--- src/sys/amd64/amd64/trap.c (revision 4564)
+++ src/sys/amd64/amd64/trap.c (revision 4565)
@@ -846,6 +846,17 @@
/*
* Traced syscall.
*/
+
+ /*
+ * If the user-supplied value of %rip is not a canonical
+ * address, then some CPUs will trigger a ring 0 #GP during
+ * the sysret instruction. However, the fault handler would
+ * execute with the user's %gs and %rsp in ring 0 which would
+ * not be safe. Instead, preemptively kill the thread with a
+ * SIGBUS.
+ */
+ if (td->td_frame->tf_rip >= VM_MAXUSER_ADDRESS)
+ trapsignal(td, SIGBUS, T_PROTFLT);
if (orig_tf_rflags & PSL_T) {
frame.tf_rflags &= ~PSL_T;
trapsignal(td, SIGTRAP, 0);
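Review bot: The comment and the condition in this hunk do not quite say the same thing: the comment describes the hazard as "%rip is not a canonical address", but `if (td->td_frame->tf_rip >= VM_MAXUSER_ADDRESS)` rejects every %rip outside the user address range, canonical kernel addresses included. That is the safer test and matches what the stock >= 7 fix checks, so keep the condition, but reword the comment to say the thread is killed whenever the return %rip lies outside user space, so a later reader does not "tighten" it to a pure canonical-form check. Two smaller points: the check is anchored at the tail of the traced-syscall handling in trap.c and relies on the pending SIGBUS being delivered before the kernel executes sysret, so it is worth confirming in the 6.x tree that this is the only return-to-user path that ends in sysret with a user-controlled %rip (and that the others use iret), because the hunk covers just this one site; and since the diff is against a private repository (revisions 4564/4565) with no commit message, the comment or the commit should name CVE-2012-0217 and the advisory it backports so the change is traceable when the branch is merged forward.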
