From: Konstantin Belousov Subject: git: 870bb8d0d32b - stable/15 - amd64: check that %cs and %ss values from ucontext fit into registers List-Id: Commit messages for all branches of the src repository List-Archive: https://lists.freebsd.org/archives/dev-commits-src-all List-Help: List-Post: List-Subscribe: List-Unsubscribe: X-BeenThere: dev-commits-src-all@freebsd.org Sender: owner-dev-commits-src-all@FreeBSD.org MIME-Version: 1.0 Content-Type: text/plain; charset=utf-8 Content-Transfer-Encoding: 8bit X-Git-Committer: kib X-Git-Repository: src X-Git-Refname: refs/heads/stable/15 X-Git-Reftype: branch X-Git-Commit: 870bb8d0d32b029e2ce074d93ea269f0c637e19f Auto-Submitted: auto-generated Date: Fri, 27 Mar 2026 01:52:25 +0000 Message-Id: <69c5e2d9.1f901.7c7edeed@gitrepo.freebsd.org> The branch stable/15 has been updated by kib: URL: https://cgit.FreeBSD.org/src/commit/?id=870bb8d0d32b029e2ce074d93ea269f0c637e19f commit 870bb8d0d32b029e2ce074d93ea269f0c637e19f Author: Konstantin Belousov AuthorDate: 2026-03-15 07:17:24 +0000 Commit: Konstantin Belousov CommitDate: 2026-03-26 23:42:56 +0000 amd64: check that %cs and %ss values from ucontext fit into registers (cherry picked from commit 8892176c86db18bd175cc00a2d52dff080babec1)
---
sys/amd64/amd64/exec_machdep.c | 19 +++++++++++++++++++ sys/amd64/ia32/ia32_signal.c | 28 ++++++++++++++++++++++++++++ 2 files changed, 47 insertions(+)
diff --git a/sys/amd64/amd64/exec_machdep.c b/sys/amd64/amd64/exec_machdep.c
index 6752b716deb5..a4880175990f 100644
--- a/sys/amd64/amd64/exec_machdep.c
+++ b/sys/amd64/amd64/exec_machdep.c
@@ -94,6 +94,15 @@ _Static_assert(sizeof(mcontext_t) == 800, "mcontext_t size incorrect"); _Static_assert(sizeof(ucontext_t) == 880, "ucontext_t size incorrect"); _Static_assert(sizeof(siginfo_t) == 80, "siginfo_t size incorrect"); +/* + * Check that the value r is 16bit, i.e. fits into a segment register. + */ +static bool +is_seg_val(register_t r) +{ + return ((uint64_t)r <= 0xffff); +} + /* * Send an interrupt to process. *
@@ -262,6 +271,14 @@ sys_sigreturn(struct thread *td, struct sigreturn_args *uap) return (EINVAL); } + if (!is_seg_val(ucp->uc_mcontext.mc_ss) || + !is_seg_val(ucp->uc_mcontext.mc_cs)) { + uprintf("pid %d (%s): sigreturn cs = %#lx ss = %#lx\n", + p->p_pid, td->td_name, ucp->uc_mcontext.mc_cs, + ucp->uc_mcontext.mc_ss); + return (EINVAL); + } + /* * Don't allow users to load a valid privileged %cs. Let the * hardware check for invalid selectors, excess privilege in
@@ -659,6 +676,8 @@ set_mcontext(struct thread *td, mcontext_t *mcp) if (mcp->mc_len != sizeof(*mcp) || (mcp->mc_flags & ~_MC_FLAG_MASK) != 0) return (EINVAL); + if (!is_seg_val(mcp->mc_ss) || !is_seg_val(mcp->mc_cs)) + return (EINVAL); rflags = (mcp->mc_rflags & PSL_USERCHANGE) | (tp->tf_rflags & ~PSL_USERCHANGE); if (mcp->mc_flags & _MC_HASFPXSTATE) {
diff --git a/sys/amd64/ia32/ia32_signal.c b/sys/amd64/ia32/ia32_signal.c
index 54e170450dba..3b26244932b4 100644
--- a/sys/amd64/ia32/ia32_signal.c
+++ b/sys/amd64/ia32/ia32_signal.c
@@ -88,6 +88,15 @@ extern char _binary_elf_vdso32_so_1_size; static void freebsd4_ia32_sendsig(sig_t, ksiginfo_t *, sigset_t *); #endif +/* + * Check that the value r is 16bit, i.e. fits into a segment register. + */ +static bool +is_seg_val(uint32_t r) +{ + return (r <= 0xffff); +} + static void ia32_get_fpcontext(struct thread *td, struct ia32_mcontext *mcp, char **xfpusave, size_t *xfpusave_len)
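Review bot: The comment on is_seg_val in the first hunk says what the helper checks but not why a wider value must be refused, and the same helper is defined a second time, with a uint32_t parameter, in the ia32_signal.c hunk further down this line. The two copies could be one `static inline` helper in a shared amd64 header so the 64-bit and 32-bit sigreturn paths cannot drift apart. For the comment, presumably the point is that the later privilege checks (CS_SECURE and the "Don't allow users to load a valid privileged %cs" logic in the sigreturn hunks) look at the whole field while only the low 16 bits of it can reach a segment register, so an oversized value would be checked as one thing and loaded as another; I'd extend the comment with `Reject values wider than a selector so that the value the privilege checks inspect is the value that is actually loaded.`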
@@ -205,6 +214,8 @@ ia32_set_mcontext(struct thread *td, struct ia32_mcontext *mcp) tp = td->td_frame; if (mcp->mc_len != sizeof(*mcp)) return (EINVAL); + if (!is_seg_val(mcp->mc_ss) || !is_seg_val(mcp->mc_cs)) + return (EINVAL); rflags = (mcp->mc_eflags & PSL_USERCHANGE) | (tp->tf_rflags & ~PSL_USERCHANGE); if (mcp->mc_flags & _MC_IA32_HASFPXSTATE) {
@@ -707,6 +718,8 @@ ofreebsd32_sigreturn(struct thread *td, struct ofreebsd32_sigreturn_args *uap) if (!EFL_SECURE(eflags, regs->tf_rflags)) { return (EINVAL); } + if (!is_seg_val(scp->sc_ss) || !is_seg_val(scp->sc_cs)) + return (EINVAL); if (!CS_SECURE(scp->sc_cs)) { ksiginfo_init_trap(&ksi); ksi.ksi_signo = SIGBUS;
@@ -772,6 +785,13 @@ freebsd4_freebsd32_sigreturn(struct thread *td, return (EINVAL); } + if (!is_seg_val(ucp->uc_mcontext.mc_ss) || + !is_seg_val(ucp->uc_mcontext.mc_cs)) { + uprintf("pid %d (%s): sigreturn cs = %#x ss = %#x\n", + td->td_proc->p_pid, td->td_name, ucp->uc_mcontext.mc_cs, + ucp->uc_mcontext.mc_ss); + return (EINVAL); + } /* * Don't allow users to load a valid privileged %cs. Let the * hardware check for invalid selectors, excess privilege in
@@ -841,6 +861,14 @@ freebsd32_sigreturn(struct thread *td, struct freebsd32_sigreturn_args *uap) return (EINVAL); } + if (!is_seg_val(ucp->uc_mcontext.mc_ss) || + !is_seg_val(ucp->uc_mcontext.mc_cs)) { + uprintf("pid %d (%s): sigreturn cs = %#x ss = %#x\n", + td->td_proc->p_pid, td->td_name, ucp->uc_mcontext.mc_cs, + ucp->uc_mcontext.mc_ss); + return (EINVAL); + } + /* * Don't allow users to load a valid privileged %cs. Let the * hardware check for invalid selectors, excess privilege in
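Review bot: In the freebsd4_freebsd32_sigreturn hunk the closing `}` of the new block runs straight into the existing `/* Don't allow users to load a valid privileged %cs ... */` comment with no blank line, while the matching block in freebsd32_sigreturn (the last hunk on this line) and in sys_sigreturn adds one; the hunk counts (+7 here against +8 there) confirm the difference. Adding the blank `+` line makes the two 32-bit sigreturn blocks identical and easier to diff against each other later. Separately, the ofreebsd32_sigreturn hunk rejects an oversized selector silently where the other two variants uprintf the offending values; that matches the silent EFL_SECURE rejection just above it, so it looks deliberate, but a short comment such as `/* Old sigreturn reports no diagnostics, like the EFL_SECURE path above. */` would keep a later reader from "fixing" the asymmetry.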