Date:      Wed, 26 May 2021 20:37:47 GMT
From:      Mark Johnston <markj@FreeBSD.org>
To:        src-committers@FreeBSD.org, dev-commits-src-all@FreeBSD.org, dev-commits-src-branches@FreeBSD.org
Subject:   git: c69096577383 - releng/13.0 - amd64: clear PSL.AC in the right frame
Message-ID:  <202105262037.14QKbl1O054422@gitrepo.freebsd.org>

The branch releng/13.0 has been updated by markj:

URL: https://cgit.FreeBSD.org/src/commit/?id=c690965773831b46f84a242b417372fc499302b4

commit c690965773831b46f84a242b417372fc499302b4
Author:     Konstantin Belousov <kib@FreeBSD.org>
AuthorDate: 2021-05-22 19:48:36 +0000
Commit:     Mark Johnston <markj@FreeBSD.org>
CommitDate: 2021-05-26 19:31:22 +0000

    amd64: clear PSL.AC in the right frame
    
    If a routine in the copyin family faults, the kernel clears PSL.AC on
    the fault entry, but the AC flag of the faulted frame is kept intact.  Since
    the onfault handler is effectively a jump, AC survives until syscall exit.
    
    Approved by:    so
    Security:       FreeBSD-SA-21:11.smap
    Security:       CVE-2021-29628
    Reported by:    m00nbsd, via Sony
    Reviewed by:    markj
    Sponsored by:   The FreeBSD Foundation
    admbugs:        975
    
    (cherry picked from commit 91aae953cb807d6fb7a70782b323bf9beb60d7c9)
    (cherry picked from commit 6bbde34ae6088285af9d1cc587249c3e7a0159a9)
---
 sys/amd64/amd64/support.S           | 18 ++++++++++++------
 sys/amd64/linux/linux_support.s     |  5 ++++-
 sys/amd64/linux32/linux32_support.s |  5 ++++-
 3 files changed, 20 insertions(+), 8 deletions(-)

diff --git a/sys/amd64/amd64/support.S b/sys/amd64/amd64/support.S
index b623fba277db..7963071303b7 100644
--- a/sys/amd64/amd64/support.S
+++ b/sys/amd64/amd64/support.S
@@ -853,9 +853,11 @@ ENTRY(copyin_smap_erms)
 END(copyin_smap_erms)
 
 	ALIGN_TEXT
-	/* Trap entry clears PSL.AC */
 copy_fault:
-	movq	$0,PCB_ONFAULT(%r11)
+	testl	$CPUID_STDEXT_SMAP,cpu_stdext_feature(%rip)
+	je	1f
+	clac
+1:	movq	$0,PCB_ONFAULT(%r11)
 	movl	$EFAULT,%eax
 	POP_FRAME_POINTER
 	ret
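Review bot: The new `clac` in copy_fault carries no comment explaining why it is needed now that the old `/* Trap entry clears PSL.AC */` line is gone, and the reason is subtle enough (per the commit message, the trap handler clears AC in its own frame, but the faulting frame's saved RFLAGS still has AC set and is what the onfault jump resumes with) that a later reader could take the `clac` for redundant and drop it. Suggest `/* Trap entry clears PSL.AC, but the faulting frame's RFLAGS (AC set) is restored when control resumes here, so clear it before returning to the caller. */` above the `testl`. The same three-line `testl`/`je 1f`/`clac` sequence is repeated in fusufault and cpystrflt below and in futex_fault in both linux_support.s and linux32_support.s; factoring it into one macro in a header all three files already include (e.g. a SMAP_CLAC_IF_ENABLED, name constructed) would keep the five copies from drifting. The copyin_smap_erms body that jumps here lies outside the hunk.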
@@ -1292,9 +1294,11 @@ ENTRY(subyte_smap)
 END(subyte_smap)
 
 	ALIGN_TEXT
-	/* Fault entry clears PSL.AC */
 fusufault:
-	movq	PCPU(CURPCB),%rcx
+	testl	$CPUID_STDEXT_SMAP,cpu_stdext_feature(%rip)
+	je	1f
+	clac
+1:	movq	PCPU(CURPCB),%rcx
 	xorl	%eax,%eax
 	movq	%rax,PCB_ONFAULT(%rcx)
 	decq	%rax
@@ -1377,8 +1381,10 @@ ENTRY(copyinstr_smap)
 END(copyinstr_smap)
 
 cpystrflt:
-	/* Fault entry clears PSL.AC */
-	movl	$EFAULT,%eax
+	testl	$CPUID_STDEXT_SMAP,cpu_stdext_feature(%rip)
+	je	1f
+	clac
+1:	movl	$EFAULT,%eax
 cpystrflt_x:
 	/* set *lencopied and return %eax */
 	movq	$0,PCB_ONFAULT(%r9)
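Review bot: The `clac` guards only the cpystrflt fault entry, while `cpystrflt_x` directly below is a second entry point that bypasses it; if copyinstr_smap reaches cpystrflt_x on a non-fault path (presumably a name-too-long return), that path must already have executed `clac` in the function body, which is outside this hunk, so it is worth confirming. A one-line comment at the second label, `/* Non-fault entry: caller has already cleared PSL.AC. */`, would make the asymmetry visibly intentional. The enclosing copyinstr_smap body starts before the hunk.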
diff --git a/sys/amd64/linux/linux_support.s b/sys/amd64/linux/linux_support.s
index 391f76414f22..2de778e151bf 100644
--- a/sys/amd64/linux/linux_support.s
+++ b/sys/amd64/linux/linux_support.s
@@ -34,7 +34,10 @@
 #include "assym.inc"
 
 futex_fault:
-	movq	$0,PCB_ONFAULT(%r8)
+	testl	$CPUID_STDEXT_SMAP,cpu_stdext_feature(%rip)
+	je	1f
+	clac
+1:	movq	$0,PCB_ONFAULT(%r8)
 	movl	$-EFAULT,%eax
 	ret
 
diff --git a/sys/amd64/linux32/linux32_support.s b/sys/amd64/linux32/linux32_support.s
index 981bba9f5821..7ff3e2293f6e 100644
--- a/sys/amd64/linux32/linux32_support.s
+++ b/sys/amd64/linux32/linux32_support.s
@@ -34,7 +34,10 @@
 #include "assym.inc"
 
 futex_fault:
-	movq	$0,PCB_ONFAULT(%r8)
+	testl	$CPUID_STDEXT_SMAP,cpu_stdext_feature(%rip)
+	je	1f
+	clac
+1:	movq	$0,PCB_ONFAULT(%r8)
 	movl	$-EFAULT,%eax
 	ret
 


