From owner-svn-src-stable@FreeBSD.ORG  Tue Jun 12 12:10:12 2012
Return-Path: <owner-svn-src-stable@FreeBSD.ORG>
Delivered-To: svn-src-stable@freebsd.org
Received: from mx1.freebsd.org (mx1.freebsd.org [69.147.83.52])
	by hub.freebsd.org (Postfix) with ESMTP id AE4071065672;
	Tue, 12 Jun 2012 12:10:12 +0000 (UTC) (envelope-from bz@FreeBSD.org)
Received: from svn.freebsd.org (svn.freebsd.org [IPv6:2001:4f8:fff6::2c])
	by mx1.freebsd.org (Postfix) with ESMTP id 4AE5D8FC15;
	Tue, 12 Jun 2012 12:10:12 +0000 (UTC)
Received: from svn.freebsd.org (localhost [127.0.0.1])
	by svn.freebsd.org (8.14.4/8.14.4) with ESMTP id q5CCAC08052402;
	Tue, 12 Jun 2012 12:10:12 GMT (envelope-from bz@svn.freebsd.org)
Received: (from bz@localhost)
	by svn.freebsd.org (8.14.4/8.14.4/Submit) id q5CCACFm052400;
	Tue, 12 Jun 2012 12:10:12 GMT (envelope-from bz@svn.freebsd.org)
Message-Id: <201206121210.q5CCACFm052400@svn.freebsd.org>
From: "Bjoern A. Zeeb" <bz@FreeBSD.org>
Date: Tue, 12 Jun 2012 12:10:12 +0000 (UTC)
To: src-committers@freebsd.org, svn-src-all@freebsd.org,
	svn-src-stable@freebsd.org, svn-src-stable-9@freebsd.org
X-SVN-Group: stable-9
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Cc: 
Subject: svn commit: r236953 - head/sys/amd64/amd64 releng/7.4
	releng/7.4/contrib/bind9/lib/dns releng/7.4/sys/amd64/amd64
	releng/7.4/sys/conf releng/8.1
	releng/8.1/contrib/bind9/lib/dns releng/8.1/sys/amd6...
X-BeenThere: svn-src-stable@freebsd.org
X-Mailman-Version: 2.1.5
Precedence: list
List-Id: SVN commit messages for all the -stable branches of the src tree
	<svn-src-stable.freebsd.org>
List-Unsubscribe: <http://lists.freebsd.org/mailman/listinfo/svn-src-stable>, 
	<mailto:svn-src-stable-request@freebsd.org?subject=unsubscribe>
List-Archive: <http://lists.freebsd.org/pipermail/svn-src-stable>
List-Post: <mailto:svn-src-stable@freebsd.org>
List-Help: <mailto:svn-src-stable-request@freebsd.org?subject=help>
List-Subscribe: <http://lists.freebsd.org/mailman/listinfo/svn-src-stable>,
	<mailto:svn-src-stable-request@freebsd.org?subject=subscribe>
X-List-Received-Date: Tue, 12 Jun 2012 12:10:12 -0000

Author: bz
Date: Tue Jun 12 12:10:10 2012
New Revision: 236953
URL: http://svn.freebsd.org/changeset/base/236953

Log:
  Fix a problem where zero-length RDATA fields can cause named(8) to crash.
  [12:03]
  
  Correct a privilege escalation when returning from kernel if
  running FreeBSD/amd64 on non-AMD processors. [12:04]
  
  Fix reference count errors in IPv6 code. [EN-12:02]
  
  Security:	CVE-2012-1667
  Security:	FreeBSD-SA-12:03.bind
  Security:	CVE-2012-0217
  Security:	FreeBSD-SA-12:04.sysret
  Security:	FreeBSD-EN-12:02.ipv6refcount
  Approved by:	so (simon, bz)

Modified:
  stable/9/sys/amd64/amd64/trap.c

Changes in other areas also in this revision:
Modified:
  head/sys/amd64/amd64/trap.c
  releng/7.4/UPDATING
  releng/7.4/contrib/bind9/lib/dns/rdata.c
  releng/7.4/contrib/bind9/lib/dns/rdataslab.c
  releng/7.4/sys/amd64/amd64/trap.c
  releng/7.4/sys/conf/newvers.sh
  releng/8.1/UPDATING
  releng/8.1/contrib/bind9/lib/dns/rdata.c
  releng/8.1/contrib/bind9/lib/dns/rdataslab.c
  releng/8.1/sys/amd64/amd64/trap.c
  releng/8.1/sys/conf/newvers.sh
  releng/8.1/sys/netinet/tcp_input.c
  releng/8.1/sys/netinet6/in6.c
  releng/8.1/sys/netinet6/ip6_input.c
  releng/8.2/UPDATING
  releng/8.2/contrib/bind9/lib/dns/rdata.c
  releng/8.2/contrib/bind9/lib/dns/rdataslab.c
  releng/8.2/sys/amd64/amd64/trap.c
  releng/8.2/sys/conf/newvers.sh
  releng/8.2/sys/netinet/tcp_input.c
  releng/8.2/sys/netinet6/in6.c
  releng/8.2/sys/netinet6/ip6_input.c
  releng/8.3/UPDATING
  releng/8.3/contrib/bind9/lib/dns/rdata.c
  releng/8.3/contrib/bind9/lib/dns/rdataslab.c
  releng/8.3/sys/amd64/amd64/trap.c
  releng/8.3/sys/conf/newvers.sh
  releng/8.3/sys/netinet/tcp_input.c
  releng/8.3/sys/netinet6/in6.c
  releng/8.3/sys/netinet6/ip6_input.c
  releng/9.0/UPDATING
  releng/9.0/contrib/bind9/lib/dns/rdata.c
  releng/9.0/contrib/bind9/lib/dns/rdataslab.c
  releng/9.0/sys/amd64/amd64/trap.c
  releng/9.0/sys/conf/newvers.sh
  releng/9.0/sys/netinet/tcp_input.c
  releng/9.0/sys/netinet6/in6.c
  releng/9.0/sys/netinet6/ip6_input.c
  stable/7/contrib/bind9/lib/dns/rdata.c
  stable/7/contrib/bind9/lib/dns/rdataslab.c
  stable/7/sys/amd64/amd64/trap.c
  stable/8/sys/amd64/amd64/trap.c

Modified: stable/9/sys/amd64/amd64/trap.c
==============================================================================
--- stable/9/sys/amd64/amd64/trap.c	Tue Jun 12 11:08:51 2012	(r236952)
+++ stable/9/sys/amd64/amd64/trap.c	Tue Jun 12 12:10:10 2012	(r236953)
@@ -977,4 +977,21 @@ amd64_syscall(struct thread *td, int tra
 	     syscallname(td->td_proc, sa.code)));
 
 	syscallret(td, error, &sa);
+
+	/*
+	 * If the user-supplied value of %rip is not a canonical
+	 * address, then some CPUs will trigger a ring 0 #GP during
+	 * the sysret instruction.  However, the fault handler would
+	 * execute with the user's %gs and %rsp in ring 0 which would
+	 * not be safe.  Instead, preemptively kill the thread with a
+	 * SIGBUS.
+	 */
+	if (td->td_frame->tf_rip >= VM_MAXUSER_ADDRESS) {
+		ksiginfo_init_trap(&ksi);
+		ksi.ksi_signo = SIGBUS;
+		ksi.ksi_code = BUS_OBJERR;
+		ksi.ksi_trapno = T_PROTFLT;
+		ksi.ksi_addr = (void *)td->td_frame->tf_rip;
+		trapsignal(td, &ksi);
+	}
 }
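Review bot: `ksi` is used at `ksiginfo_init_trap(&ksi);` but no declaration is visible in this hunk, so confirm that a `ksiginfo_t ksi;` is in scope in amd64_syscall() on this branch and the merged file compiles. Two smaller points on the same block: the test `if (td->td_frame->tf_rip >= VM_MAXUSER_ADDRESS)` rejects canonical kernel-half addresses as well as non-canonical ones (the safe superset, since none of them is a valid user %rip), and the comment, which speaks only of "not a canonical address", could say so to stop a later cleanup from relaxing it to the canonical limit; and placing the check after `syscallret(td, error, &sa);` is the right spot, since that is past the point where a syscall such as sigreturn(2) rewrites tf_rip from user-supplied state, so the value tested is the one sysret would actually consume.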