From: Steven Chamberlain <steven@pyro.eu.org>
Date: Tue, 19 Jun 2012 19:15:54 +0100
To: freebsd-security@freebsd.org
Cc: bz@freebsd.org, "Simon L. B. Nielsen"
Subject: Re: Update for FreeBSD Security Advisory FreeBSD-SA-12:04.sysret for 8.1
Message-ID: <4FE0C1DA.2080809@pyro.eu.org>
In-Reply-To: <497105EC-3223-4E59-A6E6-F810A15BCA5C@FreeBSD.org>
List-Id: freebsd-security "Security issues [members-only posting]"

Hi,

Thanks a lot for looking into this!

On 18/06/12 22:37, Simon L. B. Nielsen wrote:
> Note that this is ONLY for FreeBSD 8.1. Other branches are OK.

Having seen the correct fix now, I'm starting to wonder if the commit to RELENG_7_4 was really okay too?

http://svnweb.freebsd.org/base/releng/7.4/sys/amd64/amd64/trap.c?annotate=236953#l975

The inserted code does not appear at the end of the function, like it does now in all other versions including 8.1, which is the most similar. I expect this would at least trap if the exploit was attempted, but then it would omit the rest of the function, including userret(); would that have consequences?

Thanks,
Regards,
-- 
Steven Chamberlain
steven@pyro.eu.org
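The mail is about where the SA-12:04.sysret check sits inside the syscall return path; the check itself is small, and the following is an added userland model of it for readers who have not looked at the kernel code. It is not the mail's code and not FreeBSD's trap.c. It assumes 48-bit virtual addresses (so an address is canonical only when bits 63..47 are all equal) and the amd64 layout in which user space is the whole lower canonical half, with VM_MAXUSER_ADDRESS as the first address above it; the SIGBUS verdict and the sample addresses are constructed for the illustration. It cannot say anything about the userret() placement question raised above.

```c
#include <stdint.h>
#include <stdbool.h>
#include <stdio.h>

/*
 * Userland model of the check behind FreeBSD-SA-12:04.sysret.  Added
 * illustration, not FreeBSD's trap.c.  Assumptions: 48-bit virtual addresses
 * (bits 63..47 must all be equal for an address to be canonical) and the
 * amd64 layout where user space is the entire lower canonical half, so that
 * VM_MAXUSER_ADDRESS is the first address above user space.
 */
#define VA_BITS            48
#define VM_MAXUSER_ADDRESS 0x0000800000000000ULL

enum sysret_verdict {
    RET_SYSRET,      /* return to user with sysret as usual */
    RET_KILL_SIGBUS  /* do not sysret; signal the thread instead (model's choice) */
};

/* Canonical form: the top (64 - VA_BITS + 1) bits are all 0 or all 1. */
bool is_canonical(uint64_t va)
{
    uint64_t top = va >> (VA_BITS - 1);          /* bits 63..47 */
    uint64_t all = UINT64_MAX >> (VA_BITS - 1);  /* 0x1ffff */
    return top == 0 || top == all;
}

/* A user thread may only resume at an address inside user space. */
bool is_user_address(uint64_t va)
{
    return va < VM_MAXUSER_ADDRESS;
}

/*
 * sysret loads %rip from the saved frame, which user code controls.  If that
 * %rip is non-canonical the resulting #GP is taken while still in ring 0
 * but with the user's %rsp already loaded, which is the condition the
 * advisory addresses.  Rejecting every non-user %rip covers the
 * non-canonical case and the kernel-half case with one comparison.
 */
enum sysret_verdict check_return_rip(uint64_t rip)
{
    return is_user_address(rip) ? RET_SYSRET : RET_KILL_SIGBUS;
}

/* Property of the model: anything the check lets through is canonical. */
bool accepted_implies_canonical(uint64_t rip)
{
    return check_return_rip(rip) != RET_SYSRET || is_canonical(rip);
}

int main(void)
{
    /* Constructed sample return addresses, not taken from any real trace. */
    static const uint64_t samples[] = {
        0x0000000000400000ULL,  /* typical text segment: fine */
        0x00007fffffffe000ULL,  /* top of user stack: fine */
        0x0000800000000000ULL,  /* first non-canonical address */
        0x0000ffff00000000ULL,  /* non-canonical */
        0xffffffff80000000ULL,  /* canonical but kernel half: still refused */
    };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        uint64_t rip = samples[i];
        printf("rip=%#018llx canonical=%d user=%d -> %s\n",
               (unsigned long long)rip, is_canonical(rip), is_user_address(rip),
               check_return_rip(rip) == RET_SYSRET ? "sysret" : "SIGBUS");
    }
    return 0;
}
```

The single comparison against VM_MAXUSER_ADDRESS is deliberately stricter than a pure canonicality test: a canonical kernel-half %rip would not make sysret fault, but it is never a legitimate user return address either, so the one check serves both purposes.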