From: "Simon L. B. Nielsen" <simon@FreeBSD.org>
Date: Tue, 19 Jun 2012 19:44:22 +0100
To: Steven Chamberlain
Cc: freebsd-security@freebsd.org, bz@freebsd.org
Subject: Re: Update for FreeBSD Security Advisory FreeBSD-SA-12:04.sysret for 8.1
In-Reply-To: <4FE0C1DA.2080809@pyro.eu.org>
References: <497105EC-3223-4E59-A6E6-F810A15BCA5C@FreeBSD.org> <4FE0C1DA.2080809@pyro.eu.org>

On 19 Jun 2012, at 19:15, Steven Chamberlain wrote:

> On 18/06/12 22:37, Simon L. B. Nielsen wrote:
>> Note that this is ONLY for FreeBSD 8.1. Other branches are OK.
>
> Having seen the correct fix now, I'm starting to wonder if the commit to
> RELENG_7_4 was really okay too?
>
> http://svnweb.freebsd.org/base/releng/7.4/sys/amd64/amd64/trap.c?annotate=236953#l975
>
> The inserted code does not appear at the end of the function, like it
> does now in all other versions including 8.1 which is the most similar.
>
> I expect this would at least trap if the exploit was attempted, but then
> it would omit the rest of the function, including userret(); would that
> have consequences?

From what our "kernel experts" (jhb/kib - sorry, can't recall who checked this) said, it should still work fine in the location it is in for 7.4.

-- 
Simon L. B. Nielsen