Date: Tue, 7 Mar 2006 21:26:05 GMT From: John Baldwin <jhb@FreeBSD.org> To: Perforce Change Reviews <perforce@freebsd.org> Subject: PERFORCE change 92934 for review Message-ID: <200603072126.k27LQ5Lq034726@repoman.freebsd.org>
http://perforce.freebsd.org/chv.cgi?CH=92934 Change 92934 by jhb@jhb_slimer on 2006/03/07 21:25:27 - suser() was called on the wrong thread (target rather than subject (if I have those terms right)) - No good can come from userland setting watchpoints in the kernel, not even as root. Affected files ... .. //depot/projects/smpng/sys/amd64/amd64/machdep.c#50 edit .. //depot/projects/smpng/sys/i386/i386/machdep.c#103 edit .. //depot/projects/smpng/sys/pc98/pc98/machdep.c#10 edit Differences ...
==== //depot/projects/smpng/sys/amd64/amd64/machdep.c#50 (text+ko) ====
@@ -1749,8 +1749,7 @@
 * could halt the system by setting a breakpoint in the kernel
 * (if ddb was enabled). Thus, we need to check to make sure
 * that no breakpoints are being enabled for addresses outside
- * process's address space, unless, perhaps, we were called by
- * uid 0.
+ * process's address space.
 *
 * XXX - what about when the watched area of the user's
 * address space is written into from within the kernel
@@ -1758,27 +1757,25 @@
 * from within kernel mode?
 */
- if (suser(td) != 0) {
- if (dbregs->dr[7] & 0x3) {
- /* dr0 is enabled */
- if (dbregs->dr[0] >= VM_MAXUSER_ADDRESS)
- return (EINVAL);
- }
- if (dbregs->dr[7] & 0x3<<2) {
- /* dr1 is enabled */
- if (dbregs->dr[1] >= VM_MAXUSER_ADDRESS)
- return (EINVAL);
- }
- if (dbregs->dr[7] & 0x3<<4) {
- /* dr2 is enabled */
- if (dbregs->dr[2] >= VM_MAXUSER_ADDRESS)
- return (EINVAL);
- }
- if (dbregs->dr[7] & 0x3<<6) {
- /* dr3 is enabled */
- if (dbregs->dr[3] >= VM_MAXUSER_ADDRESS)
- return (EINVAL);
- }
+ if (dbregs->dr[7] & 0x3) {
+ /* dr0 is enabled */
+ if (dbregs->dr[0] >= VM_MAXUSER_ADDRESS)
+ return (EINVAL);
+ }
+ if (dbregs->dr[7] & 0x3<<2) {
+ /* dr1 is enabled */
+ if (dbregs->dr[1] >= VM_MAXUSER_ADDRESS)
+ return (EINVAL);
+ }
+ if (dbregs->dr[7] & 0x3<<4) {
+ /* dr2 is enabled */
+ if (dbregs->dr[2] >= VM_MAXUSER_ADDRESS)
+ return (EINVAL);
+ }
+ if (dbregs->dr[7] & 0x3<<6) {
+ /* dr3 is enabled */
+ if (dbregs->dr[3] >= VM_MAXUSER_ADDRESS)
+ return (EINVAL);
 }
 pcb->pcb_dr0 = dbregs->dr[0];
==== //depot/projects/smpng/sys/i386/i386/machdep.c#103 (text+ko) ====
@@ -2801,8 +2801,7 @@
 * could halt the system by setting a breakpoint in the kernel
 * (if ddb was enabled). Thus, we need to check to make sure
 * that no breakpoints are being enabled for addresses outside
- * process's address space, unless, perhaps, we were called by
- * uid 0.
+ * process's address space.
 *
 * XXX - what about when the watched area of the user's
 * address space is written into from within the kernel
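Review bot: In the amd64 `machdep.c` hunk at -1758, each debug address is compared with `VM_MAXUSER_ADDRESS` only when its two enable bits in `dr[7]` are set, while the context line `pcb->pcb_dr0 = dbregs->dr[0];` after the checks appears to store the address regardless. A kernel address in a currently disabled register is therefore accepted into the pcb, which is safe only if no other path can set the DR7 enable bits without repeating this check; that cannot be confirmed here because the function begins and ends outside the hunk. I would record the assumption above the first test, e.g. `/* Only enabled registers are range-checked; any other code that sets DR7 enable bits must repeat this check. */`. The i386 hunk at -2810 and the pc98 hunk at -2641 have the same shape.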
@@ -2810,30 +2809,28 @@
 * from within kernel mode?
 */
- if (suser(td) != 0) {
- if (dbregs->dr[7] & 0x3) {
- /* dr0 is enabled */
- if (dbregs->dr[0] >= VM_MAXUSER_ADDRESS)
- return (EINVAL);
- }
+ if (dbregs->dr[7] & 0x3) {
+ /* dr0 is enabled */
+ if (dbregs->dr[0] >= VM_MAXUSER_ADDRESS)
+ return (EINVAL);
+ }
- if (dbregs->dr[7] & (0x3<<2)) {
- /* dr1 is enabled */
- if (dbregs->dr[1] >= VM_MAXUSER_ADDRESS)
- return (EINVAL);
- }
+ if (dbregs->dr[7] & (0x3<<2)) {
+ /* dr1 is enabled */
+ if (dbregs->dr[1] >= VM_MAXUSER_ADDRESS)
+ return (EINVAL);
+ }
- if (dbregs->dr[7] & (0x3<<4)) {
- /* dr2 is enabled */
- if (dbregs->dr[2] >= VM_MAXUSER_ADDRESS)
- return (EINVAL);
- }
+ if (dbregs->dr[7] & (0x3<<4)) {
+ /* dr2 is enabled */
+ if (dbregs->dr[2] >= VM_MAXUSER_ADDRESS)
+ return (EINVAL);
+ }
- if (dbregs->dr[7] & (0x3<<6)) {
- /* dr3 is enabled */
- if (dbregs->dr[3] >= VM_MAXUSER_ADDRESS)
- return (EINVAL);
- }
+ if (dbregs->dr[7] & (0x3<<6)) {
+ /* dr3 is enabled */
+ if (dbregs->dr[3] >= VM_MAXUSER_ADDRESS)
+ return (EINVAL);
 }
 pcb->pcb_dr0 = dbregs->dr[0];
==== //depot/projects/smpng/sys/pc98/pc98/machdep.c#10 (text+ko) ====
@@ -2632,8 +2632,7 @@
 * could halt the system by setting a breakpoint in the kernel
 * (if ddb was enabled). Thus, we need to check to make sure
 * that no breakpoints are being enabled for addresses outside
- * process's address space, unless, perhaps, we were called by
- * uid 0.
+ * process's address space.
 *
 * XXX - what about when the watched area of the user's
 * address space is written into from within the kernel
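Review bot: The four dr0–dr3 blocks in the i386 `machdep.c` hunk at -2810 differ only in the register index and the shift, and the same text is repeated in the amd64 and pc98 hunks, where the amd64 copy already writes the mask as `0x3<<2` instead of `(0x3<<2)` (the same value, since `<<` binds tighter than `&`, but easier to misread). A loop would keep this security check identical across the three files: `for (i = 0; i < 4; i++)` followed by `if ((dbregs->dr[7] & (0x3 << (i * 2))) != 0 && dbregs->dr[i] >= VM_MAXUSER_ADDRESS)` and `return (EINVAL);`. It needs an `int i` declared at the top of the function, which lies outside the hunk.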
@@ -2641,30 +2640,28 @@
 * from within kernel mode?
 */
- if (suser(td) != 0) {
- if (dbregs->dr[7] & 0x3) {
- /* dr0 is enabled */
- if (dbregs->dr[0] >= VM_MAXUSER_ADDRESS)
- return (EINVAL);
- }
+ if (dbregs->dr[7] & 0x3) {
+ /* dr0 is enabled */
+ if (dbregs->dr[0] >= VM_MAXUSER_ADDRESS)
+ return (EINVAL);
+ }
- if (dbregs->dr[7] & (0x3<<2)) {
- /* dr1 is enabled */
- if (dbregs->dr[1] >= VM_MAXUSER_ADDRESS)
- return (EINVAL);
- }
+ if (dbregs->dr[7] & (0x3<<2)) {
+ /* dr1 is enabled */
+ if (dbregs->dr[1] >= VM_MAXUSER_ADDRESS)
+ return (EINVAL);
+ }
- if (dbregs->dr[7] & (0x3<<4)) {
- /* dr2 is enabled */
- if (dbregs->dr[2] >= VM_MAXUSER_ADDRESS)
- return (EINVAL);
- }
+ if (dbregs->dr[7] & (0x3<<4)) {
+ /* dr2 is enabled */
+ if (dbregs->dr[2] >= VM_MAXUSER_ADDRESS)
+ return (EINVAL);
+ }
- if (dbregs->dr[7] & (0x3<<6)) {
- /* dr3 is enabled */
- if (dbregs->dr[3] >= VM_MAXUSER_ADDRESS)
- return (EINVAL);
- }
+ if (dbregs->dr[7] & (0x3<<6)) {
+ /* dr3 is enabled */
+ if (dbregs->dr[3] >= VM_MAXUSER_ADDRESS)
+ return (EINVAL);
 }
 pcb->pcb_dr0 = dbregs->dr[0];