Date: Thu, 12 Jul 2012 15:11:33 -0700
From: Xin Li <delphij@delphij.net>
To: Bill Crisp <bcrisp@crispernetworks.com>
Cc: freebsd-hackers@freebsd.org
Subject: Re: CVE-2012-0217 Intel's sysret Kernel Privilege Escalation and FreeBSD 6.2/6.3
Message-ID: <4FFF4B95.9080105@delphij.net>
In-Reply-To: <CAOmNS514kLwq=MpGbwL324MQGQYrCAgM9ByaocRujjG1M55%2BTg@mail.gmail.com>
References: <CAOmNS514kLwq=MpGbwL324MQGQYrCAgM9ByaocRujjG1M55%2BTg@mail.gmail.com>

On 07/12/12 09:36, Bill Crisp wrote:
> Good Morning!
>
> This was also posted to the FreeBSD forums:
>
> I have been researching CVE-2012-0217 and while I have patched the kernels
> on servers with 7.3/8.2 that I have, I would like to see if anyone knows
> for sure if 6.2/6.3 are also vulnerable? I am aware that those kernels are
> out of support from looking at the documentation. I have looked at the code
> in trap.c to see if the current patch would work with 6.3 source but it
> won't based on what I saw. I am also aware of upgrading as an option to
> resolve this; unfortunately, in some cases I have, this is not possible right
> now.

I believe that 6.x are vulnerable. You will have to backport the change (something like this against sys/amd64/amd64/trap.c, in syscall() right after PTRACESTOP_SC(p, td, S_PT_SCX);

Add:

+ /* + * If the user-supplied value of %rip is not a canonical + * address, then some CPUs will trigger a ring 0 #GP during + * the sysret instruction. However, the fault handler would + * execute with the user's %gs and %rsp in ring 0 which would + * not be safe. Instead, preemptively kill the thread with a + * SIGBUS. + */ + if (td->td_frame->tf_rip>= VM_MAXUSER_ADDRESS) { + ksiginfo_init_trap(&ksi); + ksi.ksi_signo = SIGBUS; + ksi.ksi_code = BUS_OBJERR; + ksi.ksi_trapno = T_PROTFLT; + ksi.ksi_addr = (void *)td->td_frame->tf_rip; + trapsignal(td,&ksi); + }

Right before:

WITNESS_WARN(...)

Cheers,
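
Review bot: The `if` body uses `ksi` (`ksiginfo_init_trap(&ksi);`, `trapsignal(td,&ksi);`), but none of the added lines declare it, so the fragment only builds if syscall() in the target tree already has a `ksi` local in scope. For the 6.x backport discussed here, check that the tree's syscall() declares it and that `ksiginfo_init_trap()` and a `trapsignal()` accepting `&ksi` exist there; if not, add the declaration or adapt the signal delivery to what that tree provides. The comment speaks of a non-canonical %rip while the test is `td->td_frame->tf_rip>= VM_MAXUSER_ADDRESS`, which rejects every address at or above the user limit, not only non-canonical ones; a few words in the comment saying the broader comparison is intentional would help. The placement is given only in prose (after `PTRACESTOP_SC(p, td, S_PT_SCX);`, before `WITNESS_WARN(...)`), so a diff with real context lines would make the backport less error-prone.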