From owner-freebsd-hackers@FreeBSD.ORG Fri Jul 13 15:09:15 2012
From: John Baldwin <jhb@freebsd.org>
To: "Poul-Henning Kamp"
Cc: freebsd-hackers@freebsd.org, Bill Crisp
Date: Fri, 13 Jul 2012 11:02:14 -0400
Subject: Re: CVE-2012-0217 Intel's sysret Kernel Privilege Escalation and FreeBSD 6.2/6.3
Message-Id: <201207131102.14379.jhb@freebsd.org>
In-Reply-To: <44644.1342190524@critter.freebsd.dk>
References: <44644.1342190524@critter.freebsd.dk>
List-Id: Technical Discussions relating to FreeBSD

On Friday, July 13, 2012 10:42:04 am Poul-Henning Kamp wrote:
> In message <201207130831.59211.jhb@freebsd.org>, John Baldwin writes:
>
> >Every FreeBSD/amd64 kernel in existence is vulnerable. In truth, my personal
> >opinion is that Intel screwed up their implementation of that instruction
> >whereas AMD got it right, and we are merely working around Intel's CPU bug.
> >:(
>
> Given that the instruction set of AMD64 is defined by AMD originally,
> while Intel was trying very hard to ram Itanic down everybody's
> throat, that diagnosis is a given: Intel copied AMD, and the difference
> in functionality is a screwup on Intel's part, even if they documented
> their screwup in their manual.
>
> TL;DR: Which part of "compatible" doesn't Intel get?

In this case, I believe they were just lazy and reused some existing block to
manage this exception case without properly thinking through the security
implications of using a user-supplied stack pointer to handle a fault.

-- 
John Baldwin
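The failure mode John describes (a fault taken in kernel mode while the stack pointer already holds a user-supplied value) is the core of CVE-2012-0217: on Intel CPUs, SYSRET raises #GP at CPL 0 when the return RIP in RCX is non-canonical, and by that point the kernel has typically already loaded the user's RSP, since SYSRET does not restore the stack pointer itself. The standard defensive answer is to check the return address before choosing the fast path and fall back to IRET, which validates the target before it switches stacks. The C below is an added illustration of that decision, written for this page; it is not code from the thread or from the FreeBSD kernel. The `trapframe` struct, the function names, and the 48-bit `VA_BITS` assumption (4-level paging) are all hypothetical choices made for the example.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/*
 * Simulated return-to-user-mode decision (added illustration, not FreeBSD code).
 * VA_BITS assumes 4-level paging; with 5-level paging it would be 57.
 */
#define VA_BITS 48

/* A 64-bit address is canonical when bits 63..47 are all copies of bit 47. */
bool is_canonical(uint64_t addr)
{
    uint64_t top = addr >> (VA_BITS - 1);                  /* the 17 high bits */
    uint64_t all_ones = (1ULL << (64 - VA_BITS + 1)) - 1;  /* 0x1ffff */
    return top == 0 || top == all_ones;
}

enum return_path { RETURN_SYSRET, RETURN_IRET };

/* Hypothetical user-mode trap frame: only the fields the decision needs. */
struct trapframe {
    uint64_t tf_rip;   /* user RIP that SYSRET would load from RCX */
    uint64_t tf_rsp;   /* user RSP the kernel loads before SYSRET */
};

/*
 * Pick the instruction used to return to user mode.
 *
 * SYSRET is the fast path, but on Intel CPUs a non-canonical RIP makes it raise
 * #GP while still at CPL 0, after the kernel has already moved the user-supplied
 * RSP into the stack pointer. The #GP handler then runs on a stack the user chose.
 *
 * IRET checks the popped RIP for canonicality before it pops RSP/SS, so a bad
 * RIP faults while the kernel is still on its own stack. Using IRET for any
 * non-canonical return address removes the window.
 */
enum return_path choose_return_path(const struct trapframe *tf)
{
    if (!is_canonical(tf->tf_rip))
        return RETURN_IRET;
    return RETURN_SYSRET;
}

static const char *path_name(enum return_path p)
{
    return p == RETURN_SYSRET ? "SYSRET" : "IRET";
}

int main(void)
{
    /* Constructed sample frames: one ordinary user return, one with a
     * non-canonical RIP of the kind an unprivileged process can request. */
    struct trapframe normal = { .tf_rip = 0x00007f0000001000ULL, .tf_rsp = 0x00007ffffffe0000ULL };
    struct trapframe hostile = { .tf_rip = 0x0000800000000000ULL, .tf_rsp = 0x00007ffffffe0000ULL };

    printf("rip=%#018llx -> %s\n", (unsigned long long)normal.tf_rip,
           path_name(choose_return_path(&normal)));
    printf("rip=%#018llx -> %s\n", (unsigned long long)hostile.tf_rip,
           path_name(choose_return_path(&hostile)));
    return 0;
}
```

Build with `cc -std=c99 -Wall sysret_check.c`; the first frame takes the SYSRET path and the second is routed to IRET. The cost of the check is two shifts and a compare on every system-call return, which is why it is the usual mitigation rather than giving up SYSRET entirely.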