From owner-svn-src-all@FreeBSD.ORG Tue Jun 12 12:10:12 2012 Return-Path: Delivered-To: svn-src-all@freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [69.147.83.52]) by hub.freebsd.org (Postfix) with ESMTP id AE4071065672; Tue, 12 Jun 2012 12:10:12 +0000 (UTC) (envelope-from bz@FreeBSD.org) Received: from svn.freebsd.org (svn.freebsd.org [IPv6:2001:4f8:fff6::2c]) by mx1.freebsd.org (Postfix) with ESMTP id 4AE5D8FC15; Tue, 12 Jun 2012 12:10:12 +0000 (UTC) Received: from svn.freebsd.org (localhost [127.0.0.1]) by svn.freebsd.org (8.14.4/8.14.4) with ESMTP id q5CCAC08052402; Tue, 12 Jun 2012 12:10:12 GMT (envelope-from bz@svn.freebsd.org) Received: (from bz@localhost) by svn.freebsd.org (8.14.4/8.14.4/Submit) id q5CCACFm052400; Tue, 12 Jun 2012 12:10:12 GMT (envelope-from bz@svn.freebsd.org) Message-Id: <201206121210.q5CCACFm052400@svn.freebsd.org> From: "Bjoern A. Zeeb" Date: Tue, 12 Jun 2012 12:10:12 +0000 (UTC) To: src-committers@freebsd.org, svn-src-all@freebsd.org, svn-src-stable@freebsd.org, svn-src-stable-9@freebsd.org X-SVN-Group: stable-9 MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Cc: Subject: svn commit: r236953 - head/sys/amd64/amd64 releng/7.4 releng/7.4/contrib/bind9/lib/dns releng/7.4/sys/amd64/amd64 releng/7.4/sys/conf releng/8.1 releng/8.1/contrib/bind9/lib/dns releng/8.1/sys/amd6... X-BeenThere: svn-src-all@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: "SVN commit messages for the entire src tree \(except for " user" and " projects" \)" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Tue, 12 Jun 2012 12:10:12 -0000 Author: bz Date: Tue Jun 12 12:10:10 2012 New Revision: 236953 URL: http://svn.freebsd.org/changeset/base/236953 Log: Fix a problem where zero-length RDATA fields can cause named(8) to crash. [12:03] Correct a privilege escalation when returning from kernel if running FreeBSD/amd64 on non-AMD processors. [12:04] Fix reference count errors in IPv6 code. [EN-12:02] Security: CVE-2012-1667 Security: FreeBSD-SA-12:03.bind Security: CVE-2012-0217 Security: FreeBSD-SA-12:04.sysret Security: FreeBSD-EN-12:02.ipv6refcount Approved by: so (simon, bz) Modified: stable/9/sys/amd64/amd64/trap.c Changes in other areas also in this revision: Modified: head/sys/amd64/amd64/trap.c releng/7.4/UPDATING releng/7.4/contrib/bind9/lib/dns/rdata.c releng/7.4/contrib/bind9/lib/dns/rdataslab.c releng/7.4/sys/amd64/amd64/trap.c releng/7.4/sys/conf/newvers.sh releng/8.1/UPDATING releng/8.1/contrib/bind9/lib/dns/rdata.c releng/8.1/contrib/bind9/lib/dns/rdataslab.c releng/8.1/sys/amd64/amd64/trap.c releng/8.1/sys/conf/newvers.sh releng/8.1/sys/netinet/tcp_input.c releng/8.1/sys/netinet6/in6.c releng/8.1/sys/netinet6/ip6_input.c releng/8.2/UPDATING releng/8.2/contrib/bind9/lib/dns/rdata.c releng/8.2/contrib/bind9/lib/dns/rdataslab.c releng/8.2/sys/amd64/amd64/trap.c releng/8.2/sys/conf/newvers.sh releng/8.2/sys/netinet/tcp_input.c releng/8.2/sys/netinet6/in6.c releng/8.2/sys/netinet6/ip6_input.c releng/8.3/UPDATING releng/8.3/contrib/bind9/lib/dns/rdata.c releng/8.3/contrib/bind9/lib/dns/rdataslab.c releng/8.3/sys/amd64/amd64/trap.c releng/8.3/sys/conf/newvers.sh releng/8.3/sys/netinet/tcp_input.c releng/8.3/sys/netinet6/in6.c releng/8.3/sys/netinet6/ip6_input.c releng/9.0/UPDATING releng/9.0/contrib/bind9/lib/dns/rdata.c releng/9.0/contrib/bind9/lib/dns/rdataslab.c releng/9.0/sys/amd64/amd64/trap.c releng/9.0/sys/conf/newvers.sh releng/9.0/sys/netinet/tcp_input.c releng/9.0/sys/netinet6/in6.c releng/9.0/sys/netinet6/ip6_input.c stable/7/contrib/bind9/lib/dns/rdata.c stable/7/contrib/bind9/lib/dns/rdataslab.c stable/7/sys/amd64/amd64/trap.c stable/8/sys/amd64/amd64/trap.c Modified: stable/9/sys/amd64/amd64/trap.c ============================================================================== --- stable/9/sys/amd64/amd64/trap.c Tue Jun 12 11:08:51 2012 (r236952) +++ stable/9/sys/amd64/amd64/trap.c Tue Jun 12 12:10:10 2012 (r236953) @@ -977,4 +977,21 @@ amd64_syscall(struct thread *td, int tra syscallname(td->td_proc, sa.code))); syscallret(td, error, &sa); + + /* + * If the user-supplied value of %rip is not a canonical + * address, then some CPUs will trigger a ring 0 #GP during + * the sysret instruction. However, the fault handler would + * execute with the user's %gs and %rsp in ring 0 which would + * not be safe. Instead, preemptively kill the thread with a + * SIGBUS. + */ + if (td->td_frame->tf_rip >= VM_MAXUSER_ADDRESS) { + ksiginfo_init_trap(&ksi); + ksi.ksi_signo = SIGBUS; + ksi.ksi_code = BUS_OBJERR; + ksi.ksi_trapno = T_PROTFLT; + ksi.ksi_addr = (void *)td->td_frame->tf_rip; + trapsignal(td, &ksi); + } }