[Midnightbsd-cvs] src: exception.S: amd64 swapgs local privilege escalation fix.

laffer1 at midnightbsd.org laffer1 at midnightbsd.org
Wed Sep 3 22:12:13 EDT 2008 

Log Message:
-----------
amd64 swapgs local privilege escalation fix.  CVE-2008-3890

Modified Files:
--------------
    src/sys/amd64/amd64:
        exception.S (r1.1.1.1 -> r1.2)

-------------- next part --------------
Index: exception.S
===================================================================
RCS file: /home/cvs/src/sys/amd64/amd64/exception.S,v
retrieving revision 1.1.1.1
retrieving revision 1.2
diff -L sys/amd64/amd64/exception.S -L sys/amd64/amd64/exception.S -u -r1.1.1.1 -r1.2
--- sys/amd64/amd64/exception.S
+++ sys/amd64/amd64/exception.S
@@ -27,7 +27,7 @@
  * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
  * SUCH DAMAGE.
  *
- * $FreeBSD: src/sys/amd64/amd64/exception.S,v 1.125.2.1 2005/09/03 11:57:28 jkoshy Exp $
+ * $FreeBSD: src/sys/amd64/amd64/exception.S,v 1.129.2.1 2007/11/21 16:38:54 jhb Exp $
  */
 
 #include "opt_atpic.h"
@@ -165,6 +165,7 @@
 	.globl	calltrap
 	.type	calltrap, at function
 calltrap:
+	movq	%rsp, %rdi
 	call	trap
 	MEXITCOUNT
 	jmp	doreti			/* Handle any pending ASTs */
@@ -186,10 +187,28 @@
 IDTVEC(dblfault)
 	subq	$TF_ERR,%rsp
 	movq	$T_DOUBLEFLT,TF_TRAPNO(%rsp)
+	movq	$0,TF_ADDR(%rsp)
+	movq	$0,TF_ERR(%rsp)
+	movq	%rdi,TF_RDI(%rsp)
+	movq	%rsi,TF_RSI(%rsp)
+	movq	%rdx,TF_RDX(%rsp)
+	movq	%rcx,TF_RCX(%rsp)
+	movq	%r8,TF_R8(%rsp)
+	movq	%r9,TF_R9(%rsp)
+	movq	%rax,TF_RAX(%rsp)
+	movq	%rbx,TF_RBX(%rsp)
+	movq	%rbp,TF_RBP(%rsp)
+	movq	%r10,TF_R10(%rsp)
+	movq	%r11,TF_R11(%rsp)
+	movq	%r12,TF_R12(%rsp)
+	movq	%r13,TF_R13(%rsp)
+	movq	%r14,TF_R14(%rsp)
+	movq	%r15,TF_R15(%rsp)
 	testb	$SEL_RPL_MASK,TF_CS(%rsp) /* Did we come from kernel? */
 	jz	1f			/* already running with kernel GS.base */
 	swapgs
-1:	call	dblfault_handler
+1:	movq	%rsp, %rdi
+	call	dblfault_handler
 2:	hlt
 	jmp	2b
 
@@ -267,6 +286,7 @@
 	movq	%r14,TF_R14(%rsp)	/* C preserved */
 	movq	%r15,TF_R15(%rsp)	/* C preserved */
 	FAKE_MCOUNT(TF_RIP(%rsp))
+	movq	%rsp, %rdi
 	call	syscall
 	movq	PCPU(CURPCB),%rax
 	testq	$PCB_FULLCTX,PCB_FLAGS(%rax)
@@ -363,6 +383,7 @@
 /* Note: this label is also used by ddb and gdb: */
 nmi_calltrap:
 	FAKE_MCOUNT(TF_RIP(%rsp))
+	movq	%rsp, %rdi
 	call	trap
 	MEXITCOUNT
 	testl	%ebx,%ebx
@@ -509,13 +530,10 @@
 	.globl	doreti_iret_fault
 doreti_iret_fault:
 	subq	$TF_RIP,%rsp		/* space including tf_err, tf_trapno */
-	testb	$SEL_RPL_MASK,TF_CS(%rsp) /* Did we come from kernel? */
-	jz	1f			/* already running with kernel GS.base */
-	swapgs
-1:	testl	$PSL_I,TF_RFLAGS(%rsp)
-	jz	2f
+	testl	$PSL_I,TF_RFLAGS(%rsp)
+	jz	1f
 	sti
-2:	movq	%rdi,TF_RDI(%rsp)
+1:	movq	%rdi,TF_RDI(%rsp)
 	movq	%rsi,TF_RSI(%rsp)
 	movq	%rdx,TF_RDX(%rsp)
 	movq	%rcx,TF_RCX(%rsp)

More information about the Midnightbsd-cvs mailing list