svn commit: r268471 - head/sys/amd64/amd64
Konstantin Belousov
kib at FreeBSD.org
Wed Jul 9 21:39:41 UTC 2014
Author: kib
Date: Wed Jul 9 21:39:40 2014
New Revision: 268471
URL: http://svnweb.freebsd.org/changeset/base/268471
Log:
For safety, ensure that any consumer of the set_regs() and
ptrace_set_pc() use the correct return to userspace using iret.
The signal return, PT_CONTINUE (which in fact uses signal return path)
set the pcb flag already. The setcontext(2) enforces iret return when
%rip is incorrect. Due to this, the change is redundant, but is made
to ensure that no path which modifies context forgets to set
PCB_FULL_IRET.
Inspired by: CVE-2014-4699
Reviewed by: jhb
Sponsored by: The FreeBSD Foundation
MFC after: 1 week
Modified:
head/sys/amd64/amd64/machdep.c
Modified: head/sys/amd64/amd64/machdep.c
==============================================================================
--- head/sys/amd64/amd64/machdep.c Wed Jul 9 21:07:20 2014 (r268470)
+++ head/sys/amd64/amd64/machdep.c Wed Jul 9 21:39:40 2014 (r268471)
@@ -2144,7 +2144,9 @@ makectx(struct trapframe *tf, struct pcb
int
ptrace_set_pc(struct thread *td, unsigned long addr)
{
+
td->td_frame->tf_rip = addr;
+ set_pcb_flags(td->td_pcb, PCB_FULL_IRET);
return (0);
}
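Review bot: the added blank line at the top of ptrace_set_pc() is the style(9) form for a function with no local declarations, so it is a correct style change rather than stray whitespace. Setting PCB_FULL_IRET unconditionally right after the tf_rip store matches the log's intent that every caller rewriting the return %rip goes back to userspace through the iret path; nothing further needed here.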
@@ -2244,8 +2246,8 @@ set_regs(struct thread *td, struct reg *
tp->tf_fs = regs->r_fs;
tp->tf_gs = regs->r_gs;
tp->tf_flags = TF_HASSEGS;
- set_pcb_flags(td->td_pcb, PCB_FULL_IRET);
}
+ set_pcb_flags(td->td_pcb, PCB_FULL_IRET);
return (0);
}
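Review bot: moving set_pcb_flags(td->td_pcb, PCB_FULL_IRET) out of the block that ends at the closing brace and placing it directly before return (0) makes the flag unconditional for set_regs(); previously it was only set when that block executed, so a caller that changed registers without going through the segment-register block did not force the iret return. The hunk context does not show the condition guarding that block, so confirm there is no early return between the segment assignments and the new call, and that the removed line was the only place this flag was set inside set_regs().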