amd64: clear callee-preserved registers on syscall exit

Submitted by: kib Approved by: so Security: CVE-2019-5595 Security: FreeBSD-SA-19:01.syscall
author: emaste <emaste@FreeBSD.org> 2019-02-05 18:07:45 +0000
committer: emaste <emaste@FreeBSD.org> 2019-02-05 18:07:45 +0000
commit: 3cdc87ea01fc2d12e6c16d27520d7554cf07dc8e (patch)
tree: b56669b4f0ea983a7ff9485ce378beba02f5a29f
parent: 859a3eff7065774c4fe9b196133c1eba19ffcb86 (diff)
download: FreeBSD-src-3cdc87ea01fc2d12e6c16d27520d7554cf07dc8e.zip
FreeBSD-src-3cdc87ea01fc2d12e6c16d27520d7554cf07dc8e.tar.gz
1 files changed, 4 insertions, 2 deletions
diff --git a/sys/amd64/amd64/exception.S b/sys/amd64/amd64/exception.S
index b7e88e6..c35cea9 100644
--- a/sys/amd64/amd64/exception.S
+++ b/sys/amd64/amd64/exception.S
@@ -496,12 +496,14 @@ fast_syscall_common:
 	movq	TF_RFLAGS(%rsp),%r11	/* original %rflags */
 	movq	TF_RIP(%rsp),%rcx	/* original %rip */
 	movq	TF_RSP(%rsp),%rsp	/* user stack pointer */
+	xorl	%r8d,%r8d		/* zero the rest of GPRs */
+	xorl	%r10d,%r10d
 	cmpb	$0,pti
 	je	2f
 	movq	PCPU(UCR3),%r9
 	movq	%r9,%cr3
-	xorl	%r9d,%r9d
-2:	swapgs
+2:	xorl	%r9d,%r9d
+	swapgs
 	sysretq
 
 3:	/* AST scheduled. */
author	emaste <emaste@FreeBSD.org>	2019-02-05 18:07:45 +0000
committer	emaste <emaste@FreeBSD.org>	2019-02-05 18:07:45 +0000
commit	3cdc87ea01fc2d12e6c16d27520d7554cf07dc8e (patch)
tree	b56669b4f0ea983a7ff9485ce378beba02f5a29f
parent	859a3eff7065774c4fe9b196133c1eba19ffcb86 (diff)
download	FreeBSD-src-3cdc87ea01fc2d12e6c16d27520d7554cf07dc8e.zip FreeBSD-src-3cdc87ea01fc2d12e6c16d27520d7554cf07dc8e.tar.gz