author | Renato Botelho <renato@netgate.com> | 2018-05-08 13:01:44 -0300 |
---|---|---|
committer | Renato Botelho <renato@netgate.com> | 2018-05-08 13:01:44 -0300 |
commit | 70d1caf0ad967030b2ce835dc0f116ed1733c82c (patch) | |
tree | d8d3e5c39f96c4f1a230eb163d57b858f4339f57 /sys/amd64/amd64/mp_machdep.c | |
parent | 77c0e2e68638110a69edb20c8beaf1f288912b09 (diff) | |
download | FreeBSD-src-70d1caf0ad967030b2ce835dc0f116ed1733c82c.zip FreeBSD-src-70d1caf0ad967030b2ce835dc0f116ed1733c82c.tar.gz |
Proposed fix for CVE-2018-8897
Diffstat (limited to 'sys/amd64/amd64/mp_machdep.c')
-rw-r--r-- | sys/amd64/amd64/mp_machdep.c | 11 |
1 files changed, 11 insertions, 0 deletions
diff --git a/sys/amd64/amd64/mp_machdep.c b/sys/amd64/amd64/mp_machdep.c
index 450d512..34a05e9 100644
--- a/sys/amd64/amd64/mp_machdep.c
+++ b/sys/amd64/amd64/mp_machdep.c
@@ -87,6 +87,7 @@ extern struct pcpu __pcpu[];
 char *doublefault_stack;
 char *mce_stack;
 char *nmi_stack;
+char *dbg_stack;
 
 /*
  * Local data and functions.
@@ -225,6 +226,10 @@ init_secondary(void)
 	np = ((struct nmi_pcpu *) &mce_stack[PAGE_SIZE]) - 1;
 	common_tss[cpu].tss_ist3 = (long) np;
 
+	/* The DB# stack runs on IST4. */
+	np = ((struct nmi_pcpu *) &dbg_stack[PAGE_SIZE]) - 1;
+	common_tss[cpu].tss_ist4 = (long) np;
+
 	/* Prepare private GDT */
 	gdt_segs[GPROC0_SEL].ssd_base = (long) &common_tss[cpu];
 	for (x = 0; x < NGDT; x++) {
@@ -270,6 +275,10 @@ init_secondary(void)
 	np = ((struct nmi_pcpu *) &mce_stack[PAGE_SIZE]) - 1;
 	np->np_pcpu = (register_t) pc;
 
+	/* Save the per-cpu pointer for use by the DB# handler. */
+	np = ((struct nmi_pcpu *) &dbg_stack[PAGE_SIZE]) - 1;
+	np->np_pcpu = (register_t) pc;
+
 	wrmsr(MSR_FSBASE, 0);		/* User value */
 	wrmsr(MSR_GSBASE, (u_int64_t)pc);
 	wrmsr(MSR_KGSBASE, (u_int64_t)pc);	/* XXX User value while we're in the kernel */
@@ -368,6 +377,8 @@ native_start_all_aps(void)
 	    M_WAITOK | M_ZERO);
 	nmi_stack = (char *)kmem_malloc(kernel_arena, PAGE_SIZE,
 	    M_WAITOK | M_ZERO);
+	dbg_stack = (char *)kmem_malloc(kernel_arena, PAGE_SIZE,
+	    M_WAITOK | M_ZERO);
 	dpcpu = (void *)kmem_malloc(kernel_arena, DPCPU_SIZE,
 	    M_WAITOK | M_ZERO);
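Review bot: The new global `char *dbg_stack;` in the first hunk is undocumented, and the only explanation of what it is for lives in a comment two hunks later inside init_secondary(); a trailing comment such as `char *dbg_stack;	/* DB# (IST4) stack for the AP being started; see init_secondary() */` would keep the fourth stack pointer as self-describing as the code that consumes it. Populating `common_tss[cpu].tss_ist4` and `np->np_pcpu` only has an effect if the #DB IDT gate actually selects IST 4, which is configured outside this file and is not visible on this page, so the rest of the CVE-2018-8897 change should be checked for that gate setup before this part is considered complete. The allocation in the last hunk appears to follow the same pattern as `nmi_stack`, presumably inside a per-AP loop so that each AP receives its own zeroed page; if that loop is not per-AP, every AP would share one `dbg_stack` and overwrite the same `np_pcpu` slot, so that assumption is worth confirming against the surrounding code. Both init_secondary() and native_start_all_aps() begin and end outside the hunks shown.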