Fix security holes in sigreturn(), ptrace() and procfs. sigreturn()

attempted to check for insecure and fatal eflags and segment
selectors, but missed many cases and got the IOPL check back to
front.  The other syscalls didn't check at all.

sys_process.c, machdep.c:
Only allow PT_WRITE_U to write to the registers (ordinary and FP).

psl.h, locore.s, machdep.c:
Eliminate PSL_MBZ, PSL_MBO and PSL_USERCLR.  We are not supposed
to assume anything about the reserved bits.  Use PSL_USERCHANGE
and PSL_KERNEL instead.  Rename PSL_USERSET to PSL_USER.

exception.s:
Define a private label for use by doreti when returning to user
mode fails.

machdep.c:
In syscalls, allow changing only the eflags that can be changed on
486's in user mode (no longer attempt to allow benign IOPL changes;
allow changing the nasty PSL_NT; don't allow changing the i586
bits).

Don't attempt to check all the cases involving invalid selectors
and %eip's.  Just check for privilege violations and let the invalid
things cause a trap.

procfs_machdep.c:
Call the ptrace register functions to do all the work for reading
and writing ordinary registers and for single stepping.

trap.c:
Ignore traps caused by PSL_NT being set.  Previously, users could
cause a fatal trap in user mode by setting PSL_NT and executing an
iret, and a fatal trap in kernel mode by setting PSL_NT and making
a syscall.  PSL_NT was cleared too late and not in enough modes to
fix the problem.

Make all traps in user mode (except T_NMI) nonfatal.

Recover from traps caused by attempting to load invalid user
registers in doreti by restarting the traps so that they appear to
occur in user mode.
---

Fix bogons that I noticed while fixing the above:

psl.h:
Fix some comments.

Uniformize idempotency ifdef.

exception.s, machdep.c:
Remove rsvd[0-14].  rsvd0 hasn't been reserved since the 486 came
out.  Replace rsvd0 by `align'.  rsvd[0-11] used wrong (magic
non-unique) trap numbers.  Replace rsvd[1-14] by rsvd.

locore.s:
Enable alignment check flag on 486's and 586's.

machdep.c:
Use a better type for kstack[].

Use TFREGP() to find the registers.

Reformat ptrace functions from SEF to something closer to KNF.

procfs_machdep.c:
The wrong pointer to the registers got fixed as a side effect.

Implement reading and writing of FP registers.

/proc/*/*regs now work (only) for processes that are in memory.

Clean up comments.

trap.c, trap.h:
Remove unused trap types.

1 files changed, 28 insertions, 9 deletions

diff --git a/sys/amd64/include/psl.h b/sys/amd64/include/psl.h
index 906acd4..3d96dbc 100644
--- a/sys/amd64/include/psl.h
+++ b/sys/amd64/include/psl.h
@@ -34,11 +34,11 @@
  * SUCH DAMAGE.
  *
  *	from: @(#)psl.h	5.2 (Berkeley) 1/18/91
- *	$Id: psl.h,v 1.4 1994/02/24 00:21:12 hsu Exp $
+ *	$Id: psl.h,v 1.5 1994/08/10 03:51:18 wollman Exp $
  */
 
 #ifndef _MACHINE_PSL_H_
-#define _MACHINE_PSL_H_ 1
+#define	_MACHINE_PSL_H_
 
 /*
  * 386 processor status longword.
@@ -52,18 +52,37 @@
 #define	PSL_I		0x00000200	/* interrupt enable bit */
 #define	PSL_D		0x00000400	/* string instruction direction bit */
 #define	PSL_V		0x00000800	/* overflow bit */
-#define	PSL_IOPL	0x00003000	/* i/o priviledge level enable */
+#define	PSL_IOPL	0x00003000	/* i/o privilege level */
 #define	PSL_NT		0x00004000	/* nested task bit */
-#define	PSL_RF		0x00010000	/* restart flag bit */
+#define	PSL_RF		0x00010000	/* resume flag bit */
 #define	PSL_VM		0x00020000	/* virtual 8086 mode bit */
 #define	PSL_AC		0x00040000	/* alignment checking */
 #define	PSL_VIF		0x00080000	/* virtual interrupt enable */
 #define	PSL_VIP		0x00100000	/* virtual interrupt pending */
 #define	PSL_ID		0x00200000	/* identification bit */
 
-#define	PSL_MBZ		0xffc08028	/* must be zero bits */
-#define	PSL_MBO		0x00000002	/* must be one bits */
+/*
+ * The i486 manual says that we are not supposed to change reserved flags,
+ * but this is too much trouble since the reserved flags depend on the cpu
+ * and setting them to their historical values works in practice.
+ */
+#define	PSL_RESERVED_DEFAULT	0x00000002
+
+/*
+ * Initial flags for kernel and user mode.  The kernel later inherits
+ * PSL_I and some other flags from user mode.
+ */
+#define	PSL_KERNEL	PSL_RESERVED_DEFAULT
+#define	PSL_USER	(PSL_RESERVED_DEFAULT | PSL_I)
+
+/*
+ * Bits that can be changed in user mode on 486's.  We allow these bits
+ * to be changed using ptrace(), sigreturn() and procfs.  Setting PS_NT
+ * is undesireable but it may as well be allowed since users can inflict
+ * it on the kernel directly.  Changes to PSL_AC are silently ignored on
+ * 386's.
+ */
+#define	PSL_USERCHANGE (PSL_C | PSL_PF | PSL_AF | PSL_Z | PSL_N | PSL_T \
+			| PSL_D | PSL_V | PSL_NT | PSL_AC)
 
-#define	PSL_USERSET	(PSL_MBO | PSL_I)
-#define	PSL_USERCLR	(PSL_MBZ | PSL_NT)
-#endif /* _MACHINE_PSL_H_ */
+#endif /* !_MACHINE_PSL_H_ */