diff options
author | bz <bz@FreeBSD.org> | 2012-06-12 12:10:10 +0000 |
---|---|---|
committer | bz <bz@FreeBSD.org> | 2012-06-12 12:10:10 +0000 |
commit | 5f1573508a5735b60204147b552da072229b7615 (patch) | |
tree | ba6c791cf9787d92e70cd7ec425f052d08fc3b77 /sys/amd64 | |
parent | 2836cfaf805f7b751e904f8f53aaf421aafdb66f (diff) | |
download | FreeBSD-src-5f1573508a5735b60204147b552da072229b7615.zip FreeBSD-src-5f1573508a5735b60204147b552da072229b7615.tar.gz |
Fix a problem where zero-length RDATA fields can cause named(8) to crash.
[12:03]
Correct a privilege escalation when returning from kernel if
running FreeBSD/amd64 on non-AMD processors. [12:04]
Fix reference count errors in IPv6 code. [EN-12:02]
Security: CVE-2012-1667
Security: FreeBSD-SA-12:03.bind
Security: CVE-2012-0217
Security: FreeBSD-SA-12:04.sysret
Security: FreeBSD-EN-12:02.ipv6refcount
Approved by: so (simon, bz)
Diffstat (limited to 'sys/amd64')
-rw-r--r-- | sys/amd64/amd64/trap.c | 17 |
1 files changed, 17 insertions, 0 deletions
diff --git a/sys/amd64/amd64/trap.c b/sys/amd64/amd64/trap.c index ffacb87..4216fd3 100644 --- a/sys/amd64/amd64/trap.c +++ b/sys/amd64/amd64/trap.c @@ -972,4 +972,21 @@ amd64_syscall(struct thread *td, int traced) syscallname(td->td_proc, sa.code))); syscallret(td, error, &sa); + + /* + * If the user-supplied value of %rip is not a canonical + * address, then some CPUs will trigger a ring 0 #GP during + * the sysret instruction. However, the fault handler would + * execute with the user's %gs and %rsp in ring 0 which would + * not be safe. Instead, preemptively kill the thread with a + * SIGBUS. + */ + if (td->td_frame->tf_rip >= VM_MAXUSER_ADDRESS) { + ksiginfo_init_trap(&ksi); + ksi.ksi_signo = SIGBUS; + ksi.ksi_code = BUS_OBJERR; + ksi.ksi_trapno = T_PROTFLT; + ksi.ksi_addr = (void *)td->td_frame->tf_rip; + trapsignal(td, &ksi); + } } |