author | davidxu <davidxu@FreeBSD.org> | 2006-05-28 06:51:57 +0000
---|---|---
committer | davidxu <davidxu@FreeBSD.org> | 2006-05-28 06:51:57 +0000
commit | dc6d8065e601f808e8fa40f8ddea459edd78d5d0 (patch) |
tree | 7bdcfa75af80577efab5a44b84aa998c37617b90 /sys/i386 |
parent | 99d1c6dae68deb26981f4347d44794d6c568df31 (diff) |
download | FreeBSD-src-dc6d8065e601f808e8fa40f8ddea459edd78d5d0.zip, FreeBSD-src-dc6d8065e601f808e8fa40f8ddea459edd78d5d0.tar.gz |
Clear the high 16 bits of the mxcsr register; according to the Intel document, if
the high 16 bits are non-zero, the fxrstor instruction will generate a GP fault,
resulting in a kernel crash. This bug can be triggered by setcontext and
ptrace(PT_SETXMMREGS).
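The sanitising step this commit performs, written out as an added example (this is not FreeBSD's code and not part of the commit). It generalises the fix slightly: instead of a fixed 0xFFFF it derives the set of accepted MXCSR bits from the MXCSR_MASK field of an fxsave image the kernel produced itself, which is how the Intel SDM defines the valid bits (offsets 24 and 28 in the 512-byte FXSAVE image, and the 0xFFBF default when the mask field reads zero, are from the SDM). The function names, and the fxsave images built in main(), are constructed for the demonstration; the "would fault" check is offered as the reject-rather-than-clear alternative.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/*
 * Layout facts from the Intel SDM (FXSAVE/FXRSTOR): MXCSR lives at byte
 * offset 24 of the 512-byte image and MXCSR_MASK at offset 28.  If the
 * MXCSR_MASK field reads 0, the CPU's valid-bit mask is 0x0000FFBF.
 */
#define FXSAVE_SIZE            512
#define FXSAVE_MXCSR_OFF       24
#define FXSAVE_MXCSR_MASK_OFF  28
#define MXCSR_DEFAULT_MASK     0x0000FFBFu
#define MXCSR_POWERON          0x00001F80u   /* reset value: all exceptions masked */

static uint32_t rd32(const uint8_t *p) { uint32_t v; memcpy(&v, p, sizeof v); return v; }
static void     wr32(uint8_t *p, uint32_t v) { memcpy(p, &v, sizeof v); }

/* Valid MXCSR bits, taken from an fxsave image the kernel produced itself
 * (hypothetical helper; the kernel would read this once at boot). */
uint32_t mxcsr_valid_mask(const uint8_t trusted[FXSAVE_SIZE])
{
    uint32_t m = rd32(trusted + FXSAVE_MXCSR_MASK_OFF);
    return m != 0 ? m : MXCSR_DEFAULT_MASK;
}

/* Reject-style check: would fxrstor of this image #GP because of MXCSR? */
int mxcsr_would_fault(const uint8_t untrusted[FXSAVE_SIZE], uint32_t valid_mask)
{
    return (rd32(untrusted + FXSAVE_MXCSR_OFF) & ~valid_mask) != 0;
}

/* Clear-style fix (what the commit does, but with the CPU's real mask).
 * Returns the bits that were stripped, 0 if the image was already clean. */
uint32_t mxcsr_sanitize(uint8_t untrusted[FXSAVE_SIZE], uint32_t valid_mask)
{
    uint32_t before = rd32(untrusted + FXSAVE_MXCSR_OFF);
    wr32(untrusted + FXSAVE_MXCSR_OFF, before & valid_mask);
    return before & ~valid_mask;
}

/* Build a constructed fxsave image (not captured from a CPU) for the demo. */
void make_fxsave(uint8_t img[FXSAVE_SIZE], uint32_t mxcsr, uint32_t mxcsr_mask)
{
    memset(img, 0, FXSAVE_SIZE);
    wr32(img + FXSAVE_MXCSR_OFF, mxcsr);
    wr32(img + FXSAVE_MXCSR_MASK_OFF, mxcsr_mask);
}

int main(void)
{
    uint8_t kernel_img[FXSAVE_SIZE], user_img[FXSAVE_SIZE];
    uint32_t mask, stripped;

    /* A CPU that reports no MXCSR_MASK: the SDM says use 0xFFBF (no DAZ). */
    make_fxsave(kernel_img, MXCSR_POWERON, 0);
    mask = mxcsr_valid_mask(kernel_img);

    /* Userland hands us an image with junk in the high half and DAZ set. */
    make_fxsave(user_img, 0xDEAD1FC0u, 0);
    printf("valid mask 0x%08x, would fault: %d\n",
           mask, mxcsr_would_fault(user_img, mask));
    stripped = mxcsr_sanitize(user_img, mask);
    printf("stripped 0x%08x, mxcsr now 0x%08x\n",
           stripped, rd32(user_img + FXSAVE_MXCSR_OFF));
    return 0;
}
```

With the constructed input the high half 0xDEAD and the DAZ bit (bit 6) are stripped, leaving 0x1F80; on a CPU whose MXCSR_MASK reports 0xFFFF the same input keeps DAZ and only the high half is removed, which is the case the commit's 0xFFFF mask handles.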
Diffstat (limited to 'sys/i386')

mode | file | lines
---|---|---
-rw-r--r-- | sys/i386/i386/machdep.c | 3
-rw-r--r-- | sys/i386/i386/ptrace_machdep.c | 2

2 files changed, 5 insertions, 0 deletions
diff --git a/sys/i386/i386/machdep.c b/sys/i386/i386/machdep.c index 279544a..ce4891f 100644 --- a/sys/i386/i386/machdep.c +++ b/sys/i386/i386/machdep.c @@ -2710,6 +2710,9 @@ set_fpcontext(struct thread *td, const mcontext_t *mcp) bcopy(&mcp->mc_fpstate, addr, sizeof(mcp->mc_fpstate)); } #ifdef DEV_NPX + /* clear high 16 bits of mxcsr to avoid security problem. */ + if (cpu_fxsr) + addr->sv_xmm.sv_env.en_mxcsr &= 0xFFFF; /* * XXX we violate the dubious requirement that npxsetregs() * be called with interrupts disabled. diff --git a/sys/i386/i386/ptrace_machdep.c b/sys/i386/i386/ptrace_machdep.c index 32105d6..b002651 100644 --- a/sys/i386/i386/ptrace_machdep.c +++ b/sys/i386/i386/ptrace_machdep.c @@ -59,6 +59,8 @@ cpu_ptrace(struct thread *td, int req, void *addr, int data) case PT_SETXMMREGS: error = copyin(addr, &td->td_pcb->pcb_save.sv_xmm, sizeof(td->td_pcb->pcb_save.sv_xmm)); + /* clear high 16 bits of mxcsr to avoid security problem. */ + td->td_pcb->pcb_save.sv_xmm.sv_env.en_mxcsr &= 0xFFFF; break; default: |
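Review bot: in the set_fpcontext() hunk of machdep.c, the comment above `addr->sv_xmm.sv_env.en_mxcsr &= 0xFFFF;` says only "to avoid security problem"; put the concrete reason in the code (reserved MXCSR bits make the later fxrstor raise a GP fault in the kernel, as the commit message explains) so a future reader does not loosen the mask. The `if (cpu_fxsr)` guard is correct, since `en_mxcsr` only exists in the fxsave layout, but 0xFFFF keeps every low bit unconditionally: the Intel documentation defines the accepted bits through the MXCSR_MASK field of the fxsave image (0xFFBF when that field reads zero), and bit 6 (DAZ) is reserved on CPUs that do not implement it, so masking with the CPU's reported MXCSR_MASK rather than a literal 0xFFFF is the robust form of this check.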
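Review bot: in the PT_SETXMMREGS hunk of ptrace_machdep.c, the new mask is applied even when `copyin()` returned an error, and unlike the machdep.c hunk it has no `cpu_fxsr` guard; write it as `if (error == 0) td->td_pcb->pcb_save.sv_xmm.sv_env.en_mxcsr &= 0xFFFF;` (a cpu_fxsr check earlier in cpu_ptrace() would cover the other point, but none is visible in this hunk) and replace the duplicated "avoid security problem" comment with the actual reason, the fxrstor GP fault on reserved MXCSR bits. The same remark about preferring the CPU's MXCSR_MASK over a fixed 0xFFFF applies here, since this stores straight into the thread's live `pcb_save` area.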