Clear high 16 bits of mxcsr register, according to Intel document, if

the high 16 bits is non-zero, fxrstor instruction will generate GP fault,
resulting kernel crash, this bug can be triggered by setcontext and
ptrace(PT_SETXMMREGS).

2 files changed, 5 insertions, 0 deletions

diff --git a/sys/i386/i386/machdep.c b/sys/i386/i386/machdep.c
index 279544a..ce4891f 100644
--- a/sys/i386/i386/machdep.c
+++ b/sys/i386/i386/machdep.c
@@ -2710,6 +2710,9 @@ set_fpcontext(struct thread *td, const mcontext_t *mcp)
 			bcopy(&mcp->mc_fpstate, addr, sizeof(mcp->mc_fpstate));
 		}
 #ifdef DEV_NPX
+		/* clear high 16 bits of mxcsr to avoid security problem. */
+		if (cpu_fxsr)
+			addr->sv_xmm.sv_env.en_mxcsr &= 0xFFFF;
 		/*
 		 * XXX we violate the dubious requirement that npxsetregs()
 		 * be called with interrupts disabled.
diff --git a/sys/i386/i386/ptrace_machdep.c b/sys/i386/i386/ptrace_machdep.c
index 32105d6..b002651 100644
--- a/sys/i386/i386/ptrace_machdep.c
+++ b/sys/i386/i386/ptrace_machdep.c
@@ -59,6 +59,8 @@ cpu_ptrace(struct thread *td, int req, void *addr, int data)
 	case PT_SETXMMREGS:
 		error = copyin(addr, &td->td_pcb->pcb_save.sv_xmm,
 		    sizeof(td->td_pcb->pcb_save.sv_xmm));
+		/* clear high 16 bits of mxcsr to avoid security problem. */
+		td->td_pcb->pcb_save.sv_xmm.sv_env.en_mxcsr &= 0xFFFF;
 		break;
 
 	default: