The branch main has been updated by kib:

URL: 
https://cgit.FreeBSD.org/src/commit/?id=a03e4799e76bdfe432f560d96448895ba6ee6133

commit a03e4799e76bdfe432f560d96448895ba6ee6133
Author:     Konstantin Belousov <[email protected]>
AuthorDate: 2022-08-22 01:20:28 +0000
Commit:     Konstantin Belousov <[email protected]>
CommitDate: 2022-08-24 19:11:49 +0000

    irettraps: i386 does not push %ss/%esp when exception does not switch rings
    
    Which means that we must not copy top 8 bytes from the trampoline stack
    for the exception frame to the regular thread kstack.  As consequence,
    this stops corruption of the pcb.  The visible effect was often a broken
    fork(2) on the CPU where the corruption occurred.
    
    Account for the detail by subtracting 8 from the copy byte count when
    moving exception frames from the trampoline to the regular stack.
    
    [irettraps handles segmentation/stack/protection faults which could
    occur on the doreti path, where we might already switched stack and
    address space]
    
    Reported and tested by: pho
    Reviewed by:    jhb
    Sponsored by:   The FreeBSD Foundation
    MFC after:      1 week
    Differential revision:  https://reviews.freebsd.org/D36302
---
 sys/i386/i386/exception.s | 9 +++++----
 1 file changed, 5 insertions(+), 4 deletions(-)

diff --git a/sys/i386/i386/exception.s b/sys/i386/i386/exception.s
index 42e9c474c3cd..5eef9c1d512c 100644
--- a/sys/i386/i386/exception.s
+++ b/sys/i386/i386/exception.s
@@ -229,22 +229,23 @@ irettraps:
        leal    (doreti_iret - 1b)(%ebx), %edx
        cmpl    %edx, TF_EIP(%esp)
        jne     2f
-       movl    $(2 * TF_SZ - TF_EIP), %ecx
+       /* -8 because exception did not switch ring */
+       movl    $(2 * TF_SZ - TF_EIP - 8), %ecx
        jmp     6f
 2:     leal    (doreti_popl_ds - 1b)(%ebx), %edx
        cmpl    %edx, TF_EIP(%esp)
        jne     3f
-       movl    $(2 * TF_SZ - TF_DS), %ecx
+       movl    $(2 * TF_SZ - TF_DS - 8), %ecx
        jmp     6f
 3:     leal    (doreti_popl_es - 1b)(%ebx), %edx
        cmpl    %edx, TF_EIP(%esp)
        jne     4f
-       movl    $(2 * TF_SZ - TF_ES), %ecx
+       movl    $(2 * TF_SZ - TF_ES - 8), %ecx
        jmp     6f
 4:     leal    (doreti_popl_fs - 1b)(%ebx), %edx
        cmpl    %edx, TF_EIP(%esp)
        jne     5f
-       movl    $(2 * TF_SZ - TF_FS), %ecx
+       movl    $(2 * TF_SZ - TF_FS - 8), %ecx
        jmp     6f
        /* kernel mode, normal */
 5:     jmp     calltrap
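Review bot: The `- 8` correction is repeated on the four `movl` lines (TF_EIP, TF_DS, TF_ES, TF_FS cases) but explained only once, at the TF_EIP case, so a reader of the other three has to scan back to learn why the copy count is short by 8. Defining the quantity once next to the TF_* frame definitions (constructed name, e.g. `TF_NOSWITCH_ADJ`) and writing `movl $(2 * TF_SZ - TF_EIP - TF_NOSWITCH_ADJ), %ecx` in each case would keep the four cases in sync if the frame layout ever changes. The single comment could also name what the 8 bytes are: `/* -8: same-ring fault, so %ss/%esp were not pushed */`. The destination of the `jmp 6f` copies, where %ecx is consumed, lies outside the hunk, so whether the count is used only as a byte count there is inferred from the commit message rather than visible here.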
