CVS commit: [netbsd-6-0] src/sys/compat/linux/arch/amd64

[Soren Jacobsen]

Module Name:    src
Committed By:   snj
Date:           Tue Feb 14 16:57:57 UTC 2017

Modified Files:
        src/sys/compat/linux/arch/amd64 [netbsd-6-0]: linux_machdep.c

Log Message:
Pull up following revision(s) (requested by maxv in ticket #1433):
        sys/compat/linux/arch/amd64/linux_machdep.c: 1.50, 1.51
Don't let userland choose %rip. This is the Intel Sysret vulnerability
again.
--
Make sure %rip is in userland. This is harmless, since the return to
userland is made with iret instead of sysret in this path. While here, use
size_t.


To generate a diff of this commit:
cvs rdiff -u -r1.39 -r1.39.10.1 \
    src/sys/compat/linux/arch/amd64/linux_machdep.c

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.


Modified files:

Index: src/sys/compat/linux/arch/amd64/linux_machdep.c
diff -u src/sys/compat/linux/arch/amd64/linux_machdep.c:1.39 src/sys/compat/linux/arch/amd64/linux_machdep.c:1.39.10.1
--- src/sys/compat/linux/arch/amd64/linux_machdep.c:1.39	Fri Nov 18 04:07:43 2011
+++ src/sys/compat/linux/arch/amd64/linux_machdep.c	Tue Feb 14 16:57:57 2017
@@ -1,4 +1,4 @@
-/*	$NetBSD: linux_machdep.c,v 1.39 2011/11/18 04:07:43 christos Exp $ */
+/*	$NetBSD: linux_machdep.c,v 1.39.10.1 2017/02/14 16:57:57 snj Exp $ */
 
 /*-
  * Copyright (c) 2005 Emmanuel Dreyfus, all rights reserved.
@@ -33,7 +33,7 @@
 
 #include <sys/cdefs.h>
 
-__KERNEL_RCSID(0, "$NetBSD: linux_machdep.c,v 1.39 2011/11/18 04:07:43 christos Exp $");
+__KERNEL_RCSID(0, "$NetBSD: linux_machdep.c,v 1.39.10.1 2017/02/14 16:57:57 snj Exp $");
 
 #include <sys/param.h>
 #include <sys/types.h>
@@ -254,7 +254,12 @@ linux_sendsig(const ksiginfo_t *ksi, con
 	if (error != 0) {
 		sigexit(l, SIGILL);
 		return;
-	}	
+	}
+
+	if ((vaddr_t)catcher >= VM_MAXUSER_ADDRESS) {
+		sigexit(l, SIGILL);
+		return;
+	}
 
 	linux_buildcontext(l, catcher, sp);
 	tf->tf_rdi = sigframe.info.lsi_signo;
@@ -485,7 +490,7 @@ linux_usertrap(struct lwp *l, vaddr_t tr
 {
 	struct trapframe *tf = arg;
 	uint64_t retaddr;
-	int vsyscallnr;
+	size_t vsyscallnr;
 
 	/*
 	 * Check for a vsyscall. %rip must be the fault address,
@@ -515,6 +520,8 @@ linux_usertrap(struct lwp *l, vaddr_t tr
 	 */
 	if (copyin((void *)tf->tf_rsp, &retaddr, sizeof retaddr) != 0)
 		return 0;
+	if ((vaddr_t)retaddr >= VM_MAXUSER_ADDRESS)
+		return 0;
 	tf->tf_rip = retaddr;
 	tf->tf_rax = linux_vsyscall_to_syscall[vsyscallnr];
 	tf->tf_rsp += 8;	/* "pop" the return address */