Module Name: src Committed By: snj Date: Sat Sep 9 16:57:34 UTC 2017
Modified Files: src/sys/compat/linux32/arch/amd64 [netbsd-7-0]: linux32_machdep.c Log Message: Pull up following revision(s) (requested by maxv in ticket #1507): sys/compat/linux32/arch/amd64/linux32_machdep.c: revision 1.39 Fix a ring0 escalation vulnerability in compat_linux32 where the index of %cs is controlled by userland, making it easy to trigger the page fault and get kernel privileges. To generate a diff of this commit: cvs rdiff -u -r1.36 -r1.36.8.1 \ src/sys/compat/linux32/arch/amd64/linux32_machdep.c Please note that diffs are not public domain; they are subject to the copyright notices on the relevant files.
Modified files:
Index: src/sys/compat/linux32/arch/amd64/linux32_machdep.c
diff -u src/sys/compat/linux32/arch/amd64/linux32_machdep.c:1.36 src/sys/compat/linux32/arch/amd64/linux32_machdep.c:1.36.8.1
--- src/sys/compat/linux32/arch/amd64/linux32_machdep.c:1.36	Wed Feb 19 21:45:01 2014
+++ src/sys/compat/linux32/arch/amd64/linux32_machdep.c	Sat Sep 9 16:57:34 2017
@@ -1,4 +1,4 @@
-/* $NetBSD: linux32_machdep.c,v 1.36 2014/02/19 21:45:01 dsl Exp $ */
+/* $NetBSD: linux32_machdep.c,v 1.36.8.1 2017/09/09 16:57:34 snj Exp $ */
 
 /*-
  * Copyright (c) 2006 Emmanuel Dreyfus, all rights reserved.
@@ -31,7 +31,7 @@
  * POSSIBILITY OF SUCH DAMAGE.
  */
 #include <sys/cdefs.h>
-__KERNEL_RCSID(0, "$NetBSD: linux32_machdep.c,v 1.36 2014/02/19 21:45:01 dsl Exp $");
+__KERNEL_RCSID(0, "$NetBSD: linux32_machdep.c,v 1.36.8.1 2017/09/09 16:57:34 snj Exp $");
 
 #include <sys/param.h>
 #include <sys/proc.h>
@@ -417,8 +417,9 @@ linux32_restore_sigcontext(struct lwp *l
 	/*
 	 * Check for security violations.
 	 */
-	if (((scp->sc_eflags ^ tf->tf_rflags) & PSL_USERSTATIC) != 0 ||
-	    !USERMODE(scp->sc_cs, scp->sc_eflags))
+	if (((scp->sc_eflags ^ tf->tf_rflags) & PSL_USERSTATIC) != 0)
+		return EINVAL;
+	if (!VALID_USER_CSEL32(scp->sc_cs))
 		return EINVAL;
 	if (scp->sc_fs != 0 && !VALID_USER_DSEL32(scp->sc_fs) &&