Author: jhibbits
Date: Sat Nov 16 16:36:20 2019
New Revision: 354776
URL: https://svnweb.freebsd.org/changeset/base/354776

Log:
  powerpcspe: Don't leak kernel registers in SPE dumps
  
  save_vec_int() for SPE saves off only the high word of the register, leaving
  the low word as "garbage", but really containing whatever was in the kernel
  register at the time.  This leaks into core dumps, and in a near future
  commit also into ptrace.  Instead, save the GPR in the low word in
  save_vec_nodrop(), which is used only for core dumps and ptrace.

Modified:
  head/sys/powerpc/booke/spe.c

Modified: head/sys/powerpc/booke/spe.c
==============================================================================
--- head/sys/powerpc/booke/spe.c        Sat Nov 16 16:27:31 2019        
(r354775)
+++ head/sys/powerpc/booke/spe.c        Sat Nov 16 16:36:20 2019        
(r354776)
@@ -176,19 +176,28 @@ save_vec(struct thread *td)
 
 /*
  * Save SPE state without dropping ownership.  This will only save state if
- * the current vector-thread is `td'.
+ * the current vector-thread is `td'.  This is used for taking core dumps, so
+ * don't leak kernel information; overwrite the low words of each vector with
+ * their real value, taken from the thread's trap frame, unconditionally.
  */
 void
 save_vec_nodrop(struct thread *td)
 {
        struct thread *vtd;
+       struct pcb *pcb;
+       int i;
 
        vtd = PCPU_GET(vecthread);
-       if (td != vtd) {
-               return;
+       if (td == vtd) {
+               save_vec_int(td);
        }
 
-       save_vec_int(td);
+       pcb = td->td_pcb;
+
+       for (i = 0; i < 32; i++) {
+               pcb->pcb_vec.vr[i][1] =
+                   td->td_frame ? td->td_frame->fixreg[i] : 0;
+       }
 }
 
 
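Review bot: The new comment says the low words are overwritten with their real value "unconditionally", but the loop body `pcb->pcb_vec.vr[i][1] = td->td_frame ? td->td_frame->fixreg[i] : 0;` stores 0 when the thread has no trap frame, so the comment should say that threads without a user trap frame get zeroed low words rather than frame values; that is the right defensive choice for the leak being fixed, since it guarantees no kernel register value survives in the dumped slot either way, but it is worth stating. The hard-coded `32` in `for (i = 0; i < 32; i++)` also ties the loop to the GPR count by convention only; if `pcb_vec.vr` is a fixed-size array, `nitems(pcb->pcb_vec.vr)` would keep the bound in step with the structure definition. Finally, since `save_vec_int()` still writes the stale low word first when `td == vtd` and this function then repairs it, a one-line note in `save_vec_int()` that the low word is only meaningful after `save_vec_nodrop()` would stop a future caller from relying on the raw `save_vec_int()` output for anything user-visible.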
_______________________________________________
svn-src-all@freebsd.org mailing list
https://lists.freebsd.org/mailman/listinfo/svn-src-all
To unsubscribe, send any mail to "svn-src-all-unsubscr...@freebsd.org"
