Module Name: src
Committed By: snj
Date: Sat Sep 9 17:01:23 UTC 2017
Modified Files:
src/sys/compat/linux32/arch/amd64 [netbsd-8]: linux32_machdep.c
Log Message:
Pull up following revision(s) (requested by maxv in ticket #270):
sys/compat/linux32/arch/amd64/linux32_machdep.c: revision 1.39
Fix a ring0 escalation vulnerability in compat_linux32 where the
index of %cs is controlled by userland, making it easy to trigger
the page fault and get kernel privileges.
To generate a diff of this commit:
cvs rdiff -u -r1.38 -r1.38.6.1 \
src/sys/compat/linux32/arch/amd64/linux32_machdep.c
Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.
Modified files:
Index: src/sys/compat/linux32/arch/amd64/linux32_machdep.c
diff -u src/sys/compat/linux32/arch/amd64/linux32_machdep.c:1.38 src/sys/compat/linux32/arch/amd64/linux32_machdep.c:1.38.6.1
--- src/sys/compat/linux32/arch/amd64/linux32_machdep.c:1.38 Sun Feb 5 08:52:11 2017
+++ src/sys/compat/linux32/arch/amd64/linux32_machdep.c Sat Sep 9 17:01:23 2017
@@ -1,4 +1,4 @@
-/* $NetBSD: linux32_machdep.c,v 1.38 2017/02/05 08:52:11 maxv Exp $ */
+/* $NetBSD: linux32_machdep.c,v 1.38.6.1 2017/09/09 17:01:23 snj Exp $ */
/*-
* Copyright (c) 2006 Emmanuel Dreyfus, all rights reserved.
@@ -31,7 +31,7 @@
* POSSIBILITY OF SUCH DAMAGE.
*/
#include <sys/cdefs.h>
-__KERNEL_RCSID(0, "$NetBSD: linux32_machdep.c,v 1.38 2017/02/05 08:52:11 maxv Exp $");
+__KERNEL_RCSID(0, "$NetBSD: linux32_machdep.c,v 1.38.6.1 2017/09/09 17:01:23 snj Exp $");
#include <sys/param.h>
#include <sys/proc.h>
@@ -417,8 +417,9 @@ linux32_restore_sigcontext(struct lwp *l
/*
* Check for security violations.
*/
- if (((scp->sc_eflags ^ tf->tf_rflags) & PSL_USERSTATIC) != 0 ||
- !USERMODE(scp->sc_cs, scp->sc_eflags))
+ if (((scp->sc_eflags ^ tf->tf_rflags) & PSL_USERSTATIC) != 0)
+ return EINVAL;
+ if (!VALID_USER_CSEL32(scp->sc_cs))
return EINVAL;
if (scp->sc_fs != 0 && !VALID_USER_DSEL32(scp->sc_fs) &&
