Module Name:    src
Committed By:   snj
Date:           Sun Apr  8 06:14:18 UTC 2018

Modified Files:
        src/sys/arch/amd64/amd64 [netbsd-8]: trap.c

Log Message:
Pull up following revision(s) (requested by maxv in ticket #705):
        sys/arch/amd64/amd64/trap.c: 1.113
Mmh. We shouldn't read %cr2 here. %cr2 is initialized by the CPU only
during page faults (T_PAGEFLT), so here we're reading a value that comes
from a previous page fault.
That's a real problem; if you launch an unprivileged process, set up a
signal handler, make it sleep 10 seconds, and trigger a T_ALIGNFLT fault,
you get in si_addr the address of another LWP's page - and perhaps this
can be used to defeat userland ASLR.
This bug has been there since 2003.


To generate a diff of this commit:
cvs rdiff -u -r1.96.4.2 -r1.96.4.3 src/sys/arch/amd64/amd64/trap.c

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.

Modified files:

Index: src/sys/arch/amd64/amd64/trap.c
diff -u src/sys/arch/amd64/amd64/trap.c:1.96.4.2 src/sys/arch/amd64/amd64/trap.c:1.96.4.3
--- src/sys/arch/amd64/amd64/trap.c:1.96.4.2	Thu Mar 22 16:59:03 2018
+++ src/sys/arch/amd64/amd64/trap.c	Sun Apr  8 06:14:18 2018
@@ -1,4 +1,4 @@
-/*	$NetBSD: trap.c,v 1.96.4.2 2018/03/22 16:59:03 martin Exp $	*/
+/*	$NetBSD: trap.c,v 1.96.4.3 2018/04/08 06:14:18 snj Exp $	*/
 
 /*-
  * Copyright (c) 1998, 2000 The NetBSD Foundation, Inc.
@@ -68,7 +68,7 @@
  */
 
 #include <sys/cdefs.h>
-__KERNEL_RCSID(0, "$NetBSD: trap.c,v 1.96.4.2 2018/03/22 16:59:03 martin Exp $");
+__KERNEL_RCSID(0, "$NetBSD: trap.c,v 1.96.4.3 2018/04/08 06:14:18 snj Exp $");
 
 #include "opt_ddb.h"
 #include "opt_kgdb.h"
@@ -389,7 +389,7 @@ copyfault:
 #endif
 		KSI_INIT_TRAP(&ksi);
 		ksi.ksi_trap = type & ~T_USER;
-		ksi.ksi_addr = (void *)rcr2();
+		ksi.ksi_addr = (void *)frame->tf_rip;
 		switch (type) {
 		case T_SEGNPFLT|T_USER:
 		case T_STKFLT|T_USER:
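Review bot: the new line `ksi.ksi_addr = (void *)frame->tf_rip;` should carry a short comment explaining why %cr2 is not read here, since the rationale lives only in the log message: %cr2 is loaded by the CPU only on T_PAGEFLT, so for the other user traps reaching this path it held a stale address from an earlier fault (possibly another LWP's) that leaked into si_addr. Because this hunk removes the only visible rcr2() read, the reviewer should also confirm that the T_PAGEFLT case is handled in a separate branch that still obtains the faulting address from %cr2, otherwise page-fault si_addr would silently change to the instruction pointer.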
