Module Name:    src
Committed By:   maxv
Date:           Wed May 16 08:16:36 UTC 2018

Modified Files:
        src/sys/arch/i386/i386: i386_trap.S trap.c

Log Message:
Mitigation for CVE-2018-8897 on i386. Contrary to amd64 there is no clear
way to determine if we are in kernel mode but with the user context; so we
go the hard way, and scan the IDT.

On i386 the bug is less of a problem, since we don't have GSBASE. All an
attacker can do is panicking the system.


To generate a diff of this commit:
cvs rdiff -u -r1.13 -r1.14 src/sys/arch/i386/i386/i386_trap.S
cvs rdiff -u -r1.293 -r1.294 src/sys/arch/i386/i386/trap.c

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.

Modified files:

Index: src/sys/arch/i386/i386/i386_trap.S
diff -u src/sys/arch/i386/i386/i386_trap.S:1.13 src/sys/arch/i386/i386/i386_trap.S:1.14
--- src/sys/arch/i386/i386/i386_trap.S:1.13	Fri Mar 16 12:48:54 2018
+++ src/sys/arch/i386/i386/i386_trap.S	Wed May 16 08:16:36 2018
@@ -1,4 +1,4 @@
-/*	$NetBSD: i386_trap.S,v 1.13 2018/03/16 12:48:54 maxv Exp $	*/
+/*	$NetBSD: i386_trap.S,v 1.14 2018/05/16 08:16:36 maxv Exp $	*/
 
 /*
  * Copyright 2002 (c) Wasabi Systems, Inc.
@@ -66,7 +66,7 @@
 
 #if 0
 #include <machine/asm.h>
-__KERNEL_RCSID(0, "$NetBSD: i386_trap.S,v 1.13 2018/03/16 12:48:54 maxv Exp $");
+__KERNEL_RCSID(0, "$NetBSD: i386_trap.S,v 1.14 2018/05/16 08:16:36 maxv Exp $");
 #endif
 
 /*
@@ -88,8 +88,49 @@ IDTVEC(trap00)
 	ZTRAP(T_DIVIDE)
 IDTVEC_END(trap00)
 
+/*
+ * Handle the SS shadow, CVE-2018-8897.
+ *
+ * We scan the IDT to determine if we hit an entry point. If so, we leave
+ * without restoring the segregs, because we could fault while doing that.
+ */
 IDTVEC(trap01)
+#ifndef XEN
+	pushl	$0
+	pushl	$T_TRCTRAP
+	INTRENTRY
+
+	testb	$SEL_UPL,TF_CS(%esp)
+	jnz	.Lnormal_dbentry
+
+	pushl	%esp
+	call	ss_shadow
+	addl	$4,%esp
+
+	cmpl	$1,%eax
+	jne	.Lnormal_dbentry
+
+	/* SS shadow, ignore the exception. */
+	xorl	%eax,%eax
+	movl	%eax,%dr6
+
+	/* INTRFASTEXIT, but without segregs. */
+	movl	TF_EDI(%esp),%edi
+	movl	TF_ESI(%esp),%esi
+	movl	TF_EBP(%esp),%ebp
+	movl	TF_EBX(%esp),%ebx
+	movl	TF_EDX(%esp),%edx
+	movl	TF_ECX(%esp),%ecx
+	movl	TF_EAX(%esp),%eax
+	addl	$(TF_PUSHSIZE+8),%esp
+	iret
+
+.Lnormal_dbentry:
+	STI(%eax)
+	jmp _C_LABEL(calltrap)
+#else
 	ZTRAP(T_TRCTRAP)
+#endif
 IDTVEC_END(trap01)
 
 /*

Index: src/sys/arch/i386/i386/trap.c
diff -u src/sys/arch/i386/i386/trap.c:1.293 src/sys/arch/i386/i386/trap.c:1.294
--- src/sys/arch/i386/i386/trap.c:1.293	Tue Feb 13 01:05:18 2018
+++ src/sys/arch/i386/i386/trap.c	Wed May 16 08:16:36 2018
@@ -1,5 +1,5 @@
 
-/*	$NetBSD: trap.c,v 1.293 2018/02/13 01:05:18 christos Exp $	*/
+/*	$NetBSD: trap.c,v 1.294 2018/05/16 08:16:36 maxv Exp $	*/
 
 /*-
  * Copyright (c) 1998, 2000, 2005, 2006, 2007, 2008 The NetBSD Foundation, Inc.
@@ -69,7 +69,7 @@
  */
 
 #include <sys/cdefs.h>
-__KERNEL_RCSID(0, "$NetBSD: trap.c,v 1.293 2018/02/13 01:05:18 christos Exp $");
+__KERNEL_RCSID(0, "$NetBSD: trap.c,v 1.294 2018/05/16 08:16:36 maxv Exp $");
 
 #include "opt_ddb.h"
 #include "opt_kgdb.h"
@@ -128,6 +128,7 @@ dtrace_doubletrap_func_t	dtrace_doubletr
 void trap(struct trapframe *);
 void trap_tss(struct i386tss *, int, int);
 void trap_return_fault_return(struct trapframe *) __dead;
+int ss_shadow(struct trapframe *tf);
 
 const char * const trap_type[] = {
 	"privileged instruction fault",		/*  0 T_PRIVINFLT */
@@ -236,6 +237,25 @@ trap_print(const struct trapframe *frame
 	    l, l->l_proc->p_pid, l->l_lid, KSTACK_LOWEST_ADDR(l));
 }
 
+int
+ss_shadow(struct trapframe *tf)
+{
+	struct gate_descriptor *gd;
+	uintptr_t eip, func;
+	size_t i;
+
+	eip = tf->tf_eip;
+
+	for (i = 0; i < 256; i++) {
+		gd = &idt[i];
+		func = (gd->gd_hioffset << 16) | gd->gd_looffset;
+		if (eip == func)
+			return 1;
+	}
+
+	return 0;
+}
+
 /*
  * trap(frame): exception, fault, and trap interface to BSD kernel.
  *

Reply via email to