Module Name: src
Committed By: maxv
Date: Wed May 16 08:16:36 UTC 2018
Modified Files:
src/sys/arch/i386/i386: i386_trap.S trap.c
Log Message:
Mitigation for CVE-2018-8897 on i386. Contrary to amd64 there is no clear
way to determine if we are in kernel mode but with the user context; so we
go the hard way, and scan the IDT.
On i386 the bug is less of a problem, since we don't have GSBASE. All an
attacker can do is panicking the system.
To generate a diff of this commit:
cvs rdiff -u -r1.13 -r1.14 src/sys/arch/i386/i386/i386_trap.S
cvs rdiff -u -r1.293 -r1.294 src/sys/arch/i386/i386/trap.c
Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.
Modified files:
Index: src/sys/arch/i386/i386/i386_trap.S
diff -u src/sys/arch/i386/i386/i386_trap.S:1.13 src/sys/arch/i386/i386/i386_trap.S:1.14
--- src/sys/arch/i386/i386/i386_trap.S:1.13 Fri Mar 16 12:48:54 2018
+++ src/sys/arch/i386/i386/i386_trap.S Wed May 16 08:16:36 2018
@@ -1,4 +1,4 @@
-/* $NetBSD: i386_trap.S,v 1.13 2018/03/16 12:48:54 maxv Exp $ */
+/* $NetBSD: i386_trap.S,v 1.14 2018/05/16 08:16:36 maxv Exp $ */
/*
* Copyright 2002 (c) Wasabi Systems, Inc.
@@ -66,7 +66,7 @@
#if 0
#include <machine/asm.h>
-__KERNEL_RCSID(0, "$NetBSD: i386_trap.S,v 1.13 2018/03/16 12:48:54 maxv Exp $");
+__KERNEL_RCSID(0, "$NetBSD: i386_trap.S,v 1.14 2018/05/16 08:16:36 maxv Exp $");
#endif
/*
@@ -88,8 +88,49 @@ IDTVEC(trap00)
ZTRAP(T_DIVIDE)
IDTVEC_END(trap00)
+/*
+ * Handle the SS shadow, CVE-2018-8897.
+ *
+ * We scan the IDT to determine if we hit an entry point. If so, we leave
+ * without restoring the segregs, because we could fault while doing that.
+ */
IDTVEC(trap01)
+#ifndef XEN
+ pushl $0
+ pushl $T_TRCTRAP
+ INTRENTRY
+
+ testb $SEL_UPL,TF_CS(%esp)
+ jnz .Lnormal_dbentry
+
+ pushl %esp
+ call ss_shadow
+ addl $4,%esp
+
+ cmpl $1,%eax
+ jne .Lnormal_dbentry
+
+ /* SS shadow, ignore the exception. */
+ xorl %eax,%eax
+ movl %eax,%dr6
+
+ /* INTRFASTEXIT, but without segregs. */
+ movl TF_EDI(%esp),%edi
+ movl TF_ESI(%esp),%esi
+ movl TF_EBP(%esp),%ebp
+ movl TF_EBX(%esp),%ebx
+ movl TF_EDX(%esp),%edx
+ movl TF_ECX(%esp),%ecx
+ movl TF_EAX(%esp),%eax
+ addl $(TF_PUSHSIZE+8),%esp
+ iret
+
+.Lnormal_dbentry:
+ STI(%eax)
+ jmp _C_LABEL(calltrap)
+#else
ZTRAP(T_TRCTRAP)
+#endif
IDTVEC_END(trap01)
/*
Index: src/sys/arch/i386/i386/trap.c
diff -u src/sys/arch/i386/i386/trap.c:1.293 src/sys/arch/i386/i386/trap.c:1.294
--- src/sys/arch/i386/i386/trap.c:1.293 Tue Feb 13 01:05:18 2018
+++ src/sys/arch/i386/i386/trap.c Wed May 16 08:16:36 2018
@@ -1,5 +1,5 @@
-/* $NetBSD: trap.c,v 1.293 2018/02/13 01:05:18 christos Exp $ */
+/* $NetBSD: trap.c,v 1.294 2018/05/16 08:16:36 maxv Exp $ */
/*-
* Copyright (c) 1998, 2000, 2005, 2006, 2007, 2008 The NetBSD Foundation, Inc.
@@ -69,7 +69,7 @@
*/
#include <sys/cdefs.h>
-__KERNEL_RCSID(0, "$NetBSD: trap.c,v 1.293 2018/02/13 01:05:18 christos Exp $");
+__KERNEL_RCSID(0, "$NetBSD: trap.c,v 1.294 2018/05/16 08:16:36 maxv Exp $");
#include "opt_ddb.h"
#include "opt_kgdb.h"
@@ -128,6 +128,7 @@ dtrace_doubletrap_func_t dtrace_doubletr
void trap(struct trapframe *);
void trap_tss(struct i386tss *, int, int);
void trap_return_fault_return(struct trapframe *) __dead;
+int ss_shadow(struct trapframe *tf);
const char * const trap_type[] = {
"privileged instruction fault", /* 0 T_PRIVINFLT */
@@ -236,6 +237,25 @@ trap_print(const struct trapframe *frame
l, l->l_proc->p_pid, l->l_lid, KSTACK_LOWEST_ADDR(l));
}
+int
+ss_shadow(struct trapframe *tf)
+{
+ struct gate_descriptor *gd;
+ uintptr_t eip, func;
+ size_t i;
+
+ eip = tf->tf_eip;
+
+ for (i = 0; i < 256; i++) {
+ gd = &idt[i];
+ func = (gd->gd_hioffset << 16) | gd->gd_looffset;
+ if (eip == func)
+ return 1;
+ }
+
+ return 0;
+}
+
/*
* trap(frame): exception, fault, and trap interface to BSD kernel.
*
