From owner-svn-src-head@FreeBSD.ORG Sat Feb 5 15:10:27 2011 Return-Path: Delivered-To: svn-src-head@freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34]) by hub.freebsd.org (Postfix) with ESMTP id B5EDF106566B; Sat, 5 Feb 2011 15:10:27 +0000 (UTC) (envelope-from kib@FreeBSD.org) Received: from svn.freebsd.org (svn.freebsd.org [IPv6:2001:4f8:fff6::2c]) by mx1.freebsd.org (Postfix) with ESMTP id A31B68FC0A; Sat, 5 Feb 2011 15:10:27 +0000 (UTC) Received: from svn.freebsd.org (localhost [127.0.0.1]) by svn.freebsd.org (8.14.3/8.14.3) with ESMTP id p15FARwI031671; Sat, 5 Feb 2011 15:10:27 GMT (envelope-from kib@svn.freebsd.org) Received: (from kib@localhost) by svn.freebsd.org (8.14.3/8.14.3/Submit) id p15FARXr031666; Sat, 5 Feb 2011 15:10:27 GMT (envelope-from kib@svn.freebsd.org) Message-Id: <201102051510.p15FARXr031666@svn.freebsd.org> From: Konstantin Belousov Date: Sat, 5 Feb 2011 15:10:27 +0000 (UTC) To: src-committers@freebsd.org, svn-src-all@freebsd.org, svn-src-head@freebsd.org X-SVN-Group: head MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Cc: Subject: svn commit: r218327 - in head/sys: amd64/amd64 amd64/ia32 i386/i386 kern X-BeenThere: svn-src-head@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: SVN commit messages for the src tree for head/-current List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Sat, 05 Feb 2011 15:10:27 -0000 Author: kib Date: Sat Feb 5 15:10:27 2011 New Revision: 218327 URL: http://svn.freebsd.org/changeset/base/218327 Log: Clear the padding when returning context to the usermode, for MI ucontext_t and x86 MD parts. Kernel allocates the structures on the stack, and not clearing reserved fields and paddings causes leakage. Noted and discussed with: bde MFC after: 2 weeks Modified: head/sys/amd64/amd64/machdep.c head/sys/amd64/ia32/ia32_signal.c head/sys/i386/i386/machdep.c head/sys/kern/kern_context.c Modified: head/sys/amd64/amd64/machdep.c ============================================================================== --- head/sys/amd64/amd64/machdep.c Sat Feb 5 15:09:55 2011 (r218326) +++ head/sys/amd64/amd64/machdep.c Sat Feb 5 15:10:27 2011 (r218327) @@ -331,6 +331,9 @@ sendsig(sig_t catcher, ksiginfo_t *ksi, fpstate_drop(td); sf.sf_uc.uc_mcontext.mc_fsbase = pcb->pcb_fsbase; sf.sf_uc.uc_mcontext.mc_gsbase = pcb->pcb_gsbase; + bzero(sf.sf_uc.uc_mcontext.mc_spare, + sizeof(sf.sf_uc.uc_mcontext.mc_spare)); + bzero(sf.sf_uc.__spare__, sizeof(sf.sf_uc.__spare__)); /* Allocate space for the signal handler context. */ if ((td->td_pflags & TDP_ALTSTACK) != 0 && !oonstack && @@ -352,6 +355,7 @@ sendsig(sig_t catcher, ksiginfo_t *ksi, /* Build the argument list for the signal handler. */ regs->tf_rdi = sig; /* arg 1 in %rdi */ regs->tf_rdx = (register_t)&sfp->sf_uc; /* arg 3 in %rdx */ + bzero(&sf.sf_si, sizeof(sf.sf_si)); if (SIGISMEMBER(psp->ps_siginfo, sig)) { /* Signal handler installed with SA_SIGINFO. */ regs->tf_rsi = (register_t)&sfp->sf_si; /* arg 2 in %rsi */ @@ -2043,6 +2047,7 @@ get_mcontext(struct thread *td, mcontext get_fpcontext(td, mcp); mcp->mc_fsbase = pcb->pcb_fsbase; mcp->mc_gsbase = pcb->pcb_gsbase; + bzero(mcp->mc_spare, sizeof(mcp->mc_spare)); return (0); } Modified: head/sys/amd64/ia32/ia32_signal.c ============================================================================== --- head/sys/amd64/ia32/ia32_signal.c Sat Feb 5 15:09:55 2011 (r218326) +++ head/sys/amd64/ia32/ia32_signal.c Sat Feb 5 15:10:27 2011 (r218327) @@ -167,6 +167,8 @@ ia32_get_mcontext(struct thread *td, str ia32_get_fpcontext(td, mcp); mcp->mc_fsbase = pcb->pcb_fsbase; mcp->mc_gsbase = pcb->pcb_gsbase; + bzero(mcp->mc_spare1, sizeof(mcp->mc_spare1)); + bzero(mcp->mc_spare2, sizeof(mcp->mc_spare2)); set_pcb_flags(pcb, PCB_FULL_IRET); return (0); } @@ -233,6 +235,7 @@ freebsd32_getcontext(struct thread *td, PROC_LOCK(td->td_proc); uc.uc_sigmask = td->td_sigmask; PROC_UNLOCK(td->td_proc); + bzero(&uc.__spare__, sizeof(uc.__spare__)); ret = copyout(&uc, uap->ucp, UC_COPY_SIZE); } return (ret); @@ -348,6 +351,11 @@ freebsd4_ia32_sendsig(sig_t catcher, ksi sf.sf_uc.uc_mcontext.mc_es = regs->tf_es; sf.sf_uc.uc_mcontext.mc_fs = regs->tf_fs; sf.sf_uc.uc_mcontext.mc_gs = regs->tf_gs; + bzero(sf.sf_uc.uc_mcontext.mc_fpregs, + sizeof(sf.sf_uc.uc_mcontext.mc_fpregs)); + bzero(sf.sf_uc.uc_mcontext.__spare__, + sizeof(sf.sf_uc.uc_mcontext.__spare__)); + bzero(sf.sf_uc.__spare__, sizeof(sf.sf_uc.__spare__)); /* Allocate space for the signal handler context. */ if ((td->td_pflags & TDP_ALTSTACK) != 0 && !oonstack && @@ -365,6 +373,7 @@ freebsd4_ia32_sendsig(sig_t catcher, ksi /* Build the argument list for the signal handler. */ sf.sf_signum = sig; sf.sf_ucontext = (register_t)&sfp->sf_uc; + bzero(&sf.sf_si, sizeof(sf.sf_si)); if (SIGISMEMBER(psp->ps_siginfo, sig)) { /* Signal handler installed with SA_SIGINFO. */ sf.sf_siginfo = (u_int32_t)(uintptr_t)&sfp->sf_si; @@ -468,6 +477,7 @@ ia32_sendsig(sig_t catcher, ksiginfo_t * fpstate_drop(td); sf.sf_uc.uc_mcontext.mc_fsbase = td->td_pcb->pcb_fsbase; sf.sf_uc.uc_mcontext.mc_gsbase = td->td_pcb->pcb_gsbase; + bzero(sf.sf_uc.__spare__, sizeof(sf.sf_uc.__spare__)); /* Allocate space for the signal handler context. */ if ((td->td_pflags & TDP_ALTSTACK) != 0 && !oonstack && @@ -487,6 +497,7 @@ ia32_sendsig(sig_t catcher, ksiginfo_t * /* Build the argument list for the signal handler. */ sf.sf_signum = sig; sf.sf_ucontext = (register_t)&sfp->sf_uc; + bzero(&sf.sf_si, sizeof(sf.sf_si)); if (SIGISMEMBER(psp->ps_siginfo, sig)) { /* Signal handler installed with SA_SIGINFO. */ sf.sf_siginfo = (u_int32_t)(uintptr_t)&sfp->sf_si; Modified: head/sys/i386/i386/machdep.c ============================================================================== --- head/sys/i386/i386/machdep.c Sat Feb 5 15:09:55 2011 (r218326) +++ head/sys/i386/i386/machdep.c Sat Feb 5 15:10:27 2011 (r218327) @@ -376,12 +376,14 @@ osendsig(sig_t catcher, ksiginfo_t *ksi, /* Build the argument list for the signal handler. */ sf.sf_signum = sig; sf.sf_scp = (register_t)&fp->sf_siginfo.si_sc; + bzero(&sf.sf_siginfo, sizeof(sf.sf_siginfo)); if (SIGISMEMBER(psp->ps_siginfo, sig)) { /* Signal handler installed with SA_SIGINFO. */ sf.sf_arg2 = (register_t)&fp->sf_siginfo; sf.sf_siginfo.si_signo = sig; sf.sf_siginfo.si_code = ksi->ksi_code; sf.sf_ahu.sf_action = (__osiginfohandler_t *)catcher; + sf.sf_addr = 0; } else { /* Old FreeBSD-style arguments. */ sf.sf_arg2 = ksi->ksi_code; @@ -495,6 +497,11 @@ freebsd4_sendsig(sig_t catcher, ksiginfo sf.sf_uc.uc_mcontext.mc_onstack = (oonstack) ? 1 : 0; sf.sf_uc.uc_mcontext.mc_gs = rgs(); bcopy(regs, &sf.sf_uc.uc_mcontext.mc_fs, sizeof(*regs)); + bzero(sf.sf_uc.uc_mcontext.mc_fpregs, + sizeof(sf.sf_uc.uc_mcontext.mc_fpregs)); + bzero(sf.sf_uc.uc_mcontext.__spare__, + sizeof(sf.sf_uc.uc_mcontext.__spare__)); + bzero(sf.sf_uc.__spare__, sizeof(sf.sf_uc.__spare__)); /* Allocate space for the signal handler context. */ if ((td->td_pflags & TDP_ALTSTACK) != 0 && !oonstack && @@ -514,6 +521,7 @@ freebsd4_sendsig(sig_t catcher, ksiginfo /* Build the argument list for the signal handler. */ sf.sf_signum = sig; sf.sf_ucontext = (register_t)&sfp->sf_uc; + bzero(&sf.sf_si, sizeof(sf.sf_si)); if (SIGISMEMBER(psp->ps_siginfo, sig)) { /* Signal handler installed with SA_SIGINFO. */ sf.sf_siginfo = (register_t)&sfp->sf_si; @@ -640,6 +648,11 @@ sendsig(sig_t catcher, ksiginfo_t *ksi, sdp = &td->td_pcb->pcb_gsd; sf.sf_uc.uc_mcontext.mc_gsbase = sdp->sd_hibase << 24 | sdp->sd_lobase; + bzero(sf.sf_uc.uc_mcontext.mc_spare1, + sizeof(sf.sf_uc.uc_mcontext.mc_spare1)); + bzero(sf.sf_uc.uc_mcontext.mc_spare2, + sizeof(sf.sf_uc.uc_mcontext.mc_spare2)); + bzero(sf.sf_uc.__spare__, sizeof(sf.sf_uc.__spare__)); /* Allocate space for the signal handler context. */ if ((td->td_pflags & TDP_ALTSTACK) != 0 && !oonstack && @@ -661,6 +674,7 @@ sendsig(sig_t catcher, ksiginfo_t *ksi, /* Build the argument list for the signal handler. */ sf.sf_signum = sig; sf.sf_ucontext = (register_t)&sfp->sf_uc; + bzero(&sf.sf_si, sizeof(sf.sf_si)); if (SIGISMEMBER(psp->ps_siginfo, sig)) { /* Signal handler installed with SA_SIGINFO. */ sf.sf_siginfo = (register_t)&sfp->sf_si; @@ -3286,7 +3300,8 @@ get_mcontext(struct thread *td, mcontext mcp->mc_fsbase = sdp->sd_hibase << 24 | sdp->sd_lobase; sdp = &td->td_pcb->pcb_gsd; mcp->mc_gsbase = sdp->sd_hibase << 24 | sdp->sd_lobase; - + bzero(mcp->mc_spare1, sizeof(mcp->mc_spare1)); + bzero(mcp->mc_spare2, sizeof(mcp->mc_spare2)); return (0); } @@ -3335,6 +3350,7 @@ get_fpcontext(struct thread *td, mcontex #ifndef DEV_NPX mcp->mc_fpformat = _MC_FPFMT_NODEV; mcp->mc_ownedfp = _MC_FPOWNED_NONE; + bzero(mcp->mc_fpstate, sizeof(mcp->mc_fpstate)); #else mcp->mc_ownedfp = npxgetregs(td); bcopy(&td->td_pcb->pcb_user_save, &mcp->mc_fpstate, Modified: head/sys/kern/kern_context.c ============================================================================== --- head/sys/kern/kern_context.c Sat Feb 5 15:09:55 2011 (r218326) +++ head/sys/kern/kern_context.c Sat Feb 5 15:10:27 2011 (r218327) @@ -72,6 +72,7 @@ getcontext(struct thread *td, struct get PROC_LOCK(td->td_proc); uc.uc_sigmask = td->td_sigmask; PROC_UNLOCK(td->td_proc); + bzero(uc.__spare__, sizeof(uc.__spare__)); ret = copyout(&uc, uap->ucp, UC_COPY_SIZE); } return (ret); @@ -108,6 +109,7 @@ swapcontext(struct thread *td, struct sw ret = EINVAL; else { get_mcontext(td, &uc.uc_mcontext, GET_MC_CLEAR_RET); + bzero(uc.__spare__, sizeof(uc.__spare__)); PROC_LOCK(td->td_proc); uc.uc_sigmask = td->td_sigmask; PROC_UNLOCK(td->td_proc);