From: Justin Hibbits
Date: Sat, 16 Nov 2019 16:36:21 +0000 (UTC)
To: src-committers@freebsd.org, svn-src-all@freebsd.org, svn-src-head@freebsd.org
Subject: svn commit: r354776 - head/sys/powerpc/booke

Author: jhibbits
Date: Sat Nov 16 16:36:20 2019
New Revision: 354776
URL: https://svnweb.freebsd.org/changeset/base/354776

Log:
  powerpcspe: Don't leak kernel registers in SPE dumps

  save_vec_int() for SPE saves off only the high word of the register, leaving
  the low word as "garbage", but really containing whatever was in the kernel
  register at the time. This leaks into core dumps, and in a near future
  commit also into ptrace.

  Instead, save the GPR in the low word in save_vec_nodrop(), which is used only
  for core dumps and ptrace.

Modified:
  head/sys/powerpc/booke/spe.c

Modified: head/sys/powerpc/booke/spe.c
==============================================================================
--- head/sys/powerpc/booke/spe.c Sat Nov 16 16:27:31 2019 (r354775)
+++ head/sys/powerpc/booke/spe.c Sat Nov 16 16:36:20 2019 (r354776)
@@ -176,19 +176,28 @@ save_vec(struct thread *td) /* * Save SPE state without dropping ownership. This will only save state if - * the current vector-thread is `td'. + * the current vector-thread is `td'. This is used for taking core dumps, so + * don't leak kernel information; overwrite the low words of each vector with + * their real value, taken from the thread's trap frame, unconditionally. */ void save_vec_nodrop(struct thread *td) { struct thread *vtd; + struct pcb *pcb; + int i; vtd = PCPU_GET(vecthread); - if (td != vtd) { - return; + if (td == vtd) { + save_vec_int(td); } - save_vec_int(td); + pcb = td->td_pcb; + + for (i = 0; i < 32; i++) { + pcb->pcb_vec.vr[i][1] = + td->td_frame ? td->td_frame->fixreg[i] : 0; + } }
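Review bot: In save_vec_nodrop(), the td != vtd path now skips save_vec_int() and the new loop writes only vr[i][1], so the high words vr[i][0] that end up in the dump are whatever the pcb already held. The hunk does not show that pcb_vec is initialized for a thread that has never owned the vector unit; if it is not guaranteed elsewhere, zero the high words in that case so the same kind of leak cannot come back through the other half of each register. Two smaller points in the loop: the `td->td_frame ? ... : 0` test is loop-invariant and would read more clearly hoisted above the `for`, and the bare `32` and index `[1]` would be easier to audit as a named register count (or nitems() on the array) and a short comment stating that index 1 is the low word.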