From owner-svn-src-all@FreeBSD.ORG Mon Nov 25 15:58:50 2013 Return-Path: Delivered-To: svn-src-all@freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [8.8.178.115]) (using TLSv1 with cipher ADH-AES256-SHA (256/256 bits)) (No client certificate requested) by hub.freebsd.org (Postfix) with ESMTPS id 5B720ED3; Mon, 25 Nov 2013 15:58:50 +0000 (UTC) Received: from svn.freebsd.org (svn.freebsd.org [IPv6:2001:1900:2254:2068::e6a:0]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by mx1.freebsd.org (Postfix) with ESMTPS id 47A0A23BD; Mon, 25 Nov 2013 15:58:50 +0000 (UTC) Received: from svn.freebsd.org ([127.0.1.70]) by svn.freebsd.org (8.14.7/8.14.7) with ESMTP id rAPFwoig003912; Mon, 25 Nov 2013 15:58:50 GMT (envelope-from emaste@svn.freebsd.org) Received: (from emaste@localhost) by svn.freebsd.org (8.14.7/8.14.5/Submit) id rAPFwmTA003904; Mon, 25 Nov 2013 15:58:48 GMT (envelope-from emaste@svn.freebsd.org) Message-Id: <201311251558.rAPFwmTA003904@svn.freebsd.org> From: Ed Maste Date: Mon, 25 Nov 2013 15:58:48 +0000 (UTC) To: src-committers@freebsd.org, svn-src-all@freebsd.org, svn-src-stable@freebsd.org, svn-src-stable-10@freebsd.org Subject: svn commit: r258559 - in stable/10/sys: amd64/amd64 amd64/ia32 amd64/linux32 i386/i386 i386/include i386/linux pc98/pc98 x86/include X-SVN-Group: stable-10 MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit X-BeenThere: svn-src-all@freebsd.org X-Mailman-Version: 2.1.16 Precedence: list List-Id: "SVN commit messages for the entire src tree \(except for " user" and " projects" \)" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Mon, 25 Nov 2013 15:58:50 -0000 Author: emaste Date: Mon Nov 25 15:58:48 2013 New Revision: 258559 URL: http://svnweb.freebsd.org/changeset/base/258559 Log: MFC r258135: x86: Allow users to change PSL_RF via ptrace(PT_SETREGS...) Debuggers may need to change PSL_RF. Note that tf_eflags is already stored in the signal context during signal handling and PSL_RF previously could be modified via sigreturn, so this change should not provide any new ability to userspace. For background see the thread at: http://lists.freebsd.org/pipermail/freebsd-i386/2007-September/005910.html Reviewed by: jhb, kib Sponsored by: DARPA, AFRL Approved by: re (gjb) Modified: stable/10/sys/amd64/amd64/machdep.c stable/10/sys/amd64/ia32/ia32_signal.c stable/10/sys/amd64/linux32/linux32_sysvec.c stable/10/sys/i386/i386/machdep.c stable/10/sys/i386/include/vm86.h stable/10/sys/i386/linux/linux_sysvec.c stable/10/sys/pc98/pc98/machdep.c stable/10/sys/x86/include/psl.h Directory Properties: stable/10/sys/ (props changed) Modified: stable/10/sys/amd64/amd64/machdep.c ============================================================================== --- stable/10/sys/amd64/amd64/machdep.c Mon Nov 25 15:54:18 2013 (r258558) +++ stable/10/sys/amd64/amd64/machdep.c Mon Nov 25 15:58:48 2013 (r258559) @@ -486,17 +486,7 @@ sys_sigreturn(td, uap) /* * Don't allow users to change privileged or reserved flags. */ - /* - * XXX do allow users to change the privileged flag PSL_RF. - * The cpu sets PSL_RF in tf_rflags for faults. Debuggers - * should sometimes set it there too. tf_rflags is kept in - * the signal context during signal handling and there is no - * other place to remember it, so the PSL_RF bit may be - * corrupted by the signal handler without us knowing. - * Corruption of the PSL_RF bit at worst causes one more or - * one less debugger trap, so allowing it is fairly harmless. - */ - if (!EFL_SECURE(rflags & ~PSL_RF, regs->tf_rflags & ~PSL_RF)) { + if (!EFL_SECURE(rflags, regs->tf_rflags)) { uprintf("pid %d (%s): sigreturn rflags = 0x%lx\n", p->p_pid, td->td_name, rflags); return (EINVAL); Modified: stable/10/sys/amd64/ia32/ia32_signal.c ============================================================================== --- stable/10/sys/amd64/ia32/ia32_signal.c Mon Nov 25 15:54:18 2013 (r258558) +++ stable/10/sys/amd64/ia32/ia32_signal.c Mon Nov 25 15:58:48 2013 (r258559) @@ -719,7 +719,7 @@ ofreebsd32_sigreturn(struct thread *td, return (error); scp = ≻ eflags = scp->sc_eflags; - if (!EFL_SECURE(eflags & ~PSL_RF, regs->tf_rflags & ~PSL_RF)) { + if (!EFL_SECURE(eflags, regs->tf_rflags)) { return (EINVAL); } if (!CS_SECURE(scp->sc_cs)) { @@ -787,17 +787,7 @@ freebsd4_freebsd32_sigreturn(td, uap) /* * Don't allow users to change privileged or reserved flags. */ - /* - * XXX do allow users to change the privileged flag PSL_RF. - * The cpu sets PSL_RF in tf_eflags for faults. Debuggers - * should sometimes set it there too. tf_eflags is kept in - * the signal context during signal handling and there is no - * other place to remember it, so the PSL_RF bit may be - * corrupted by the signal handler without us knowing. - * Corruption of the PSL_RF bit at worst causes one more or - * one less debugger trap, so allowing it is fairly harmless. - */ - if (!EFL_SECURE(eflags & ~PSL_RF, regs->tf_rflags & ~PSL_RF)) { + if (!EFL_SECURE(eflags, regs->tf_rflags)) { uprintf("pid %d (%s): freebsd4_freebsd32_sigreturn eflags = 0x%x\n", td->td_proc->p_pid, td->td_name, eflags); return (EINVAL); @@ -873,17 +863,7 @@ freebsd32_sigreturn(td, uap) /* * Don't allow users to change privileged or reserved flags. */ - /* - * XXX do allow users to change the privileged flag PSL_RF. - * The cpu sets PSL_RF in tf_eflags for faults. Debuggers - * should sometimes set it there too. tf_eflags is kept in - * the signal context during signal handling and there is no - * other place to remember it, so the PSL_RF bit may be - * corrupted by the signal handler without us knowing. - * Corruption of the PSL_RF bit at worst causes one more or - * one less debugger trap, so allowing it is fairly harmless. - */ - if (!EFL_SECURE(eflags & ~PSL_RF, regs->tf_rflags & ~PSL_RF)) { + if (!EFL_SECURE(eflags, regs->tf_rflags)) { uprintf("pid %d (%s): freebsd32_sigreturn eflags = 0x%x\n", td->td_proc->p_pid, td->td_name, eflags); return (EINVAL); Modified: stable/10/sys/amd64/linux32/linux32_sysvec.c ============================================================================== --- stable/10/sys/amd64/linux32/linux32_sysvec.c Mon Nov 25 15:54:18 2013 (r258558) +++ stable/10/sys/amd64/linux32/linux32_sysvec.c Mon Nov 25 15:58:48 2013 (r258559) @@ -587,17 +587,7 @@ linux_sigreturn(struct thread *td, struc */ #define EFLAGS_SECURE(ef, oef) ((((ef) ^ (oef)) & ~PSL_USERCHANGE) == 0) eflags = frame.sf_sc.sc_eflags; - /* - * XXX do allow users to change the privileged flag PSL_RF. The - * cpu sets PSL_RF in tf_eflags for faults. Debuggers should - * sometimes set it there too. tf_eflags is kept in the signal - * context during signal handling and there is no other place - * to remember it, so the PSL_RF bit may be corrupted by the - * signal handler without us knowing. Corruption of the PSL_RF - * bit at worst causes one more or one less debugger trap, so - * allowing it is fairly harmless. - */ - if (!EFLAGS_SECURE(eflags & ~PSL_RF, regs->tf_rflags & ~PSL_RF)) + if (!EFLAGS_SECURE(eflags, regs->tf_rflags)) return(EINVAL); /* @@ -689,17 +679,7 @@ linux_rt_sigreturn(struct thread *td, st */ #define EFLAGS_SECURE(ef, oef) ((((ef) ^ (oef)) & ~PSL_USERCHANGE) == 0) eflags = context->sc_eflags; - /* - * XXX do allow users to change the privileged flag PSL_RF. The - * cpu sets PSL_RF in tf_eflags for faults. Debuggers should - * sometimes set it there too. tf_eflags is kept in the signal - * context during signal handling and there is no other place - * to remember it, so the PSL_RF bit may be corrupted by the - * signal handler without us knowing. Corruption of the PSL_RF - * bit at worst causes one more or one less debugger trap, so - * allowing it is fairly harmless. - */ - if (!EFLAGS_SECURE(eflags & ~PSL_RF, regs->tf_rflags & ~PSL_RF)) + if (!EFLAGS_SECURE(eflags, regs->tf_rflags)) return(EINVAL); /* Modified: stable/10/sys/i386/i386/machdep.c ============================================================================== --- stable/10/sys/i386/i386/machdep.c Mon Nov 25 15:54:18 2013 (r258558) +++ stable/10/sys/i386/i386/machdep.c Mon Nov 25 15:58:48 2013 (r258559) @@ -842,17 +842,7 @@ osigreturn(td, uap) /* * Don't allow users to change privileged or reserved flags. */ - /* - * XXX do allow users to change the privileged flag PSL_RF. - * The cpu sets PSL_RF in tf_eflags for faults. Debuggers - * should sometimes set it there too. tf_eflags is kept in - * the signal context during signal handling and there is no - * other place to remember it, so the PSL_RF bit may be - * corrupted by the signal handler without us knowing. - * Corruption of the PSL_RF bit at worst causes one more or - * one less debugger trap, so allowing it is fairly harmless. - */ - if (!EFL_SECURE(eflags & ~PSL_RF, regs->tf_eflags & ~PSL_RF)) { + if (!EFL_SECURE(eflags, regs->tf_eflags)) { return (EINVAL); } @@ -968,17 +958,7 @@ freebsd4_sigreturn(td, uap) /* * Don't allow users to change privileged or reserved flags. */ - /* - * XXX do allow users to change the privileged flag PSL_RF. - * The cpu sets PSL_RF in tf_eflags for faults. Debuggers - * should sometimes set it there too. tf_eflags is kept in - * the signal context during signal handling and there is no - * other place to remember it, so the PSL_RF bit may be - * corrupted by the signal handler without us knowing. - * Corruption of the PSL_RF bit at worst causes one more or - * one less debugger trap, so allowing it is fairly harmless. - */ - if (!EFL_SECURE(eflags & ~PSL_RF, regs->tf_eflags & ~PSL_RF)) { + if (!EFL_SECURE(eflags, regs->tf_eflags)) { uprintf("pid %d (%s): freebsd4_sigreturn eflags = 0x%x\n", td->td_proc->p_pid, td->td_name, eflags); return (EINVAL); @@ -1082,17 +1062,7 @@ sys_sigreturn(td, uap) /* * Don't allow users to change privileged or reserved flags. */ - /* - * XXX do allow users to change the privileged flag PSL_RF. - * The cpu sets PSL_RF in tf_eflags for faults. Debuggers - * should sometimes set it there too. tf_eflags is kept in - * the signal context during signal handling and there is no - * other place to remember it, so the PSL_RF bit may be - * corrupted by the signal handler without us knowing. - * Corruption of the PSL_RF bit at worst causes one more or - * one less debugger trap, so allowing it is fairly harmless. - */ - if (!EFL_SECURE(eflags & ~PSL_RF, regs->tf_eflags & ~PSL_RF)) { + if (!EFL_SECURE(eflags, regs->tf_eflags)) { uprintf("pid %d (%s): sigreturn eflags = 0x%x\n", td->td_proc->p_pid, td->td_name, eflags); return (EINVAL); Modified: stable/10/sys/i386/include/vm86.h ============================================================================== --- stable/10/sys/i386/include/vm86.h Mon Nov 25 15:54:18 2013 (r258558) +++ stable/10/sys/i386/include/vm86.h Mon Nov 25 15:58:48 2013 (r258559) @@ -113,7 +113,7 @@ struct vm86context { } pmap[VM86_PMAPSIZE]; }; -#define VM_USERCHANGE (PSL_USERCHANGE | PSL_RF) +#define VM_USERCHANGE (PSL_USERCHANGE) #define VME_USERCHANGE (VM_USERCHANGE | PSL_VIP | PSL_VIF) struct vm86_kernel { Modified: stable/10/sys/i386/linux/linux_sysvec.c ============================================================================== --- stable/10/sys/i386/linux/linux_sysvec.c Mon Nov 25 15:54:18 2013 (r258558) +++ stable/10/sys/i386/linux/linux_sysvec.c Mon Nov 25 15:58:48 2013 (r258559) @@ -684,17 +684,7 @@ linux_sigreturn(struct thread *td, struc */ #define EFLAGS_SECURE(ef, oef) ((((ef) ^ (oef)) & ~PSL_USERCHANGE) == 0) eflags = frame.sf_sc.sc_eflags; - /* - * XXX do allow users to change the privileged flag PSL_RF. The - * cpu sets PSL_RF in tf_eflags for faults. Debuggers should - * sometimes set it there too. tf_eflags is kept in the signal - * context during signal handling and there is no other place - * to remember it, so the PSL_RF bit may be corrupted by the - * signal handler without us knowing. Corruption of the PSL_RF - * bit at worst causes one more or one less debugger trap, so - * allowing it is fairly harmless. - */ - if (!EFLAGS_SECURE(eflags & ~PSL_RF, regs->tf_eflags & ~PSL_RF)) + if (!EFLAGS_SECURE(eflags, regs->tf_eflags)) return(EINVAL); /* @@ -785,17 +775,7 @@ linux_rt_sigreturn(struct thread *td, st */ #define EFLAGS_SECURE(ef, oef) ((((ef) ^ (oef)) & ~PSL_USERCHANGE) == 0) eflags = context->sc_eflags; - /* - * XXX do allow users to change the privileged flag PSL_RF. The - * cpu sets PSL_RF in tf_eflags for faults. Debuggers should - * sometimes set it there too. tf_eflags is kept in the signal - * context during signal handling and there is no other place - * to remember it, so the PSL_RF bit may be corrupted by the - * signal handler without us knowing. Corruption of the PSL_RF - * bit at worst causes one more or one less debugger trap, so - * allowing it is fairly harmless. - */ - if (!EFLAGS_SECURE(eflags & ~PSL_RF, regs->tf_eflags & ~PSL_RF)) + if (!EFLAGS_SECURE(eflags, regs->tf_eflags)) return(EINVAL); /* Modified: stable/10/sys/pc98/pc98/machdep.c ============================================================================== --- stable/10/sys/pc98/pc98/machdep.c Mon Nov 25 15:54:18 2013 (r258558) +++ stable/10/sys/pc98/pc98/machdep.c Mon Nov 25 15:58:48 2013 (r258559) @@ -773,17 +773,7 @@ osigreturn(td, uap) /* * Don't allow users to change privileged or reserved flags. */ - /* - * XXX do allow users to change the privileged flag PSL_RF. - * The cpu sets PSL_RF in tf_eflags for faults. Debuggers - * should sometimes set it there too. tf_eflags is kept in - * the signal context during signal handling and there is no - * other place to remember it, so the PSL_RF bit may be - * corrupted by the signal handler without us knowing. - * Corruption of the PSL_RF bit at worst causes one more or - * one less debugger trap, so allowing it is fairly harmless. - */ - if (!EFL_SECURE(eflags & ~PSL_RF, regs->tf_eflags & ~PSL_RF)) { + if (!EFL_SECURE(eflags, regs->tf_eflags)) { return (EINVAL); } @@ -899,17 +889,7 @@ freebsd4_sigreturn(td, uap) /* * Don't allow users to change privileged or reserved flags. */ - /* - * XXX do allow users to change the privileged flag PSL_RF. - * The cpu sets PSL_RF in tf_eflags for faults. Debuggers - * should sometimes set it there too. tf_eflags is kept in - * the signal context during signal handling and there is no - * other place to remember it, so the PSL_RF bit may be - * corrupted by the signal handler without us knowing. - * Corruption of the PSL_RF bit at worst causes one more or - * one less debugger trap, so allowing it is fairly harmless. - */ - if (!EFL_SECURE(eflags & ~PSL_RF, regs->tf_eflags & ~PSL_RF)) { + if (!EFL_SECURE(eflags, regs->tf_eflags)) { uprintf("pid %d (%s): freebsd4_sigreturn eflags = 0x%x\n", td->td_proc->p_pid, td->td_name, eflags); return (EINVAL); @@ -1013,17 +993,7 @@ sys_sigreturn(td, uap) /* * Don't allow users to change privileged or reserved flags. */ - /* - * XXX do allow users to change the privileged flag PSL_RF. - * The cpu sets PSL_RF in tf_eflags for faults. Debuggers - * should sometimes set it there too. tf_eflags is kept in - * the signal context during signal handling and there is no - * other place to remember it, so the PSL_RF bit may be - * corrupted by the signal handler without us knowing. - * Corruption of the PSL_RF bit at worst causes one more or - * one less debugger trap, so allowing it is fairly harmless. - */ - if (!EFL_SECURE(eflags & ~PSL_RF, regs->tf_eflags & ~PSL_RF)) { + if (!EFL_SECURE(eflags, regs->tf_eflags)) { uprintf("pid %d (%s): sigreturn eflags = 0x%x\n", td->td_proc->p_pid, td->td_name, eflags); return (EINVAL); Modified: stable/10/sys/x86/include/psl.h ============================================================================== --- stable/10/sys/x86/include/psl.h Mon Nov 25 15:54:18 2013 (r258558) +++ stable/10/sys/x86/include/psl.h Mon Nov 25 15:58:48 2013 (r258559) @@ -77,8 +77,16 @@ * is undesirable but it may as well be allowed since users can inflict * it on the kernel directly. Changes to PSL_AC are silently ignored on * 386's. + * + * Users are allowed to change the privileged flag PSL_RF. The cpu sets PSL_RF + * in tf_eflags for faults. Debuggers should sometimes set it there too. + * tf_eflags is kept in the signal context during signal handling and there is + * no other place to remember it, so the PSL_RF bit may be corrupted by the + * signal handler without us knowing. Corruption of the PSL_RF bit at worst + * causes one more or one less debugger trap, so allowing it is fairly + * harmless. */ #define PSL_USERCHANGE (PSL_C | PSL_PF | PSL_AF | PSL_Z | PSL_N | PSL_T \ - | PSL_D | PSL_V | PSL_NT | PSL_AC | PSL_ID) + | PSL_D | PSL_V | PSL_NT | PSL_RF | PSL_AC | PSL_ID) #endif /* !_MACHINE_PSL_H_ */