Date: Wed, 26 May 2021 20:38:20 GMT From: Mark Johnston <markj@FreeBSD.org> To: src-committers@FreeBSD.org, dev-commits-src-all@FreeBSD.org, dev-commits-src-branches@FreeBSD.org Subject: git: bb4435255df5 - releng/12.2 - amd64: clear PSL.AC in the right frame Message-ID: <202105262038.14QKcKto054980@gitrepo.freebsd.org>
next in thread | raw e-mail | index | archive | help
The branch releng/12.2 has been updated by markj: URL: https://cgit.FreeBSD.org/src/commit/?id=bb4435255df53118082b3567db6da100962b3822 commit bb4435255df53118082b3567db6da100962b3822 Author: Konstantin Belousov <kib@FreeBSD.org> AuthorDate: 2021-05-22 19:48:36 +0000 Commit: Mark Johnston <markj@FreeBSD.org> CommitDate: 2021-05-26 19:38:13 +0000 amd64: clear PSL.AC in the right frame If copyin family of routines fault, kernel does clear PSL.AC on the fault entry, but the AC flag of the faulted frame is kept intact. Since onfault handler is effectively jump, AC survives until syscall exit. Approved by: so Security: FreeBSD-SA-21:11.smap Security: CVE-2021-29628 Reported by: m00nbsd, via Sony Reviewed by: markj Sponsored by: The FreeBSD Foundation admbugs: 975 (cherry picked from commit 91aae953cb807d6fb7a70782b323bf9beb60d7c9) (cherry picked from commit 4590f0345956329d414611c6cee300f486732b53) --- sys/amd64/amd64/support.S | 18 ++++++++++++------ sys/amd64/linux/linux_support.s | 5 ++++- sys/amd64/linux32/linux32_support.s | 5 ++++- 3 files changed, 20 insertions(+), 8 deletions(-) diff --git a/sys/amd64/amd64/support.S b/sys/amd64/amd64/support.S index f4d3f5c124c5..023ca66f0883 100644 --- a/sys/amd64/amd64/support.S +++ b/sys/amd64/amd64/support.S @@ -868,9 +868,11 @@ ENTRY(copyin_smap_erms) END(copyin_smap_erms) ALIGN_TEXT - /* Trap entry clears PSL.AC */ copy_fault: - movq $0,PCB_ONFAULT(%r11) + testl $CPUID_STDEXT_SMAP,cpu_stdext_feature(%rip) + je 1f + clac +1: movq $0,PCB_ONFAULT(%r11) movl $EFAULT,%eax POP_FRAME_POINTER ret @@ -1311,9 +1313,11 @@ ENTRY(subyte_smap) END(subyte_smap) ALIGN_TEXT - /* Fault entry clears PSL.AC */ fusufault: - movq PCPU(CURPCB),%rcx + testl $CPUID_STDEXT_SMAP,cpu_stdext_feature(%rip) + je 1f + clac +1: movq PCPU(CURPCB),%rcx xorl %eax,%eax movq %rax,PCB_ONFAULT(%rcx) decq %rax @@ -1396,8 +1400,10 @@ ENTRY(copyinstr_smap) END(copyinstr_smap) cpystrflt: - /* Fault entry clears PSL.AC */ - movl $EFAULT,%eax + testl $CPUID_STDEXT_SMAP,cpu_stdext_feature(%rip) + je 1f + clac +1: movl $EFAULT,%eax cpystrflt_x: /* set *lencopied and return %eax */ movq $0,PCB_ONFAULT(%r9) diff --git a/sys/amd64/linux/linux_support.s b/sys/amd64/linux/linux_support.s index 391f76414f22..2de778e151bf 100644 --- a/sys/amd64/linux/linux_support.s +++ b/sys/amd64/linux/linux_support.s @@ -34,7 +34,10 @@ #include "assym.inc" futex_fault: - movq $0,PCB_ONFAULT(%r8) + testl $CPUID_STDEXT_SMAP,cpu_stdext_feature(%rip) + je 1f + clac +1: movq $0,PCB_ONFAULT(%r8) movl $-EFAULT,%eax ret diff --git a/sys/amd64/linux32/linux32_support.s b/sys/amd64/linux32/linux32_support.s index 981bba9f5821..7ff3e2293f6e 100644 --- a/sys/amd64/linux32/linux32_support.s +++ b/sys/amd64/linux32/linux32_support.s @@ -34,7 +34,10 @@ #include "assym.inc" futex_fault: - movq $0,PCB_ONFAULT(%r8) + testl $CPUID_STDEXT_SMAP,cpu_stdext_feature(%rip) + je 1f + clac +1: movq $0,PCB_ONFAULT(%r8) movl $-EFAULT,%eax ret
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?202105262038.14QKcKto054980>