Commit 6b12095a authored by Andi Kleen, committed by Greg Kroah-Hartman

[PATCH] x86_64: When user could have changed RIP always force IRET (CVE-2006-0744)

Intel EM64T CPUs handle uncanonical return addresses differently from
AMD CPUs.

The exception is reported in the SYSRET, not the next instruction.
This leads to the kernel exception handler running on the user stack
with the wrong GS because the kernel didn't expect exceptions on this
instruction.

This version of the patch has the teething problems that plagued an
earlier version fixed.

This is CVE-2006-0744

Thanks to Ernie Petrides and Asit B. Mallick for analysis and initial
patches.
Signed-off-by: Andi Kleen <ak@suse.de>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
parent 59b2832a
...@@ -180,6 +180,10 @@ rff_trace: ...@@ -180,6 +180,10 @@ rff_trace:
* *
* XXX if we had a free scratch register we could save the RSP into the stack frame * XXX if we had a free scratch register we could save the RSP into the stack frame
* and report it properly in ps. Unfortunately we haven't. * and report it properly in ps. Unfortunately we haven't.
*
* When user can change the frames always force IRET. That is because
* it deals with uncanonical addresses better. SYSRET has trouble
* with them due to bugs in both AMD and Intel CPUs.
*/ */
ENTRY(system_call) ENTRY(system_call)
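Review bot: the new comment says "When user can change the frames" without saying which frame or how; it should name the saved RIP/RSP in the pt_regs on the kernel stack and the two routes by which user-controlled values land there (signal delivery in sysret_signal and a tracer in tracesys, the two paths this patch redirects to IRET), so the rule is checkable at each exit path rather than only here at the entry point.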
...@@ -254,7 +258,10 @@ sysret_signal: ...@@ -254,7 +258,10 @@ sysret_signal:
xorl %esi,%esi # oldset -> arg2 xorl %esi,%esi # oldset -> arg2
call ptregscall_common call ptregscall_common
1: movl $_TIF_NEED_RESCHED,%edi 1: movl $_TIF_NEED_RESCHED,%edi
jmp sysret_check /* Use IRET because user could have changed frame. This
works because ptregscall_common has called FIXUP_TOP_OF_STACK. */
cli
jmp int_with_check
badsys: badsys:
movq $-ENOSYS,RAX-ARGOFFSET(%rsp) movq $-ENOSYS,RAX-ARGOFFSET(%rsp)
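Review bot: the justification in the comment ("works because ptregscall_common has called FIXUP_TOP_OF_STACK") only covers the fall-through from `call ptregscall_common`; the `1:` label directly above the comment is also a jump target, and anything arriving by that route reaches the same `cli` / `jmp int_with_check` without that FIXUP_TOP_OF_STACK. Either document why the frame is already complete on that entry or move the label so the IRET exit is only taken after ptregscall_common. The comment should also say that the `cli` is there because int_with_check expects interrupts off.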
...@@ -280,7 +287,8 @@ tracesys: ...@@ -280,7 +287,8 @@ tracesys:
call syscall_trace_leave call syscall_trace_leave
RESTORE_TOP_OF_STACK %rbx RESTORE_TOP_OF_STACK %rbx
RESTORE_REST RESTORE_REST
jmp ret_from_sys_call /* Use IRET because user could have changed frame */
jmp int_ret_from_sys_call
CFI_ENDPROC CFI_ENDPROC
/* /*
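Review bot: the one-line comment should name the writer of the frame here, i.e. a tracer acting through syscall_trace_leave, and state that the frame is complete for IRET because `RESTORE_TOP_OF_STACK %rbx` has just put the saved RSP/SS/CS/EFLAGS back into pt_regs; matching the wording of the sysret_signal hunk makes the two IRET exits easier to audit together.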