    [PATCH] i386 stack frame security fix · bc404e79
    Andi Kleen authored
    This fixes a potential security issue on i386. FXRSTOR raises an #GP
    when the MXCSR field in the FXSAVE frame contains illegal values. By
    putting a signal frame just at a border to an unmapped page a malicious
    user could potentially cause an exception in the context switch using this.
    When the EFAULT occurs in the last bytes of the signal frame the MXCSR
    check would be skipped in the old code, but the rogue value would be already
    in task_struct, causing problems later.
    
    Here is the minimal fix for this.
    
    Originally discovered by Andrea while doing x86-64 work. It was fixed in
    a different, a bit more intrusive way on x86-64 - all FXRSTOR in the
    kernel are guarded by exception handlers.
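The ordering defect the message describes, as an added illustration that is not the commit's own i387.c change: the old path copies the user frame straight into the live task state and only then checks MXCSR, so a fault in the frame's last bytes returns early with the rogue value already stored; the staged variant validates a scratch copy before committing. The FXSAVE layout offset, the reserved-bit mask and the simulated copy_from_user are assumptions of this model, not values taken from the page.

```c
#include <errno.h>
#include <stdint.h>
#include <string.h>
#define FRAME_SIZE       512          /* size of an FXSAVE area */
#define MXCSR_OFFSET     24           /* MXCSR position inside the area (assumed) */
#define MXCSR_VALID_MASK 0x0000ffffu  /* assumption: bits 16-31 reserved */

/* Stand-in for copy_from_user: bytes past 'mapped' fault; returns bytes NOT copied. */
static size_t sim_copy_from_user(void *dst, const uint8_t *src, size_t n, size_t mapped)
{
    size_t ok = n < mapped ? n : mapped;
    memcpy(dst, src, ok);
    return n - ok;
}
static uint32_t frame_mxcsr(const uint8_t *frame)
{
    uint32_t v;
    memcpy(&v, frame + MXCSR_OFFSET, sizeof v);
    return v;
}
/* Old ordering: copy into the live task state, check afterwards. A fault in the
 * last bytes returns early with the rogue MXCSR already stored. */
int restore_old(uint8_t *task, const uint8_t *uframe, size_t mapped)
{
    if (sim_copy_from_user(task, uframe, FRAME_SIZE, mapped))
        return -EFAULT;
    return (frame_mxcsr(task) & ~MXCSR_VALID_MASK) ? -EINVAL : 0;
}
/* Safe ordering: stage, validate, then commit; no partial or illegal frame
 * ever reaches the task state. */
int restore_staged(uint8_t *task, const uint8_t *uframe, size_t mapped)
{
    uint8_t tmp[FRAME_SIZE];
    if (sim_copy_from_user(tmp, uframe, FRAME_SIZE, mapped))
        return -EFAULT;
    if (frame_mxcsr(tmp) & ~MXCSR_VALID_MASK)
        return -EINVAL;
    memcpy(task, tmp, FRAME_SIZE);
    return 0;
}
/* Scenario from the commit message: illegal MXCSR, last 8 bytes unmapped.
 * Returns 1 if the old path leaks the rogue value and the staged path does not. */
int demo_last_bytes_fault(void)
{
    uint8_t uframe[FRAME_SIZE] = {0}, old[FRAME_SIZE] = {0}, staged[FRAME_SIZE] = {0};
    uint32_t rogue = 0xffff0000u;  /* reserved bits set: FXRSTOR would #GP */
    memcpy(uframe + MXCSR_OFFSET, &rogue, sizeof rogue);
    return restore_old(old, uframe, FRAME_SIZE - 8) == -EFAULT && frame_mxcsr(old) == rogue
        && restore_staged(staged, uframe, FRAME_SIZE - 8) == -EFAULT && frame_mxcsr(staged) == 0;
}
```

The actual commit took the minimal route of sanitising the value after the copy; the staged copy shown here is the general pattern that avoids the partial-write window altogether.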
i387.c 12 KB