[PATCH] i386 stack frame security fix
This fixes a potential security issue on i386. FXRSTOR raises an #GP when the MXCSR field in the FXSAVE frame contains illegal values. By putting a signal frame just at a border to an unmapped page a malicious user could potentially cause an exception in the context switch using this. When the EFAULT occurs in the last bytes of the signal frame the MXCSR check would be skipped in the old code, but the rogue value would already be in task_struct, causing problems later. Here is the minimal fix for this. Originally discovered by Andrea while doing x86-64 work. It was fixed in a different, a bit more intrusive way on x86-64 - all FXRSTOR in the kernel are guarded by exception handlers.
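The ordering bug the message describes, modelled in user space as an added illustration (this is not the patch and not kernel code): a "user" signal frame is simulated by a byte buffer with a fault boundary standing in for the unmapped page, `restore_fxsave_old` copies straight into the task and only validates on full success, and `restore_fxsave_new` copies into a temporary, validates MXCSR, and commits only then. The struct layout is a simplified FXSAVE header, and `MXCSR_VALID_MASK` is the conservative 0xffbf default rather than the CPU-reported mask a real kernel would use; all names here are assumptions.

```c
/*
 * Added illustration, not from the patch or the Linux kernel: a user-space
 * model of copying a signal frame that ends at an unmapped page and the
 * order in which MXCSR is validated relative to writing the task state.
 */
#include <errno.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define FXSAVE_SIZE 512
/* Assumed conservative mask: bits 16-31 reserved, bit 6 (DAZ) only valid on
 * CPUs that report it. A real kernel derives this from the CPU at boot. */
#define MXCSR_VALID_MASK 0xffbfu

/* Simplified FXSAVE layout; only the header fields matter for this model. */
struct fxsave_frame {
    uint16_t cwd, swd, twd, fop;
    uint32_t fip, fcs, foo, fos;
    uint32_t mxcsr;                  /* at offset 24 */
    uint32_t mxcsr_mask;
    uint8_t  regs[FXSAVE_SIZE - 32]; /* pads the frame to 512 bytes */
};

/* The task's saved FPU state (stands in for the field in task_struct). */
struct task_fpu {
    struct fxsave_frame fxsave;
};

/* Simulated user memory: bytes beyond mapped_bytes are "unmapped". */
struct user_mem {
    const uint8_t *base;
    size_t mapped_bytes;
};

/* Simulated copy_from_user(): copies what is mapped, then faults. Like the
 * kernel helper it returns the number of bytes NOT copied (0 on success). */
static size_t sim_copy_from_user(void *dst, const struct user_mem *um, size_t n)
{
    size_t avail = um->mapped_bytes < n ? um->mapped_bytes : n;
    memcpy(dst, um->base, avail);
    return n - avail;
}

/* Old pattern: copy directly into the task, validate only on full success.
 * On a partial copy the bad MXCSR has already landed in the task state. */
int restore_fxsave_old(struct task_fpu *t, const struct user_mem *um)
{
    if (sim_copy_from_user(&t->fxsave, um, sizeof t->fxsave))
        return -EFAULT;              /* MXCSR check skipped here */
    if (t->fxsave.mxcsr & ~MXCSR_VALID_MASK)
        return -EINVAL;
    return 0;
}

/* Fixed pattern: copy into a temporary, validate, then commit as a whole,
 * so neither a fault nor an illegal MXCSR can leave partial state behind. */
int restore_fxsave_new(struct task_fpu *t, const struct user_mem *um)
{
    struct fxsave_frame tmp;
    if (sim_copy_from_user(&tmp, um, sizeof tmp))
        return -EFAULT;              /* task state untouched */
    if (tmp.mxcsr & ~MXCSR_VALID_MASK)
        return -EINVAL;              /* rejected before reaching the task */
    t->fxsave = tmp;
    return 0;
}

/* Builds a 512-byte frame with the given MXCSR (constructed test input). */
void build_frame(uint8_t out[FXSAVE_SIZE], uint32_t mxcsr)
{
    struct fxsave_frame f;
    memset(&f, 0, sizeof f);
    f.mxcsr = mxcsr;
    memcpy(out, &f, sizeof f);
}

int main(void)
{
    uint8_t buf[FXSAVE_SIZE];
    struct task_fpu t;
    struct user_mem um = { buf, FXSAVE_SIZE - 12 }; /* last 12 bytes unmapped */

    build_frame(buf, 0x00010000u);   /* reserved bit 16 set: illegal MXCSR */
    memset(&t, 0, sizeof t);
    restore_fxsave_old(&t, &um);
    printf("old: mxcsr in task after EFAULT = 0x%08x\n", t.fxsave.mxcsr);
    memset(&t, 0, sizeof t);
    restore_fxsave_new(&t, &um);
    printf("new: mxcsr in task after EFAULT = 0x%08x\n", t.fxsave.mxcsr);
    return 0;
}
```

The fixed variant makes the restore all-or-nothing: a frame straddling an unmapped page returns -EFAULT with the task's saved state unchanged, and a fully readable frame with reserved MXCSR bits set returns -EINVAL before anything is written, so nothing illegal can reach FXRSTOR at the next context switch.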