Home | History | Annotate | Download | only in amd64
History log of /src/sys/compat/linux32/arch/amd64/linux32_machdep.c
RevisionDateAuthorComments
 1.48  20-Jun-2023  riastradh linux32_rt_sendsig: Memset zero before copyout.

Not sure if there's any padding here, but it's a pretty big
structure, fairly likely, so let's be rather safe than sorry.

XXX pullup-8
XXX pullup-9
XXX pullup-10
 1.47  01-Nov-2021  thorpej branches: 1.47.4;
Use "stack_t" instead of "struct sigaltstack", as the former is the
newer standardized name. NFC.
 1.46  07-Sep-2021  riastradh sys/compat: Memset zero before copyout.

Just in case of uninitialized padding which would lead to kernel
stack disclosure. If the compiler can prove the memset redundant
then it can optimize it away; otherwise better safe than sorry.
 1.45  19-May-2019  maxv branches: 1.45.2;
Rename

fpu_save_area_clear -> fpu_clear
fpu_save_area_reset -> fpu_sigreset

Clearer, and reduces a future diff. No real functional change.
 1.44  24-Mar-2019  maxv Disable preemption when setting PCB_COMPAT32, to prevent a context switch
before cpu_fsgs_reload() finishes, otherwise we write garbage in the GDT.
On NetBSD-current it is harmless, however in NetBSD-8 it might cause
panics, because NetBSD-8 uses the old SegRegs model and under this model
we reload %fs and %gs during switches.
 1.43  21-Oct-2017  maxv branches: 1.43.4;
Include opt_user_ldt.h when needed.
 1.42  19-Oct-2017  maxv Always mask the 16 bits of the segregs in the trapframe. We don't zero-
extend the uint64_t's when building it, so we're leaking 48 bits of kernel
stack to userland.

Having said that, it appears that I unintentionally fixed most of this
issue in locore.S::rev1.127 - by building the frame with interrupts
disabled, we are implicitly guaranteeing that the structure doesn't get
overwritten by the kernel. Which means, we are leaking to userland data
that comes from userland anyway.

(still other places with this issue, but I'll fix them differently)
 1.41  15-Oct-2017  maxv Use two separate functions: cpu_segregs32_zero and cpu_segregs64_zero. The
way segment registers work on amd64 will diverge between 32bit and 64bit
LWPs.
 1.40  15-Oct-2017  maxv Make sure the 32bit LWPs don't have MDL_IRET set. That's not a problem
right now, but will be in the future.
 1.39  02-Sep-2017  maxv Fix a subtle ring0 escalation vulnerability in amd64, and implement a
mitigation against similar bugs.

The operations on segment registers can generate a page fault if there is
an issue when touching the in-memory gdt. Theoretically, it is never
supposed to happen, since the gdt is mapped correctly. However, in the
kernel we allow the gdt to be resized, and to do that, we allocate the
maximum amount of va needed by it, but only kenter a few pages until we
need more. Moreover, to avoid reloading the gdt each time we grow it, the
'size' field of gdtr is set to the maximum value. All of this means that
if a mov or iretq is done with a segment register whose index hits a page
that has not been kentered, a page fault is sent.

Such a page fault, if received in kernel mode, does not trigger a swapgs
on amd64; in other words, the kernel would be re-entered with the userland
tls.

And there just happens to be a place in compat_linux32 where the index of
%cs is controlled by userland, making it easy to trigger the page fault
and get kernel privileges.

The mitigation simply consists in abandoning the gdt_grow mechanism and
allocating/kentering the maximum size right away, in such a way that no
page fault can be triggered because of segment registers.
 1.38  05-Feb-2017  maxv branches: 1.38.6;
Remove #if 0 on USER_LDT.
 1.37  02-Sep-2016  maxv branches: 1.37.2;
Fix argument (does not compile anyway).
 1.36  19-Feb-2014  dsl branches: 1.36.4; 1.36.6; 1.36.8; 1.36.10; 1.36.14;
Explicitly include x86/fpu.h instead of relying in x86/frame.h including it.
 1.35  15-Feb-2014  dsl Remove all references to MDL_USEDFPU and deferred fpu initialisation.
The cost of zeroing the save area on exec is minimal.
This stops the FP registers of a random process being used the first
time an lwp uses the fpu.
sendsig_siginfo() and get_mcontext() now unconditionally copy the FP
registers.
I'll remove the double-copy for signal handlers soon.
get_mcontext() might have been leaking kernel memory to userspace - and
may still do so if i386_use_fxsave is false (short copies).
 1.34  07-Feb-2014  dsl Convert the amd64 build to use x86/cpu_extended_state.h so that the fpu
definitions match those of i386.
Mostly just structure and field renames, in addition:
1) process_xmm_to_s87() and process_s87_to_xmm() moved into
x86/convert_xmm_s87.c so they can be used by amd64's netbsd32 code.
2) The linux signal code simplified to use a structure copy for ths fxsave
data - it matches the hardware definition and won't change.
 1.33  01-Dec-2013  christos revert fpu/pcu changes until we figure out what's wrong; they cause random
freezes
 1.32  23-Oct-2013  drochner Use the MI "pcu" framework for bookkeeping of npx/fpu states on x86.
This reduces the amount of MD code enormously, and makes it easier
to implement support for newer CPU features which require more fpu
state, or for fpu usage by the kernel.
For access to FPU state across CPUs, an xcall kthread is used now
rather than a dedicated IPI.
No user visible changes intended.
 1.31  15-Jul-2012  dsl branches: 1.31.2; 1.31.4;
Rename MDP_IRET to MDL_IRET since it is an lwp flag, not a proc one.
Add an MDL_COMPAT32 flag to the lwp's md_flags, set it for 32bit lwps
and use it to force 'return to user' with iret (as is done when
MDL_IRET is set).
Split the iret/sysret code paths much later.
Remove all the replicated code for 32bit system calls - which was only
needed so that iret was always used.
frameasm.h for XEN contains '#define swapgs', while XEN probable never
needs swapgs, this is likely to be confusing.
Add a SWAPGS which is a nop on XEN and swapgs otherwise.
(I've not yet checked all the swapgs in files that include frameasm.h)
Simple x86 programs still work.
Hijack 6.99.9 kernel bump (needed for compat32 modules)
 1.30  08-Jul-2012  dsl The MDP_USEDFPU (amd64 and sh3) and MDP_SSTEP (sh3) are lwp flags not
process ones, rename to MDL_xxx.
 1.29  04-Mar-2011  joerg branches: 1.29.4; 1.29.10; 1.29.14; 1.29.16;
Refactor ps_strings access. Based on PK_32, write either the normal
version or the 32bit compat layout in execve1. Introduce a new function
copyin_psstrings for reading it back from userland and converting it to
the native layout. Refactor procfs to share most of the code with the
kern.proc_args sysctl handler.

This material is based upon work partially supported by
The NetBSD Foundation under a contract with Joerg Sonnenberger.
 1.28  07-Feb-2011  chs move macros for validating fs/gs to segments.h and use them
in the linux32 code as well.
 1.27  02-Nov-2010  chs branches: 1.27.2; 1.27.4;
implement the following syscalls for linux32:
truncate64
ftruncate64
profil
ioperm
iopl
setdomainname
modify_ldt
statfs64
fstatfs64

note that iopl(), ioperm() and modify_ldt() just call
the respective 64-bit handlers, which don't do anything yet.
 1.26  12-Jul-2010  christos fix debugging build.
 1.25  07-Jul-2010  jmmv Add missing includes to bring the linux_semun type needed by
linux_syscallargs.h.
 1.24  07-Jul-2010  chs many changes for COMPAT_LINUX:
- update the linux syscall table for each platform.
- support new-style (NPTL) linux pthreads on all platforms.
clone() with CLONE_THREAD uses 1 process with many LWPs
instead of separate processes.
- move the contents of sys__lwp_setprivate() into a new
lwp_setprivate() and use that everywhere.
- update linux_release[] and linux32_release[] to "2.6.18".
- adjust placement of emul fork/exec/exit hooks as needed
and adjust other emul code to match.
- convert all struct emul definitions to use named initializers.
- change the pid allocator to allow multiple pids to refer to the same proc.
- remove a few fields from struct proc that are no longer needed.
- disable the non-functional "vdso" code in linux32/amd64,
glibc works fine without it.
- fix a race in the futex code where we could miss a wakeup after
a requeue operation.
- redo futex locking to be a little more efficient.
 1.23  23-Nov-2009  rmind branches: 1.23.2; 1.23.4;
Use lwp_getpcb() in compat code, clean from struct user.
 1.22  29-May-2009  njoly Add native to linux siginfo si_status translation, used on i386 and
amd64.
 1.21  15-Mar-2009  cegger ansify function definitions
 1.20  19-Oct-2008  njoly branches: 1.20.2; 1.20.8;
Add native to linux siginfo si_code translation, mostly for negative
values. Adjust amd64 and i386 accordingly, not sure about aother archs
i can't test.
 1.19  09-Oct-2008  njoly Fix linux32 siginfo si_signo value. Do not convert ksi_signo twice.
 1.18  18-Sep-2008  christos Define a PSL_CLEARSIG macro for the psl flags to be cleared on signal delivery
and use it everywhere.
 1.17  24-Apr-2008  ad branches: 1.17.2; 1.17.4; 1.17.8;
Merge proc::p_mutex and proc::p_smutex into a single adaptive mutex, since
we no longer need to guard against access from hardware interrupt handlers.

Additionally, if cloning a process with CLONE_SIGHAND, arrange to have the
child process share the parent's lock so that signal state may be kept in
sync. Partially addresses PR kern/37437.
 1.16  20-Dec-2007  dsl branches: 1.16.6; 1.16.8;
Convert all the system call entry points from:
int foo(struct lwp *l, void *v, register_t *retval)
to:
int foo(struct lwp *l, const struct foo_args *uap, register_t *retval)
Fixup compat code to not write into 'uap' and (in some cases) to actually
pass a correctly formatted 'uap' structure with the right name to the
next routine.
A few 'compat' routines that just call standard ones have been deleted.
All the 'compat' code compiles (along with the kernels required to test
build it).
98% done by automated scripts.
 1.15  08-Dec-2007  dsl branches: 1.15.4;
ANSIfy most of the function definitions in sys/compat (but not ndis).
All by the magic of sed ...
 1.14  04-Dec-2007  dsl Remove all the __P
 1.13  24-Nov-2007  christos branches: 1.13.2;
- move the save context before the signal reset (Arto Huusko)
- set the sigcontext cr2
 1.12  19-Oct-2007  ad branches: 1.12.2;
machine/{bus,cpu,intr}.h -> sys/{bus,cpu,intr}.h
 1.11  21-May-2007  christos branches: 1.11.6; 1.11.8; 1.11.12;
rename si_sigval -> si_value to match POSIX RTS.
 1.10  18-Mar-2007  dsl Change all the NETBSD32PTR64(SCARG(uap, xxx))) to SCARG_P32(uap, xxx).
 1.9  16-Mar-2007  dsl remove all the double (and triple) casts used to convert 32bit userspace
pointers to and from 64bit kernel pointers. Instead use the defines
NETBSD32PTR64(p32) to read a 32bit pointer and (the new) NETBSD32PTR32(p32,p64)
to write a 32bit pointer throughout.
The 32bit pointer is now a struct to enforce the above.
amd64 (with linux emul) and sparc64 will both compile (when the arch stuff
goes in soon), and amd64 still runs some i386 binaries.
 1.8  05-Mar-2007  christos branches: 1.8.2; 1.8.4; 1.8.6;
fix caddr_t lossage
 1.7  04-Mar-2007  christos Kill caddr_t; there will be some MI fallout, but it will be fixed shortly.
 1.6  17-Feb-2007  pavel Change the process/lwp flags seen by userland via sysctl back to the
P_*/L_* naming convention, and rename the in-kernel flags to avoid
conflict. (P_ -> PK_, L_ -> LW_ ). Add back the (now unused) LSDEAD
constant.

Restores source compatibility with pre-newlock2 tools like ps or top.

Reviewed by Andrew Doran.
 1.5  15-Feb-2007  ad branches: 1.5.2;
Fix COMPAT_LINUX32.
 1.4  09-Feb-2007  ad Merge newlock2 to head.
 1.3  22-Nov-2006  christos adjust_limits takes p, not l again
 1.2  21-Nov-2006  christos From Nicolas Joly:

> It seems that 32bits programs, running under compat_netbsd32, using
> setrlimit force all other programs to have their maximum data size
> fixed at 3GB, where native 64bits apps used 8GB previously.

I tracked this one to the `netbsd32_adjust_limits()' function (called
when creating a new process under compat_netbsd32), where data and
stack limits are set without checking for shared `p_limit' structure
(p_limit->p_refcnt > 1). This explain the side effect where processes
have their limits changed when a compat_netbsd32 (or compat_linux32)
program is run.

The fix is to use `dosetrlimit()' to ensure the needed copy-on-write
behaviour for shared structure.
 1.1  09-Feb-2006  manu branches: 1.1.2; 1.1.10; 1.1.16; 1.1.20; 1.1.22; 1.1.24;
Add initial (but unfinished) COMPAT_LINUX32 for amd64. This is good enough so
that the i386 license manager part of amd64 version of Fluent works.

While I'm here, add SysV IPC to COMPAT_LINUX/amd64
 1.1.24.1  10-Dec-2006  yamt sync with head.
 1.1.22.2  09-Sep-2006  rpaulo sync with head
 1.1.22.1  09-Feb-2006  rpaulo file linux32_machdep.c was added on branch rpaulo-netinet-merge-pcb on 2006-09-09 02:45:52 +0000
 1.1.20.3  06-Feb-2007  ad More compat changes.

XXX compat_irix, compat_mach and compat_darwin need work.
 1.1.20.2  30-Jan-2007  ad Remove support for SA. Ok core@.
 1.1.20.1  12-Jan-2007  ad Sync with head.
 1.1.16.8  21-Jan-2008  yamt sync with head
 1.1.16.7  07-Dec-2007  yamt sync with head
 1.1.16.6  27-Oct-2007  yamt sync with head.
 1.1.16.5  03-Sep-2007  yamt sync with head.
 1.1.16.4  26-Feb-2007  yamt sync with head.
 1.1.16.3  30-Dec-2006  yamt sync with head.
 1.1.16.2  21-Jun-2006  yamt sync with head.
 1.1.16.1  09-Feb-2006  yamt file linux32_machdep.c was added on branch yamt-lazymbuf on 2006-06-21 14:59:27 +0000
 1.1.10.2  22-Apr-2006  simonb Sync with head.
 1.1.10.1  09-Feb-2006  simonb file linux32_machdep.c was added on branch simonb-timecounters on 2006-04-22 11:38:14 +0000
 1.1.2.2  18-Feb-2006  yamt sync with head.
 1.1.2.1  09-Feb-2006  yamt file linux32_machdep.c was added on branch yamt-uio_vmspace on 2006-02-18 15:38:59 +0000
 1.5.2.3  24-Mar-2007  yamt sync with head.
 1.5.2.2  12-Mar-2007  rmind Sync with HEAD.
 1.5.2.1  27-Feb-2007  yamt - sync with head.
- move sched_changepri back to kern_synch.c as it doesn't know PPQ anymore.
 1.8.6.2  29-Mar-2007  reinoud Pullup to -current
 1.8.6.1  18-Mar-2007  reinoud First attempt to bring branch in sync with HEAD
 1.8.4.1  11-Jul-2007  mjf Sync with head.
 1.8.2.3  23-Oct-2007  ad Sync with head.
 1.8.2.2  27-May-2007  ad Sync with head.
 1.8.2.1  10-Apr-2007  ad Sync with head.
 1.11.12.1  25-Oct-2007  bouyer Sync with HEAD.
 1.11.8.2  09-Jan-2008  matt sync with HEAD
 1.11.8.1  06-Nov-2007  matt sync with HEAD
 1.11.6.3  09-Dec-2007  jmcneill Sync with HEAD.
 1.11.6.2  27-Nov-2007  joerg Sync with HEAD. amd64 Xen support needs testing.
 1.11.6.1  26-Oct-2007  joerg Sync with HEAD.

Follow the merge of pmap.c on i386 and amd64 and move
pmap_init_tmp_pgtbl into arch/x86/x86/pmap.c. Modify the ACPI wakeup
code to restore CR4 before jumping back into kernel space as the large
page option might cover that.
 1.12.2.2  27-Dec-2007  mjf Sync with HEAD.
 1.12.2.1  08-Dec-2007  mjf Sync with HEAD.
 1.13.2.2  26-Dec-2007  ad Sync with head.
 1.13.2.1  08-Dec-2007  ad Sync with head.
 1.15.4.1  02-Jan-2008  bouyer Sync with HEAD
 1.16.8.1  18-May-2008  yamt sync with head.
 1.16.6.3  17-Jan-2009  mjf Sync with HEAD.
 1.16.6.2  28-Sep-2008  mjf Sync with HEAD.
 1.16.6.1  02-Jun-2008  mjf Sync with HEAD.
 1.17.8.1  19-Oct-2008  haad Sync with HEAD.
 1.17.4.4  10-Oct-2008  skrll Sync with HEAD.
 1.17.4.3  24-Sep-2008  wrstuden Merge in changes between wrstuden-revivesa-base-2 and
wrstuden-revivesa-base-3.
 1.17.4.2  14-May-2008  wrstuden Per discussion with ad, remove most of the #include <sys/sa.h> lines
as they were including sa.h just for the type(s) needed for syscallargs.h.

Instead, create a new file, sys/satypes.h, which contains just the
types needed for syscallargs.h. Yes, there's only one now, but that
may change and it's probably more likely to change if it'd be difficult
to handle. :-)

Per discussion with matt at n dot o, add an include of satypes.h to
sigtypes.h. Upcall handlers are kinda signal handlers, and signalling
is the header file that's already included for syscallargs.h that
closest matches SA.

This shaves about 3000 lines off of the diff of the branch relative
to the base. That also represents about 18% of the total before this
checkin.

I think this reduction is very good thing.
 1.17.4.1  10-May-2008  wrstuden Initial checkin of re-adding SA. Everything except kern_sa.c
compiles in GENERIC for i386. This is still a work-in-progress, but
this checkin covers most of the mechanical work (changing signalling
to be able to accomidate SA's process-wide signalling and re-adding
includes of sys/sa.h and savar.h). Subsequent changes will be much
more interesting.

Also, kern_sa.c has received partial cleanup. There's still more
to do, though.
 1.17.2.4  11-Aug-2010  yamt sync with head.
 1.17.2.3  11-Mar-2010  yamt sync with head
 1.17.2.2  20-Jun-2009  yamt sync with head
 1.17.2.1  04-May-2009  yamt sync with head.
 1.20.8.2  23-Jul-2009  jym Sync with HEAD.
 1.20.8.1  13-May-2009  jym Sync with HEAD.

Commit is split, to avoid a "too many arguments" protocol error.
 1.20.2.1  28-Apr-2009  skrll Sync with HEAD.
 1.23.4.1  05-Mar-2011  rmind sync with head
 1.23.2.2  06-Nov-2010  uebayasi Sync with HEAD.
 1.23.2.1  17-Aug-2010  uebayasi Sync with HEAD.
 1.27.4.2  05-Mar-2011  bouyer Sync with HEAD
 1.27.4.1  08-Feb-2011  bouyer Sync with HEAD
 1.27.2.1  06-Jun-2011  jruoho Sync with HEAD.
 1.29.16.1  09-Sep-2017  snj Pull up following revision(s) (requested by maxv in ticket #1502):
sys/compat/linux32/arch/amd64/linux32_machdep.c: revision 1.39
Fix a ring0 escalation vulnerability in compat_linux32 where the
index of %cs is controlled by userland, making it easy to trigger
the page fault and get kernel privileges.
 1.29.14.1  09-Sep-2017  snj Pull up following revision(s) (requested by maxv in ticket #1502):
sys/compat/linux32/arch/amd64/linux32_machdep.c: revision 1.39
Fix a ring0 escalation vulnerability in compat_linux32 where the
index of %cs is controlled by userland, making it easy to trigger
the page fault and get kernel privileges.
 1.29.10.1  09-Sep-2017  snj Pull up following revision(s) (requested by maxv in ticket #1502):
sys/compat/linux32/arch/amd64/linux32_machdep.c: revision 1.39
Fix a ring0 escalation vulnerability in compat_linux32 where the
index of %cs is controlled by userland, making it easy to trigger
the page fault and get kernel privileges.
 1.29.4.2  22-May-2014  yamt sync with head.

for a reference, the tree before this commit was tagged
as yamt-pagecache-tag8.

this commit was splitted into small chunks to avoid
a limitation of cvs. ("Protocol error: too many arguments")
 1.29.4.1  30-Oct-2012  yamt sync with head
 1.31.4.1  18-May-2014  rmind sync with head
 1.31.2.2  03-Dec-2017  jdolecek update from HEAD
 1.31.2.1  20-Aug-2014  tls Rebase to HEAD as of a few days ago.
 1.36.14.1  09-Sep-2017  snj Pull up following revision(s) (requested by maxv in ticket #1507):
sys/compat/linux32/arch/amd64/linux32_machdep.c: revision 1.39
Fix a ring0 escalation vulnerability in compat_linux32 where the
index of %cs is controlled by userland, making it easy to trigger
the page fault and get kernel privileges.
 1.36.10.1  20-Mar-2017  pgoyette Sync with HEAD
 1.36.8.1  09-Sep-2017  snj Pull up following revision(s) (requested by maxv in ticket #1507):
sys/compat/linux32/arch/amd64/linux32_machdep.c: revision 1.39
Fix a ring0 escalation vulnerability in compat_linux32 where the
index of %cs is controlled by userland, making it easy to trigger
the page fault and get kernel privileges.
 1.36.6.2  28-Aug-2017  skrll Sync with HEAD
 1.36.6.1  05-Oct-2016  skrll Sync with HEAD
 1.36.4.1  09-Sep-2017  snj Pull up following revision(s) (requested by maxv in ticket #1507):
sys/compat/linux32/arch/amd64/linux32_machdep.c: revision 1.39
Fix a ring0 escalation vulnerability in compat_linux32 where the
index of %cs is controlled by userland, making it easy to trigger
the page fault and get kernel privileges.
 1.37.2.1  21-Apr-2017  bouyer Sync with HEAD
 1.38.6.4  21-Jun-2023  martin Pull up following revision(s) (requested by riastradh in ticket #1841):

sys/compat/sunos32/sunos32_misc.c: revision 1.86
sys/compat/ossaudio/ossaudio.c: revision 1.85
sys/compat/linux32/arch/amd64/linux32_machdep.c: revision 1.48

compat_sunos32: Memset zero before copyout.

Unclear if this can leak anything but let's be on the safe side.

compat_ossaudio: Zero-initialize idat before copyout.
Unclear if there are any paths to the copyout without initialization,
but let's play it safe to keep the auditing effort low.

linux32_rt_sendsig: Memset zero before copyout.
Not sure if there's any padding here, but it's a pretty big
structure, fairly likely, so let's be rather safe than sorry.
 1.38.6.3  21-Jun-2023  martin Pull up following revision(s) (requested by riastradh in ticket #1836):

sys/compat/linux/arch/i386/linux_machdep.c: revision 1.168
sys/compat/sunos/sunos_misc.c: revision 1.177
sys/compat/netbsd32/netbsd32_compat_50.c: revision 1.52
sys/compat/common/kern_resource_43.c: revision 1.23
sys/compat/netbsd32/netbsd32_conv.h: revision 1.46
sys/compat/linux/arch/i386/linux_ptrace.c: revision 1.35
sys/compat/common/vfs_syscalls_12.c: revision 1.38
sys/compat/ultrix/ultrix_misc.c: revision 1.126
sys/compat/common/kern_sig_43.c: revision 1.37
sys/compat/linux/common/linux_mtio.c: revision 1.8
sys/compat/freebsd/freebsd_misc.c: revision 1.34
sys/compat/linux/common/linux_olduname.c: revision 1.67
sys/compat/linux/arch/mips/linux_machdep.c: revision 1.44
sys/compat/freebsd/freebsd_sched.c: revision 1.23
sys/compat/ossaudio/ossaudio.c: revision 1.84
sys/compat/sys/time_types.h: revision 1.6
sys/compat/linux/arch/powerpc/linux_machdep.c: revision 1.51
sys/compat/linux/common/linux_file.c: revision 1.119
sys/compat/linux/arch/arm/linux_machdep.c: revision 1.34
sys/compat/netbsd32/netbsd32_wait.c: revision 1.25
sys/compat/linux32/common/linux32_time.c: revision 1.38
sys/compat/linux/arch/powerpc/linux_ptrace.c: revision 1.33
sys/compat/linux/arch/alpha/linux_machdep.c: revision 1.52
sys/compat/linux32/arch/amd64/linux32_machdep.c: revision 1.46
sys/compat/netbsd32/netbsd32_compat_12.c: revision 1.36
sys/compat/ultrix/ultrix_ioctl.c: revision 1.39
sys/compat/linux/common/linux_misc.c: revision 1.252
sys/compat/linux/common/linux_hdio.c: revision 1.19
sys/compat/sunos/sunos_ioctl.c: revision 1.71
sys/compat/linux/common/linux_sched.c: revision 1.79
sys/compat/common/kern_info_43.c: revision 1.40
sys/compat/linux32/common/linux32_exec_elf32.c: revision 1.20
sys/compat/linux/common/linux_socket.c: revision 1.153
sys/compat/linux/arch/amd64/linux_machdep.c: revision 1.60
sys/compat/common/vfs_syscalls_43.c: revision 1.68
sys/compat/linux/arch/powerpc/linux_exec_powerpc.c: revision 1.25
sys/compat/netbsd32/netbsd32_ptrace.c: revision 1.9
sys/compat/common/kern_time_50.c: revision 1.37
sys/compat/netbsd32/netbsd32_compat_20.c: revision 1.42
sys/compat/linux/common/linux_cdrom.c: revision 1.28
sys/compat/linux/arch/m68k/linux_machdep.c: revision 1.43
sys/compat/common/kern_info_09.c: revision 1.22
sys/compat/linux32/common/linux32_resource.c: revision 1.12
sys/compat/linux/common/linux_oldolduname.c: revision 1.67
sys/compat/netbsd32/netbsd32_nfssvc.c: revision 1.8
sys/compat/linux32/common/linux32_signal.c: revision 1.21
sys/compat/common/kern_sig_13.c: revision 1.22
sys/compat/sunos32/sunos32_ioctl.c: revision 1.36
sys/compat/netbsd32/netbsd32_compat_43.c: revision 1.62
sys/compat/linux/arch/arm/linux_ptrace.c: revision 1.23
sys/compat/netbsd32/netbsd32_time.c: revision 1.56
sys/compat/linux/common/linux_signal.c: revision 1.84
sys/compat/netbsd32/netbsd32_signal.c: revision 1.52
sys/compat/sunos32/sunos32_misc.c: revision 1.85
sys/compat/linux/common/linux_time.c: revision 1.40
sys/compat/linux/common/linux_fdio.c: revision 1.14
sys/compat/common/vfs_syscalls_30.c: revision 1.43

sys/compat: Memset zero before copyout.

Just in case of uninitialized padding which would lead to kernel
stack disclosure. If the compiler can prove the memset redundant
then it can optimize it away; otherwise better safe than sorry.
 1.38.6.2  05-Apr-2019  martin Pull up following revision(s) (requested by maxv):

sys/arch/amd64/amd64/netbsd32_machdep.c: revision 1.120
sys/compat/linux/arch/amd64/linux_machdep.c: revision 1.57
sys/compat/linux32/arch/amd64/linux32_machdep.c: revision 1.44
sys/arch/amd64/amd64/machdep.c: revision 1.328
sys/arch/amd64/amd64/machdep.c: revision 1.329

Fix a tiny race in setregs and linux_setregs. Between the moment we set
pcb_flags to zero, and the moment cpu_segregs64_zero resets pcb_gs, we may
be preempted.

If this happens, and if the calling LWP was a 32bit thread, when switching
back to that LWP, the context switcher sees that PCB_COMPAT32 is not set in
pcb_flags and tries to perform a 64bit context switch; but pcb_gs contains
a 32bit GDT descriptor, and not a 64bit GS.base value. The wrmsr therefore
faults because the value is non-canonical, and this fault is fatal.

Rearrange the code so that the update of pcb_flags and pcb_gs/pcb_fs is non
interruptible. This fixes the problem, tested with a reproducer (which
therefore doesn't work anymore).

Likely fixes PR/53993.

Disable preemption when setting PCB_COMPAT32, to prevent a context switch
before cpu_fsgs_reload() finishes, otherwise we write garbage in the GDT.

On NetBSD-current it is harmless, however in NetBSD-8 it might cause
panics, because NetBSD-8 uses the old SegRegs model and under this model
we reload %fs and %gs during switches.
 1.38.6.1  09-Sep-2017  snj Pull up following revision(s) (requested by maxv in ticket #270):
sys/compat/linux32/arch/amd64/linux32_machdep.c: revision 1.39
Fix a ring0 escalation vulnerability in compat_linux32 where the
index of %cs is controlled by userland, making it easy to trigger
the page fault and get kernel privileges.
 1.43.4.1  10-Jun-2019  christos Sync with HEAD
 1.45.2.2  21-Jun-2023  martin Pull up following revision(s) (requested by riastradh in ticket #1650):

sys/compat/sunos32/sunos32_misc.c: revision 1.86
sys/compat/ossaudio/ossaudio.c: revision 1.85
sys/compat/linux32/arch/amd64/linux32_machdep.c: revision 1.48

compat_sunos32: Memset zero before copyout.

Unclear if this can leak anything but let's be on the safe side.

compat_ossaudio: Zero-initialize idat before copyout.
Unclear if there are any paths to the copyout without initialization,
but let's play it safe to keep the auditing effort low.

linux32_rt_sendsig: Memset zero before copyout.
Not sure if there's any padding here, but it's a pretty big
structure, fairly likely, so let's be rather safe than sorry.
 1.45.2.1  03-Aug-2022  martin Pull up following revision(s), all via patch
(requested by riastradh in ticket #1487):

sys/compat/linux/arch/i386/linux_machdep.c: revision 1.168
sys/compat/sunos/sunos_misc.c: revision 1.177
sys/compat/netbsd32/netbsd32_compat_50.c: revision 1.52
sys/compat/common/kern_resource_43.c: revision 1.23
sys/compat/netbsd32/netbsd32_conv.h: revision 1.46
sys/compat/linux/arch/i386/linux_ptrace.c: revision 1.35
sys/compat/common/vfs_syscalls_12.c: revision 1.38
sys/compat/ultrix/ultrix_misc.c: revision 1.126
sys/compat/common/kern_sig_43.c: revision 1.37
sys/compat/linux/common/linux_mtio.c: revision 1.8
sys/compat/freebsd/freebsd_misc.c: revision 1.34
sys/compat/freebsd/freebsd_machdep.c: revision 1.5
sys/compat/linux/common/linux_olduname.c: revision 1.67
sys/compat/linux/arch/mips/linux_machdep.c: revision 1.44
sys/compat/freebsd/freebsd_sched.c: revision 1.23
sys/compat/ossaudio/ossaudio.c: revision 1.84
sys/compat/sys/time_types.h: revision 1.6
sys/compat/linux/arch/powerpc/linux_machdep.c: revision 1.51
sys/compat/common/ieee80211_20.c: revision 1.7
sys/compat/linux/common/linux_file.c: revision 1.119
sys/compat/linux/arch/arm/linux_machdep.c: revision 1.34
sys/compat/netbsd32/netbsd32_wait.c: revision 1.25
sys/compat/linux32/common/linux32_time.c: revision 1.38
sys/compat/linux/arch/powerpc/linux_ptrace.c: revision 1.33
sys/compat/linux/arch/alpha/linux_machdep.c: revision 1.52
sys/compat/linux32/arch/amd64/linux32_machdep.c: revision 1.46
sys/compat/netbsd32/netbsd32_compat_12.c: revision 1.36
sys/compat/ultrix/ultrix_ioctl.c: revision 1.39
sys/compat/linux/common/linux_misc.c: revision 1.252
sys/compat/linux/common/linux_hdio.c: revision 1.19
sys/compat/sunos/sunos_ioctl.c: revision 1.71
sys/compat/linux/common/linux_sched.c: revision 1.79
sys/compat/common/kern_info_43.c: revision 1.40
sys/compat/linux32/common/linux32_exec_elf32.c: revision 1.20
sys/compat/linux/common/linux_socket.c: revision 1.153
sys/compat/linux/arch/amd64/linux_machdep.c: revision 1.60
sys/compat/common/vfs_syscalls_43.c: revision 1.68
sys/compat/linux/arch/powerpc/linux_exec_powerpc.c: revision 1.25
sys/compat/netbsd32/netbsd32_ptrace.c: revision 1.9
sys/compat/common/kern_time_50.c: revision 1.37
sys/compat/netbsd32/netbsd32_compat_20.c: revision 1.42
sys/compat/linux/common/linux_cdrom.c: revision 1.28
sys/compat/linux/arch/m68k/linux_machdep.c: revision 1.43
sys/compat/common/kern_info_09.c: revision 1.22
sys/compat/linux32/common/linux32_resource.c: revision 1.12
sys/compat/linux/common/linux_oldolduname.c: revision 1.67
sys/compat/common/if_media_80.c: revision 1.4
sys/compat/linux/arch/alpha/linux_osf1.c: revision 1.5
sys/compat/netbsd32/netbsd32_nfssvc.c: revision 1.8
sys/compat/linux32/common/linux32_signal.c: revision 1.21
sys/compat/common/kern_sig_13.c: revision 1.22
sys/compat/sunos32/sunos32_ioctl.c: revision 1.36
sys/compat/netbsd32/netbsd32_compat_43.c: revision 1.62
sys/compat/linux/arch/arm/linux_ptrace.c: revision 1.23
sys/compat/netbsd32/netbsd32_time.c: revision 1.56
sys/compat/linux/common/linux_signal.c: revision 1.84
sys/compat/netbsd32/netbsd32_signal.c: revision 1.52
sys/compat/sunos32/sunos32_misc.c: revision 1.85
sys/compat/linux/common/linux_time.c: revision 1.40
sys/compat/linux/common/linux_fdio.c: revision 1.14
sys/compat/common/vfs_syscalls_30.c: revision 1.43

sys/compat: Memset zero before copyout.

Just in case of uninitialized padding which would lead to kernel
stack disclosure. If the compiler can prove the memset redundant
then it can optimize it away; otherwise better safe than sorry.
 1.47.4.1  21-Jun-2023  martin Pull up following revision(s) (requested by riastradh in ticket #204):

sys/compat/sunos32/sunos32_misc.c: revision 1.86
sys/compat/ossaudio/ossaudio.c: revision 1.85
sys/compat/linux32/arch/amd64/linux32_machdep.c: revision 1.48

compat_sunos32: Memset zero before copyout.

Unclear if this can leak anything but let's be on the safe side.

compat_ossaudio: Zero-initialize idat before copyout.
Unclear if there are any paths to the copyout without initialization,
but let's play it safe to keep the auditing effort low.

linux32_rt_sendsig: Memset zero before copyout.
Not sure if there's any padding here, but it's a pretty big
structure, fairly likely, so let's be rather safe than sorry.

RSS XML Feed