History log of /src/sys/compat/linux32/arch/amd64/linux32_machdep.c

Revision | Date | Author | Comments

1.48 | 20-Jun-2023 | riastradh | linux32_rt_sendsig: Memset zero before copyout.
Not sure if there's any padding here, but it's a pretty big structure, fairly likely, so let's be rather safe than sorry.
XXX pullup-8 XXX pullup-9 XXX pullup-10

1.47 | 01-Nov-2021 | thorpej | branches: 1.47.4; Use "stack_t" instead of "struct sigaltstack", as the former is the newer standardized name. NFC.

1.46 | 07-Sep-2021 | riastradh | sys/compat: Memset zero before copyout.
Just in case of uninitialized padding which would lead to kernel stack disclosure. If the compiler can prove the memset redundant then it can optimize it away; otherwise better safe than sorry.

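The two memset-before-copyout commits above (1.48 and 1.46) guard against compiler-inserted struct padding carrying stale kernel stack bytes to userland. The C program below is an added example, not NetBSD code, that makes that leak observable from user space: a constructed structure (demo_sigframe, an assumed layout for this example rather than any real kernel type) is built in a stack slot pre-filled with a recognisable stale byte, its whole image is then copied out the way copyout(9) would, and the padding bytes of the copy are inspected. The two fill routines stand in for the code before and after the fix.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/*
 * Constructed stand-in for a compat structure the kernel fills in and hands
 * to userland.  The layout forces padding: 7 bytes after 'kind' to align
 * 'addr', and 6 trailing bytes to round the size up to 8-byte alignment.
 * This type is an assumption for the example, not a NetBSD structure.
 */
struct demo_sigframe {
    uint8_t  kind;   /* offset 0, followed by 7 bytes of padding */
    uint64_t addr;   /* offset 8 */
    uint16_t code;   /* offset 16, followed by tail padding up to sizeof */
};

static int in_range(size_t off, size_t start, size_t len)
{
    return off >= start && off < start + len;
}

/* A byte is padding if it belongs to none of the declared fields. */
static int is_padding(size_t off)
{
    return !(in_range(off, offsetof(struct demo_sigframe, kind), sizeof(uint8_t)) ||
             in_range(off, offsetof(struct demo_sigframe, addr), sizeof(uint64_t)) ||
             in_range(off, offsetof(struct demo_sigframe, code), sizeof(uint16_t)));
}

/* Before the fix: only the named fields are written, padding is untouched. */
static void fill_without_memset(struct demo_sigframe *sf)
{
    sf->kind = 1;
    sf->addr = 0x7fff0000ULL;   /* constructed sample value */
    sf->code = 2;
}

/* After the fix: zero the whole object first, then fill the fields. */
static void fill_with_memset(struct demo_sigframe *sf)
{
    memset(sf, 0, sizeof(*sf));
    sf->kind = 1;
    sf->addr = 0x7fff0000ULL;
    sf->code = 2;
}

/*
 * Simulate the kernel path: the struct lives in a stack slot that still holds
 * stale bytes (0xAA stands in for whatever a previous call left behind), the
 * fill routine runs, and the whole object is copied to the user buffer.
 * Returns the number of padding bytes in the copied-out image that are
 * non-zero, i.e. how many stale bytes reached userland.
 */
static size_t leaked_padding_bytes(void (*fill)(struct demo_sigframe *))
{
    union {
        struct demo_sigframe sf;
        unsigned char raw[sizeof(struct demo_sigframe)];
    } slot;
    unsigned char user_copy[sizeof(struct demo_sigframe)];
    size_t off, leaked = 0;

    memset(slot.raw, 0xAA, sizeof(slot.raw));        /* stale stack contents */
    fill(&slot.sf);
    memcpy(user_copy, slot.raw, sizeof(user_copy));  /* stands in for copyout */

    for (off = 0; off < sizeof(user_copy); off++)
        if (is_padding(off) && user_copy[off] != 0)
            leaked++;
    return leaked;
}

size_t leaked_without_memset(void) { return leaked_padding_bytes(fill_without_memset); }
size_t leaked_with_memset(void)    { return leaked_padding_bytes(fill_with_memset); }

/* Total padding the compiler inserted for this layout. */
size_t padding_bytes_in_struct(void)
{
    return sizeof(struct demo_sigframe)
        - sizeof(uint8_t) - sizeof(uint64_t) - sizeof(uint16_t);
}

int main(void)
{
    printf("sizeof(struct demo_sigframe) = %zu, padding = %zu bytes\n",
           sizeof(struct demo_sigframe), padding_bytes_in_struct());
    printf("padding bytes leaked without memset: %zu\n", leaked_without_memset());
    printf("padding bytes leaked with memset:    %zu\n", leaked_with_memset());
    return 0;
}
```

On the common x86-64 ABI this layout is 24 bytes with 13 bytes of padding, all of which come back as 0xAA in the unfixed path and as zero once the object is cleared first. Clearing with memset rather than relying on field-by-field assignment is the point of the commits: the compiler may drop a memset it can prove redundant, but it never promises to zero padding on its own.
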
1.45 | 19-May-2019 | maxv | branches: 1.45.2; Rename
fpu_save_area_clear -> fpu_clear
fpu_save_area_reset -> fpu_sigreset
Clearer, and reduces a future diff. No real functional change.

1.44 | 24-Mar-2019 | maxv | Disable preemption when setting PCB_COMPAT32, to prevent a context switch before cpu_fsgs_reload() finishes, otherwise we write garbage in the GDT. On NetBSD-current it is harmless, however in NetBSD-8 it might cause panics, because NetBSD-8 uses the old SegRegs model and under this model we reload %fs and %gs during switches.

1.43 | 21-Oct-2017 | maxv | branches: 1.43.4; Include opt_user_ldt.h when needed.

1.42 | 19-Oct-2017 | maxv | Always mask the 16 bits of the segregs in the trapframe. We don't zero-extend the uint64_t's when building it, so we're leaking 48 bits of kernel stack to userland.
Having said that, it appears that I unintentionally fixed most of this issue in locore.S::rev1.127 - by building the frame with interrupts disabled, we are implicitly guaranteeing that the structure doesn't get overwritten by the kernel. Which means, we are leaking to userland data that comes from userland anyway.
(still other places with this issue, but I'll fix them differently)

1.41 | 15-Oct-2017 | maxv | Use two separate functions: cpu_segregs32_zero and cpu_segregs64_zero. The way segment registers work on amd64 will diverge between 32bit and 64bit LWPs.

1.40 | 15-Oct-2017 | maxv | Make sure the 32bit LWPs don't have MDL_IRET set. That's not a problem right now, but will be in the future.

1.39 | 02-Sep-2017 | maxv | Fix a subtle ring0 escalation vulnerability in amd64, and implement a mitigation against similar bugs.
The operations on segment registers can generate a page fault if there is an issue when touching the in-memory gdt. Theoretically, it is never supposed to happen, since the gdt is mapped correctly. However, in the kernel we allow the gdt to be resized, and to do that, we allocate the maximum amount of va needed by it, but only kenter a few pages until we need more. Moreover, to avoid reloading the gdt each time we grow it, the 'size' field of gdtr is set to the maximum value. All of this means that if a mov or iretq is done with a segment register whose index hits a page that has not been kentered, a page fault is sent.
Such a page fault, if received in kernel mode, does not trigger a swapgs on amd64; in other words, the kernel would be re-entered with the userland tls.
And there just happens to be a place in compat_linux32 where the index of %cs is controlled by userland, making it easy to trigger the page fault and get kernel privileges.
The mitigation simply consists in abandoning the gdt_grow mechanism and allocating/kentering the maximum size right away, in such a way that no page fault can be triggered because of segment registers.

1.38 | 05-Feb-2017 | maxv | branches: 1.38.6; Remove #if 0 on USER_LDT.

1.37 | 02-Sep-2016 | maxv | branches: 1.37.2; Fix argument (does not compile anyway).

1.36 | 19-Feb-2014 | dsl | branches: 1.36.4; 1.36.6; 1.36.8; 1.36.10; 1.36.14; Explicitly include x86/fpu.h instead of relying on x86/frame.h including it.

1.35 | 15-Feb-2014 | dsl | Remove all references to MDL_USEDFPU and deferred fpu initialisation. The cost of zeroing the save area on exec is minimal. This stops the FP registers of a random process being used the first time an lwp uses the fpu. sendsig_siginfo() and get_mcontext() now unconditionally copy the FP registers. I'll remove the double-copy for signal handlers soon. get_mcontext() might have been leaking kernel memory to userspace - and may still do so if i386_use_fxsave is false (short copies).

1.34 | 07-Feb-2014 | dsl | Convert the amd64 build to use x86/cpu_extended_state.h so that the fpu definitions match those of i386. Mostly just structure and field renames, in addition:
1) process_xmm_to_s87() and process_s87_to_xmm() moved into x86/convert_xmm_s87.c so they can be used by amd64's netbsd32 code.
2) The linux signal code simplified to use a structure copy for the fxsave data - it matches the hardware definition and won't change.

1.33 | 01-Dec-2013 | christos | revert fpu/pcu changes until we figure out what's wrong; they cause random freezes

1.32 | 23-Oct-2013 | drochner | Use the MI "pcu" framework for bookkeeping of npx/fpu states on x86. This reduces the amount of MD code enormously, and makes it easier to implement support for newer CPU features which require more fpu state, or for fpu usage by the kernel. For access to FPU state across CPUs, an xcall kthread is used now rather than a dedicated IPI. No user visible changes intended.

1.31 | 15-Jul-2012 | dsl | branches: 1.31.2; 1.31.4; Rename MDP_IRET to MDL_IRET since it is an lwp flag, not a proc one. Add an MDL_COMPAT32 flag to the lwp's md_flags, set it for 32bit lwps and use it to force 'return to user' with iret (as is done when MDL_IRET is set). Split the iret/sysret code paths much later. Remove all the replicated code for 32bit system calls - which was only needed so that iret was always used. frameasm.h for XEN contains '#define swapgs', while XEN probably never needs swapgs, this is likely to be confusing. Add a SWAPGS which is a nop on XEN and swapgs otherwise. (I've not yet checked all the swapgs in files that include frameasm.h) Simple x86 programs still work. Hijack 6.99.9 kernel bump (needed for compat32 modules)

1.30 | 08-Jul-2012 | dsl | The MDP_USEDFPU (amd64 and sh3) and MDP_SSTEP (sh3) are lwp flags not process ones, rename to MDL_xxx.

1.29 | 04-Mar-2011 | joerg | branches: 1.29.4; 1.29.10; 1.29.14; 1.29.16; Refactor ps_strings access. Based on PK_32, write either the normal version or the 32bit compat layout in execve1. Introduce a new function copyin_psstrings for reading it back from userland and converting it to the native layout. Refactor procfs to share most of the code with the kern.proc_args sysctl handler.
This material is based upon work partially supported by The NetBSD Foundation under a contract with Joerg Sonnenberger.

1.28 | 07-Feb-2011 | chs | move macros for validating fs/gs to segments.h and use them in the linux32 code as well.

1.27 | 02-Nov-2010 | chs | branches: 1.27.2; 1.27.4; implement the following syscalls for linux32: truncate64 ftruncate64 profil ioperm iopl setdomainname modify_ldt statfs64 fstatfs64
note that iopl(), ioperm() and modify_ldt() just call the respective 64-bit handlers, which don't do anything yet.

1.26 | 12-Jul-2010 | christos | fix debugging build.

1.25 | 07-Jul-2010 | jmmv | Add missing includes to bring the linux_semun type needed by linux_syscallargs.h.

1.24 | 07-Jul-2010 | chs | many changes for COMPAT_LINUX:
- update the linux syscall table for each platform.
- support new-style (NPTL) linux pthreads on all platforms. clone() with CLONE_THREAD uses 1 process with many LWPs instead of separate processes.
- move the contents of sys__lwp_setprivate() into a new lwp_setprivate() and use that everywhere.
- update linux_release[] and linux32_release[] to "2.6.18".
- adjust placement of emul fork/exec/exit hooks as needed and adjust other emul code to match.
- convert all struct emul definitions to use named initializers.
- change the pid allocator to allow multiple pids to refer to the same proc.
- remove a few fields from struct proc that are no longer needed.
- disable the non-functional "vdso" code in linux32/amd64, glibc works fine without it.
- fix a race in the futex code where we could miss a wakeup after a requeue operation.
- redo futex locking to be a little more efficient.

1.23 | 23-Nov-2009 | rmind | branches: 1.23.2; 1.23.4; Use lwp_getpcb() in compat code, clean from struct user.

1.22 | 29-May-2009 | njoly | Add native to linux siginfo si_status translation, used on i386 and amd64.

1.21 | 15-Mar-2009 | cegger | ansify function definitions

1.20 | 19-Oct-2008 | njoly | branches: 1.20.2; 1.20.8; Add native to linux siginfo si_code translation, mostly for negative values. Adjust amd64 and i386 accordingly, not sure about other archs I can't test.

1.19 | 09-Oct-2008 | njoly | Fix linux32 siginfo si_signo value. Do not convert ksi_signo twice.

1.18 | 18-Sep-2008 | christos | Define a PSL_CLEARSIG macro for the psl flags to be cleared on signal delivery and use it everywhere.

1.17 | 24-Apr-2008 | ad | branches: 1.17.2; 1.17.4; 1.17.8; Merge proc::p_mutex and proc::p_smutex into a single adaptive mutex, since we no longer need to guard against access from hardware interrupt handlers.
Additionally, if cloning a process with CLONE_SIGHAND, arrange to have the child process share the parent's lock so that signal state may be kept in sync. Partially addresses PR kern/37437.

1.16 | 20-Dec-2007 | dsl | branches: 1.16.6; 1.16.8; Convert all the system call entry points from:
int foo(struct lwp *l, void *v, register_t *retval)
to:
int foo(struct lwp *l, const struct foo_args *uap, register_t *retval)
Fixup compat code to not write into 'uap' and (in some cases) to actually pass a correctly formatted 'uap' structure with the right name to the next routine. A few 'compat' routines that just call standard ones have been deleted. All the 'compat' code compiles (along with the kernels required to test build it). 98% done by automated scripts.

1.15 | 08-Dec-2007 | dsl | branches: 1.15.4; ANSIfy most of the function definitions in sys/compat (but not ndis). All by the magic of sed ...

1.14 | 04-Dec-2007 | dsl | Remove all the __P

1.13 | 24-Nov-2007 | christos | branches: 1.13.2;
- move the save context before the signal reset (Arto Huusko)
- set the sigcontext cr2

1.12 | 19-Oct-2007 | ad | branches: 1.12.2; machine/{bus,cpu,intr}.h -> sys/{bus,cpu,intr}.h

1.11 | 21-May-2007 | christos | branches: 1.11.6; 1.11.8; 1.11.12; rename si_sigval -> si_value to match POSIX RTS.

1.10 | 18-Mar-2007 | dsl | Change all the NETBSD32PTR64(SCARG(uap, xxx))) to SCARG_P32(uap, xxx).

1.9 | 16-Mar-2007 | dsl | remove all the double (and triple) casts used to convert 32bit userspace pointers to and from 64bit kernel pointers. Instead use the defines NETBSD32PTR64(p32) to read a 32bit pointer and (the new) NETBSD32PTR32(p32,p64) to write a 32bit pointer throughout. The 32bit pointer is now a struct to enforce the above. amd64 (with linux emul) and sparc64 will both compile (when the arch stuff goes in soon), and amd64 still runs some i386 binaries.

1.8 | 05-Mar-2007 | christos | branches: 1.8.2; 1.8.4; 1.8.6; fix caddr_t lossage

1.7 | 04-Mar-2007 | christos | Kill caddr_t; there will be some MI fallout, but it will be fixed shortly.

1.6 | 17-Feb-2007 | pavel | Change the process/lwp flags seen by userland via sysctl back to the P_*/L_* naming convention, and rename the in-kernel flags to avoid conflict. (P_ -> PK_, L_ -> LW_ ). Add back the (now unused) LSDEAD constant.
Restores source compatibility with pre-newlock2 tools like ps or top.
Reviewed by Andrew Doran.

1.5 | 15-Feb-2007 | ad | branches: 1.5.2; Fix COMPAT_LINUX32.

1.4 | 09-Feb-2007 | ad | Merge newlock2 to head.

1.3 | 22-Nov-2006 | christos | adjust_limits takes p, not l again

1.2 | 21-Nov-2006 | christos | From Nicolas Joly:
> It seems that 32bits programs, running under compat_netbsd32, using setrlimit force all other programs to have their maximum data size fixed at 3GB, where native 64bits apps used 8GB previously.
I tracked this one to the `netbsd32_adjust_limits()' function (called when creating a new process under compat_netbsd32), where data and stack limits are set without checking for shared `p_limit' structure (p_limit->p_refcnt > 1). This explains the side effect where processes have their limits changed when a compat_netbsd32 (or compat_linux32) program is run.
The fix is to use `dosetrlimit()' to ensure the needed copy-on-write behaviour for shared structure.

1.1 | 09-Feb-2006 | manu | branches: 1.1.2; 1.1.10; 1.1.16; 1.1.20; 1.1.22; 1.1.24; Add initial (but unfinished) COMPAT_LINUX32 for amd64. This is good enough so that the i386 license manager part of amd64 version of Fluent works.
While I'm here, add SysV IPC to COMPAT_LINUX/amd64

1.1.24.1 | 10-Dec-2006 | yamt | sync with head.

1.1.22.2 | 09-Sep-2006 | rpaulo | sync with head

1.1.22.1 | 09-Feb-2006 | rpaulo | file linux32_machdep.c was added on branch rpaulo-netinet-merge-pcb on 2006-09-09 02:45:52 +0000

1.1.20.3 | 06-Feb-2007 | ad | More compat changes.
XXX compat_irix, compat_mach and compat_darwin need work.

1.1.20.2 | 30-Jan-2007 | ad | Remove support for SA. Ok core@.

1.1.20.1 | 12-Jan-2007 | ad | Sync with head.

1.1.16.8 | 21-Jan-2008 | yamt | sync with head

1.1.16.7 | 07-Dec-2007 | yamt | sync with head

1.1.16.6 | 27-Oct-2007 | yamt | sync with head.

1.1.16.5 | 03-Sep-2007 | yamt | sync with head.

1.1.16.4 | 26-Feb-2007 | yamt | sync with head.

1.1.16.3 | 30-Dec-2006 | yamt | sync with head.

1.1.16.2 | 21-Jun-2006 | yamt | sync with head.

1.1.16.1 | 09-Feb-2006 | yamt | file linux32_machdep.c was added on branch yamt-lazymbuf on 2006-06-21 14:59:27 +0000

1.1.10.2 | 22-Apr-2006 | simonb | Sync with head.

1.1.10.1 | 09-Feb-2006 | simonb | file linux32_machdep.c was added on branch simonb-timecounters on 2006-04-22 11:38:14 +0000

1.1.2.2 | 18-Feb-2006 | yamt | sync with head.

1.1.2.1 | 09-Feb-2006 | yamt | file linux32_machdep.c was added on branch yamt-uio_vmspace on 2006-02-18 15:38:59 +0000

1.5.2.3 | 24-Mar-2007 | yamt | sync with head.

1.5.2.2 | 12-Mar-2007 | rmind | Sync with HEAD.

1.5.2.1 | 27-Feb-2007 | yamt |
- sync with head.
- move sched_changepri back to kern_synch.c as it doesn't know PPQ anymore.

1.8.6.2 | 29-Mar-2007 | reinoud | Pullup to -current

1.8.6.1 | 18-Mar-2007 | reinoud | First attempt to bring branch in sync with HEAD

1.8.4.1 | 11-Jul-2007 | mjf | Sync with head.

1.8.2.3 | 23-Oct-2007 | ad | Sync with head.

1.8.2.2 | 27-May-2007 | ad | Sync with head.

1.8.2.1 | 10-Apr-2007 | ad | Sync with head.

1.11.12.1 | 25-Oct-2007 | bouyer | Sync with HEAD.

1.11.8.2 | 09-Jan-2008 | matt | sync with HEAD

1.11.8.1 | 06-Nov-2007 | matt | sync with HEAD

1.11.6.3 | 09-Dec-2007 | jmcneill | Sync with HEAD.

1.11.6.2 | 27-Nov-2007 | joerg | Sync with HEAD. amd64 Xen support needs testing.

1.11.6.1 | 26-Oct-2007 | joerg | Sync with HEAD.
Follow the merge of pmap.c on i386 and amd64 and move pmap_init_tmp_pgtbl into arch/x86/x86/pmap.c. Modify the ACPI wakeup code to restore CR4 before jumping back into kernel space as the large page option might cover that.

1.12.2.2 | 27-Dec-2007 | mjf | Sync with HEAD.

1.12.2.1 | 08-Dec-2007 | mjf | Sync with HEAD.

1.13.2.2 | 26-Dec-2007 | ad | Sync with head.

1.13.2.1 | 08-Dec-2007 | ad | Sync with head.

1.15.4.1 | 02-Jan-2008 | bouyer | Sync with HEAD

1.16.8.1 | 18-May-2008 | yamt | sync with head.

1.16.6.3 | 17-Jan-2009 | mjf | Sync with HEAD.

1.16.6.2 | 28-Sep-2008 | mjf | Sync with HEAD.

1.16.6.1 | 02-Jun-2008 | mjf | Sync with HEAD.

1.17.8.1 | 19-Oct-2008 | haad | Sync with HEAD.

1.17.4.4 | 10-Oct-2008 | skrll | Sync with HEAD.

1.17.4.3 | 24-Sep-2008 | wrstuden | Merge in changes between wrstuden-revivesa-base-2 and wrstuden-revivesa-base-3.

1.17.4.2 | 14-May-2008 | wrstuden | Per discussion with ad, remove most of the #include <sys/sa.h> lines as they were including sa.h just for the type(s) needed for syscallargs.h.
Instead, create a new file, sys/satypes.h, which contains just the types needed for syscallargs.h. Yes, there's only one now, but that may change and it's probably more likely to change if it'd be difficult to handle. :-)
Per discussion with matt at n dot o, add an include of satypes.h to sigtypes.h. Upcall handlers are kinda signal handlers, and signalling is the header file that's already included for syscallargs.h that closest matches SA.
This shaves about 3000 lines off of the diff of the branch relative to the base. That also represents about 18% of the total before this checkin.
I think this reduction is a very good thing.

1.17.4.1 | 10-May-2008 | wrstuden | Initial checkin of re-adding SA. Everything except kern_sa.c compiles in GENERIC for i386. This is still a work-in-progress, but this checkin covers most of the mechanical work (changing signalling to be able to accommodate SA's process-wide signalling and re-adding includes of sys/sa.h and savar.h). Subsequent changes will be much more interesting.
Also, kern_sa.c has received partial cleanup. There's still more to do, though.

1.17.2.4 | 11-Aug-2010 | yamt | sync with head.

1.17.2.3 | 11-Mar-2010 | yamt | sync with head

1.17.2.2 | 20-Jun-2009 | yamt | sync with head

1.17.2.1 | 04-May-2009 | yamt | sync with head.

1.20.8.2 | 23-Jul-2009 | jym | Sync with HEAD.

1.20.8.1 | 13-May-2009 | jym | Sync with HEAD.
Commit is split, to avoid a "too many arguments" protocol error.

1.20.2.1 | 28-Apr-2009 | skrll | Sync with HEAD.

1.23.4.1 | 05-Mar-2011 | rmind | sync with head

1.23.2.2 | 06-Nov-2010 | uebayasi | Sync with HEAD.

1.23.2.1 | 17-Aug-2010 | uebayasi | Sync with HEAD.

1.27.4.2 | 05-Mar-2011 | bouyer | Sync with HEAD

1.27.4.1 | 08-Feb-2011 | bouyer | Sync with HEAD

1.27.2.1 | 06-Jun-2011 | jruoho | Sync with HEAD.

1.29.16.1 | 09-Sep-2017 | snj | Pull up following revision(s) (requested by maxv in ticket #1502):
sys/compat/linux32/arch/amd64/linux32_machdep.c: revision 1.39
Fix a ring0 escalation vulnerability in compat_linux32 where the index of %cs is controlled by userland, making it easy to trigger the page fault and get kernel privileges.

1.29.14.1 | 09-Sep-2017 | snj | Pull up following revision(s) (requested by maxv in ticket #1502):
sys/compat/linux32/arch/amd64/linux32_machdep.c: revision 1.39
Fix a ring0 escalation vulnerability in compat_linux32 where the index of %cs is controlled by userland, making it easy to trigger the page fault and get kernel privileges.

1.29.10.1 | 09-Sep-2017 | snj | Pull up following revision(s) (requested by maxv in ticket #1502):
sys/compat/linux32/arch/amd64/linux32_machdep.c: revision 1.39
Fix a ring0 escalation vulnerability in compat_linux32 where the index of %cs is controlled by userland, making it easy to trigger the page fault and get kernel privileges.

1.29.4.2 | 22-May-2014 | yamt | sync with head.
for a reference, the tree before this commit was tagged as yamt-pagecache-tag8.
this commit was split into small chunks to avoid a limitation of cvs. ("Protocol error: too many arguments")

1.29.4.1 | 30-Oct-2012 | yamt | sync with head

1.31.4.1 | 18-May-2014 | rmind | sync with head

1.31.2.2 | 03-Dec-2017 | jdolecek | update from HEAD

1.31.2.1 | 20-Aug-2014 | tls | Rebase to HEAD as of a few days ago.

1.36.14.1 | 09-Sep-2017 | snj | Pull up following revision(s) (requested by maxv in ticket #1507):
sys/compat/linux32/arch/amd64/linux32_machdep.c: revision 1.39
Fix a ring0 escalation vulnerability in compat_linux32 where the index of %cs is controlled by userland, making it easy to trigger the page fault and get kernel privileges.

1.36.10.1 | 20-Mar-2017 | pgoyette | Sync with HEAD

1.36.8.1 | 09-Sep-2017 | snj | Pull up following revision(s) (requested by maxv in ticket #1507):
sys/compat/linux32/arch/amd64/linux32_machdep.c: revision 1.39
Fix a ring0 escalation vulnerability in compat_linux32 where the index of %cs is controlled by userland, making it easy to trigger the page fault and get kernel privileges.

1.36.6.2 | 28-Aug-2017 | skrll | Sync with HEAD

1.36.6.1 | 05-Oct-2016 | skrll | Sync with HEAD

1.36.4.1 | 09-Sep-2017 | snj | Pull up following revision(s) (requested by maxv in ticket #1507):
sys/compat/linux32/arch/amd64/linux32_machdep.c: revision 1.39
Fix a ring0 escalation vulnerability in compat_linux32 where the index of %cs is controlled by userland, making it easy to trigger the page fault and get kernel privileges.

1.37.2.1 | 21-Apr-2017 | bouyer | Sync with HEAD

1.38.6.4 | 21-Jun-2023 | martin | Pull up following revision(s) (requested by riastradh in ticket #1841):
sys/compat/sunos32/sunos32_misc.c: revision 1.86
sys/compat/ossaudio/ossaudio.c: revision 1.85
sys/compat/linux32/arch/amd64/linux32_machdep.c: revision 1.48
compat_sunos32: Memset zero before copyout.
Unclear if this can leak anything but let's be on the safe side.
compat_ossaudio: Zero-initialize idat before copyout. Unclear if there are any paths to the copyout without initialization, but let's play it safe to keep the auditing effort low.
linux32_rt_sendsig: Memset zero before copyout. Not sure if there's any padding here, but it's a pretty big structure, fairly likely, so let's be rather safe than sorry.

1.38.6.3 | 21-Jun-2023 | martin | Pull up following revision(s) (requested by riastradh in ticket #1836):
sys/compat/linux/arch/i386/linux_machdep.c: revision 1.168 sys/compat/sunos/sunos_misc.c: revision 1.177 sys/compat/netbsd32/netbsd32_compat_50.c: revision 1.52 sys/compat/common/kern_resource_43.c: revision 1.23 sys/compat/netbsd32/netbsd32_conv.h: revision 1.46 sys/compat/linux/arch/i386/linux_ptrace.c: revision 1.35 sys/compat/common/vfs_syscalls_12.c: revision 1.38 sys/compat/ultrix/ultrix_misc.c: revision 1.126 sys/compat/common/kern_sig_43.c: revision 1.37 sys/compat/linux/common/linux_mtio.c: revision 1.8 sys/compat/freebsd/freebsd_misc.c: revision 1.34 sys/compat/linux/common/linux_olduname.c: revision 1.67 sys/compat/linux/arch/mips/linux_machdep.c: revision 1.44 sys/compat/freebsd/freebsd_sched.c: revision 1.23 sys/compat/ossaudio/ossaudio.c: revision 1.84 sys/compat/sys/time_types.h: revision 1.6 sys/compat/linux/arch/powerpc/linux_machdep.c: revision 1.51 sys/compat/linux/common/linux_file.c: revision 1.119 sys/compat/linux/arch/arm/linux_machdep.c: revision 1.34 sys/compat/netbsd32/netbsd32_wait.c: revision 1.25 sys/compat/linux32/common/linux32_time.c: revision 1.38 sys/compat/linux/arch/powerpc/linux_ptrace.c: revision 1.33 sys/compat/linux/arch/alpha/linux_machdep.c: revision 1.52 sys/compat/linux32/arch/amd64/linux32_machdep.c: revision 1.46 sys/compat/netbsd32/netbsd32_compat_12.c: revision 1.36 sys/compat/ultrix/ultrix_ioctl.c: revision 1.39 sys/compat/linux/common/linux_misc.c: revision 1.252 sys/compat/linux/common/linux_hdio.c: revision 1.19 sys/compat/sunos/sunos_ioctl.c: revision 1.71 sys/compat/linux/common/linux_sched.c: revision 1.79 sys/compat/common/kern_info_43.c: revision 1.40 sys/compat/linux32/common/linux32_exec_elf32.c: revision 1.20 sys/compat/linux/common/linux_socket.c: revision 1.153 sys/compat/linux/arch/amd64/linux_machdep.c: revision 1.60 sys/compat/common/vfs_syscalls_43.c: revision 1.68 sys/compat/linux/arch/powerpc/linux_exec_powerpc.c: revision 1.25 sys/compat/netbsd32/netbsd32_ptrace.c: revision 1.9
sys/compat/common/kern_time_50.c: revision 1.37 sys/compat/netbsd32/netbsd32_compat_20.c: revision 1.42 sys/compat/linux/common/linux_cdrom.c: revision 1.28 sys/compat/linux/arch/m68k/linux_machdep.c: revision 1.43 sys/compat/common/kern_info_09.c: revision 1.22 sys/compat/linux32/common/linux32_resource.c: revision 1.12 sys/compat/linux/common/linux_oldolduname.c: revision 1.67 sys/compat/netbsd32/netbsd32_nfssvc.c: revision 1.8 sys/compat/linux32/common/linux32_signal.c: revision 1.21 sys/compat/common/kern_sig_13.c: revision 1.22 sys/compat/sunos32/sunos32_ioctl.c: revision 1.36 sys/compat/netbsd32/netbsd32_compat_43.c: revision 1.62 sys/compat/linux/arch/arm/linux_ptrace.c: revision 1.23 sys/compat/netbsd32/netbsd32_time.c: revision 1.56 sys/compat/linux/common/linux_signal.c: revision 1.84 sys/compat/netbsd32/netbsd32_signal.c: revision 1.52 sys/compat/sunos32/sunos32_misc.c: revision 1.85 sys/compat/linux/common/linux_time.c: revision 1.40 sys/compat/linux/common/linux_fdio.c: revision 1.14 sys/compat/common/vfs_syscalls_30.c: revision 1.43
sys/compat: Memset zero before copyout.
Just in case of uninitialized padding which would lead to kernel stack disclosure. If the compiler can prove the memset redundant then it can optimize it away; otherwise better safe than sorry.

1.38.6.2 | 05-Apr-2019 | martin | Pull up following revision(s) (requested by maxv):
sys/arch/amd64/amd64/netbsd32_machdep.c: revision 1.120
sys/compat/linux/arch/amd64/linux_machdep.c: revision 1.57
sys/compat/linux32/arch/amd64/linux32_machdep.c: revision 1.44
sys/arch/amd64/amd64/machdep.c: revision 1.328
sys/arch/amd64/amd64/machdep.c: revision 1.329
Fix a tiny race in setregs and linux_setregs. Between the moment we set pcb_flags to zero, and the moment cpu_segregs64_zero resets pcb_gs, we may be preempted.
If this happens, and if the calling LWP was a 32bit thread, when switching back to that LWP, the context switcher sees that PCB_COMPAT32 is not set in pcb_flags and tries to perform a 64bit context switch; but pcb_gs contains a 32bit GDT descriptor, and not a 64bit GS.base value. The wrmsr therefore faults because the value is non-canonical, and this fault is fatal.
Rearrange the code so that the update of pcb_flags and pcb_gs/pcb_fs is non interruptible. This fixes the problem, tested with a reproducer (which therefore doesn't work anymore).
Likely fixes PR/53993.
Disable preemption when setting PCB_COMPAT32, to prevent a context switch before cpu_fsgs_reload() finishes, otherwise we write garbage in the GDT.
On NetBSD-current it is harmless, however in NetBSD-8 it might cause panics, because NetBSD-8 uses the old SegRegs model and under this model we reload %fs and %gs during switches.

1.38.6.1 | 09-Sep-2017 | snj | Pull up following revision(s) (requested by maxv in ticket #270):
sys/compat/linux32/arch/amd64/linux32_machdep.c: revision 1.39
Fix a ring0 escalation vulnerability in compat_linux32 where the index of %cs is controlled by userland, making it easy to trigger the page fault and get kernel privileges.

1.43.4.1 | 10-Jun-2019 | christos | Sync with HEAD

1.45.2.2 | 21-Jun-2023 | martin | Pull up following revision(s) (requested by riastradh in ticket #1650):
sys/compat/sunos32/sunos32_misc.c: revision 1.86
sys/compat/ossaudio/ossaudio.c: revision 1.85
sys/compat/linux32/arch/amd64/linux32_machdep.c: revision 1.48
compat_sunos32: Memset zero before copyout.
Unclear if this can leak anything but let's be on the safe side.
compat_ossaudio: Zero-initialize idat before copyout. Unclear if there are any paths to the copyout without initialization, but let's play it safe to keep the auditing effort low.
linux32_rt_sendsig: Memset zero before copyout. Not sure if there's any padding here, but it's a pretty big structure, fairly likely, so let's be rather safe than sorry.

1.45.2.1 | 03-Aug-2022 | martin | Pull up following revision(s), all via patch (requested by riastradh in ticket #1487):
sys/compat/linux/arch/i386/linux_machdep.c: revision 1.168 sys/compat/sunos/sunos_misc.c: revision 1.177 sys/compat/netbsd32/netbsd32_compat_50.c: revision 1.52 sys/compat/common/kern_resource_43.c: revision 1.23 sys/compat/netbsd32/netbsd32_conv.h: revision 1.46 sys/compat/linux/arch/i386/linux_ptrace.c: revision 1.35 sys/compat/common/vfs_syscalls_12.c: revision 1.38 sys/compat/ultrix/ultrix_misc.c: revision 1.126 sys/compat/common/kern_sig_43.c: revision 1.37 sys/compat/linux/common/linux_mtio.c: revision 1.8 sys/compat/freebsd/freebsd_misc.c: revision 1.34 sys/compat/freebsd/freebsd_machdep.c: revision 1.5 sys/compat/linux/common/linux_olduname.c: revision 1.67 sys/compat/linux/arch/mips/linux_machdep.c: revision 1.44 sys/compat/freebsd/freebsd_sched.c: revision 1.23 sys/compat/ossaudio/ossaudio.c: revision 1.84 sys/compat/sys/time_types.h: revision 1.6 sys/compat/linux/arch/powerpc/linux_machdep.c: revision 1.51 sys/compat/common/ieee80211_20.c: revision 1.7 sys/compat/linux/common/linux_file.c: revision 1.119 sys/compat/linux/arch/arm/linux_machdep.c: revision 1.34 sys/compat/netbsd32/netbsd32_wait.c: revision 1.25 sys/compat/linux32/common/linux32_time.c: revision 1.38 sys/compat/linux/arch/powerpc/linux_ptrace.c: revision 1.33 sys/compat/linux/arch/alpha/linux_machdep.c: revision 1.52 sys/compat/linux32/arch/amd64/linux32_machdep.c: revision 1.46 sys/compat/netbsd32/netbsd32_compat_12.c: revision 1.36 sys/compat/ultrix/ultrix_ioctl.c: revision 1.39 sys/compat/linux/common/linux_misc.c: revision 1.252 sys/compat/linux/common/linux_hdio.c: revision 1.19 sys/compat/sunos/sunos_ioctl.c: revision 1.71 sys/compat/linux/common/linux_sched.c: revision 1.79 sys/compat/common/kern_info_43.c: revision 1.40 sys/compat/linux32/common/linux32_exec_elf32.c: revision 1.20 sys/compat/linux/common/linux_socket.c: revision 1.153 sys/compat/linux/arch/amd64/linux_machdep.c: revision 1.60 sys/compat/common/vfs_syscalls_43.c: revision 1.68
sys/compat/linux/arch/powerpc/linux_exec_powerpc.c: revision 1.25 sys/compat/netbsd32/netbsd32_ptrace.c: revision 1.9 sys/compat/common/kern_time_50.c: revision 1.37 sys/compat/netbsd32/netbsd32_compat_20.c: revision 1.42 sys/compat/linux/common/linux_cdrom.c: revision 1.28 sys/compat/linux/arch/m68k/linux_machdep.c: revision 1.43 sys/compat/common/kern_info_09.c: revision 1.22 sys/compat/linux32/common/linux32_resource.c: revision 1.12 sys/compat/linux/common/linux_oldolduname.c: revision 1.67 sys/compat/common/if_media_80.c: revision 1.4 sys/compat/linux/arch/alpha/linux_osf1.c: revision 1.5 sys/compat/netbsd32/netbsd32_nfssvc.c: revision 1.8 sys/compat/linux32/common/linux32_signal.c: revision 1.21 sys/compat/common/kern_sig_13.c: revision 1.22 sys/compat/sunos32/sunos32_ioctl.c: revision 1.36 sys/compat/netbsd32/netbsd32_compat_43.c: revision 1.62 sys/compat/linux/arch/arm/linux_ptrace.c: revision 1.23 sys/compat/netbsd32/netbsd32_time.c: revision 1.56 sys/compat/linux/common/linux_signal.c: revision 1.84 sys/compat/netbsd32/netbsd32_signal.c: revision 1.52 sys/compat/sunos32/sunos32_misc.c: revision 1.85 sys/compat/linux/common/linux_time.c: revision 1.40 sys/compat/linux/common/linux_fdio.c: revision 1.14 sys/compat/common/vfs_syscalls_30.c: revision 1.43
sys/compat: Memset zero before copyout.
Just in case of uninitialized padding which would lead to kernel stack disclosure. If the compiler can prove the memset redundant then it can optimize it away; otherwise better safe than sorry.

1.47.4.1 | 21-Jun-2023 | martin | Pull up following revision(s) (requested by riastradh in ticket #204):
sys/compat/sunos32/sunos32_misc.c: revision 1.86
sys/compat/ossaudio/ossaudio.c: revision 1.85
sys/compat/linux32/arch/amd64/linux32_machdep.c: revision 1.48
compat_sunos32: Memset zero before copyout.
Unclear if this can leak anything but let's be on the safe side.
compat_ossaudio: Zero-initialize idat before copyout. Unclear if there are any paths to the copyout without initialization, but let's play it safe to keep the auditing effort low.
linux32_rt_sendsig: Memset zero before copyout. Not sure if there's any padding here, but it's a pretty big structure, fairly likely, so let's be rather safe than sorry.