On 07/12/12 09:36, Bill Crisp wrote:
Good Morning!
This was also posted to the FreeBSD forums:
I have been researching CVE-2012-0217 and while I have patched the kernels
on servers with 7.3/8.2 that I have, I would like to see if anyone knows
for sure if 6.2/6.3 are also vulnerable? I am aware that those kernels are
out of support from looking at the documentation. I have looked at the code
in trap.c to see if the current patch would work with 6.3 source but it
won't based on what I saw. I am also aware of upgrading as an option to
resolve this; unfortunately, in some cases I have, this is not possible right
now.
I believe that 6.x are vulnerable. You will have to backport the change
(something like this against sys/amd64/amd64/trap.c, in syscall() right after
PTRACESTOP_SC(p, td, S_PT_SCX);
Add:
+ /*
+ * If the user-supplied value of %rip is not a canonical
+ * address, then some CPUs will trigger a ring 0 #GP during
+ * the sysret instruction. However, the fault handler would
+ * execute with the user's %gs and %rsp in ring 0 which would
+ * not be safe. Instead, preemptively kill the thread with a
+ * SIGBUS.
+ */
+ if (td->td_frame->tf_rip>= VM_MAXUSER_ADDRESS) {
+ ksiginfo_init_trap(&ksi);
+ ksi.ksi_signo = SIGBUS;
+ ksi.ksi_code = BUS_OBJERR;
+ ksi.ksi_trapno = T_PROTFLT;
+ ksi.ksi_addr = (void *)td->td_frame->tf_rip;
+ trapsignal(td,&ksi);
+ }
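Review bot: the hunk uses a local `ksi` (`ksiginfo_init_trap(&ksi);`, `trapsignal(td,&ksi);`) but adds no declaration for it, so before applying this against a 6.x tree confirm that syscall() there already declares `ksiginfo_t ksi` and that `ksiginfo_init_trap()` and the `trapsignal(td, &ksi)` form exist in that release; if the 6.x signal code predates the ksiginfo interface, the signal delivery at the end of the block has to be adapted rather than pasted. Two style(9) nits on the same lines: `td->td_frame->tf_rip>= VM_MAXUSER_ADDRESS` and `trapsignal(td,&ksi)` are each missing a space. Also note that the condition refuses every %rip at or above VM_MAXUSER_ADDRESS, which is stricter than the comment's "not a canonical address"; that is the safe direction, since it covers the whole non-canonical range and the kernel half alike, but the comment could say so.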
Right before:
WITNESS_WARN(...)
Cheers,
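The check in the backport above compares the user-supplied %rip against VM_MAXUSER_ADDRESS rather than testing canonical form directly. The following is an added userland model of that decision, not code from the thread or from the FreeBSD source; it assumes the amd64 value VM_MAXUSER_ADDRESS = 0x0000800000000000 and 48-bit virtual addresses, and walks a few constructed %rip values to show that every non-canonical address (the ones that would make sysret fault in ring 0) falls on the refused side of that single comparison, along with kernel-half addresses.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Assumed constants (not taken from the thread): FreeBSD amd64 user space
 * ends at 0x0000800000000000, and the CPU implements 48-bit virtual
 * addresses, so bits 63..47 of a canonical address must all be equal. */
#define VM_MAXUSER_ADDRESS 0x0000800000000000ULL
#define VA_BITS            48

/* Canonical form: the top (64 - VA_BITS + 1) bits are all zero or all one. */
bool is_canonical(uint64_t va)
{
    uint64_t hi = va >> (VA_BITS - 1);                 /* bits 63..47 */
    uint64_t all_ones = (1ULL << (64 - VA_BITS + 1)) - 1; /* 0x1ffff */
    return hi == 0 || hi == all_ones;
}

/* Mirrors the condition in the backport: anything at or above
 * VM_MAXUSER_ADDRESS is killed with SIGBUS before sysret can run. */
bool backport_refuses_rip(uint64_t rip)
{
    return rip >= VM_MAXUSER_ADDRESS;
}

/* Classify a candidate return %rip the way the patched syscall() would. */
const char *describe_rip(uint64_t rip)
{
    if (!backport_refuses_rip(rip))
        return "user canonical, returned to";
    if (!is_canonical(rip))
        return "non-canonical, refused (sysret would #GP in ring 0)";
    return "kernel half, refused";
}

/* Soundness property of the check: no non-canonical %rip slips through. */
bool check_covers_noncanonical(uint64_t rip)
{
    return is_canonical(rip) || backport_refuses_rip(rip);
}

/* Constructed sample values spanning the interesting regions. */
static const uint64_t samples[] = {
    0x0000000000400000ULL, /* typical user text */
    0x00007fffffffffffULL, /* last user address */
    0x0000800000000000ULL, /* first non-canonical address */
    0x0000800000000001ULL,
    0xffff7fffffffffffULL, /* last non-canonical address */
    0xffff800000000000ULL, /* first kernel-half canonical address */
};

/* Returns true if every sample satisfies the soundness property. */
bool all_samples_sound(void)
{
    size_t i;
    for (i = 0; i < sizeof(samples) / sizeof(samples[0]); i++)
        if (!check_covers_noncanonical(samples[i]))
            return false;
    return true;
}

int main(void)
{
    size_t i;
    for (i = 0; i < sizeof(samples) / sizeof(samples[0]); i++)
        printf("%#018llx: %s\n", (unsigned long long)samples[i],
               describe_rip(samples[i]));
    return all_samples_sound() ? 0 : 1;
}
```

The point of the model is the ordering of the two tests in describe_rip(): because the user half ends exactly where the non-canonical hole begins on a 48-bit machine, a single unsigned comparison against VM_MAXUSER_ADDRESS is enough to keep the sysret path away from every address the CPU would fault on, which is why the backport does not need a separate canonical-form test.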
_______________________________________________
freebsd-hackers@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-hackers
To unsubscribe, send any mail to "freebsd-hackers-unsubscr...@freebsd.org"