Module Name:	src
Committed By:	maxv
Date:		Thu Feb 9 08:23:46 UTC 2017

Modified Files:
	src/sys/arch/amd64/amd64: locore.S

Log Message:
Restore %ds before swapgs. Movs to segment registers are allowed to fault in
kernel mode but simply cause a signal to be sent to userland. The thing is,
in this case %gs is not restored when entering the trap routine, which means
the kernel uses userland's TLS instead of using its own, which in short makes
it easy to escalate privileges.

Currently, this bug is triggered only in one place, which I am about to fix
too.


To generate a diff of this commit:
cvs rdiff -u -r1.119 -r1.120 src/sys/arch/amd64/amd64/locore.S

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.
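The ordering problem the log message describes, as an added illustration that is not the commit's diff and not NetBSD's actual locore.S code. The labels (bad_order, good_order) and the trapframe offset names (TF_DS, TF_ES) are assumptions made for this sketch; only the order of the two operations, segment-register restore versus swapgs, is what the commit states.

```asm
/* Hypothetical sketch of the amd64 return-to-userland tail (AT&T syntax).
 * Not NetBSD's code; TF_DS/TF_ES are assumed trapframe offset names. */

/* Wrong ordering: swapgs runs first, so the user GS base is already active
 * when the segment registers are reloaded from the trapframe.  A mov to
 * %ds with an invalid selector raises #GP while CPL is still 0.  The trap
 * entry path decides whether to swapgs by looking at the saved CS; it sees
 * a kernel CS, does not swap, and the handler therefore runs with
 * userland's GS base, i.e. the kernel reads per-CPU data from user TLS. */
bad_order:
        swapgs                          /* user GS base now active */
        movw    TF_DS(%rsp),%ds         /* may #GP in ring 0 */
        movw    TF_ES(%rsp),%es
        iretq

/* Fixed ordering (what "restore %ds before swapgs" means): reload the
 * segment registers while the kernel GS base is still installed.  A
 * faulting mov is then handled with the kernel's own per-CPU data, and
 * the fault is turned into a signal for the process as intended.
 * swapgs is the last instruction before iretq, so no kernel-mode fault
 * can occur with the user GS base in place. */
good_order:
        movw    TF_DS(%rsp),%ds         /* may #GP, kernel GS still intact */
        movw    TF_ES(%rsp),%es
        swapgs                          /* last thing before iretq */
        iretq
```

The defensive invariant to check in any exit path of this kind is that nothing between swapgs and iretq can fault: once the user GS base is installed, any trap taken with a kernel CS will be misattributed by the entry code's CS-based swapgs decision.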