git: kernel - Fix CVE-2018-8897, debug register issue

Matthew Dillon dillon at crater.dragonflybsd.org
Tue May 8 10:01:42 PDT 2018


commit 85b330488d50cf339de9949ba74ca1faed71d996
Author: Matthew Dillon <dillon at apollo.backplane.com>
Date:   Mon Apr 30 20:47:20 2018 -0700

    kernel - Fix CVE-2018-8897, debug register issue
    
    * #DB can be delayed in a way that causes it to occur on the first
      instruction of the int $3 or syscall handlers.  These handlers must
      be able to detect and handle the condition.  This is a historical
      artifact of cpu operation that has existed for a very long time on
      both AMD and Intel CPUs.
    
    * Fix by giving #DB its own trampoline stack and a way to load a
      deterministic %gs and %cr3 independent of the normal CS check.
      This is CVE-2018-8897.
    
    * Also fix the NMI trampoline while I'm here.
    
    * Also fix an old issue with debug register trace traps which can
      occur when the kernel is accessing the user's address space.
      This fix was lost years ago, now recovered.
    
    Credits: Nick Peterson of Everdox Tech, LLC (original reporter)
    Credits: Thanks to Microsoft for coordinating the OS vendor response

Summary of changes:
 sys/cpu/x86_64/include/asmacros.h      |  12 +-
 sys/cpu/x86_64/include/frame.h         |   6 +-
 sys/platform/pc64/include/globaldata.h |  16 +-
 sys/platform/pc64/x86_64/exception.S   | 261 +++++++++++++++++++++++++++++++--
 sys/platform/pc64/x86_64/genassym.c    |   3 +
 sys/platform/pc64/x86_64/machdep.c     |  18 ++-
 sys/platform/pc64/x86_64/mp_machdep.c  |  10 +-
 sys/platform/pc64/x86_64/pmap.c        |   4 +
 sys/platform/pc64/x86_64/trap.c        |  47 +++---
 9 files changed, 327 insertions(+), 50 deletions(-)

http://gitweb.dragonflybsd.org/dragonfly.git/commitdiff/85b330488d50cf339de9949ba74ca1faed71d996


-- 
DragonFly BSD source repository



More information about the Commits mailing list