git: kernel - Fix CVE-2018-8897, debug register issue
dillon at crater.dragonflybsd.org
Tue May 8 10:01:42 PDT 2018
Author: Matthew Dillon <dillon at apollo.backplane.com>
Date: Mon Apr 30 20:47:20 2018 -0700
kernel - Fix CVE-2018-8897, debug register issue
* #DB can be delayed in a way that causes it to occur on the first instruction of the int $3 or syscall handlers. These handlers must be able to detect and handle the condition. This is a historical artifact of cpu operation that has existed for a very long time on both AMD and Intel CPUs.
* Fix by giving #DB its own trampoline stack and a way to load a deterministic %gs and %cr3 independent of the normal CS check. This is CVE-2018-8897.
* Also fix the NMI trampoline while I'm here.
* Also fix an old issue with debug register trace traps which can occur when the kernel is accessing the user's address space. This fix was lost years ago, now recovered.
Credits: Nick Peterson of Everdox Tech, LLC (original reporter)
Credits: Thanks to Microsoft for coordinating the OS vendor response
Summary of changes:
sys/cpu/x86_64/include/asmacros.h | 12 +-
sys/cpu/x86_64/include/frame.h | 6 +-
sys/platform/pc64/include/globaldata.h | 16 +-
sys/platform/pc64/x86_64/exception.S | 261 +++++++++++++++++++++++++++++++--
sys/platform/pc64/x86_64/genassym.c | 3 +
sys/platform/pc64/x86_64/machdep.c | 18 ++-
sys/platform/pc64/x86_64/mp_machdep.c | 10 +-
sys/platform/pc64/x86_64/pmap.c | 4 +
sys/platform/pc64/x86_64/trap.c | 47 +++---
9 files changed, 327 insertions(+), 50 deletions(-)
DragonFly BSD source repository