#
7b47706c |
| 20-Jun-2023 |
riastradh <riastradh@NetBSD.org> |
linux32_rt_sendsig: Memset zero before copyout.
Not sure if there's any padding here, but it's a pretty big structure, fairly likely, so let's be rather safe than sorry.
XXX pullup-8 XXX pullup-9 XXX pullup-10
|
#
eb96f2eb |
| 01-Nov-2021 |
thorpej <thorpej@NetBSD.org> |
Use "stack_t" instead of "struct sigaltstack", as the former is the newer standardized name. NFC.
|
#
d50c96bb |
| 07-Sep-2021 |
riastradh <riastradh@NetBSD.org> |
sys/compat: Memset zero before copyout.
Just in case of uninitialized padding which would lead to kernel stack disclosure. If the compiler can prove the memset redundant then it can optimize it away; otherwise better safe than sorry.
|
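The two "Memset zero before copyout" entries above describe one defensive pattern: a structure assembled field by field in stack storage keeps whatever old bytes sat in its padding, and a copyout of that structure hands those bytes to userland. The example below is added here and is not NetBSD code; the `demo_frame` layout, the `slot` union and the 0xAA marker are constructed for the demo. It counts the padding bytes that survive with and without the zeroing.

```c
/* Added example (not NetBSD code): a frame built field by field in storage
 * that still holds old bytes keeps them in its padding; zeroing the whole
 * object first, as the memset-before-copyout commits do, removes the leak. */
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Hypothetical layout (not a real NetBSD struct); common ABIs pad after
 * 'flag' and after 'sel'. */
struct demo_frame {
    uint8_t  flag;
    uint64_t val;
    uint16_t sel;
};
#define STALE_BYTE 0xAA  /* constructed marker standing in for old stack data */

/* Reusable storage standing in for a kernel stack slot. */
union slot { struct demo_frame f; unsigned char raw[sizeof(struct demo_frame)]; };

/* Bytes of the struct that belong to no field, i.e. padding. */
size_t padding_bytes(void)
{
    return sizeof(struct demo_frame) - sizeof(uint8_t) - sizeof(uint64_t) - sizeof(uint16_t);
}

/* True if byte offset 'off' lies inside a declared field (unsigned wrap
 * makes offsets before a field compare as large, so they fail the test). */
static int in_field(size_t off)
{
    return (off - offsetof(struct demo_frame, flag) < sizeof(uint8_t))
        || (off - offsetof(struct demo_frame, val) < sizeof(uint64_t))
        || (off - offsetof(struct demo_frame, sel) < sizeof(uint16_t));
}

/* Build the frame in a slot full of stale bytes and count padding bytes that
 * still hold the marker; with_memset selects the zero-first variant. */
size_t stale_padding_bytes(int with_memset)
{
    union slot s;
    memset(s.raw, STALE_BYTE, sizeof s.raw);
    if (with_memset)
        memset(&s.f, 0, sizeof s.f);   /* the fix: clear everything first */
    s.f.flag = 1;                      /* then fill the fields as before */
    s.f.val = 0x1122334455667788ULL;
    s.f.sel = 0x23;
    size_t n = 0;
    for (size_t i = 0; i < sizeof s.raw; i++)
        if (!in_field(i) && s.raw[i] == STALE_BYTE) n++;
    return n;
}
```

Without the memset every padding byte still carries the marker; with it none does, which is what makes the later copyout safe regardless of what the stack held before.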
#
48f82a0f |
| 19-May-2019 |
maxv <maxv@NetBSD.org> |
Rename
fpu_save_area_clear -> fpu_clear
fpu_save_area_reset -> fpu_sigreset
Clearer, and reduces a future diff. No real functional change.
|
#
4db6bed4 |
| 24-Mar-2019 |
maxv <maxv@NetBSD.org> |
Disable preemption when setting PCB_COMPAT32, to prevent a context switch before cpu_fsgs_reload() finishes, otherwise we write garbage in the GDT. On NetBSD-current it is harmless, however in NetBSD-8 it might cause panics, because NetBSD-8 uses the old SegRegs model and under this model we reload %fs and %gs during switches.
|
#
719f9711 |
| 21-Oct-2017 |
maxv <maxv@NetBSD.org> |
Include opt_user_ldt.h when needed.
|
#
961a3f96 |
| 19-Oct-2017 |
maxv <maxv@NetBSD.org> |
Always mask the 16 bits of the segregs in the trapframe. We don't zero-extend the uint64_t's when building it, so we're leaking 48 bits of kernel stack to userland.
Having said that, it appears that I unintentionally fixed most of this issue in locore.S::rev1.127 - by building the frame with interrupts disabled, we are implicitly guaranteeing that the structure doesn't get overwritten by the kernel. Which means, we are leaking to userland data that comes from userland anyway.
(still other places with this issue, but I'll fix them differently)
|
#
54316c62 |
| 15-Oct-2017 |
maxv <maxv@NetBSD.org> |
Use two separate functions: cpu_segregs32_zero and cpu_segregs64_zero. The way segment registers work on amd64 will diverge between 32bit and 64bit LWPs.
|
#
c4ae9ce9 |
| 15-Oct-2017 |
maxv <maxv@NetBSD.org> |
Make sure the 32bit LWPs don't have MDL_IRET set. That's not a problem right now, but will be in the future.
|
#
e3054dda |
| 02-Sep-2017 |
maxv <maxv@NetBSD.org> |
Fix a subtle ring0 escalation vulnerability in amd64, and implement a mitigation against similar bugs.
The operations on segment registers can generate a page fault if there is an issue when touching the in-memory gdt. Theoretically, it is never supposed to happen, since the gdt is mapped correctly. However, in the kernel we allow the gdt to be resized, and to do that, we allocate the maximum amount of va needed by it, but only kenter a few pages until we need more. Moreover, to avoid reloading the gdt each time we grow it, the 'size' field of gdtr is set to the maximum value. All of this means that if a mov or iretq is done with a segment register whose index hits a page that has not been kentered, a page fault is sent.
Such a page fault, if received in kernel mode, does not trigger a swapgs on amd64; in other words, the kernel would be re-entered with the userland tls.
And there just happens to be a place in compat_linux32 where the index of %cs is controlled by userland, making it easy to trigger the page fault and get kernel privileges.
The mitigation simply consists in abandoning the gdt_grow mechanism and allocating/kentering the maximum size right away, in such a way that no page fault can be triggered because of segment registers.
|
#
461bd691 |
| 05-Feb-2017 |
maxv <maxv@NetBSD.org> |
Remove #if 0 on USER_LDT.
|
#
68b5f6e4 |
| 02-Sep-2016 |
maxv <maxv@NetBSD.org> |
Fix argument (does not compile anyway).
|
#
88dda990 |
| 19-Feb-2014 |
dsl <dsl@NetBSD.org> |
Explicitly include x86/fpu.h instead of relying in x86/frame.h including it.
|
#
663a6b84 |
| 15-Feb-2014 |
dsl <dsl@NetBSD.org> |
Remove all references to MDL_USEDFPU and deferred fpu initialisation. The cost of zeroing the save area on exec is minimal. This stops the FP registers of a random process being used the first time an lwp uses the fpu. sendsig_siginfo() and get_mcontext() now unconditionally copy the FP registers. I'll remove the double-copy for signal handlers soon. get_mcontext() might have been leaking kernel memory to userspace - and may still do so if i386_use_fxsave is false (short copies).
|
#
d41378b3 |
| 07-Feb-2014 |
dsl <dsl@NetBSD.org> |
Convert the amd64 build to use x86/cpu_extended_state.h so that the fpu definitions match those of i386. Mostly just structure and field renames, in addition:
1) process_xmm_to_s87() and process_s87_to_xmm() moved into x86/convert_xmm_s87.c so they can be used by amd64's netbsd32 code.
2) The linux signal code simplified to use a structure copy for the fxsave data - it matches the hardware definition and won't change.
|
#
c959d6a1 |
| 01-Dec-2013 |
christos <christos@NetBSD.org> |
revert fpu/pcu changes until we figure out what's wrong; they cause random freezes
|
#
0f75fe56 |
| 23-Oct-2013 |
drochner <drochner@NetBSD.org> |
Use the MI "pcu" framework for bookkeeping of npx/fpu states on x86. This reduces the amount of MD code enormously, and makes it easier to implement support for newer CPU features which require more fpu state, or for fpu usage by the kernel. For access to FPU state across CPUs, an xcall kthread is used now rather than a dedicated IPI. No user visible changes intended.
|
#
63092990 |
| 15-Jul-2012 |
dsl <dsl@NetBSD.org> |
Rename MDP_IRET to MDL_IRET since it is an lwp flag, not a proc one.
Add an MDL_COMPAT32 flag to the lwp's md_flags, set it for 32bit lwps and use it to force 'return to user' with iret (as is done when MDL_IRET is set).
Split the iret/sysret code paths much later.
Remove all the replicated code for 32bit system calls - which was only needed so that iret was always used.
frameasm.h for XEN contains '#define swapgs', while XEN probably never needs swapgs, this is likely to be confusing. Add a SWAPGS which is a nop on XEN and swapgs otherwise. (I've not yet checked all the swapgs in files that include frameasm.h)
Simple x86 programs still work.
Hijack 6.99.9 kernel bump (needed for compat32 modules)
|
#
9b60e463 |
| 08-Jul-2012 |
dsl <dsl@NetBSD.org> |
The MDP_USEDFPU (amd64 and sh3) and MDP_SSTEP (sh3) are lwp flags not process ones, rename to MDL_xxx.
|
#
c3454f5a |
| 04-Mar-2011 |
joerg <joerg@NetBSD.org> |
Refactor ps_strings access. Based on PK_32, write either the normal version or the 32bit compat layout in execve1. Introduce a new function copyin_psstrings for reading it back from userland and converting it to the native layout. Refactor procfs to share most of the code with the kern.proc_args sysctl handler.
This material is based upon work partially supported by The NetBSD Foundation under a contract with Joerg Sonnenberger.
|
#
efa7b2c5 |
| 07-Feb-2011 |
chs <chs@NetBSD.org> |
move macros for validating fs/gs to segments.h and use them in the linux32 code as well.
|
#
fc7a1961 |
| 02-Nov-2010 |
chs <chs@NetBSD.org> |
implement the following syscalls for linux32: truncate64 ftruncate64 profil ioperm iopl setdomainname modify_ldt statfs64 fstatfs64
note that iopl(), ioperm() and modify_ldt() just call the respective 64-bit handlers, which don't do anything yet.
|
#
e86c1254 |
| 12-Jul-2010 |
christos <christos@NetBSD.org> |
fix debugging build.
|
#
6f196907 |
| 07-Jul-2010 |
jmmv <jmmv@NetBSD.org> |
Add missing includes to bring the linux_semun type needed by linux_syscallargs.h.
|
#
33fa5ccb |
| 07-Jul-2010 |
chs <chs@NetBSD.org> |
many changes for COMPAT_LINUX:
- update the linux syscall table for each platform.
- support new-style (NPTL) linux pthreads on all platforms. clone() with CLONE_THREAD uses 1 process with many LWPs instead of separate processes.
- move the contents of sys__lwp_setprivate() into a new lwp_setprivate() and use that everywhere.
- update linux_release[] and linux32_release[] to "2.6.18".
- adjust placement of emul fork/exec/exit hooks as needed and adjust other emul code to match.
- convert all struct emul definitions to use named initializers.
- change the pid allocator to allow multiple pids to refer to the same proc.
- remove a few fields from struct proc that are no longer needed.
- disable the non-functional "vdso" code in linux32/amd64, glibc works fine without it.
- fix a race in the futex code where we could miss a wakeup after a requeue operation.
- redo futex locking to be a little more efficient.
|