History log of /netbsd/sys/compat/linux32/arch/amd64/linux32_machdep.c (Results 1 – 25 of 48)
Revision Date Author Comments
# 7b47706c 20-Jun-2023 riastradh <riastradh@NetBSD.org>

linux32_rt_sendsig: Memset zero before copyout.

Not sure if there's any padding here, but it's a pretty big
structure, fairly likely, so let's be rather safe than sorry.

XXX pullup-8
XXX pullup-9
XXX pullup-10


# eb96f2eb 01-Nov-2021 thorpej <thorpej@NetBSD.org>

Use "stack_t" instead of "struct sigaltstack", as the former is the
newer standardized name. NFC.


# d50c96bb 07-Sep-2021 riastradh <riastradh@NetBSD.org>

sys/compat: Memset zero before copyout.

Just in case of uninitialized padding which would lead to kernel
stack disclosure. If the compiler can prove the memset redundant
then it can optimize it away; otherwise better safe than sorry.
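Added example (not NetBSD code, and not part of either commit): the two "memset zero before copyout" commits above both guard against the same thing, padding bytes that field-by-field initialization never writes. The struct and function names below are hypothetical; the frame layout is chosen so the ABI has to insert padding, and the 0xAA fill stands in for stale kernel stack contents.

```c
/*
 * Added example, not NetBSD code: why "memset zero before copyout" matters.
 * struct fake_sigframe is a hypothetical stand-in for a signal frame, chosen
 * so the compiler must insert padding; the 0xAA fill simulates stale kernel
 * stack contents underneath the frame.
 */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

struct fake_sigframe {
    uint16_t sf_signum;     /* 2 bytes, then padding before the uint64_t */
    uint64_t sf_handler;
    uint8_t  sf_flags;      /* 1 byte, then tail padding */
};

#define STALE_BYTE    0xAA
#define PAYLOAD_BYTES (sizeof(uint16_t) + sizeof(uint64_t) + sizeof(uint8_t))

/* Stand-in for copyout(9): the frame lands in userland byte for byte. */
static void fake_copyout(const void *kaddr, void *uaddr, size_t len)
{
    memcpy(uaddr, kaddr, len);
}

/* Bytes of padding the ABI inserted into the struct. */
static size_t padding_bytes(void)
{
    return sizeof(struct fake_sigframe) - PAYLOAD_BYTES;
}

/*
 * Build the frame the way a sendsig routine does (assign each field) and
 * copy it out. Returns how many bytes of the userland copy still carry the
 * stale 0xAA pattern, i.e. how much kernel stack leaked.
 */
static size_t build_frame_and_count_leak(int zero_first)
{
    union {
        struct fake_sigframe sf;
        unsigned char raw[sizeof(struct fake_sigframe)];
    } frame;
    unsigned char user_copy[sizeof(frame.raw)];
    size_t i, leaked = 0;

    memset(frame.raw, STALE_BYTE, sizeof(frame.raw));   /* dirty stack */

    if (zero_first)
        memset(&frame.sf, 0, sizeof(frame.sf));          /* the fix */

    /* Field assignments never touch the padding bytes. */
    frame.sf.sf_signum  = 0x0b0b;                        /* no 0xAA bytes */
    frame.sf.sf_handler = 0x1122334455667788ULL;
    frame.sf.sf_flags   = 0x01;

    fake_copyout(&frame.sf, user_copy, sizeof(user_copy));

    for (i = 0; i < sizeof(user_copy); i++)
        if (user_copy[i] == STALE_BYTE)
            leaked++;
    return leaked;
}

int main(void)
{
    printf("struct size %zu, payload %zu, padding %zu\n",
        sizeof(struct fake_sigframe), PAYLOAD_BYTES, padding_bytes());
    printf("leaked without memset: %zu bytes\n", build_frame_and_count_leak(0));
    printf("leaked with memset:    %zu bytes\n", build_frame_and_count_leak(1));
    return 0;
}
```

The memset is not dead code even when every field is assigned afterwards: the subsequent copyout reads the whole object, so the compiler must keep the zeroing unless it can prove the struct has no padding, which is exactly the case the commit message describes as "optimize it away".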


# 48f82a0f 19-May-2019 maxv <maxv@NetBSD.org>

Rename

fpu_save_area_clear -> fpu_clear
fpu_save_area_reset -> fpu_sigreset

Clearer, and reduces a future diff. No real functional change.


# 4db6bed4 24-Mar-2019 maxv <maxv@NetBSD.org>

Disable preemption when setting PCB_COMPAT32, to prevent a context switch
before cpu_fsgs_reload() finishes, otherwise we write garbage in the GDT.
On NetBSD-current it is harmless, however in NetBSD-8 it might cause
panics, because NetBSD-8 uses the old SegRegs model and under this model
we reload %fs and %gs during switches.


# 719f9711 21-Oct-2017 maxv <maxv@NetBSD.org>

Include opt_user_ldt.h when needed.


# 961a3f96 19-Oct-2017 maxv <maxv@NetBSD.org>

Always mask the 16 bits of the segregs in the trapframe. We don't zero-
extend the uint64_t's when building it, so we're leaking 48 bits of kernel
stack to userland.

Having said that, it appears that I unintentionally fixed most of this
issue in locore.S::rev1.127 - by building the frame with interrupts
disabled, we are implicitly guaranteeing that the structure doesn't get
overwritten by the kernel. Which means, we are leaking to userland data
that comes from userland anyway.

(still other places with this issue, but I'll fix them differently)
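Added example (not NetBSD code, and not from the commit): a C model of the 48-bit leak the commit above describes. In the real kernel the trapframe is built in assembly and a 16-bit segment register move writes only the low word of a 64-bit slot; store_selector_16() below models that with a read-modify-write so the upper bits keep whatever the stack held. struct fake_trapframe and the function names are hypothetical.

```c
/*
 * Added example, not NetBSD code: the 48-bit segreg leak. A 16-bit store
 * into a uint64_t trapframe slot leaves the upper 48 bits as they were on
 * the kernel stack; masking to 16 bits before the value reaches userland
 * removes them. struct fake_trapframe is hypothetical.
 */
#include <stdint.h>
#include <stdio.h>

#define SEGREG_MASK 0xffffULL

struct fake_trapframe {
    uint64_t tf_cs;
    uint64_t tf_ss;
};

/* Models `movw sel, slot`: low 16 bits written, upper 48 untouched. */
static void store_selector_16(uint64_t *slot, uint16_t sel)
{
    *slot = (*slot & ~SEGREG_MASK) | sel;
}

/* Buggy path: frame built on a dirty stack, value handed to userland as-is. */
static uint64_t user_visible_cs_unmasked(uint64_t stale, uint16_t cs)
{
    struct fake_trapframe tf = { .tf_cs = stale, .tf_ss = stale };
    store_selector_16(&tf.tf_cs, cs);
    return tf.tf_cs;
}

/* Fixed path: mask every segreg slot before it is copied to userland. */
static uint64_t user_visible_cs_masked(uint64_t stale, uint16_t cs)
{
    return user_visible_cs_unmasked(stale, cs) & SEGREG_MASK;
}

/* How many bits above bit 15 the unmasked value exposes (at most 48). */
static int leaked_bits(uint64_t stale, uint16_t cs)
{
    uint64_t v = user_visible_cs_unmasked(stale, cs) >> 16;
    int n = 0;
    for (; v != 0; v >>= 1)
        n += (int)(v & 1);
    return n;
}

int main(void)
{
    uint64_t stale = 0xdeadbeefcafe0000ULL;   /* constructed stack garbage */
    printf("unmasked cs: 0x%016llx\n",
        (unsigned long long)user_visible_cs_unmasked(stale, 0x23));
    printf("masked cs:   0x%016llx\n",
        (unsigned long long)user_visible_cs_masked(stale, 0x23));
    printf("stale bits exposed: %d\n", leaked_bits(~0ULL, 0x23));
    return 0;
}
```

The masking belongs wherever the slot is read back for userland (sigcontext, ptrace register dumps, mcontext), not only at frame construction; the commit notes that building the frame with interrupts disabled only limits what the stale bits can contain, it does not stop them from being copied out.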


# 54316c62 15-Oct-2017 maxv <maxv@NetBSD.org>

Use two separate functions: cpu_segregs32_zero and cpu_segregs64_zero. The
way segment registers work on amd64 will diverge between 32bit and 64bit
LWPs.


# c4ae9ce9 15-Oct-2017 maxv <maxv@NetBSD.org>

Make sure the 32bit LWPs don't have MDL_IRET set. That's not a problem
right now, but will be in the future.


# e3054dda 02-Sep-2017 maxv <maxv@NetBSD.org>

Fix a subtle ring0 escalation vulnerability in amd64, and implement a
mitigation against similar bugs.

The operations on segment registers can generate a page fault if there is
an issue when touching the in-memory gdt. Theoretically, it is never
supposed to happen, since the gdt is mapped correctly. However, in the
kernel we allow the gdt to be resized, and to do that, we allocate the
maximum amount of va needed by it, but only kenter a few pages until we
need more. Moreover, to avoid reloading the gdt each time we grow it, the
'size' field of gdtr is set to the maximum value. All of this means that
if a mov or iretq is done with a segment register whose index hits a page
that has not been kentered, a page fault is sent.

Such a page fault, if received in kernel mode, does not trigger a swapgs
on amd64; in other words, the kernel would be re-entered with the userland
tls.

And there just happens to be a place in compat_linux32 where the index of
%cs is controlled by userland, making it easy to trigger the page fault
and get kernel privileges.

The mitigation simply consists in abandoning the gdt_grow mechanism and
allocating/kentering the maximum size right away, in such a way that no
page fault can be triggered because of segment registers.
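Added example (not NetBSD code, and not from the commit): a model of the GDT condition the commit above describes. The table is reserved at its maximum size and the GDTR limit covers all of it, but before the fix only part of that range was backed by pages, so a selector whose descriptor sits in the unmapped tail passes the ordinary "is this a user selector" checks and still faults inside the kernel when loaded. The sizes, `check_user_cs` and the other names are hypothetical; the selector bit layout (index, TI, RPL) is architectural.

```c
/*
 * Added example, not NetBSD code: which user-supplied %cs selectors would
 * fault against a partially kentered GDT versus a fully mapped one. Names
 * and sizes are hypothetical; the selector layout is architectural.
 */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define PAGE_SIZE       4096u
#define DESC_SIZE       8u                  /* one segment descriptor */
#define GDT_MAX_BYTES   (16u * PAGE_SIZE)   /* 64 KiB, the 16-bit GDTR limit */
#define SEL_RPL(s)      ((s) & 0x3u)
#define SEL_TI(s)       (((s) >> 2) & 0x1u) /* 1 = LDT, 0 = GDT */
#define SEL_INDEX(s)    ((s) >> 3)

enum sel_result {
    SEL_OK,        /* descriptor lives in a mapped page */
    SEL_BAD_RPL,   /* not a user (RPL 3) selector */
    SEL_LDT,       /* LDT selector, not a GDT slot; out of scope here */
    SEL_FAULTS     /* descriptor slot lies beyond the kentered part */
};

/* Build the selector userland would hand over: GDT, RPL 3. */
static uint16_t make_user_sel(unsigned index)
{
    return (uint16_t)((index << 3) | 3u);
}

/*
 * Decide what happens when `sel` is loaded into %cs with `mapped_bytes` of
 * the GDT actually backed. The CPU's own limit check against GDTR is not
 * what saves us: the limit was set to the maximum, so the descriptor fetch
 * touches memory and can page fault in kernel mode.
 */
static enum sel_result check_user_cs(size_t mapped_bytes, uint16_t sel)
{
    size_t off;

    if (SEL_RPL(sel) != 3u)
        return SEL_BAD_RPL;
    if (SEL_TI(sel))
        return SEL_LDT;
    off = (size_t)SEL_INDEX(sel) * DESC_SIZE;
    if (off + DESC_SIZE > mapped_bytes)
        return SEL_FAULTS;
    return SEL_OK;
}

int main(void)
{
    uint16_t sel = make_user_sel(600);   /* offset 4800: past a single page */
    printf("one page mapped:  %d\n", check_user_cs(PAGE_SIZE, sel));
    printf("whole GDT mapped: %d\n", check_user_cs(GDT_MAX_BYTES, sel));
    return 0;
}
```

With the whole reserved range mapped up front, as the commit's mitigation does, `check_user_cs` can never return SEL_FAULTS for a GDT selector, which is the property that removes the kernel-mode page fault path regardless of what userland puts in %cs.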


# 461bd691 05-Feb-2017 maxv <maxv@NetBSD.org>

Remove #if 0 on USER_LDT.


# 68b5f6e4 02-Sep-2016 maxv <maxv@NetBSD.org>

Fix argument (does not compile anyway).


# 88dda990 19-Feb-2014 dsl <dsl@NetBSD.org>

Explicitly include x86/fpu.h instead of relying on x86/frame.h including it.


# 663a6b84 15-Feb-2014 dsl <dsl@NetBSD.org>

Remove all references to MDL_USEDFPU and deferred fpu initialisation.
The cost of zeroing the save area on exec is minimal.
This stops the FP registers of a random process being used the first
time an lwp uses the fpu.
sendsig_siginfo() and get_mcontext() now unconditionally copy the FP
registers.
I'll remove the double-copy for signal handlers soon.
get_mcontext() might have been leaking kernel memory to userspace - and
may still do so if i386_use_fxsave is false (short copies).


# d41378b3 07-Feb-2014 dsl <dsl@NetBSD.org>

Convert the amd64 build to use x86/cpu_extended_state.h so that the fpu
definitions match those of i386.
Mostly just structure and field renames, in addition:
1) process_xmm_to_s87() and process_s87_to_xmm() moved into
x86/convert_xmm_s87.c so they can be used by amd64's netbsd32 code.
2) The linux signal code simplified to use a structure copy for the fxsave
data - it matches the hardware definition and won't change.


# c959d6a1 01-Dec-2013 christos <christos@NetBSD.org>

revert fpu/pcu changes until we figure out what's wrong; they cause random
freezes


# 0f75fe56 23-Oct-2013 drochner <drochner@NetBSD.org>

Use the MI "pcu" framework for bookkeeping of npx/fpu states on x86.
This reduces the amount of MD code enormously, and makes it easier
to implement support for newer CPU features which require more fpu
state, or for fpu usage by the kernel.
For access to FPU state across CPUs, an xcall kthread is used now
rather than a dedicated IPI.
No user visible changes intended.


# 63092990 15-Jul-2012 dsl <dsl@NetBSD.org>

Rename MDP_IRET to MDL_IRET since it is an lwp flag, not a proc one.
Add an MDL_COMPAT32 flag to the lwp's md_flags, set it for 32bit lwps
and use it to force 'return to user' with iret (as is done when
MDL_IRET is set).
Split the iret/sysret code paths much later.
Remove all the replicated code for 32bit system calls - which was only
needed so that iret was always used.
frameasm.h for XEN contains '#define swapgs', while XEN probably never
needs swapgs, this is likely to be confusing.
Add a SWAPGS which is a nop on XEN and swapgs otherwise.
(I've not yet checked all the swapgs in files that include frameasm.h)
Simple x86 programs still work.
Hijack 6.99.9 kernel bump (needed for compat32 modules)


# 9b60e463 08-Jul-2012 dsl <dsl@NetBSD.org>

The MDP_USEDFPU (amd64 and sh3) and MDP_SSTEP (sh3) are lwp flags not
process ones, rename to MDL_xxx.


# c3454f5a 04-Mar-2011 joerg <joerg@NetBSD.org>

Refactor ps_strings access. Based on PK_32, write either the normal
version or the 32bit compat layout in execve1. Introduce a new function
copyin_psstrings for reading it back from userland and converting it to
the native layout. Refactor procfs to share most of the code with the
kern.proc_args sysctl handler.

This material is based upon work partially supported by
The NetBSD Foundation under a contract with Joerg Sonnenberger.


# efa7b2c5 07-Feb-2011 chs <chs@NetBSD.org>

move macros for validating fs/gs to segments.h and use them
in the linux32 code as well.


# fc7a1961 02-Nov-2010 chs <chs@NetBSD.org>

implement the following syscalls for linux32:
truncate64
ftruncate64
profil
ioperm
iopl
setdomainname
modify_ldt
statfs64
fstatfs64

note that iopl(), ioperm() and modify_ldt() just call
the respective 64-bit handlers, which don't do anything yet.


# e86c1254 12-Jul-2010 christos <christos@NetBSD.org>

fix debugging build.


# 6f196907 07-Jul-2010 jmmv <jmmv@NetBSD.org>

Add missing includes to bring the linux_semun type needed by
linux_syscallargs.h.


# 33fa5ccb 07-Jul-2010 chs <chs@NetBSD.org>

many changes for COMPAT_LINUX:
- update the linux syscall table for each platform.
- support new-style (NPTL) linux pthreads on all platforms.
clone() with CLONE_THREAD uses 1 process with many LWPs
instead of separate processes.
- move the contents of sys__lwp_setprivate() into a new
lwp_setprivate() and use that everywhere.
- update linux_release[] and linux32_release[] to "2.6.18".
- adjust placement of emul fork/exec/exit hooks as needed
and adjust other emul code to match.
- convert all struct emul definitions to use named initializers.
- change the pid allocator to allow multiple pids to refer to the same proc.
- remove a few fields from struct proc that are no longer needed.
- disable the non-functional "vdso" code in linux32/amd64,
glibc works fine without it.
- fix a race in the futex code where we could miss a wakeup after
a requeue operation.
- redo futex locking to be a little more efficient.
