From 6f83eb8b2179d56966b3392399d68a66f3ab9f3b Mon Sep 17 00:00:00 2001
From: Justin Hibbits
Date: Sat, 16 Nov 2019 16:36:20 +0000
Subject: [PATCH] powerpcspe: Don't leak kernel registers in SPE dumps

save_vec_int() for SPE saves off only the high word of the register, leaving the low word as "garbage", but really containing whatever was in the kernel register at the time. This leaks into core dumps, and in a near future commit also into ptrace. Instead, save the GPR in the low word in save_vec_nodrop(), which is used only for core dumps and ptrace.
---
 sys/powerpc/booke/spe.c | 17 +++++++++++++----
 1 file changed, 13 insertions(+), 4 deletions(-)

diff --git a/sys/powerpc/booke/spe.c b/sys/powerpc/booke/spe.c
index 597c6801b6a4..9cc0f3565615 100644
--- a/sys/powerpc/booke/spe.c
+++ b/sys/powerpc/booke/spe.c
@@ -176,19 +176,28 @@ save_vec(struct thread *td)
 
 /*
  * Save SPE state without dropping ownership. This will only save state if
- * the current vector-thread is `td'.
+ * the current vector-thread is `td'. This is used for taking core dumps, so
+ * don't leak kernel information; overwrite the low words of each vector with
+ * their real value, taken from the thread's trap frame, unconditionally.
  */
 void
 save_vec_nodrop(struct thread *td)
 {
 	struct thread *vtd;
+	struct pcb *pcb;
+	int i;
 
 	vtd = PCPU_GET(vecthread);
-	if (td != vtd) {
-		return;
+	if (td == vtd) {
+		save_vec_int(td);
 	}
-	save_vec_int(td);
+	pcb = td->td_pcb;
+
+	for (i = 0; i < 32; i++) {
+		pcb->pcb_vec.vr[i][1] =
+		    td->td_frame ? td->td_frame->fixreg[i] : 0;
+	}
 }