Clear the padding when returning context to usermode, for

MI ucontext_t and x86 MD parts.
Kernel allocates the structures on the stack, and not clearing
reserved fields and paddings causes leakage.

Noted and discussed with:	bde
MFC after:	2 weeks
This commit is contained in:
Konstantin Belousov 2011-02-05 15:10:27 +00:00
parent b15e9aa322
commit 6f9ec5aab0
Notes: svn2git 2020-12-20 02:59:44 +00:00
svn path=/head/; revision=218327
4 changed files with 35 additions and 1 deletions


@ -331,6 +331,9 @@ sendsig(sig_t catcher, ksiginfo_t *ksi, sigset_t *mask)
fpstate_drop(td);
sf.sf_uc.uc_mcontext.mc_fsbase = pcb->pcb_fsbase;
sf.sf_uc.uc_mcontext.mc_gsbase = pcb->pcb_gsbase;
bzero(sf.sf_uc.uc_mcontext.mc_spare,
sizeof(sf.sf_uc.uc_mcontext.mc_spare));
bzero(sf.sf_uc.__spare__, sizeof(sf.sf_uc.__spare__));
/* Allocate space for the signal handler context. */
if ((td->td_pflags & TDP_ALTSTACK) != 0 && !oonstack &&
@ -352,6 +355,7 @@ sendsig(sig_t catcher, ksiginfo_t *ksi, sigset_t *mask)
/* Build the argument list for the signal handler. */
regs->tf_rdi = sig; /* arg 1 in %rdi */
regs->tf_rdx = (register_t)&sfp->sf_uc; /* arg 3 in %rdx */
bzero(&sf.sf_si, sizeof(sf.sf_si));
if (SIGISMEMBER(psp->ps_siginfo, sig)) {
/* Signal handler installed with SA_SIGINFO. */
regs->tf_rsi = (register_t)&sfp->sf_si; /* arg 2 in %rsi */
@ -2043,6 +2047,7 @@ get_mcontext(struct thread *td, mcontext_t *mcp, int flags)
get_fpcontext(td, mcp);
mcp->mc_fsbase = pcb->pcb_fsbase;
mcp->mc_gsbase = pcb->pcb_gsbase;
bzero(mcp->mc_spare, sizeof(mcp->mc_spare));
return (0);
}
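Review bot: Clearing mc_spare and __spare__ field by field in sendsig still leaves any compiler-inserted padding inside struct sigframe uninitialized, and every field added to the structure later will need its own bzero; since sf is a stack local (as the commit message states) and the whole frame is copied out to the signal stack, clearing it once where it is declared, `bzero(&sf, sizeof(sf));`, before the fields are filled would cover the spare arrays, padding and sf_si in one place. Whether the amd64 mcontext_t actually carries padding is not visible here, so treat this as a defensive measure rather than a known leak. The start of sendsig and the declaration of sf are outside the hunk, as is the prologue of get_mcontext.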


@ -167,6 +167,8 @@ ia32_get_mcontext(struct thread *td, struct ia32_mcontext *mcp, int flags)
ia32_get_fpcontext(td, mcp);
mcp->mc_fsbase = pcb->pcb_fsbase;
mcp->mc_gsbase = pcb->pcb_gsbase;
bzero(mcp->mc_spare1, sizeof(mcp->mc_spare1));
bzero(mcp->mc_spare2, sizeof(mcp->mc_spare2));
set_pcb_flags(pcb, PCB_FULL_IRET);
return (0);
}
@ -233,6 +235,7 @@ freebsd32_getcontext(struct thread *td, struct freebsd32_getcontext_args *uap)
PROC_LOCK(td->td_proc);
uc.uc_sigmask = td->td_sigmask;
PROC_UNLOCK(td->td_proc);
bzero(&uc.__spare__, sizeof(uc.__spare__));
ret = copyout(&uc, uap->ucp, UC_COPY_SIZE);
}
return (ret);
@ -348,6 +351,11 @@ freebsd4_ia32_sendsig(sig_t catcher, ksiginfo_t *ksi, sigset_t *mask)
sf.sf_uc.uc_mcontext.mc_es = regs->tf_es;
sf.sf_uc.uc_mcontext.mc_fs = regs->tf_fs;
sf.sf_uc.uc_mcontext.mc_gs = regs->tf_gs;
bzero(sf.sf_uc.uc_mcontext.mc_fpregs,
sizeof(sf.sf_uc.uc_mcontext.mc_fpregs));
bzero(sf.sf_uc.uc_mcontext.__spare__,
sizeof(sf.sf_uc.uc_mcontext.__spare__));
bzero(sf.sf_uc.__spare__, sizeof(sf.sf_uc.__spare__));
/* Allocate space for the signal handler context. */
if ((td->td_pflags & TDP_ALTSTACK) != 0 && !oonstack &&
@ -365,6 +373,7 @@ freebsd4_ia32_sendsig(sig_t catcher, ksiginfo_t *ksi, sigset_t *mask)
/* Build the argument list for the signal handler. */
sf.sf_signum = sig;
sf.sf_ucontext = (register_t)&sfp->sf_uc;
bzero(&sf.sf_si, sizeof(sf.sf_si));
if (SIGISMEMBER(psp->ps_siginfo, sig)) {
/* Signal handler installed with SA_SIGINFO. */
sf.sf_siginfo = (u_int32_t)(uintptr_t)&sfp->sf_si;
@ -468,6 +477,7 @@ ia32_sendsig(sig_t catcher, ksiginfo_t *ksi, sigset_t *mask)
fpstate_drop(td);
sf.sf_uc.uc_mcontext.mc_fsbase = td->td_pcb->pcb_fsbase;
sf.sf_uc.uc_mcontext.mc_gsbase = td->td_pcb->pcb_gsbase;
bzero(sf.sf_uc.__spare__, sizeof(sf.sf_uc.__spare__));
/* Allocate space for the signal handler context. */
if ((td->td_pflags & TDP_ALTSTACK) != 0 && !oonstack &&
@ -487,6 +497,7 @@ ia32_sendsig(sig_t catcher, ksiginfo_t *ksi, sigset_t *mask)
/* Build the argument list for the signal handler. */
sf.sf_signum = sig;
sf.sf_ucontext = (register_t)&sfp->sf_uc;
bzero(&sf.sf_si, sizeof(sf.sf_si));
if (SIGISMEMBER(psp->ps_siginfo, sig)) {
/* Signal handler installed with SA_SIGINFO. */
sf.sf_siginfo = (u_int32_t)(uintptr_t)&sfp->sf_si;
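Review bot: ia32_sendsig clears only sf_uc.__spare__ (the bzero at line 86), while ia32_get_mcontext a few lines up also clears mc_spare1 and mc_spare2 of struct ia32_mcontext and the native i386 sendsig does the same; unless those two arrays are zeroed earlier in ia32_sendsig outside the hunk, they still reach the signal stack uninitialized. The fix is two lines next to the existing bzero: `bzero(sf.sf_uc.uc_mcontext.mc_spare1, sizeof(sf.sf_uc.uc_mcontext.mc_spare1));` and `bzero(sf.sf_uc.uc_mcontext.mc_spare2, sizeof(sf.sf_uc.uc_mcontext.mc_spare2));`. Both sendsig variants start and end outside the hunks, so this may already be handled elsewhere in the function.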


@ -376,12 +376,14 @@ osendsig(sig_t catcher, ksiginfo_t *ksi, sigset_t *mask)
/* Build the argument list for the signal handler. */
sf.sf_signum = sig;
sf.sf_scp = (register_t)&fp->sf_siginfo.si_sc;
bzero(&sf.sf_siginfo, sizeof(sf.sf_siginfo));
if (SIGISMEMBER(psp->ps_siginfo, sig)) {
/* Signal handler installed with SA_SIGINFO. */
sf.sf_arg2 = (register_t)&fp->sf_siginfo;
sf.sf_siginfo.si_signo = sig;
sf.sf_siginfo.si_code = ksi->ksi_code;
sf.sf_ahu.sf_action = (__osiginfohandler_t *)catcher;
sf.sf_addr = 0;
} else {
/* Old FreeBSD-style arguments. */
sf.sf_arg2 = ksi->ksi_code;
@ -495,6 +497,11 @@ freebsd4_sendsig(sig_t catcher, ksiginfo_t *ksi, sigset_t *mask)
sf.sf_uc.uc_mcontext.mc_onstack = (oonstack) ? 1 : 0;
sf.sf_uc.uc_mcontext.mc_gs = rgs();
bcopy(regs, &sf.sf_uc.uc_mcontext.mc_fs, sizeof(*regs));
bzero(sf.sf_uc.uc_mcontext.mc_fpregs,
sizeof(sf.sf_uc.uc_mcontext.mc_fpregs));
bzero(sf.sf_uc.uc_mcontext.__spare__,
sizeof(sf.sf_uc.uc_mcontext.__spare__));
bzero(sf.sf_uc.__spare__, sizeof(sf.sf_uc.__spare__));
/* Allocate space for the signal handler context. */
if ((td->td_pflags & TDP_ALTSTACK) != 0 && !oonstack &&
@ -514,6 +521,7 @@ freebsd4_sendsig(sig_t catcher, ksiginfo_t *ksi, sigset_t *mask)
/* Build the argument list for the signal handler. */
sf.sf_signum = sig;
sf.sf_ucontext = (register_t)&sfp->sf_uc;
bzero(&sf.sf_si, sizeof(sf.sf_si));
if (SIGISMEMBER(psp->ps_siginfo, sig)) {
/* Signal handler installed with SA_SIGINFO. */
sf.sf_siginfo = (register_t)&sfp->sf_si;
@ -640,6 +648,11 @@ sendsig(sig_t catcher, ksiginfo_t *ksi, sigset_t *mask)
sdp = &td->td_pcb->pcb_gsd;
sf.sf_uc.uc_mcontext.mc_gsbase = sdp->sd_hibase << 24 |
sdp->sd_lobase;
bzero(sf.sf_uc.uc_mcontext.mc_spare1,
sizeof(sf.sf_uc.uc_mcontext.mc_spare1));
bzero(sf.sf_uc.uc_mcontext.mc_spare2,
sizeof(sf.sf_uc.uc_mcontext.mc_spare2));
bzero(sf.sf_uc.__spare__, sizeof(sf.sf_uc.__spare__));
/* Allocate space for the signal handler context. */
if ((td->td_pflags & TDP_ALTSTACK) != 0 && !oonstack &&
@ -661,6 +674,7 @@ sendsig(sig_t catcher, ksiginfo_t *ksi, sigset_t *mask)
/* Build the argument list for the signal handler. */
sf.sf_signum = sig;
sf.sf_ucontext = (register_t)&sfp->sf_uc;
bzero(&sf.sf_si, sizeof(sf.sf_si));
if (SIGISMEMBER(psp->ps_siginfo, sig)) {
/* Signal handler installed with SA_SIGINFO. */
sf.sf_siginfo = (register_t)&sfp->sf_si;
@ -3286,7 +3300,8 @@ get_mcontext(struct thread *td, mcontext_t *mcp, int flags)
mcp->mc_fsbase = sdp->sd_hibase << 24 | sdp->sd_lobase;
sdp = &td->td_pcb->pcb_gsd;
mcp->mc_gsbase = sdp->sd_hibase << 24 | sdp->sd_lobase;
bzero(mcp->mc_spare1, sizeof(mcp->mc_spare1));
bzero(mcp->mc_spare2, sizeof(mcp->mc_spare2));
return (0);
}
@ -3335,6 +3350,7 @@ get_fpcontext(struct thread *td, mcontext_t *mcp)
#ifndef DEV_NPX
mcp->mc_fpformat = _MC_FPFMT_NODEV;
mcp->mc_ownedfp = _MC_FPOWNED_NONE;
bzero(mcp->mc_fpstate, sizeof(mcp->mc_fpstate));
#else
mcp->mc_ownedfp = npxgetregs(td);
bcopy(&td->td_pcb->pcb_user_save, &mcp->mc_fpstate,
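Review bot: In osendsig the new `bzero(&sf.sf_siginfo, sizeof(sf.sf_siginfo));` wipes the embedded si_sc sigcontext immediately after sf_scp has been pointed at it, so it is only correct if every si_sc field is written later in the function, which is outside the hunk; a one-line comment such as `/* Cleared here; si_sc is filled in below. */` would stop someone from moving it. The per-field clearing in freebsd4_sendsig and sendsig (mc_fpregs, __spare__, mc_spare1, mc_spare2) also cannot reach compiler padding inside the frame, so a single `bzero(&sf, sizeof(sf));` at the top of each function would be both shorter and more complete. All three enclosing functions start and end outside the hunks.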


@ -72,6 +72,7 @@ getcontext(struct thread *td, struct getcontext_args *uap)
PROC_LOCK(td->td_proc);
uc.uc_sigmask = td->td_sigmask;
PROC_UNLOCK(td->td_proc);
bzero(uc.__spare__, sizeof(uc.__spare__));
ret = copyout(&uc, uap->ucp, UC_COPY_SIZE);
}
return (ret);
@ -108,6 +109,7 @@ swapcontext(struct thread *td, struct swapcontext_args *uap)
ret = EINVAL;
else {
get_mcontext(td, &uc.uc_mcontext, GET_MC_CLEAR_RET);
bzero(uc.__spare__, sizeof(uc.__spare__));
PROC_LOCK(td->td_proc);
uc.uc_sigmask = td->td_sigmask;
PROC_UNLOCK(td->td_proc);
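Review bot: getcontext and swapcontext clear only uc.__spare__ before copying UC_COPY_SIZE bytes out, which leaves any compiler padding in the local ucontext_t uninitialized and requires a new bzero whenever a field is added; zeroing the local once at its declaration (`bzero(&uc, sizeof(uc));`, the declaration is outside the hunk) would cover both cases. The two functions also place the bzero differently, after the sigmask copy in getcontext and before it in swapcontext; harmless, but keeping the same order makes the duplicated sequence easier to compare. Both function bodies extend beyond the hunks.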