freebsd-dev/sys/kern
Konstantin Belousov 5efe338f3d Fix handling of the segment registers on i386.
Suppose that userspace is executing with non-standard segment
descriptors.  Then, until the exception or interrupt handler has executed
SET_KERNEL_SEGS, the kernel is still executing with the user %ds, %es and %fs.
If an interrupt occurs in this window, the interrupt handler is
executed unsafely, relying on the usability of the usermode registers.  If
the interrupt results in a context switch on return, the
contamination of the kernel state spreads to the thread we switched
to.  As a result, kernel data accesses might fault or, if only the base
is changed, be completely messed up.

Moreover, if the user segment was allocated in the LDT, another thread might
mark the descriptor as invalid before the doreti code tries to reload
it.  In this case the kernel panics.

The issue exists for all exception entry points which use a trap gate,
and thus do not automatically disable interrupts on entry, and for
lcall_handler.

The fix is two-fold: first, we need to disable interrupts for all kernel
entries, changing the IDT descriptor types from trap gate to interrupt
gate.  Interrupts are re-enabled no earlier than when the kernel segments
are loaded into the segment registers.  Second, we only load the
segment registers from the trap frame when returning to usermode.  For
the latter, all interrupt return paths must go through the doreti
common code.

There is no way to disable interrupts on a call gate, which is the
supposed mode of servicing for lcall $7,$0 syscalls.  Change LDT
descriptor 0 into a code segment type and point it to the userspace
trampoline which redirects the syscall to int $0x80.

All the measures make the segment register handling similar to that of
amd64.  We do not apply amd64 optimizations of not reloading segment
registers on return from the syscall.

Reported by:	Maxime Villard <max@m00nbsd.net>
Tested by:	pho (the non-lcall part)
Reviewed by:	jhb
Sponsored by:	The FreeBSD Foundation
MFC after:	2 weeks
Differential revision:	https://reviews.freebsd.org/D12402
2017-09-18 20:22:42 +00:00
bus_if.m "Buses" is the preferred plural of "bus" 2017-01-15 17:54:01 +00:00
capabilities.conf Correct sysent flags for dynamically loaded syscalls. 2017-07-14 09:34:44 +00:00
clock_if.m
cpufreq_if.m
device_if.m Import the 'iflib' API library for network drivers. From the author: 2016-05-18 04:35:58 +00:00
genassym.sh Don't prefix zero with 0x in assym.s. 2017-04-13 15:43:44 +00:00
imgact_aout.c Fix handling of the segment registers on i386. 2017-09-18 20:22:42 +00:00
imgact_binmisc.c tighten buffer bounds in imgact_binmisc_populate_interp 2017-03-21 18:02:14 +00:00
imgact_elf32.c
imgact_elf64.c
imgact_elf.c Add AT_HWCAP and AT_EHDRFLAGS on all platforms. 2017-09-14 14:26:55 +00:00
imgact_gzip.c
imgact_shell.c
inflate.c Remove register keyword from sys/ and ANSIfy prototypes 2017-05-17 00:34:34 +00:00
init_main.c Move struct syscall_args syscall arguments parameters container into 2017-06-12 21:03:23 +00:00
init_sysent.c Regen. 2017-06-17 00:58:19 +00:00
kern_acct.c Commit the 64-bit inode project. 2017-05-23 09:29:05 +00:00
kern_alq.c Use SI_SUB_LAST instead of SI_SUB_SMP as the "catch-all" subsystem. 2016-03-11 23:18:06 +00:00
kern_clock.c Remove register keyword from sys/ and ANSIfy prototypes 2017-05-17 00:34:34 +00:00
kern_clocksource.c Remove cpu_deepest_sleep variable. 2017-02-24 16:11:55 +00:00
kern_condvar.c Introduce SCHEDULER_STOPPED_TD for use when the thread pointer was already read 2017-02-17 06:45:04 +00:00
kern_conf.c Undo r309891. Konstantin is right in that this condition normally 2016-12-12 19:11:04 +00:00
kern_cons.c Renumber license clauses in sys/kern to avoid skipping #3 2016-09-15 13:16:20 +00:00
kern_context.c
kern_cpu.c Add an EARLY_AP_STARTUP option to start APs earlier during boot. 2016-05-14 18:22:52 +00:00
kern_cpuset.c Fix size to copyout(9) for cpuset_getid(2). 2017-08-22 20:46:29 +00:00
kern_ctf.c Fix improper use of "its". 2016-11-08 23:59:41 +00:00
kern_descrip.c ddb show files: fix up file types and whitespace 2017-06-14 07:46:52 +00:00
kern_dtrace.c Sprinkle __read_frequently on few obvious places. 2017-09-06 20:33:33 +00:00
kern_dump.c Rename mkdumpheader() and group EKCD functions in kern_shutdown.c. 2017-08-18 04:04:09 +00:00
kern_environment.c Create wrappers for uint64_t and int64_t for the tunables. While not 2016-04-15 03:09:55 +00:00
kern_et.c Add labels to sysctls related to clocks. 2016-12-14 12:56:58 +00:00
kern_event.c Do not cast struct kevent_args or struct freebsd11_kevent_args to 2017-06-29 14:40:33 +00:00
kern_exec.c Resolve confusion between different error code spaces. 2017-07-03 20:44:01 +00:00
kern_exit.c Avoid reusing p_ksi while it is on queue. 2017-03-12 13:58:51 +00:00
kern_fail.c Avoid open-coding PRI_UNCHANGED. 2017-05-18 18:24:11 +00:00
kern_ffclock.c kernel: use our nitems() macro when it is available through param.h. 2016-04-19 23:48:27 +00:00
kern_fork.c If the user tries to set kern.randompid to 1 (which is meaningless), set 2017-09-10 15:01:29 +00:00
kern_gzio.c
kern_hhook.c Get closer to a VIMAGE network stack teardown from top to bottom rather 2016-06-21 13:48:49 +00:00
kern_idle.c
kern_intr.c Extend cpuset_get/setaffinity() APIs 2017-05-03 18:41:08 +00:00
kern_jail.c Jails: Optionally prevent jailed root from binding to privileged ports 2017-06-06 02:15:00 +00:00
kern_khelp.c
kern_kthread.c Re-schedule signals after kthread exits, since apparently there are 2016-08-10 13:47:12 +00:00
kern_ktr.c Fix a couple of comment typos 2017-08-15 02:21:02 +00:00
kern_ktrace.c Ktracing kevent(2) calls with unusual arguments might lead to an 2017-03-12 13:48:24 +00:00
kern_linker.c kldstat: Use sizeof in place of named constants for sizing 2017-07-29 23:31:21 +00:00
kern_lock.c lockmgr: implement fast path 2017-02-12 09:49:44 +00:00
kern_lockf.c put very expensive sanity checks of advisory locks under DIAGNOSTIC 2017-01-30 15:20:13 +00:00
kern_lockstat.c Sprinkle __read_frequently on few obvious places. 2017-09-06 20:33:33 +00:00
kern_loginclass.c
kern_malloc.c Renumber license clauses in sys/kern to avoid skipping #3 2016-09-15 13:16:20 +00:00
kern_mbuf.c Import the 'iflib' API library for network drivers. From the author: 2016-05-18 04:35:58 +00:00
kern_mib.c All these files need sys/vmmeter.h, but now they got it implicitly 2017-04-17 17:07:00 +00:00
kern_module.c
kern_mtxpool.c sys/kern: spelling fixes in comments. 2016-04-29 22:15:33 +00:00
kern_mutex.c Annotate Giant with __exclusive_cache_line 2017-09-08 06:46:24 +00:00
kern_ntptime.c ANSIfy kern_ntptime.c 2017-01-25 20:22:32 +00:00
kern_numa.c Remove unneeded include of vm_phys.h. 2017-04-17 16:51:04 +00:00
kern_osd.c osd(9): Change array pointer to array pointer type from void* 2016-04-26 19:57:35 +00:00
kern_physio.c Add four new RCTL resources - readbps, readiops, writebps and writeiops, 2016-04-07 04:23:25 +00:00
kern_pmc.c Cast values to (int) before comparing them to the range of the 2017-02-24 01:39:12 +00:00
kern_poll.c
kern_priv.c
kern_proc.c Annotate global process locks with __exclusive_cache_line 2017-09-08 06:46:02 +00:00
kern_procctl.c reaper: Make REAPER_KILL_SUBTREE actually work. 2016-12-14 22:49:20 +00:00
kern_prot.c Add security.bsd.see_jail_proc 2017-05-23 16:59:24 +00:00
kern_racct.c try to fix RACCT_RSS accounting 2017-02-14 13:54:05 +00:00
kern_rangelock.c
kern_rctl.c sys/kern: spelling fixes in comments. 2016-04-29 22:15:33 +00:00
kern_resource.c Remove register keyword from sys/ and ANSIfy prototypes 2017-05-17 00:34:34 +00:00
kern_rmlock.c Corrected misspelled versions of rendezvous. 2017-04-09 02:00:03 +00:00
kern_rwlock.c Sprinkle __read_frequently on few obvious places. 2017-09-06 20:33:33 +00:00
kern_sdt.c
kern_sema.c
kern_sendfile.c Use soref() in sendfile(2) instead fhold() to reference a socket. 2017-09-13 22:11:05 +00:00
kern_sharedpage.c
kern_shutdown.c Remove some unneeded subroutines for padding writes to dump devices. 2017-08-18 04:07:25 +00:00
kern_sig.c Make it possible to request nosys logging to console. 2017-07-27 20:45:41 +00:00
kern_switch.c Add comments explaining unobvious td_critnest adjustments in 2017-01-22 19:41:42 +00:00
kern_sx.c Sprinkle __read_frequently on few obvious places. 2017-09-06 20:33:33 +00:00
kern_synch.c - Remove 'struct vmmeter' from 'struct pcpu', leaving only global vmmeter 2017-04-17 17:34:47 +00:00
kern_syscalls.c
kern_sysctl.c Enhance debuggability of sysctl leaf re-use warnings 2017-08-27 17:12:30 +00:00
kern_tc.c Add missing pieces of r315280 2017-03-14 22:02:02 +00:00
kern_thr.c Defer ptracestop() signals that cannot be delivered immediately 2017-02-20 15:53:16 +00:00
kern_thread.c Move struct syscall_args syscall arguments parameters container into 2017-06-12 21:03:23 +00:00
kern_time.c Add clock_nanosleep() 2017-03-19 00:51:12 +00:00
kern_timeout.c Remove register keyword from sys/ and ANSIfy prototypes 2017-05-17 00:34:34 +00:00
kern_umtx.c When the RTC is adjusted, reevaluate absolute sleep times based on the RTC 2017-03-14 19:06:44 +00:00
kern_uuid.c Hint at the intended usage for the "ll" field of struct uuid_private. 2017-06-13 15:37:04 +00:00
kern_xxx.c Remove register keyword from sys/ and ANSIfy prototypes 2017-05-17 00:34:34 +00:00
ksched.c
link_elf_obj.c Reduce stack usage in link_elf_load_file(), allocating struct nameidata. 2017-03-09 00:45:15 +00:00
link_elf.c kern: for pointers replace 0 with NULL. 2016-04-15 16:10:11 +00:00
linker_if.m sys/kern: spelling fixes in comments. 2016-04-29 22:15:33 +00:00
Make.tags.inc
Makefile Don't create pointless backups of generated files in "make sysent". 2016-07-28 21:29:04 +00:00
makesyscalls.sh Commit the 64-bit inode project. 2017-05-23 09:29:05 +00:00
md4c.c crypto routines: Hint minimum buffer sizes to the compiler 2016-05-26 19:29:29 +00:00
md5c.c crypto routines: Hint minimum buffer sizes to the compiler 2016-05-26 19:29:29 +00:00
msi_if.m Introduce MSI and MSI-X support to intrng. This adds a new msi device 2016-05-16 09:11:40 +00:00
p1003_1b.c
pic_if.m INTRNG: Rework handling with resources. Partially revert r301453. 2016-08-19 10:52:39 +00:00
posix4_mib.c Make p1003_1b.aio_listio_max a tunable 2017-08-08 16:14:31 +00:00
sched_4bsd.c Remove register keyword from sys/ and ANSIfy prototypes 2017-05-17 00:34:34 +00:00
sched_ule.c move thread switch tracing from mi_switch to sched_switch 2017-03-23 08:57:04 +00:00
serdev_if.m
stack_protector.c
subr_acl_nfs4.c
subr_acl_posix1e.c
subr_autoconf.c Add config_intrhook_oneshot(): schedule an intrhook function and unregister 2017-08-13 18:10:24 +00:00
subr_blist.c Modify blst_leaf_alloc to take only the cursor argument. 2017-09-16 18:12:15 +00:00
subr_bufring.c
subr_bus_dma.c Add CAM/NVMe support for CAM_DATA_SG 2017-08-29 15:29:57 +00:00
subr_bus.c "Buses" is the preferred plural of "bus" 2017-01-15 17:54:01 +00:00
subr_busdma_bufalloc.c
subr_capability.c
subr_clock.c Add common code to support realtime clocks that store year without century. 2017-07-23 21:28:00 +00:00
subr_counter.c Zero return value when counter_rate() switches over to next second and 2016-12-13 20:11:45 +00:00
subr_devmap.c o Replace __riscv__ with __riscv 2017-08-07 14:09:57 +00:00
subr_devstat.c Add support for managing Shingled Magnetic Recording (SMR) drives. 2016-05-19 14:08:36 +00:00
subr_disk.c
subr_dummy_vdso_tc.c
subr_eventhandler.c
subr_fattime.c
subr_firmware.c Fix improper use of "its". 2016-11-08 23:59:41 +00:00
subr_gtaskqueue.c Revert r323516 (iflib rollup) 2017-09-16 02:41:38 +00:00
subr_hash.c Renumber license clauses in sys/kern to avoid skipping #3 2016-09-15 13:16:20 +00:00
subr_hints.c
subr_intr.c Fix compile error with option DEBUG. This is fallout from some long-ago 2017-08-16 16:51:55 +00:00
subr_kdb.c
subr_kobj.c - Also outside of the KOBJOPLOOKUP macro - which in turn is used by 2017-05-08 21:08:39 +00:00
subr_lock.c locks: follow up r313386 2017-02-07 16:01:07 +00:00
subr_log.c Renumber license clauses in sys/kern to avoid skipping #3 2016-09-15 13:16:20 +00:00
subr_mbpool.c sys/kern: spelling fixes in comments. 2016-04-29 22:15:33 +00:00
subr_mchain.c Renumber license clauses in sys/kern to avoid skipping #3 2016-09-15 13:16:20 +00:00
subr_module.c
subr_msgbuf.c sys/kern: spelling fixes in comments. 2016-04-29 22:15:33 +00:00
subr_param.c Allow sysctl kern.vm_guest to return bhyve when running under bhyve. 2017-06-08 04:02:14 +00:00
subr_pcpu.c Renumber license clauses in sys/kern to avoid skipping #3 2016-09-15 13:16:20 +00:00
subr_pctrie.c Make the number of children for pctrie node available outside subr_pctrie.c. 2017-07-27 16:40:14 +00:00
subr_power.c
subr_prf.c kvprintf %b enhancements 2017-07-12 07:30:14 +00:00
subr_prof.c Renumber license clauses in sys/kern to avoid skipping #3 2016-09-15 13:16:20 +00:00
subr_rman.c Add new bus methods for mapping resources. 2016-05-20 17:57:47 +00:00
subr_rtc.c Add clock_schedule(), a feature that allows realtime clock drivers to 2017-07-31 01:18:21 +00:00
subr_sbuf.c An off-by-one error exists in sbuf_vprintf()'s use of SBUF_HASROOM() when an 2017-08-18 02:06:28 +00:00
subr_scanf.c Renumber license clauses in sys/kern to avoid skipping #3 2016-09-15 13:16:20 +00:00
subr_sfbuf.c subr_sfbuf.c needs sys/proc.h for struct thread definition. 2017-02-07 17:31:24 +00:00
subr_sglist.c Add sglist_append_sglist(). 2017-05-16 23:31:52 +00:00
subr_sleepqueue.c Add missing pieces of r315280 2017-03-14 22:02:02 +00:00
subr_smp.c Improve scheduler performance 2017-08-27 05:14:48 +00:00
subr_stack.c
subr_syscall.c Move struct syscall_args syscall arguments parameters container into 2017-06-12 21:03:23 +00:00
subr_taskqueue.c Add taskqueue_enqueue_timeout_sbt(), because sometimes you want more control 2017-07-31 00:54:50 +00:00
subr_terminal.c Oops, my fix for bright colors broke bright black some more (in cases 2017-03-27 10:48:28 +00:00
subr_trap.c - Remove 'struct vmmeter' from 'struct pcpu', leaving only global vmmeter 2017-04-17 17:34:47 +00:00
subr_turnstile.c Remove unused declaration and update ddb.4 2017-08-24 19:16:25 +00:00
subr_uio.c Simplify UIO_SYSSPACE and UIO_NOCOPY paths in uiomove 2017-07-06 15:03:54 +00:00
subr_unit.c Clean up trailing whitespace 2017-01-14 04:16:13 +00:00
subr_vmem.c Start annotating global _padalign locks with __exclusive_cache_line 2017-09-06 20:28:18 +00:00
subr_witness.c Amend r321884 to check the refcount and update the class with w_mtx held. 2017-08-01 23:14:38 +00:00
sys_capability.c capsicum: perform copyout without the fildesc lock held in sys_cap_ioctls_get 2016-10-21 16:12:23 +00:00
sys_generic.c Fix NULL pointer dereference and panic with shm file pread/pwrite. 2017-03-10 10:09:44 +00:00
sys_pipe.c Generate syscall tables and update pipe() implementation after r302094. 2016-06-22 21:18:19 +00:00
sys_procdesc.c Hide the boottime and boottimebin globals, provide the getboottime(9) 2016-07-27 11:08:59 +00:00
sys_process.c Store a 32-bit PT_LWPINFO struct for 32-bit process core dumps. 2017-06-29 21:31:13 +00:00
sys_socket.c Don't grab SOCK_LOCK for soref() when queuing an AIO request. 2017-08-25 23:10:27 +00:00
syscalls.c Regen. 2017-06-17 00:58:19 +00:00
syscalls.master Add abstime kqueue(2) timers and expand struct kevent members. 2017-06-17 00:57:26 +00:00
systrace_args.c Regen. 2017-06-17 00:58:19 +00:00
sysv_ipc.c
sysv_msg.c Remove register keyword from sys/ and ANSIfy prototypes 2017-05-17 00:34:34 +00:00
sysv_sem.c Audit arguments to System V IPC system calls implementing semaphores, 2017-03-30 22:26:15 +00:00
sysv_shm.c Audit arguments to System V IPC system calls implementing semaphores, 2017-03-30 22:26:15 +00:00
tty_compat.c Renumber license clauses in sys/kern to avoid skipping #3 2016-09-15 13:16:20 +00:00
tty_info.c Renumber license clauses in sys/kern to avoid skipping #3 2016-09-15 13:16:20 +00:00
tty_inq.c Check tty_gone() after allocating IO buffers. The tty lock has to be 2017-01-13 16:37:38 +00:00
tty_outq.c Check tty_gone() after allocating IO buffers. The tty lock has to be 2017-01-13 16:37:38 +00:00
tty_pts.c Commit the 64-bit inode project. 2017-05-23 09:29:05 +00:00
tty_tty.c
tty_ttydisc.c
tty.c Commit the 64-bit inode project. 2017-05-23 09:29:05 +00:00
uipc_accf.c Listening sockets improvements. 2017-06-08 21:30:34 +00:00
uipc_debug.c ddb show socket debugging 2017-06-15 04:49:12 +00:00
uipc_domain.c Renumber license clauses in sys/kern to avoid skipping #3 2016-09-15 13:16:20 +00:00
uipc_mbuf2.c Remove writability requirement for single-mbuf, contiguous-range 2017-01-12 06:38:03 +00:00
uipc_mbuf.c Fix one more place uio_resid is truncated to int 2017-06-27 17:23:20 +00:00
uipc_mbufhash.c
uipc_mqueue.c Correct sysent flags for dynamically loaded syscalls. 2017-07-14 09:34:44 +00:00
uipc_sem.c Audit arguments to POSIX message queues, semaphores, and shared memory. 2017-03-31 13:43:00 +00:00
uipc_shm.c Do not ignore an error from vm_mmap_object(). 2017-06-27 20:12:13 +00:00
uipc_sockbuf.c Third take on the r319685 and r320480. Actually allow for call soisconnected() 2017-08-24 20:49:19 +00:00
uipc_socket.c Fix locking in soisconnected(). 2017-09-14 18:05:54 +00:00
uipc_syscalls.c Listening sockets improvements. 2017-06-08 21:30:34 +00:00
uipc_usrreq.c Fix two issues with not ready data in sockets (read: sendfile) 2017-09-13 16:47:23 +00:00
vfs_acl.c Add system-call argument auditing for ACL-related system calls. 2017-03-30 22:00:58 +00:00
vfs_aio.c Make p1003_1b.aio_listio_max a tunable 2017-08-08 16:14:31 +00:00
vfs_bio.c Start annotating global _padalign locks with __exclusive_cache_line 2017-09-06 20:28:18 +00:00
vfs_cache.c namecache: clean up struct namecache_ts handling 2017-09-10 11:17:32 +00:00
vfs_cluster.c Move bogus_page declaration to vm_page.h and initialization to vm_page.c. 2017-01-04 22:27:19 +00:00
vfs_default.c For UNIX sockets make vnode point not to the socket, but to the UNIX PCB, 2017-06-02 17:31:25 +00:00
vfs_export.c Remove register keyword from sys/ and ANSIfy prototypes 2017-05-17 00:34:34 +00:00
vfs_extattr.c
vfs_hash.c Add vfs_hash_ref(9) function, which finds a vnode by the hash value 2016-05-11 06:32:22 +00:00
vfs_init.c Renumber license clauses in sys/kern to avoid skipping #3 2016-09-15 13:16:20 +00:00
vfs_lookup.c Use UMA_ALIGN_PTR instead of sizeof(void *) for zone alignment. 2017-03-15 18:23:32 +00:00
vfs_mount.c dounmount: do not release the mount point's reference on the covered vnode 2017-09-14 08:47:06 +00:00
vfs_mountroot.c Make root_mount_rel(9) ignore NULL arguments, like it used to before r313351. 2017-09-05 14:32:56 +00:00
vfs_subr.c Allow vdrop() of a vnode not yet on the per-mount list after r306512. 2017-08-28 19:29:51 +00:00
vfs_syscalls.c Implement proper Linux /dev/fd and /proc/self/fd behavior by adding 2017-08-01 03:40:19 +00:00
vfs_vnops.c Use whole mnt_stat.f_fsid bits for st_dev. 2017-05-27 17:00:30 +00:00
vnode_if.src For UNIX sockets make vnode point not to the socket, but to the UNIX PCB, 2017-06-02 17:31:25 +00:00