Clear high 16 bits of mxcsr register, according to Intel document, if

the high 16 bits is non-zero, fxrstor instruction will generate GP fault, resulting kernel crash, this bug can be triggered by setcontext and ptrace(PT_SETXMMREGS).
2006-05-28 06:51:57 +00:00 · 2006-05-28 06:51:57 +00:00 · 4f56cbcbd5
commit 4f56cbcbd5
parent fd6f84b1df
2 changed files with 5 additions and 0 deletions
--- a/sys/i386/i386/machdep.c
+++ b/sys/i386/i386/machdep.c
@ -2710,6 +2710,9 @@ set_fpcontext(struct thread *td, const mcontext_t *mcp)
 			bcopy(&mcp->mc_fpstate, addr, sizeof(mcp->mc_fpstate));
 		}
 #ifdef DEV_NPX
+		/* clear high 16 bits of mxcsr to avoid security problem. */
+		if (cpu_fxsr)
+			addr->sv_xmm.sv_env.en_mxcsr &= 0xFFFF;
 		/*
 		 * XXX we violate the dubious requirement that npxsetregs()
 		 * be called with interrupts disabled.
--- a/sys/i386/i386/ptrace_machdep.c
+++ b/sys/i386/i386/ptrace_machdep.c
@ -59,6 +59,8 @@ cpu_ptrace(struct thread *td, int req, void *addr, int data)
 	case PT_SETXMMREGS:
 		error = copyin(addr, &td->td_pcb->pcb_save.sv_xmm,
 		    sizeof(td->td_pcb->pcb_save.sv_xmm));
+		/* clear high 16 bits of mxcsr to avoid security problem. */
+		td->td_pcb->pcb_save.sv_xmm.sv_env.en_mxcsr &= 0xFFFF;
 		break;

 	default: