From 2d220d40d825a66f63f9c1f6044435a78b09abd3 Mon Sep 17 00:00:00 2001 From: kib Date: Wed, 13 Nov 2019 22:39:46 +0000 Subject: [PATCH] amd64: only set PCB_FULL_IRET pcb flag when #gp or similar exception comes from usermode. If CPU supports RDFSBASE, the flag also means that userspace fsbase and gsbase are already written into pcb, which might be not true when we handle #gp from kernel. The offender is rdmsr_safe(), and the visible result is corrupted userspace TLS base. Reported by: pstef Sponsored by: The FreeBSD Foundation MFC after: 3 days --- sys/amd64/amd64/exception.S | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/sys/amd64/amd64/exception.S b/sys/amd64/amd64/exception.S index 6a0b09a474f2..68a87d36d540 100644 --- a/sys/amd64/amd64/exception.S +++ b/sys/amd64/amd64/exception.S @@ -497,8 +497,8 @@ prot_addrf: 3: cmpw $KUG32SEL,TF_GS(%rsp) jne 4f movq %rdx,PCB_GSBASE(%rdi) + orl $PCB_FULL_IRET,PCB_FLAGS(%rdi) /* full iret from user #gp */ 4: call handle_ibrs_entry - orl $PCB_FULL_IRET,PCB_FLAGS(%rdi) /* always full iret from GPF */ movw %es,TF_ES(%rsp) movw %ds,TF_DS(%rsp) testl $PSL_I,TF_RFLAGS(%rsp)