From 4f56cbcbd564c16d72eaea9faeba60e14eadd0b7 Mon Sep 17 00:00:00 2001
From: David Xu
Date: Sun, 28 May 2006 06:51:57 +0000
Subject: [PATCH] Clear high 16 bits of mxcsr register, according to Intel document, if the high 16 bits is non-zero, fxrstor instruction will generate GP fault, resulting kernel crash, this bug can be triggered by setcontext and ptrace(PT_SETXMMREGS).
---
 sys/i386/i386/machdep.c | 3 +++
 sys/i386/i386/ptrace_machdep.c | 2 ++
 2 files changed, 5 insertions(+)
diff --git a/sys/i386/i386/machdep.c b/sys/i386/i386/machdep.c
index 279544a778e1..ce4891f3648e 100644
--- a/sys/i386/i386/machdep.c
+++ b/sys/i386/i386/machdep.c
@@ -2710,6 +2710,9 @@ set_fpcontext(struct thread *td, const mcontext_t *mcp)
 bcopy(&mcp->mc_fpstate, addr, sizeof(mcp->mc_fpstate));
 }
 #ifdef DEV_NPX
+ /* clear high 16 bits of mxcsr to avoid security problem. */
+ if (cpu_fxsr)
+ addr->sv_xmm.sv_env.en_mxcsr &= 0xFFFF;
 /*
 * XXX we violate the dubious requirement that npxsetregs()
 * be called with interrupts disabled.
diff --git a/sys/i386/i386/ptrace_machdep.c b/sys/i386/i386/ptrace_machdep.c
index 32105d6a6d88..b002651bf10e 100644
--- a/sys/i386/i386/ptrace_machdep.c
+++ b/sys/i386/i386/ptrace_machdep.c
@@ -59,6 +59,8 @@ cpu_ptrace(struct thread *td, int req, void *addr, int data)
 case PT_SETXMMREGS:
 error = copyin(addr, &td->td_pcb->pcb_save.sv_xmm,
 sizeof(td->td_pcb->pcb_save.sv_xmm));
+ /* clear high 16 bits of mxcsr to avoid security problem. */
+ td->td_pcb->pcb_save.sv_xmm.sv_env.en_mxcsr &= 0xFFFF;
 break;
 default:
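Review bot: The `&= 0xFFFF` on the added `en_mxcsr` line in set_fpcontext is not a complete fix: MXCSR bit 6 (DAZ) is also reserved on CPUs without denormals-are-zeros support, and the Intel SDM states that FXRSTOR raises #GP for any set reserved bit, so a crafted mcontext from setcontext(2) can still panic the kernel on such CPUs. The set of writable bits is published in the MXCSR_MASK field of the FXSAVE image (a reported value of 0 means the default 0xFFBF), so the mask should be captured once at NPX probe time into a new `static u_int mxcsr_mask` and applied as `addr->sv_xmm.sv_env.en_mxcsr &= mxcsr_mask;` — or the call should fail with EINVAL rather than silently altering the caller's state. The comment should explain the mechanism instead of "security problem", e.g. `/* Reserved MXCSR bits must be clear: fxrstor raises #GP on them, which would panic the kernel on return to userland. */`. The `cpu_fxsr` guard looks right, since on a non-FXSR CPU the union presumably holds the 87-format save area and `sv_xmm` would be the wrong view (confirm against the union definition); set_fpcontext itself begins before the hunk.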
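Review bot: The same 0xFFFF mask in the PT_SETXMMREGS case leaves bit 6 (DAZ) under debugger control, and on a CPU that does not implement DAZ that bit is reserved and still makes the next FXRSTOR fault with #GP, so ptrace(2) can still crash the kernel on such hardware. Use the CPU's advertised MXCSR_MASK (from the FXSAVE image, 0xFFBF when it reads as 0) instead of a constant, `td->td_pcb->pcb_save.sv_xmm.sv_env.en_mxcsr &= mxcsr_mask;`, with the mask captured at boot, or reject the request with EINVAL when reserved bits are set. Unlike the machdep.c hunk there is no `cpu_fxsr` check here; if this case is reachable on a non-FXSR CPU (the lines above the hunk would show whether it is already rejected), the store lands in the 87-format save area, so the guard should be confirmed. The comment should name the reason, e.g. `/* Reserved MXCSR bits must be clear or fxrstor raises #GP (kernel panic). */`; cpu_ptrace starts before the hunk.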