Fix a problem where zero-length RDATA fields can cause named(8) to crash. [12:03]

Correct a privilege escalation when returning from kernel if
running FreeBSD/amd64 on non-AMD processors. [12:04]

Fix reference count errors in IPv6 code. [EN-12:02]

Security:	CVE-2012-1667
Security:	FreeBSD-SA-12:03.bind
Security:	CVE-2012-0217
Security:	FreeBSD-SA-12:04.sysret
Security:	FreeBSD-EN-12:02.ipv6refcount
Approved by:	so (simon, bz)
bz 2012-06-12 12:10:10 +00:00
parent 2836cfaf80
commit 5f1573508a


@ -972,4 +972,21 @@ amd64_syscall(struct thread *td, int traced)
syscallname(td->td_proc, sa.code)));
syscallret(td, error, &sa);
/*
* If the user-supplied value of %rip is not a canonical
* address, then some CPUs will trigger a ring 0 #GP during
* the sysret instruction. However, the fault handler would
* execute with the user's %gs and %rsp in ring 0 which would
* not be safe. Instead, preemptively kill the thread with a
* SIGBUS.
*/
if (td->td_frame->tf_rip >= VM_MAXUSER_ADDRESS) {
ksiginfo_init_trap(&ksi);
ksi.ksi_signo = SIGBUS;
ksi.ksi_code = BUS_OBJERR;
ksi.ksi_trapno = T_PROTFLT;
ksi.ksi_addr = (void *)td->td_frame->tf_rip;
trapsignal(td, &ksi);
}
}
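Review bot: the added block calls ksiginfo_init_trap(&ksi) and fills in ksi.ksi_signo, ksi.ksi_code, ksi.ksi_trapno and ksi.ksi_addr, but no declaration of ksi appears in the visible lines of this hunk; confirm that a `struct ksiginfo ksi;` declaration was added among the locals of amd64_syscall() (the header's +21 count exceeds the lines rendered here, so it may simply be outside what is shown). Two documentation points on the same block: the test `td->td_frame->tf_rip >= VM_MAXUSER_ADDRESS` rejects every %rip at or above the user address limit, which is a deliberately conservative superset of the non-canonical addresses the comment describes, and a sentence saying so would save a future reader from wondering why the canonical-address check is not spelled out; and since the test runs after syscallret(td, error, &sa), a short note that it inspects the frame as it will be loaded by sysret would make the placement self-explaining.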