Fix a problem where zero-length RDATA fields can cause named(8) to crash.
[12:03] Correct a privilege escalation when returning from kernel if running FreeBSD/amd64 on non-AMD processors. [12:04] Fix reference count errors in IPv6 code. [EN-12:02] Security: CVE-2012-1667 Security: FreeBSD-SA-12:03.bind Security: CVE-2012-0217 Security: FreeBSD-SA-12:04.sysret Security: FreeBSD-EN-12:02.ipv6refcount Approved by: so (simon, bz)
This commit is contained in:
parent
2836cfaf80
commit
5f1573508a
@ -972,4 +972,21 @@ amd64_syscall(struct thread *td, int traced)
|
||||
syscallname(td->td_proc, sa.code)));
|
||||
|
||||
syscallret(td, error, &sa);
|
||||
|
||||
/*
|
||||
* If the user-supplied value of %rip is not a canonical
|
||||
* address, then some CPUs will trigger a ring 0 #GP during
|
||||
* the sysret instruction. However, the fault handler would
|
||||
* execute with the user's %gs and %rsp in ring 0 which would
|
||||
* not be safe. Instead, preemptively kill the thread with a
|
||||
* SIGBUS.
|
||||
*/
|
||||
if (td->td_frame->tf_rip >= VM_MAXUSER_ADDRESS) {
|
||||
ksiginfo_init_trap(&ksi);
|
||||
ksi.ksi_signo = SIGBUS;
|
||||
ksi.ksi_code = BUS_OBJERR;
|
||||
ksi.ksi_trapno = T_PROTFLT;
|
||||
ksi.ksi_addr = (void *)td->td_frame->tf_rip;
|
||||
trapsignal(td, &ksi);
|
||||
}
|
||||
}
|
||||
|
Loading…
x
Reference in New Issue
Block a user