search:
summary | log | graphiclog1 | graphiclog2 | commit | commitdiff | tree | refs | edit | fork
(parent: e67830a) | patch
kernel - Fix CVE-2018-8897, debug register issue
commit85b330488d50cf339de9949ba74ca1faed71d996
authorMatthew Dillon <dillon@apollo.backplane.com>
Tue, 1 May 2018 03:47:20 +0000 (30 20:47 -0700)
committerMatthew Dillon <dillon@apollo.backplane.com>
Tue, 8 May 2018 17:00:20 +0000 (8 10:00 -0700)
tree113bbfa9f87eab9c5f723cd3d745ff0216978bfftree | snapshot (tar.gz zip)
parente67830ab65d8edc88185f325ce40427b8113a8a1commit | diff
kernel - Fix CVE-2018-8897, debug register issue

* #DB can be delayed in a way that causes it to occur on the first
  instruction of the int $3 or syscall handlers.  These handlers must
  be able to detect and handle the condition.  This is a historical
  artifact of cpu operation that has existed for a very long time on
  both AMD and Intel CPUs.

* Fix by giving #DB its own trampoline stack and a way to load a
  deterministic %gs and %cr3 independent of the normal CS check.
  This is CVE-2018-8897.

* Also fix the NMI trampoline while I'm here.

* Also fix an old issue with debug register trace traps which can
  occur when the kernel is accessing the user's address space.
  This fix was lost years ago, now recovered.

Credits: Nick Peterson of Everdox Tech, LLC (original reporter)
Credits: Thanks to Microsoft for coordinating the OS vendor response
sys/cpu/x86_64/include/asmacros.h diff | blob | blame | history
sys/cpu/x86_64/include/frame.h diff | blob | blame | history
sys/platform/pc64/include/globaldata.h diff | blob | blame | history
sys/platform/pc64/x86_64/exception.S diff | blob | blame | history
sys/platform/pc64/x86_64/genassym.c diff | blob | blame | history
sys/platform/pc64/x86_64/machdep.c diff | blob | blame | history
sys/platform/pc64/x86_64/mp_machdep.c diff | blob | blame | history
sys/platform/pc64/x86_64/pmap.c diff | blob | blame | history
sys/platform/pc64/x86_64/trap.c diff | blob | blame | history
DragonFly BSD