kernel - Fix CVE-2018-8897, debug register issue

Operating Systems / DragonFlyBSD - Matthew Dillon [apollo.backplane.com] - 8 May 2018 17:00 EDT

- #DB can be delayed in a way that causes it to occur on the first instruction of the int $3 or syscall handlers. These handlers must be able to detect and handle the condition. This is a historical artifact of cpu operation that has existed for a very long time on both AMD and Intel CPUs.

- Fix by giving #DB its own trampoline stack and a way to load a deterministic %gs and %cr3 independent of the normal CS check. This is CVE-2018-8897.

- Also fix the NMI trampoline while I'm here.

- Also fix an old issue with debug register trace traps which can occur when the kernel is accessing the user's address space. This fix was lost years ago, now recovered.

Credits: Nick Peterson of Everdox Tech, LLC (original reporter) Credits: Thanks to Microsoft for coordinating the OS vendor response

85b330488d kernel - Fix CVE-2018-8897, debug register issue
sys/cpu/x86_64/include/asmacros.h | 12 +-
sys/cpu/x86_64/include/frame.h | 6 +-
sys/platform/pc64/include/globaldata.h | 16 +-
sys/platform/pc64/x86_64/exception.S | 261 +++++++++++++++++++++++++++++++--
sys/platform/pc64/x86_64/genassym.c | 3 +
sys/platform/pc64/x86_64/machdep.c | 18 ++-
sys/platform/pc64/x86_64/mp_machdep.c | 10 +-
sys/platform/pc64/x86_64/pmap.c | 4 +
sys/platform/pc64/x86_64/trap.c | 47 +++---
9 files changed, 327 insertions(+), 50 deletions(-)

Upstream: gitweb.dragonflybsd.org


  • Share