kernel - Add safety for Intel SYSRET issue

Operating Systems / DragonFlyBSD - Matthew Dillon [apollo.backplane.com] - 15 July 2014 14:37 UTC

- First, insofar as we can tell DragonFly was *NOT* vulnerable to the Intel SYSRET issue. We have a RQF_QUICKRET flag that determines if SYSRET can be used. Any heavyweight process switch, signal delivery, signal return, or set_regs() call clears this flag and forces the system call to return via IRET.

- However, the ptrace() path is a bit convoluted. Insofar as I can tell it just won't allow %rip to be changed unless the target process is in a SSTOPped state, meaning that a heavyweight context switch must occur before the new %rip is used, which means we should be safe.

Still, we are adding a safety to ptrace_set_pc() to canonicalize the %rip anyway, to ensure that this bug cannot bite us indirectly in the future.

db2ac89 kernel - Add safety for Intel SYSRET issue
sys/platform/pc64/x86_64/machdep.c | 11 ++++++++++-
1 file changed, 10 insertions(+), 1 deletion(-)

Upstream: gitweb.dragonflybsd.org
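The safety described in the commit is a canonicalization of the program counter before it can ever reach a SYSRET. The background fact is that on Intel CPUs SYSRET raises a general-protection fault while still in kernel mode if the return %rip is non-canonical, so any path that lets an outside party set %rip (ptrace here) is worth guarding. The following is an added illustration, not DragonFly's code and not the actual ptrace_set_pc() change: it models a check that a set-pc path could apply, assuming the 48-bit virtual address space of current x86_64 implementations (an address is canonical when bits 63:48 are all copies of bit 47). The function names and the 48-bit constant are assumptions of this example.

```c
#include <stdint.h>
#include <stdbool.h>
#include <stdio.h>

/* Assumption of this example: 48-bit virtual addresses (4-level paging). */
#define VA_BITS 48

/* True when bits 63:48 are all copies of bit 47, i.e. the address is
 * canonical and would not fault a SYSRET on Intel. The arithmetic right
 * shift on int64_t is implementation-defined in ISO C but is sign-extending
 * on every mainstream compiler. */
static bool is_canonical(uint64_t va)
{
    int64_t top = (int64_t)va >> (VA_BITS - 1);
    return top == 0 || top == -1;
}

/* Sign-extend from bit 47, which is what "canonicalize %rip" means in
 * practice: bits above the implemented width are forced to match bit 47. */
static uint64_t canonicalize(uint64_t va)
{
    const int shift = 64 - VA_BITS;
    return (uint64_t)(((int64_t)(va << shift)) >> shift);
}

/* Hypothetical model of a guarded "set program counter" path (not the real
 * ptrace_set_pc()). The value actually installed is always canonical; the
 * return value tells the caller whether the requested %rip had to be fixed
 * up, which is a useful signal to log or to reject with an error. */
static bool set_pc_checked(uint64_t requested_rip, uint64_t *installed_rip)
{
    uint64_t fixed = canonicalize(requested_rip);
    *installed_rip = fixed;
    return fixed == requested_rip;   /* false: caller supplied a non-canonical %rip */
}

int main(void)
{
    /* Constructed sample values, not taken from any real process. */
    const uint64_t samples[] = {
        0x00007fffffffe000ULL,   /* typical user-space address: canonical */
        0xffffffff80000000ULL,   /* typical kernel address: canonical */
        0x0000800000000000ULL,   /* bit 47 set, upper bits clear: non-canonical */
        0x0000ffff12345678ULL,   /* another non-canonical value */
    };
    for (size_t i = 0; i < sizeof(samples) / sizeof(samples[0]); i++) {
        uint64_t installed;
        bool ok = set_pc_checked(samples[i], &installed);
        printf("%016llx canonical=%d installed=%016llx\n",
               (unsigned long long)samples[i], ok ? 1 : 0,
               (unsigned long long)installed);
    }
    return 0;
}
```

A kernel would normally either refuse the request outright or install the canonicalized value; either way the point is that the non-canonical %rip never survives to the SYSRET instruction. The same check can be applied at any other place that accepts a user-supplied instruction pointer, not only ptrace.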
