Bug #11068

Fixes for FreeBSD IRET handling vulnerability

Added by Xin Li about 5 years ago. Updated about 4 years ago.

Status: Resolved
Priority: Expected
Assignee: Xin Li
Category: OS
Target version:
Severity: New
Reason for Closing:
Reason for Blocked:
Needs QA: Yes
Needs Doc: Yes
Needs Merging: Yes
Needs Automation: No
Support Suite Ticket: n/a
Hardware Configuration:
ChangeLog Required: No

Associated revisions

Revision 5a6bbadd (diff)
Added by kib about 5 years ago

MFC r275833: The iret instruction may generate #np and #ss faults, besides #gp. When returning to usermode, the handler for those exceptions is also executed with wrong gs base. Handle all three possible faults in the same way, checking for iret fault, and performing full iret. (cherry picked from commit 508ce1326999a5fc7b23accd5fba61ae05bd2bfd) Ticket: #11068

Revision 65476a14 (diff)
Added by kib about 5 years ago

MFC r280780: The #ss fault handler erroneously does not check for the fault originated from the return to usermode. #ss must be handled same as (cherry picked from commit 04ff21438ddbf8374be059d3bbedbddfaf46fba3) Ticket: #11068

Revision 2cbde20b (diff)
Added by kib about 5 years ago

MFC r280781: Make it possible for the signal handler to act on #ss. (cherry picked from commit de2f133df48b2d694d41fd6206face0bc99b173d) Ticket: #11068

Revision 1158ed8c (diff)
Added by kib about 5 years ago

MFC r275833: The iret instruction may generate #np and #ss faults, besides #gp. When returning to usermode, the handler for those exceptions is also executed with wrong gs base. Handle all three possible faults in the same way, checking for iret fault, and performing full iret. (cherry picked from commit 508ce1326999a5fc7b23accd5fba61ae05bd2bfd) Ticket: #11068 (cherry picked from commit 5a6bbadd48111763c2b11f175aebccbff9b6bdce)

Revision 730678db (diff)
Added by kib about 5 years ago

MFC r280780: The #ss fault handler erroneously does not check for the fault originated from the return to usermode. #ss must be handled same as (cherry picked from commit 04ff21438ddbf8374be059d3bbedbddfaf46fba3) Ticket: #11068 (cherry picked from commit 65476a14a6d365e75300a6575411bbf603e761b8)

Revision e56b3493 (diff)
Added by kib about 5 years ago

MFC r280781: Make it possible for the signal handler to act on #ss. (cherry picked from commit de2f133df48b2d694d41fd6206face0bc99b173d) Ticket: #11068 (cherry picked from commit 2cbde20bdda68e3ab4f4e936047e1ae6f3977042)

Revision c17ae205 (diff)
Added by kib about 5 years ago

MFC r275833: The iret instruction may generate #np and #ss faults, besides #gp. When returning to usermode, the handler for those exceptions is also executed with wrong gs base. Handle all three possible faults in the same way, checking for iret fault, and performing full iret. (cherry picked from commit 508ce1326999a5fc7b23accd5fba61ae05bd2bfd) Ticket: #11068 (cherry picked from commit 5a6bbadd48111763c2b11f175aebccbff9b6bdce)

Revision 1227728f (diff)
Added by kib about 5 years ago

MFC r280780: The #ss fault handler erroneously does not check for the fault originated from the return to usermode. #ss must be handled same as (cherry picked from commit 04ff21438ddbf8374be059d3bbedbddfaf46fba3) Ticket: #11068 (cherry picked from commit 65476a14a6d365e75300a6575411bbf603e761b8)

Revision 8e784096 (diff)
Added by kib about 5 years ago

MFC r280781: Make it possible for the signal handler to act on #ss. (cherry picked from commit de2f133df48b2d694d41fd6206face0bc99b173d) Ticket: #11068 (cherry picked from commit 2cbde20bdda68e3ab4f4e936047e1ae6f3977042)

Revision 2744d345 (diff)
Added by kib about 5 years ago

MFC r275833: The iret instruction may generate #np and #ss faults, besides #gp. When returning to usermode, the handler for those exceptions is also executed with wrong gs base. Handle all three possible faults in the same way, checking for iret fault, and performing full iret. (cherry picked from commit 508ce1326999a5fc7b23accd5fba61ae05bd2bfd) Ticket: #11068 (cherry picked from commit 5a6bbadd48111763c2b11f175aebccbff9b6bdce)

Revision 20c109a6 (diff)
Added by kib about 5 years ago

MFC r280780: The #ss fault handler erroneously does not check for the fault originated from the return to usermode. #ss must be handled same as (cherry picked from commit 04ff21438ddbf8374be059d3bbedbddfaf46fba3) Ticket: #11068 (cherry picked from commit 65476a14a6d365e75300a6575411bbf603e761b8)

Revision f13154d3 (diff)
Added by kib about 5 years ago

MFC r280781: Make it possible for the signal handler to act on #ss. (cherry picked from commit de2f133df48b2d694d41fd6206face0bc99b173d) Ticket: #11068 (cherry picked from commit 2cbde20bdda68e3ab4f4e936047e1ae6f3977042)

Revision fd57b8fa (diff)
Added by kib about 5 years ago

MFC r275833: The iret instruction may generate #np and #ss faults, besides #gp. When returning to usermode, the handler for those exceptions is also executed with wrong gs base. Handle all three possible faults in the same way, checking for iret fault, and performing full iret. (cherry picked from commit 508ce1326999a5fc7b23accd5fba61ae05bd2bfd) Ticket: #11068 (cherry picked from commit 5a6bbadd48111763c2b11f175aebccbff9b6bdce)

Revision dad1cabf (diff)
Added by kib about 5 years ago

MFC r280780: The #ss fault handler erroneously does not check for the fault originated from the return to usermode. #ss must be handled same as (cherry picked from commit 04ff21438ddbf8374be059d3bbedbddfaf46fba3) Ticket: #11068 (cherry picked from commit 65476a14a6d365e75300a6575411bbf603e761b8)

Revision 9540d1ca (diff)
Added by kib about 5 years ago

MFC r280781: Make it possible for the signal handler to act on #ss. (cherry picked from commit de2f133df48b2d694d41fd6206face0bc99b173d) Ticket: #11068 (cherry picked from commit 2cbde20bdda68e3ab4f4e936047e1ae6f3977042)

History

#1 Updated by Xin Li about 5 years ago

  • Status changed from Fix In Progress to Ready For Release
  • % Done changed from 0 to 100

Merges are done; there is another pending SA (SSH).

#2 Updated by Jordan Hubbard about 5 years ago

  • Status changed from Ready For Release to Resolved

#3 Updated by Xin Li about 5 years ago

  • Private changed from Yes to No
  • Seen in changed from to 9.3-STABLE-201506292332

#4 Updated by Kris Moore about 4 years ago

  • Target version changed from Unspecified to N/A
