CVE-2012-0217 Intel's sysret Kernel Privilege Escalation and FreeBSD 6.2/6.3

Xin Li delphij at delphij.net
Thu Jul 12 22:11:41 UTC 2012


On 07/12/12 09:36, Bill Crisp wrote:
> Good Morning!
>
> This was also posted to the FreeBSD forums:
>
> I have been researching CVE-2012-0217, and while I have patched the kernels
> on the 7.3/8.2 servers that I have, I would like to see if anyone knows
> for sure whether 6.2/6.3 are also vulnerable. I am aware from the
> documentation that those kernels are out of support. I have looked at the
> code in trap.c to see if the current patch would work with the 6.3 source,
> but it won't, based on what I saw. I am also aware of upgrading as an option
> to resolve this; unfortunately, in some cases I have, this is not possible
> right now.
I believe that 6.x is vulnerable.  You will have to backport the change;
something like this against sys/amd64/amd64/trap.c, in syscall(), right
after

  	PTRACESTOP_SC(p, td, S_PT_SCX);

Add:

+	/*
+	 * If the user-supplied value of %rip is not a canonical
+	 * address, then some CPUs will trigger a ring 0 #GP during
+	 * the sysret instruction.  However, the fault handler would
+	 * execute with the user's %gs and %rsp in ring 0 which would
+	 * not be safe.  Instead, preemptively kill the thread with a
+	 * SIGBUS.
+	 */
+	if (td->td_frame->tf_rip>= VM_MAXUSER_ADDRESS) {
+		ksiginfo_init_trap(&ksi);
+		ksi.ksi_signo = SIGBUS;
+		ksi.ksi_code = BUS_OBJERR;
+		ksi.ksi_trapno = T_PROTFLT;
+		ksi.ksi_addr = (void *)td->td_frame->tf_rip;
+		trapsignal(td,&ksi);
+	}

Right before:

	WITNESS_WARN(...)
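Review bot: the block uses `ksi` without declaring it, so the backport only compiles if syscall() in the 6.x trap.c already has `ksiginfo_t ksi;` among its locals (it should, for the PSL_T trace-trap case a few lines up; verify before building). Two spaces were lost when the lines were pasted: style(9) wants `if (td->td_frame->tf_rip >= VM_MAXUSER_ADDRESS) {` and `trapsignal(td, &ksi);`. The placement described above should be kept exactly: doing the check after `PTRACESTOP_SC(p, td, S_PT_SCX)` means a debugger that rewrites %rip at the syscall-exit stop is covered too, whereas a check before that stop would let the rewritten value reach sysret. Comparing against VM_MAXUSER_ADDRESS rather than testing canonical form directly is sufficient because every non-canonical %rip lies above the user address range; it also rejects kernel addresses, which a thread returning to ring 3 must never be handed in any case.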


Cheers,



