CVE-2012-0217 Intel's sysret Kernel Privilege Escalation and
FreeBSD 6.2/6.3
Bill Crisp
bcrisp at crispernetworks.com
Wed Jul 18 20:26:59 UTC 2012
Xin,
Thanks for the reply!
Unfortunately I tried to put the code from the patch in place, but there
seem to be some missing functions in the header file, too many
arguments to a function, and some other errors, shown below:
../../../amd64/amd64/trap.c: In function `syscall':
../../../amd64/amd64/trap.c:884: warning: implicit declaration of function `ksiginfo_init_trap'
../../../amd64/amd64/trap.c:884: warning: nested extern declaration of `ksiginfo_init_trap'
../../../amd64/amd64/trap.c:884: error: `ksi' undeclared (first use in this function)
../../../amd64/amd64/trap.c:884: error: (Each undeclared identifier is reported only once
../../../amd64/amd64/trap.c:884: error: for each function it appears in.)
../../../amd64/amd64/trap.c:886: error: `BUS_OBJERR' undeclared (first use in this function)
../../../amd64/amd64/trap.c:889: error: too few arguments to function `trapsignal'
*** Error code 1
I can possibly take a stab at writing something to handle this...but I
don't write in C very often and I am sure others are much more experienced
in the FreeBSD kernel than I am.
If anyone can help further please let me know.
Thanks!
On Thu, Jul 12, 2012 at 6:11 PM, Xin Li <delphij at delphij.net> wrote:
> On 07/12/12 09:36, Bill Crisp wrote:
>
>> Good Morning!
>>
>> This was also posted to the FreeBSD forums:
>>
>> I have been researching CVE-2012-0217 and, while I have patched the kernels
>> on servers with 7.3/8.2 that I have, I would like to see if anyone knows
>> for sure if 6.2/6.3 are also vulnerable. I am aware that those kernels are
>> out of support from looking at the documentation. I have looked at the code
>> in trap.c to see if the current patch would work with 6.3 source, but it
>> won't based on what I saw. I am also aware of upgrading as an option to
>> resolve this; unfortunately, in some cases I have, this is not possible right
>> now.
>>
> I believe that 6.x are vulnerable. You will have to backport the change
> (something like this against sys/amd64/amd64/trap.c, in syscall() right
> after
>
> PTRACESTOP_SC(p, td, S_PT_SCX);
>
> Add:
>
> + /*
> + * If the user-supplied value of %rip is not a canonical
> + * address, then some CPUs will trigger a ring 0 #GP during
> + * the sysret instruction. However, the fault handler would
> + * execute with the user's %gs and %rsp in ring 0 which would
> + * not be safe. Instead, preemptively kill the thread with a
> + * SIGBUS.
> + */
> + if (td->td_frame->tf_rip>= VM_MAXUSER_ADDRESS) {
> + ksiginfo_init_trap(&ksi);
> + ksi.ksi_signo = SIGBUS;
> + ksi.ksi_code = BUS_OBJERR;
> + ksi.ksi_trapno = T_PROTFLT;
> + ksi.ksi_addr = (void *)td->td_frame->tf_rip;
> + trapsignal(td,&ksi);
> + }
>
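Review bot: the hunk uses kernel API that the 6.x tree it is meant for does not provide, which is exactly what the compile errors quoted earlier in this message show: `ksi` is used without a `ksiginfo_t ksi;` declaration in syscall(), `ksiginfo_init_trap()` and `BUS_OBJERR` are undeclared, and `trapsignal(td,&ksi)` fails with "too few arguments", so trapsignal() on 6.x takes a different argument list than the two-argument ksiginfo form used here. The part that actually matters for the problem the comment describes is the guard `if (td->td_frame->tf_rip>= VM_MAXUSER_ADDRESS)` and the decision to kill the thread with SIGBUS before the sysret; a 6.x backport should keep that guard and deliver SIGBUS through the signal-delivery call that 6.x's trap.c already uses for its other faults, instead of pulling in the ksiginfo_t setup lines (`ksi.ksi_signo`, `ksi.ksi_code`, `ksi.ksi_trapno`, `ksi.ksi_addr`), which have no backing types or constants there. It would also help to say in the accompanying text which release the snippet was taken from, so readers on older branches know to expect this API mismatch.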
> Right before:
>
> WITNESS_WARN(...)
>
>
> Cheers,
>