socsvn commit: r269487 - soc2014/op/freebsd-base/sys/i386/i386

op at FreeBSD.org op at FreeBSD.org
Thu Jun 12 22:30:16 UTC 2014 

Author: op
Date: Thu Jun 12 22:30:15 2014
New Revision: 269487
URL: http://svnweb.FreeBSD.org/socsvn/?view=rev&rev=269487

Log:
  SMAP i386: added related trap handler
  
  git: https://github.com/opntr/opBSD/tree/op/gsoc2014/smap
  
  Signed-off-by: Oliver Pinter <oliver.pntr at gmail.com>
  
  

Modified:
  soc2014/op/freebsd-base/sys/i386/i386/trap.c

Modified: soc2014/op/freebsd-base/sys/i386/i386/trap.c
==============================================================================
--- soc2014/op/freebsd-base/sys/i386/i386/trap.c	Thu Jun 12 22:29:50 2014	(r269486)
+++ soc2014/op/freebsd-base/sys/i386/i386/trap.c	Thu Jun 12 22:30:15 2014	(r269487)
@@ -860,6 +860,16 @@
 		map = &vm->vm_map;
 
 		/*
+		 * If CPL < 3, SMAP protections are disabled if EFLAGS.AC = 1.
+		 * If CPL = 3, SMAP applies to all supervisor-mode data accesses
+		 *  (these are implicit supervisor accesses) regardless of the
+		 *  value of EFLAGS.AC." - Intel Ref. # 319433-014 9.3.2
+		 */
+		if (__predict_false(smap_access_violation(frame, usermode))) {
+			panic("SMAP!");
+		}
+
+		/*
 		 * When accessing a user-space address, kernel must be
 		 * ready to accept the page fault, and provide a
 		 * handling routine.  Since accessing the address
@@ -1020,6 +1030,32 @@
 		panic("unknown/reserved trap");
 }
 
+
+/*
+ * Supervisor Mode Access Prevention violation
+ *
+ * If CPL < 3, SMAP protections are disabled if EFLAGS.AC = 1.
+ * If CPL = 3, SMAP applies to all supervisor-mode data accesses
+ *  (these are implicit supervisor accesses) regardless of the
+ *  value of EFLAGS.AC." - Intel Ref. # 319433-014 9.3.2
+ */
+static bool
+smap_access_violation(struct trapframe *frame, int usermode)
+{
+	/* SMAP disabled */
+	if ((cpu_stdext_feature & CPUID_STDEXT_SMAP) == 0)
+		return (false);
+
+	/* CPL == 3 or EFLAGS.AC == 1 */
+	if (usermode || (frame->tf_rflags & PSL_AC) != 0)
+		return (false);
+
+	/*
+	 * CPL < 3 and EFLAGS.AC == 0
+	 */
+	return (true);
+}
+
 /*
  * Double fault handler. Called when a fault occurs while writing
  * a frame for a trap/exception onto the stack. This usually occurs

More information about the svn-soc-all mailing list