svn commit: r236953 - head/sys/amd64/amd64 releng/7.4 releng/7.4/contrib/bind9/lib/dns releng/7.4/sys/amd64/amd64 releng/7.4/sys/conf releng/8.1 releng/8.1/contrib/bind9/lib/dns releng/8.1/sys/amd6...
Bjoern A. Zeeb
bz at FreeBSD.org
Tue Jun 12 12:10:12 UTC 2012
Author: bz
Date: Tue Jun 12 12:10:10 2012
New Revision: 236953
URL: http://svn.freebsd.org/changeset/base/236953
Log:
Fix a problem where zero-length RDATA fields can cause named(8) to crash. [12:03]
Correct a privilege escalation when returning from kernel if running FreeBSD/amd64 on non-AMD processors. [12:04]
Fix reference count errors in IPv6 code. [EN-12:02]
Security: CVE-2012-1667
Security: FreeBSD-SA-12:03.bind
Security: CVE-2012-0217
Security: FreeBSD-SA-12:04.sysret
Security: FreeBSD-EN-12:02.ipv6refcount
Approved by: so (simon, bz)
Modified:
stable/9/sys/amd64/amd64/trap.c
Changes in other areas also in this revision:
Modified:
head/sys/amd64/amd64/trap.c
releng/7.4/UPDATING
releng/7.4/contrib/bind9/lib/dns/rdata.c
releng/7.4/contrib/bind9/lib/dns/rdataslab.c
releng/7.4/sys/amd64/amd64/trap.c
releng/7.4/sys/conf/newvers.sh
releng/8.1/UPDATING
releng/8.1/contrib/bind9/lib/dns/rdata.c
releng/8.1/contrib/bind9/lib/dns/rdataslab.c
releng/8.1/sys/amd64/amd64/trap.c
releng/8.1/sys/conf/newvers.sh
releng/8.1/sys/netinet/tcp_input.c
releng/8.1/sys/netinet6/in6.c
releng/8.1/sys/netinet6/ip6_input.c
releng/8.2/UPDATING
releng/8.2/contrib/bind9/lib/dns/rdata.c
releng/8.2/contrib/bind9/lib/dns/rdataslab.c
releng/8.2/sys/amd64/amd64/trap.c
releng/8.2/sys/conf/newvers.sh
releng/8.2/sys/netinet/tcp_input.c
releng/8.2/sys/netinet6/in6.c
releng/8.2/sys/netinet6/ip6_input.c
releng/8.3/UPDATING
releng/8.3/contrib/bind9/lib/dns/rdata.c
releng/8.3/contrib/bind9/lib/dns/rdataslab.c
releng/8.3/sys/amd64/amd64/trap.c
releng/8.3/sys/conf/newvers.sh
releng/8.3/sys/netinet/tcp_input.c
releng/8.3/sys/netinet6/in6.c
releng/8.3/sys/netinet6/ip6_input.c
releng/9.0/UPDATING
releng/9.0/contrib/bind9/lib/dns/rdata.c
releng/9.0/contrib/bind9/lib/dns/rdataslab.c
releng/9.0/sys/amd64/amd64/trap.c
releng/9.0/sys/conf/newvers.sh
releng/9.0/sys/netinet/tcp_input.c
releng/9.0/sys/netinet6/in6.c
releng/9.0/sys/netinet6/ip6_input.c
stable/7/contrib/bind9/lib/dns/rdata.c
stable/7/contrib/bind9/lib/dns/rdataslab.c
stable/7/sys/amd64/amd64/trap.c
stable/8/sys/amd64/amd64/trap.c
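To see what the sysret check in this commit actually filters, here is an added stand-alone example (not FreeBSD code and not part of this commit) that re-implements the two tests side by side: the CPU's canonical-address rule, which decides whether SYSRET faults, and the patch's `%rip >= VM_MAXUSER_ADDRESS` comparison. It assumes 48-bit virtual addresses and takes `VM_MAXUSER_ADDRESS` to be `0x0000800000000000` (the top of the lower half on FreeBSD/amd64); the sample `%rip` values are constructed, not captured from a real process.

```c
/*
 * Illustrative re-implementation (not FreeBSD code) of the return-path
 * check added by r236953: classify a user-supplied %rip the way
 * amd64_syscall() now does, and compare that with the CPU's own notion of
 * a canonical address, which is what decides whether SYSRET raises #GP.
 */
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Assumed value of FreeBSD/amd64 VM_MAXUSER_ADDRESS (top of the 47-bit user half). */
#define VM_MAXUSER_ADDRESS 0x0000800000000000ULL

enum rip_verdict {
	RIP_USER_OK = 0,      /* canonical user address: sysret is safe */
	RIP_KERNEL_ADDR = 1,  /* canonical, but in the kernel half: rejected */
	RIP_NONCANONICAL = 2  /* bits 63..47 not all equal: sysret would #GP */
};

/* x86-64 with 48-bit virtual addresses: bits 63..47 must all be equal. */
bool rip_is_canonical(uint64_t rip)
{
	uint64_t top = rip >> 47;	/* the 17 bits 63..47 */
	return top == 0 || top == 0x1ffff;
}

/* The test the patch adds to amd64_syscall(): anything at or above the user limit. */
bool kernel_rejects_rip(uint64_t rip)
{
	return rip >= VM_MAXUSER_ADDRESS;
}

enum rip_verdict classify_rip(uint64_t rip)
{
	if (!rip_is_canonical(rip))
		return RIP_NONCANONICAL;
	if (kernel_rejects_rip(rip))
		return RIP_KERNEL_ADDR;
	return RIP_USER_OK;
}

/*
 * Safety property the patch relies on: every %rip that would make SYSRET
 * fault in ring 0 (non-canonical) is caught by the VM_MAXUSER_ADDRESS test,
 * so the SIGBUS is raised before the instruction ever executes.
 */
bool check_covers_noncanonical(const uint64_t *rips, size_t n)
{
	for (size_t i = 0; i < n; i++)
		if (!rip_is_canonical(rips[i]) && !kernel_rejects_rip(rips[i]))
			return false;
	return true;
}

/* Constructed sample values, not taken from any real process. */
static const uint64_t sample_rips[] = {
	0x0000000000400000ULL,	/* typical text segment */
	0x00007ffffffff000ULL,	/* last user page below the limit */
	0x0000800000000000ULL,	/* == VM_MAXUSER_ADDRESS, bit 47 set: non-canonical */
	0x0000dead00000000ULL,	/* junk a sigreturn/ptrace caller might plant in the frame */
	0xffff7fffffffffffULL,	/* last non-canonical value below the kernel half */
	0xffff800000000000ULL,	/* first canonical kernel address */
	0xffffffff80000000ULL,	/* kernel text: canonical, but still must be refused */
};
#define NSAMPLES (sizeof(sample_rips) / sizeof(sample_rips[0]))

int main(void)
{
	static const char *names[] = { "user-ok", "kernel-addr", "non-canonical" };

	for (size_t i = 0; i < NSAMPLES; i++)
		printf("%#018llx  canonical=%d  rejected=%d  -> %s\n",
		    (unsigned long long)sample_rips[i],
		    rip_is_canonical(sample_rips[i]),
		    kernel_rejects_rip(sample_rips[i]),
		    names[classify_rip(sample_rips[i])]);
	printf("every non-canonical rip is rejected before sysret: %s\n",
	    check_covers_noncanonical(sample_rips, NSAMPLES) ? "yes" : "NO");
	return 0;
}
```

The point the table makes is that the patch's comparison is deliberately coarser than a canonical-address test: it refuses the whole non-canonical hole plus the canonical kernel half, which is the superset a user thread should never be allowed to return to anyway.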
Modified: stable/9/sys/amd64/amd64/trap.c
==============================================================================
--- stable/9/sys/amd64/amd64/trap.c Tue Jun 12 11:08:51 2012 (r236952)
+++ stable/9/sys/amd64/amd64/trap.c Tue Jun 12 12:10:10 2012 (r236953)
@@ -977,4 +977,21 @@ amd64_syscall(struct thread *td, int tra
syscallname(td->td_proc, sa.code)));
syscallret(td, error, &sa);
+
+ /*
+ * If the user-supplied value of %rip is not a canonical
+ * address, then some CPUs will trigger a ring 0 #GP during
+ * the sysret instruction. However, the fault handler would
+ * execute with the user's %gs and %rsp in ring 0 which would
+ * not be safe. Instead, preemptively kill the thread with a
+ * SIGBUS.
+ */
+ if (td->td_frame->tf_rip >= VM_MAXUSER_ADDRESS) {
+ ksiginfo_init_trap(&ksi);
+ ksi.ksi_signo = SIGBUS;
+ ksi.ksi_code = BUS_OBJERR;
+ ksi.ksi_trapno = T_PROTFLT;
+ ksi.ksi_addr = (void *)td->td_frame->tf_rip;
+ trapsignal(td, &ksi);
+ }
}
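Review bot: the condition `td->td_frame->tf_rip >= VM_MAXUSER_ADDRESS` is broader than the comment above it says: it refuses every %rip at or above the user limit, canonical kernel-half addresses included, not only non-canonical ones. That is the right superset (a thread returning to ring 3 has no business landing in kernel space either), but the comment should state it, for instance "reject any %rip outside the user range, which covers every non-canonical value", so nobody later narrows the test to a pure canonical-address check. Two smaller things: `ksi` is used here without a visible declaration, so please confirm `struct ksiginfo ksi;` is declared earlier in amd64_syscall(); and since trapsignal() only queues the SIGBUS, a sentence noting that the return path must service the pending signal before it reaches sysret would document the assumption the check depends on.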