diff options
| author | David Xu <davidxu@FreeBSD.org> | 2006-05-28 06:51:57 +0000 |
|---|---|---|
| committer | David Xu <davidxu@FreeBSD.org> | 2006-05-28 06:51:57 +0000 |
| commit | 4f56cbcbd564c16d72eaea9faeba60e14eadd0b7 (patch) | |
| tree | 7bdcfa75af80577efab5a44b84aa998c37617b90 /sys/i386/i386/ptrace_machdep.c | |
| parent | fd6f84b1df44d56e634fc5807cdb5c5a885a449f (diff) | |
| download | src-4f56cbcbd564c16d72eaea9faeba60e14eadd0b7.tar.gz src-4f56cbcbd564c16d72eaea9faeba60e14eadd0b7.zip | |
Clear high 16 bits of mxcsr register, according to Intel document, if
the high 16 bits is non-zero, fxrstor instruction will generate GP fault,
resulting kernel crash, this bug can be triggered by setcontext and
ptrace(PT_SETXMMREGS).
Notes
Notes:
svn path=/head/; revision=159000
Diffstat (limited to 'sys/i386/i386/ptrace_machdep.c')
| -rw-r--r-- | sys/i386/i386/ptrace_machdep.c | 2 |
1 files changed, 2 insertions, 0 deletions
diff --git a/sys/i386/i386/ptrace_machdep.c b/sys/i386/i386/ptrace_machdep.c index 32105d6a6d88..b002651bf10e 100644 --- a/sys/i386/i386/ptrace_machdep.c +++ b/sys/i386/i386/ptrace_machdep.c @@ -59,6 +59,8 @@ cpu_ptrace(struct thread *td, int req, void *addr, int data) case PT_SETXMMREGS: error = copyin(addr, &td->td_pcb->pcb_save.sv_xmm, sizeof(td->td_pcb->pcb_save.sv_xmm)); + /* clear high 16 bits of mxcsr to avoid security problem. */ + td->td_pcb->pcb_save.sv_xmm.sv_env.en_mxcsr &= 0xFFFF; break; default: |