Bug #2873

sysretq doesn't properly handle non-canonical addresses

Added by Robert Mustacchi over 6 years ago. Updated over 6 years ago.

Status: Resolved
Start date: 2012-06-14
Priority: Immediate
Due date:
Assignee: Robert Mustacchi
% Done:
Target version: -
Difficulty: Hard
Tags:


The syscall and sysret instructions expect to be given a canonical x86 address. On Intel processors it is the operating system's responsibility to verify that the address being returned to is in fact canonical. If we find that the address is not canonical, instead of taking the normal fast path, which would have us execute a sysret, we should instead go through the longer syscall exit path that we normally take when we have to handle things like signals. That path exits with an iretq, which can handle a non-canonical address.
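The check the report describes, written out as a small C example. This is an added illustration, not code from the illumos fix referenced below: `is_canonical()` tests whether the high bits of a virtual address are a sign extension of the topmost implemented bit, and `select_return_path()` maps that result onto the two kernel exit paths the report names (the fast `sysret` path and the slower `iretq` path). The 48-bit virtual address width is an assumption matching 4-level paging; the function takes the width as a parameter so the same test generalizes to 57-bit (5-level) addressing.

```c
#include <stdint.h>
#include <stdbool.h>
#include <stdio.h>

/* Assumed width of the implemented virtual address space (4-level paging). */
#define VA_BITS_4LEVEL 48
/* Width under 5-level paging, shown only to demonstrate the general rule. */
#define VA_BITS_5LEVEL 57

/*
 * A canonical x86-64 address has bits [63 : va_bits-1] all equal to bit
 * va_bits-1, i.e. the top of the address is a sign extension of the most
 * significant implemented bit.  Everything else is non-canonical.
 */
static bool is_canonical(uint64_t va, unsigned va_bits)
{
    uint64_t sign_bit  = (uint64_t)1 << (va_bits - 1);
    uint64_t high_mask = ~(sign_bit - 1);     /* bits va_bits-1 .. 63 */
    uint64_t high      = va & high_mask;

    return high == 0 || high == high_mask;
}

/* The two ways the kernel can return to user mode, as described in the report. */
enum return_path {
    RETURN_SYSRET,   /* fast path: only safe for a canonical user RIP */
    RETURN_IRET      /* slow path: iretq copes with a non-canonical RIP */
};

/*
 * Decide how to leave the kernel for a given user return address.  A
 * non-canonical RIP is steered onto the iretq path instead of sysret, which
 * is exactly the software check the bug asks for on Intel CPUs.
 */
static enum return_path select_return_path(uint64_t user_rip, unsigned va_bits)
{
    return is_canonical(user_rip, va_bits) ? RETURN_SYSRET : RETURN_IRET;
}

/* Constructed sample return addresses for demonstration. */
static const uint64_t sample_rips[] = {
    0x00007fffffffffffULL,   /* top of the user half, canonical */
    0x0000800000000000ULL,   /* first address in the 48-bit hole */
    0xffff7fffffffffffULL,   /* last address in the 48-bit hole */
    0xffff800000000000ULL,   /* start of the kernel half, canonical */
};

int main(void)
{
    for (size_t i = 0; i < sizeof(sample_rips) / sizeof(sample_rips[0]); i++) {
        uint64_t rip = sample_rips[i];
        enum return_path p = select_return_path(rip, VA_BITS_4LEVEL);
        printf("rip=0x%016llx canonical=%d path=%s\n",
               (unsigned long long)rip,
               is_canonical(rip, VA_BITS_4LEVEL),
               p == RETURN_SYSRET ? "sysret" : "iretq");
    }
    return 0;
}
```

Note that the address hole moves with the paging mode: `0x0000800000000000` is non-canonical under 48-bit addressing but canonical under 57-bit addressing, so the width must match what the CPU is actually running with.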

Related issues

Duplicated by illumos gate - Bug #2890: SYSRET 64-bit operating system privilege escalation vulnerability on Intel CPU hardware Closed 2012-06-17


#1 Updated by Rich Lowe over 6 years ago

  • Status changed from New to Resolved
  • % Done changed from 90 to 100

Resolved in r13724 commit:7740792727e0
