Bug #2873

sysretq doesn't properly handle non-canonical addresses

Added by Robert Mustacchi almost 3 years ago. Updated almost 3 years ago.

Status: Resolved
Start date: 2012-06-14
Priority: Immediate
Due date:
Assignee: Robert Mustacchi
% Done: 100%
Category: kernel
Target version: -
Difficulty: Hard
Tags:

Description

The syscall and sysret instructions expect to be given a canonical x86 address when called. On Intel processors the operating system is expected to verify that the address being returned to is in fact canonical. If we find that the address is not canonical, instead of taking the normal fast path, which would have us execute a sysret, we should instead go through the longer syscall path which we normally enter when we have to handle things like signals. This causes us to instead exit with an iretq, which can handle the non-canonical address.
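The canonical-address check and the fast-path/slow-path decision described above, modelled in userland C as an added example (this is not illumos code and not the r13724 fix): `is_canonical` tests that bits 63..47 of a 64-bit address all agree, and `choose_return_path` routes a non-canonical return RIP to the iretq path instead of sysretq. The 48-bit address width, the function names and the sample addresses are assumptions. The page does not say how a non-canonical return address arises; the syscall placed in the last two bytes of the lower canonical half is one known way and is used here only as constructed input. The `va_bits` parameter generalizes the check to the 57-bit address width of 5-level paging, which goes beyond what the bug discusses.

```c
/*
 * Added example (not illumos code): the decision described in the bug,
 * modelled in userland C. All addresses below are constructed test values.
 */
#include <inttypes.h>
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Linear-address width: 48 bits with 4-level paging (assumed here). */
#define VA_BITS 48

enum return_path {
	RETURN_SYSRET,	/* fast path: sysretq */
	RETURN_IRET	/* slow path: iretq, tolerates a non-canonical RIP */
};

/*
 * A 64-bit address is canonical when bits 63..(va_bits-1) are all equal,
 * i.e. the value is the sign extension of its low va_bits bits.  Unsigned
 * arithmetic is used so the check does not rely on arithmetic right shift.
 */
bool
is_canonical(uint64_t addr, unsigned va_bits)
{
	uint64_t top = addr >> (va_bits - 1);		/* 64-va_bits+1 bits */
	uint64_t all_ones = (1ULL << (64 - va_bits + 1)) - 1;

	return (top == 0 || top == all_ones);
}

/*
 * Pick the return-to-user path.  A non-canonical return RIP must never reach
 * sysretq; it joins the slow path that is already used for signals and other
 * work that needs the full trap frame.
 */
enum return_path
choose_return_path(uint64_t user_rip, bool slow_path_needed)
{
	if (slow_path_needed)
		return (RETURN_IRET);
	if (!is_canonical(user_rip, VA_BITS))
		return (RETURN_IRET);
	return (RETURN_SYSRET);
}

/*
 * syscall is a two-byte instruction (0F 05); the CPU saves the address of
 * the following instruction in %rcx, which is what sysretq returns to.
 * A syscall in the last two bytes of the lower canonical half therefore
 * yields a return RIP of 0x0000800000000000 (constructed illustration; the
 * bug page does not describe how the address arises).
 */
enum return_path
return_path_for_syscall_at(uint64_t syscall_addr, bool slow_path_needed)
{
	return (choose_return_path(syscall_addr + 2, slow_path_needed));
}

int
main(void)
{
	/* Constructed sample inputs. */
	static const uint64_t samples[] = {
		0x00007ffffffffeffULL,	/* ordinary user text */
		0x00007ffffffffffeULL,	/* syscall ending exactly at the hole */
	};

	for (size_t i = 0; i < sizeof (samples) / sizeof (samples[0]); i++) {
		uint64_t rip = samples[i] + 2;

		printf("syscall at 0x%016" PRIx64 " -> return rip 0x%016"
		    PRIx64 " canonical=%d path=%s\n", samples[i], rip,
		    is_canonical(rip, VA_BITS),
		    return_path_for_syscall_at(samples[i], false) ==
		    RETURN_SYSRET ? "sysretq" : "iretq");
	}
	return (0);
}
```

The point of keeping the check separate from the path choice is that the fast path must be reachable only after the check has passed; anything that bypasses `choose_return_path` and executes sysretq directly reintroduces the problem.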


Related issues

duplicated by illumos gate - Bug #2890: SYSRET 64-bit operating system privilege escalation vulne... Closed 2012-06-17

History

Updated by Rich Lowe almost 3 years ago

  • Status changed from New to Resolved
  • % Done changed from 90 to 100

Resolved in r13724 commit:7740792727e0
