
Bug #2873

sysretq doesn't properly handle non-canonical addresses

Added by Robert Mustacchi over 7 years ago. Updated over 7 years ago.

Status: Resolved
Priority: Immediate
Category: kernel
Start date: 2012-06-14
Due date:
% Done: 100%
Estimated time:
Difficulty: Hard
Tags:

Description

The syscall and sysret instructions expect to be given a canonical x86 address when called. On Intel processors it is the expectation of the operating system to verify that the address is in fact canonical. If we find that the address is not canonical, instead of taking the normal fast path which would have us execute a sysret, we should instead go through the longer syscall path which we normally enter when we have to handle things like signals. This causes us to instead exit with an iretq which can handle the non-canonical address.
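The canonicality check the description says the kernel must perform before taking the sysret fast path, as an added example (not illumos code): with 48-bit virtual addressing, an address is canonical only if bits 63..47 are all copies of bit 47; `is_canonical_va`, `choose_return_path` and the 48-bit width are assumptions for illustration.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Assumed 48-bit virtual address width (4-level paging). */
#define VA_BITS 48

/*
 * A 64-bit address is canonical when bits 63..(VA_BITS-1) are all equal,
 * i.e. the value is a clean sign-extension of its low VA_BITS bits.
 */
static bool is_canonical_va(uint64_t va)
{
    uint64_t top = va >> (VA_BITS - 1);              /* bits 63..47 */
    uint64_t all_ones = (1ULL << (64 - VA_BITS + 1)) - 1;
    return top == 0 || top == all_ones;
}

enum return_path { RETURN_SYSRET, RETURN_IRET };

/*
 * Hypothetical dispatch mirroring the fix described above: only a
 * canonical user return RIP may take the sysret fast path; anything
 * else goes through the slow path that exits with iretq.
 */
static enum return_path choose_return_path(uint64_t user_rip)
{
    return is_canonical_va(user_rip) ? RETURN_SYSRET : RETURN_IRET;
}

int main(void)
{
    /* Constructed sample return addresses covering the boundaries. */
    const uint64_t samples[] = {
        0x0000000000400000ULL, /* typical user text: canonical */
        0x00007fffffffffffULL, /* top of lower half: canonical */
        0x0000800000000000ULL, /* first non-canonical address */
        0xffff7fffffffffffULL, /* last non-canonical address */
        0xffff800000000000ULL, /* bottom of upper half: canonical */
    };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        printf("%#018llx -> %s\n", (unsigned long long)samples[i],
               choose_return_path(samples[i]) == RETURN_SYSRET ? "sysret"
                                                                : "iretq");
    }
    return 0;
}
```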


Related issues

Has duplicate: illumos gate - Bug #2890: SYSRET 64-bit operating system privilege escalation vulnerability on Intel CPU hardware (Closed, 2012-06-17)

History

#1

Updated by Rich Lowe over 7 years ago

  • Status changed from New to Resolved
  • % Done changed from 90 to 100

Resolved in r13724 commit:7740792727e0