Sat Jan 11 17:14:00 2014 UTC ()
Comment about missing stackframe member initialization (Richard Hansen)

I haven't studied the code, but I'm concerned that not initializing
sf->sf_edi could leak a few bytes of information to a new
userspace process.


(christos)
diff -r1.18 -r1.19 src/sys/arch/x86/x86/vm_machdep.c


--- src/sys/arch/x86/x86/vm_machdep.c 2013/12/01 01:05:16 1.18
+++ src/sys/arch/x86/x86/vm_machdep.c 2014/01/11 17:14:00 1.19
@@ -1,14 +1,14 @@ @@ -1,14 +1,14 @@
1/* $NetBSD: vm_machdep.c,v 1.18 2013/12/01 01:05:16 christos Exp $ */ 1/* $NetBSD: vm_machdep.c,v 1.19 2014/01/11 17:14:00 christos Exp $ */
2 2
3/*- 3/*-
4 * Copyright (c) 1982, 1986 The Regents of the University of California. 4 * Copyright (c) 1982, 1986 The Regents of the University of California.
5 * All rights reserved. 5 * All rights reserved.
6 * 6 *
7 * This code is derived from software contributed to Berkeley by 7 * This code is derived from software contributed to Berkeley by
8 * the Systems Programming Group of the University of Utah Computer 8 * the Systems Programming Group of the University of Utah Computer
9 * Science Department, and William Jolitz. 9 * Science Department, and William Jolitz.
10 * 10 *
11 * Redistribution and use in source and binary forms, with or without 11 * Redistribution and use in source and binary forms, with or without
12 * modification, are permitted provided that the following conditions 12 * modification, are permitted provided that the following conditions
13 * are met: 13 * are met:
14 * 1. Redistributions of source code must retain the above copyright 14 * 1. Redistributions of source code must retain the above copyright
@@ -70,27 +70,27 @@ @@ -70,27 +70,27 @@
70 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 70 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
71 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 71 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
72 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 72 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
73 * SUCH DAMAGE. 73 * SUCH DAMAGE.
74 * 74 *
75 * @(#)vm_machdep.c 7.3 (Berkeley) 5/13/91 75 * @(#)vm_machdep.c 7.3 (Berkeley) 5/13/91
76 */ 76 */
77 77
78/* 78/*
79 * Utah $Hdr: vm_machdep.c 1.16.1.1 89/06/23$ 79 * Utah $Hdr: vm_machdep.c 1.16.1.1 89/06/23$
80 */ 80 */
81 81
82#include <sys/cdefs.h> 82#include <sys/cdefs.h>
83__KERNEL_RCSID(0, "$NetBSD: vm_machdep.c,v 1.18 2013/12/01 01:05:16 christos Exp $"); 83__KERNEL_RCSID(0, "$NetBSD: vm_machdep.c,v 1.19 2014/01/11 17:14:00 christos Exp $");
84 84
85#include "opt_mtrr.h" 85#include "opt_mtrr.h"
86 86
87#include <sys/param.h> 87#include <sys/param.h>
88#include <sys/systm.h> 88#include <sys/systm.h>
89#include <sys/proc.h> 89#include <sys/proc.h>
90#include <sys/vnode.h> 90#include <sys/vnode.h>
91#include <sys/buf.h> 91#include <sys/buf.h>
92#include <sys/core.h> 92#include <sys/core.h>
93#include <sys/exec.h> 93#include <sys/exec.h>
94#include <sys/ptrace.h> 94#include <sys/ptrace.h>
95 95
96#include <uvm/uvm.h> 96#include <uvm/uvm.h>
@@ -218,26 +218,31 @@ cpu_lwp_fork(struct lwp *l1, struct lwp  @@ -218,26 +218,31 @@ cpu_lwp_fork(struct lwp *l1, struct lwp
218 218
219 l2->l_md.md_flags = l1->l_md.md_flags; 219 l2->l_md.md_flags = l1->l_md.md_flags;
220 l2->l_md.md_astpending = 0; 220 l2->l_md.md_astpending = 0;
221 221
222 sf = (struct switchframe *)tf - 1; 222 sf = (struct switchframe *)tf - 1;
223 223
224#ifdef __x86_64__ 224#ifdef __x86_64__
225 sf->sf_r12 = (uint64_t)func; 225 sf->sf_r12 = (uint64_t)func;
226 sf->sf_r13 = (uint64_t)arg; 226 sf->sf_r13 = (uint64_t)arg;
227 sf->sf_rip = (uint64_t)lwp_trampoline; 227 sf->sf_rip = (uint64_t)lwp_trampoline;
228 pcb2->pcb_rsp = (uint64_t)sf; 228 pcb2->pcb_rsp = (uint64_t)sf;
229 pcb2->pcb_rbp = (uint64_t)l2; 229 pcb2->pcb_rbp = (uint64_t)l2;
230#else 230#else
 231 /*
 232 * XXX Is there a reason sf->sf_edi isn't initialized here?
 233 * Could this leak potentially sensitive information to new
 234 * userspace processes?
 235 */
231 sf->sf_esi = (int)func; 236 sf->sf_esi = (int)func;
232 sf->sf_ebx = (int)arg; 237 sf->sf_ebx = (int)arg;
233 sf->sf_eip = (int)lwp_trampoline; 238 sf->sf_eip = (int)lwp_trampoline;
234 pcb2->pcb_esp = (int)sf; 239 pcb2->pcb_esp = (int)sf;
235 pcb2->pcb_ebp = (int)l2; 240 pcb2->pcb_ebp = (int)l2;
236#endif 241#endif
237} 242}
238 243
239/* 244/*
240 * cpu_lwp_free is called from exit() to let machine-dependent 245 * cpu_lwp_free is called from exit() to let machine-dependent
241 * code free machine-dependent resources. Note that this routine 246 * code free machine-dependent resources. Note that this routine
242 * must not block. 247 * must not block.
243 */ 248 */
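Review bot: The new i386 comment leaves the question open, while the cheap, answer-independent fix is to initialize the field: add `sf->sf_edi = 0;` directly before `sf->sf_esi = (int)func;` so the switchframe never carries whatever the new LWP's kernel stack held before. Whether the stale value actually reaches userspace depends on what lwp_trampoline does with %edi before the first return to user mode, which is not in view here, so zeroing it is the safe default rather than a confirmed leak fix. The amd64 branch above it likewise sets only sf_r12, sf_r13 and sf_rip; if struct switchframe (definition not in view) has further callee-saved slots, they deserve the same treatment or the same XXX note. cpu_lwp_fork starts outside the hunk.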