Remove the osyscall call gate on i386, and emulate it. There is a one-

instruction race in it that could panic the kernel.
2017-07-01 10:44:42 +00:00 · 2017-07-01 10:44:42 +00:00 · 0d77f0b10f
parent 75d298ab97
commit 0d77f0b10f
4 changed files with 29 additions and 41 deletions
--- a/sys/arch/amd64/amd64/locore.S
+++ b/sys/arch/amd64/amd64/locore.S
@ -1,4 +1,4 @@
-/*	$NetBSD: locore.S,v 1.123 2017/03/25 15:07:21 maxv Exp $	*/
+/*	$NetBSD: locore.S,v 1.124 2017/07/01 10:44:42 maxv Exp $	*/

 /*
 * Copyright-o-rama!
@ -1409,7 +1409,6 @@ IDTVEC(osyscall)
 	addq $0x10,%rsp
 #endif
 	pushq	$2		/* size of instruction for restart */
-osyscall1:
 	pushq	$T_ASTFLT	/* trap # for doing ASTs */
 	INTRENTRY
 	STI(si)
--- a/sys/arch/i386/i386/locore.S
+++ b/sys/arch/i386/i386/locore.S
@ -1,4 +1,4 @@
-/*	$NetBSD: locore.S,v 1.145 2017/02/02 19:12:09 maxv Exp $	*/
+/*	$NetBSD: locore.S,v 1.146 2017/07/01 10:44:42 maxv Exp $	*/

 /*
 * Copyright-o-rama!
@ -128,7 +128,7 @@
 */

 #include <machine/asm.h>
-__KERNEL_RCSID(0, "$NetBSD: locore.S,v 1.145 2017/02/02 19:12:09 maxv Exp $");
+__KERNEL_RCSID(0, "$NetBSD: locore.S,v 1.146 2017/07/01 10:44:42 maxv Exp $");

 #include "opt_compat_oldboot.h"
 #include "opt_copy_symtab.h"
@ -1238,23 +1238,6 @@ ENTRY(savectx)
 	ret
 END(savectx)

-/*
- * osyscall()
- *
- * Old call gate entry for syscall
- */
-IDTVEC(osyscall)
-#ifndef XEN
-	/* XXX we are in trouble! interrupts be off here. */
-	cli			/* must be first instruction */
-#endif
-	pushfl			/* set eflags in trap frame */
-	popl	8(%esp)
-	orl	$PSL_I,8(%esp)	/* re-enable ints on return to user */
-	pushl	$7		/* size of instruction for restart */
-	jmp	syscall1
-IDTVEC_END(osyscall)
-
 /*
 * syscall()
 *
@ -1262,7 +1245,6 @@ IDTVEC_END(osyscall)
 */
 IDTVEC(syscall)
 	pushl	$2		/* size of instruction for restart */
-syscall1:
 	pushl	$T_ASTFLT	/* trap # for doing ASTs */
 	INTRENTRY
 	STI(%eax)
--- a/sys/arch/i386/i386/machdep.c
+++ b/sys/arch/i386/i386/machdep.c
@ -1,4 +1,4 @@
-/*	$NetBSD: machdep.c,v 1.782 2017/03/24 17:09:36 maxv Exp $	*/
+/*	$NetBSD: machdep.c,v 1.783 2017/07/01 10:44:42 maxv Exp $	*/

 /*-
 * Copyright (c) 1996, 1997, 1998, 2000, 2004, 2006, 2008, 2009
@ -67,7 +67,7 @@
 */

 #include <sys/cdefs.h>
-__KERNEL_RCSID(0, "$NetBSD: machdep.c,v 1.782 2017/03/24 17:09:36 maxv Exp $");
+__KERNEL_RCSID(0, "$NetBSD: machdep.c,v 1.783 2017/07/01 10:44:42 maxv Exp $");

 #include "opt_beep.h"
 #include "opt_compat_ibcs2.h"
@ -933,7 +933,6 @@ setsegment(struct segment_descriptor *sd, const void *base, size_t limit,
 #define	IDTVEC(name)	__CONCAT(X, name)
 typedef void (vector)(void);
 extern vector IDTVEC(syscall);
-extern vector IDTVEC(osyscall);
 extern vector *IDTVEC(exceptions)[];
 extern vector IDTVEC(svr4_fasttrap);
 void (*svr4_fasttrap_vec)(void) = (void (*)(void))nullop;
@ -1290,14 +1289,9 @@ init386(paddr_t first_avail)
 #endif /* XEN */

 	/* make ldt gates and memory segments */
-	setgate(&ldtstore[LSYS5CALLS_SEL].gd, &IDTVEC(osyscall), 1,
-	    SDT_SYS386CGT, SEL_UPL, GSEL(GCODE_SEL, SEL_KPL));
-
 	ldtstore[LUCODE_SEL] = gdtstore[GUCODE_SEL];
 	ldtstore[LUCODEBIG_SEL] = gdtstore[GUCODEBIG_SEL];
 	ldtstore[LUDATA_SEL] = gdtstore[GUDATA_SEL];
-	ldtstore[LSOL26CALLS_SEL] = ldtstore[LBSDICALLS_SEL] =
-	    ldtstore[LSYS5CALLS_SEL];

 #ifndef XEN
 	/* exceptions */
--- a/sys/arch/i386/i386/trap.c
+++ b/sys/arch/i386/i386/trap.c
@ -1,5 +1,5 @@

-/*	$NetBSD: trap.c,v 1.287 2017/03/18 13:39:23 maxv Exp $	*/
+/*	$NetBSD: trap.c,v 1.288 2017/07/01 10:44:42 maxv Exp $	*/

 /*-
 * Copyright (c) 1998, 2000, 2005, 2006, 2007, 2008 The NetBSD Foundation, Inc.
@ -69,7 +69,7 @@
 */

 #include <sys/cdefs.h>
-__KERNEL_RCSID(0, "$NetBSD: trap.c,v 1.287 2017/03/18 13:39:23 maxv Exp $");
+__KERNEL_RCSID(0, "$NetBSD: trap.c,v 1.288 2017/07/01 10:44:42 maxv Exp $");

 #include "opt_ddb.h"
 #include "opt_kgdb.h"
@ -78,6 +78,7 @@ __KERNEL_RCSID(0, "$NetBSD: trap.c,v 1.287 2017/03/18 13:39:23 maxv Exp $");
 #include "opt_vm86.h"
 #include "opt_xen.h"
 #include "opt_dtrace.h"
+#include "opt_compat_netbsd.h"

 #include <sys/param.h>
 #include <sys/systm.h>
@ -250,8 +251,7 @@ trap(struct trapframe *frame)
 	struct lwp *l = curlwp;
 	struct proc *p;
 	struct pcb *pcb;
-	extern char fusubail[], kcopy_fault[], return_address_fault[],
-	    IDTVEC(osyscall)[];
+	extern char fusubail[], kcopy_fault[], return_address_fault[];
 	struct trapframe *vframe;
 	ksiginfo_t ksi;
 	void *onfault;
@ -418,6 +418,26 @@ kernelfault:
 		/* NOTREACHED */

 	case T_PROTFLT|T_USER:		/* protection fault */
+#if defined(COMPAT_10)
+	{
+		static const char lcall[7] = { 0x9a, 0, 0, 0, 0, 7, 0 };
+		const size_t sz = sizeof(lcall);
+		char tmp[sz];
+
+		/* Check for the osyscall lcall instruction. */
+		if (frame->tf_eip < VM_MAXUSER_ADDRESS - sz &&
+		    copyin((void *)frame->tf_eip, tmp, sz) == 0 &&
+		    memcmp(tmp, lcall, sz) == 0) {
+
+			/* Advance past the lcall. */
+			frame->tf_eip += sz;
+
+			/* Do the syscall. */
+			p->p_md.md_syscall(frame);
+			goto out;
+		}
+	}
+#endif
 	case T_TSSFLT|T_USER:
 	case T_SEGNPFLT|T_USER:
 	case T_STKFLT|T_USER:
@ -710,13 +730,6 @@ faultcommon:
 		if (x86_dbregs_user_trap())
 			break;

-		/* Check whether they single-stepped into a lcall. */
-		if (frame->tf_eip == (int)IDTVEC(osyscall))
-			return;
-		if (frame->tf_eip == (int)IDTVEC(osyscall) + 1) {
-			frame->tf_eflags &= ~PSL_T;
-			return;
-		}
 		goto we_re_toast;

 	case T_BPTFLT|T_USER:		/* bpt instruction fault */