Google Git
Sign in
fuchsia / fuchsia / 0054a8a1162c2ea857fb02553835b804ead7b124
commit0054a8a1162c2ea857fb02553835b804ead7b124[log] [tgz]
authorMarco Vanotti <mvanotti@google.com>Tue May 05 05:50:45 2020 +0000
committerCQ bot account: commit-bot@chromium.org <commit-bot@chromium.org>Tue May 05 05:50:45 2020 +0000
tree201ed9cfb555980935b33ef520fdf4df4a57d4dc
parentc6f44c876bc00affb968f4f712d912e8673ccbf4 [diff]
[zircon][debugger] Disallow setting non-canonical rip addresses.

This CL modifies the `arch_set_general_regs` function by always checking
the `rip` for non-canonical addresses.

Without this change, callers of `zx_thread_write_state` could set the
`rip` to a non-canonical address on a suspended thread, causing the
`iretq` instruction to trigger a general protection fault.

Given that the `iretq` instruction would fail after executing the
`swapgs` instruction, the #GP exception would be handled with the `gs`
register from userspace. However, given that there was no change of
privileges, the handler will not issue another `swapgs`: causing the
handler to use the `gs` register from userspace.

Note that before, top-bit set addresses (kernel addresses) were
also disallowed. This change uses `x86_is_vaddr_canonical` instead (the
same mechanism used elsewhere in the kernel) and disallows kernel
addresses with `is_kernel_address`.

I also updated the `NoncanonicalRipAddressSyscall` test to use a real
kernel address (it was using a high address, but that was out of the
kernel address space).

I added a unit test in to test this behavior: writing a non-canonical
return address to the rip results in an invalid argument. Without
this fix, resuming that thread would crash the system.

To run the test:

```
$ fx set bringup.x64 \
    --with-base //garnet/packages/tests:zircon \
    --with-base //bundles/bringup:tests
```

And run it with `runtests -t threads-test`

BUG=50633
This vulnerability was reported by: Quarkslab

Change-Id: I09eaf28c48c4dfbb308cfa82617d6b682df31412
Reviewed-on: https://fuchsia-review.googlesource.com/c/fuchsia/+/383356
Commit-Queue: Marco Vanotti <mvanotti@google.com>
Reviewed-by: Mark Seaborn <mseaborn@google.com>
Reviewed-by: Travis Geiselbrecht <travisg@google.com>
Reviewed-by: Nick Maniscalco <maniscalco@google.com>
Reviewed-by: Venkatesh Srinivas <venkateshs@google.com>
Reviewed-by: Kostya Kortchinsky <kostyak@google.com>
Testability-Review: Nick Maniscalco <maniscalco@google.com>
4 files changed
tree: 201ed9cfb555980935b33ef520fdf4df4a57d4dc
  1. boards/
  2. build/
  3. bundles/
  4. docs/
  5. examples/
  6. garnet/
  7. products/
  8. scripts/
  9. sdk/
  10. src/
  11. third_party/
  12. tools/
  13. zircon/
  14. .clang-format
  15. .clang-tidy
  16. .dir-locals.el
  17. .gitattributes
  18. .gitignore
  19. .gn
  20. .style.yapf
  21. AUTHORS
  22. BUILD.gn
  23. CODE_OF_CONDUCT.md
  24. CONTRIBUTING.md
  25. LICENSE
  26. OWNERS
  27. PATENTS
  28. README.md
  29. rustfmt.toml
README.md

Fuchsia

Pink + Purple == Fuchsia (a new operating system)

What is Fuchsia?

Fuchsia is a modular, capability-based operating system. Fuchsia runs on modern 64-bit Intel and ARM processors.

Fuchsia is an open source project with a code of conduct that we expect everyone who interacts with the project to respect.

How can I build and run Fuchsia?

See Getting Started.

Where can I learn more about Fuchsia?

See fuchsia.dev.