NetBSD Problem Report #59084
From riastradh@netbsd.org Tue Feb 18 16:45:12 2025
Return-Path: <riastradh@netbsd.org>
Received: from mail.netbsd.org (mail.netbsd.org [199.233.217.200])
(using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)
key-exchange X25519 server-signature RSA-PSS (2048 bits)
client-signature RSA-PSS (2048 bits))
(Client CN "mail.NetBSD.org", Issuer "mail.NetBSD.org CA" (not verified))
by mollari.NetBSD.org (Postfix) with ESMTPS id 1D1541A923E
for <gnats-bugs@gnats.NetBSD.org>; Tue, 18 Feb 2025 16:45:12 +0000 (UTC)
Message-Id: <20250218164511.04E581A923F@mollari.NetBSD.org>
Date: Tue, 18 Feb 2025 16:45:10 +0000 (UTC)
From: riastradh@NetBSD.org
Reply-To: riastradh@NetBSD.org
To: gnats-bugs@NetBSD.org
Subject: exec/spawn leaks register content
X-Send-Pr-Version: 3.95
>Number: 59084
>Category: kern
>Synopsis: exec/spawn leaks register content
>Confidential: no
>Severity: serious
>Priority: medium
>Responsible: kern-bug-people
>State: needs-pullups
>Class: sw-bug
>Submitter-Id: net
>Arrival-Date: Tue Feb 18 16:50:00 +0000 2025
>Closed-Date:
>Last-Modified: Sun Apr 27 14:35:02 +0000 2025
>Originator: riastradh@NetBSD.org
>Release: current, 10, 9, ...
>Organization:
The NetBZeroD Foundation
>Environment:
>Description:
On some architectures, the execve(2) and posix_spawn(2) system
calls leak some of the caller's registers into the new
process.
[ ] aarch64
[ ] aarch64 compat32
[ ] alpha
[ ] arm32
[tested/pass] hppa
[tested/pass] i386
[ ] ia64
[ ] m68k
[ ] mips o32
[ ] mips64 n32
[ ] mips64 n64
[ ] mips64 compat o32
[ ] powerpc
[ ] powerpc64
[ ] powerpc64 compat32
[ ] riscv32
[ ] riscv64
[ ] riscv64 compat32
[ ] sh3
[ ] sparc
[ ] sparc64
[ ] sparc64 compat32
[tested/pass] vax
[tested/pass] x86_64
[tested/pass] x86_64 compat32
>How-To-Repeat:
1. call execve(2) or posix_spawn(2)
2. examine registers in the child that should be zeroed
Example: r8-r15 on x86 (rcx also leaks through the libc stub;
r11 might not leak but it's not zero, not sure what it is).
>Fix:
memset(tf, 0, sizeof(*tf)) in every port's setregs function
>Release-Note:
>Audit-Trail:
From: Taylor R Campbell <riastradh@NetBSD.org>
To: gnats-bugs@netbsd.org
Cc:
Subject: Re: kern/59084: exec/spawn leaks register content
Date: Tue, 18 Feb 2025 16:57:22 +0000
The attached patch implements a test for this.
The fix is just to memset systematically in setregs, but I'd like to
make sure we test it on various architectures (if not all of them).
From: "Taylor R Campbell" <riastradh@netbsd.org>
To: gnats-bugs@gnats.NetBSD.org
Cc:
Subject: PR/59084 CVS commit: src
Date: Thu, 27 Feb 2025 00:55:33 +0000
Module Name: src
Committed By: riastradh
Date: Thu Feb 27 00:55:32 UTC 2025
Modified Files:
src/distrib/sets/lists/debug: mi
src/distrib/sets/lists/tests: mi
src/tests/kernel: Makefile
Added Files:
src/tests/kernel: h_execregs_unimpl.c t_execregs.c
src/tests/kernel/arch/aarch64: execregs.c execregs.h h_execregs.S
src/tests/kernel/arch/hppa: execregs.c execregs.h h_execregs.S
src/tests/kernel/arch/i386: execregs.c execregs.h h_execregs.S
src/tests/kernel/arch/vax: execregs.c execregs.h h_execregs.S
src/tests/kernel/arch/x86_64: execregs.c execregs.h h_execregs.S
Log Message:
Test whether exec/spawn will zero registers.
Currently implemented only for a handful of architectures; should
extend this to all the others, and extend as appropriate if we find
more register content is worth testing (like maybe vector registers,
but they are managed differently anyway and less likely to leak).
VAX test contributed (and tested) by Kalvis Duckmanton, with some
tweaks by me; the others written and tested by me. IA64 skipped,
even though I suspect it _would_ leak if the kernel code ran as is,
because I have no way to test it.
PR kern/59084: exec/spawn leaks register content
To generate a diff of this commit:
cvs rdiff -u -r1.465 -r1.466 src/distrib/sets/lists/debug/mi
cvs rdiff -u -r1.1358 -r1.1359 src/distrib/sets/lists/tests/mi
cvs rdiff -u -r1.84 -r1.85 src/tests/kernel/Makefile
cvs rdiff -u -r0 -r1.1 src/tests/kernel/h_execregs_unimpl.c \
src/tests/kernel/t_execregs.c
cvs rdiff -u -r0 -r1.1 src/tests/kernel/arch/aarch64/execregs.c \
src/tests/kernel/arch/aarch64/execregs.h \
src/tests/kernel/arch/aarch64/h_execregs.S
cvs rdiff -u -r0 -r1.1 src/tests/kernel/arch/hppa/execregs.c \
src/tests/kernel/arch/hppa/execregs.h \
src/tests/kernel/arch/hppa/h_execregs.S
cvs rdiff -u -r0 -r1.1 src/tests/kernel/arch/i386/execregs.c \
src/tests/kernel/arch/i386/execregs.h \
src/tests/kernel/arch/i386/h_execregs.S
cvs rdiff -u -r0 -r1.1 src/tests/kernel/arch/vax/execregs.c \
src/tests/kernel/arch/vax/execregs.h \
src/tests/kernel/arch/vax/h_execregs.S
cvs rdiff -u -r0 -r1.1 src/tests/kernel/arch/x86_64/execregs.c \
src/tests/kernel/arch/x86_64/execregs.h \
src/tests/kernel/arch/x86_64/h_execregs.S
Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.
From: "Taylor R Campbell" <riastradh@netbsd.org>
To: gnats-bugs@gnats.NetBSD.org
Cc:
Subject: PR/59084 CVS commit: src/tests/kernel
Date: Fri, 28 Feb 2025 16:08:19 +0000
Module Name: src
Committed By: riastradh
Date: Fri Feb 28 16:08:19 UTC 2025
Modified Files:
src/tests/kernel: Makefile t_execregs.c
src/tests/kernel/arch/hppa: execregs.c execregs.h h_execregs.S
Log Message:
t_execregs: Test some more registers on hppa.
Looks like we're missing zeroing of floating-point registers too, as
well as the carry/borrow and divide step correction bits in the
semi-secret PSW register.
Unfortunately, while investigating this, I discovered that qemu's
hppa implementation doesn't implement fpu traps even if the fpu is
disabled (relevant bits of CR 10 `CCR', Coprocessor Control Register,
are cleared), which breaks fpu switching on NetBSD. So I can't test
this properly myself. We should maybe just change NetBSD from lazy
fpu switching to eager fpu switching anyway to thwart Spectre-class
attacks if there's any hppa hardware out there that does speculative
execution.
PR kern/59084: exec/spawn leaks register content
To generate a diff of this commit:
cvs rdiff -u -r1.85 -r1.86 src/tests/kernel/Makefile
cvs rdiff -u -r1.1 -r1.2 src/tests/kernel/t_execregs.c
cvs rdiff -u -r1.1 -r1.2 src/tests/kernel/arch/hppa/execregs.c \
src/tests/kernel/arch/hppa/execregs.h \
src/tests/kernel/arch/hppa/h_execregs.S
Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.
From: "Taylor R Campbell" <riastradh@netbsd.org>
To: gnats-bugs@gnats.NetBSD.org
Cc:
Subject: PR/59084 CVS commit: src/tests/kernel
Date: Fri, 28 Feb 2025 16:08:42 +0000
Module Name: src
Committed By: riastradh
Date: Fri Feb 28 16:08:42 UTC 2025
Modified Files:
src/tests/kernel: t_execregs.c
Log Message:
t_execregs: Make read failure nonfatal.
This way, the test will report when the helper program h_execregs has
crashed, which happens often during development because it's an
assembly routine with the barest possible runtime support in order to
get at registers immediately on startup before anything like libc
constructors have clobbered them.
PR kern/59084: exec/spawn leaks register content
To generate a diff of this commit:
cvs rdiff -u -r1.2 -r1.3 src/tests/kernel/t_execregs.c
Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.
From: "Taylor R Campbell" <riastradh@netbsd.org>
To: gnats-bugs@gnats.NetBSD.org
Cc:
Subject: PR/59084 CVS commit: src
Date: Sun, 16 Mar 2025 15:35:00 +0000
Module Name: src
Committed By: riastradh
Date: Sun Mar 16 15:35:00 UTC 2025
Modified Files:
src/sys/arch/alpha/alpha: machdep.c
src/sys/arch/amd64/amd64: machdep.c
src/sys/arch/hppa/hppa: machdep.c
src/sys/arch/i386/i386: machdep.c
src/sys/arch/ia64/ia64: machdep.c
src/sys/arch/m68k/m68k: m68k_machdep.c
src/sys/arch/mips/mips: mips_machdep.c
src/sys/arch/sh3/sh3: sh3_machdep.c
src/sys/arch/vax/vax: trap.c
src/tests/kernel: t_execregs.c
Log Message:
Clear trapframe on exec.
Do this for all architectures, even if the trapframe is fully
initialized -- makes it easier to audit and be confident it's
correct, and most likely (with the exception of sh3 which has an
intermediate call to ufetch_int in the middle) the compiler can
eliminate redundant stores in these routines.
PR kern/59084: exec/spawn leaks register content
To generate a diff of this commit:
cvs rdiff -u -r1.379 -r1.380 src/sys/arch/alpha/alpha/machdep.c
cvs rdiff -u -r1.371 -r1.372 src/sys/arch/amd64/amd64/machdep.c
cvs rdiff -u -r1.21 -r1.22 src/sys/arch/hppa/hppa/machdep.c
cvs rdiff -u -r1.843 -r1.844 src/sys/arch/i386/i386/machdep.c
cvs rdiff -u -r1.45 -r1.46 src/sys/arch/ia64/ia64/machdep.c
cvs rdiff -u -r1.11 -r1.12 src/sys/arch/m68k/m68k/m68k_machdep.c
cvs rdiff -u -r1.306 -r1.307 src/sys/arch/mips/mips/mips_machdep.c
cvs rdiff -u -r1.113 -r1.114 src/sys/arch/sh3/sh3/sh3_machdep.c
cvs rdiff -u -r1.138 -r1.139 src/sys/arch/vax/vax/trap.c
cvs rdiff -u -r1.3 -r1.4 src/tests/kernel/t_execregs.c
Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.
From: "Taylor R Campbell" <riastradh@netbsd.org>
To: gnats-bugs@gnats.NetBSD.org
Cc:
Subject: PR/59084 CVS commit: src/sys/arch
Date: Mon, 17 Mar 2025 11:39:02 +0000
Module Name: src
Committed By: riastradh
Date: Mon Mar 17 11:39:02 UTC 2025
Modified Files:
src/sys/arch/amd64/amd64: machdep.c
src/sys/arch/i386/i386: machdep.c
Log Message:
x86: Set tf_trapno = T_ASTFLT on exec.
In most cases, the caller will already have tf_trapno=T_ASTFLT and
tf_err=2 -- the latter being the size of the SYSCALL instruction for
ERESTART handling. ERESTART handling is not relevant after exec, but
checking for AST on userret may be.
Hoping this will fix the i386 test bed! Aside from padding fields,
these (tf_trapno and tf_err) are the only two members of trapframe
that were newly zeroed on i386. The corresponding amd64 changes --
which zeroed many other registers -- worked in my testing, but
evidently that wasn't enough testing.
PR kern/59084: exec/spawn leaks register content
To generate a diff of this commit:
cvs rdiff -u -r1.372 -r1.373 src/sys/arch/amd64/amd64/machdep.c
cvs rdiff -u -r1.844 -r1.845 src/sys/arch/i386/i386/machdep.c
Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.
From: "Taylor R Campbell" <riastradh@netbsd.org>
To: gnats-bugs@gnats.NetBSD.org
Cc:
Subject: PR/59084 CVS commit: src/sys/arch/vax/vax
Date: Sat, 22 Mar 2025 13:28:35 +0000
Module Name: src
Committed By: riastradh
Date: Sat Mar 22 13:28:35 UTC 2025
Modified Files:
src/sys/arch/vax/vax: trap.c
Log Message:
vax: Set tf_psl to PSL_U|PSL_PREVU on exec.
This was previously inherited from the caller, which was not clear
from context, and the trapframe is now zeroed which broke exec on
vax.
PR kern/59084: exec/spawn leaks register content
To generate a diff of this commit:
cvs rdiff -u -r1.140 -r1.141 src/sys/arch/vax/vax/trap.c
Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.
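The pattern the Fix field asks for (memset the trapframe in every port's setregs) and the "Clear trapframe on exec", x86 tf_trapno and vax tf_psl commits describe, as an added example that is not NetBSD's code: a model trapframe with a hypothetical layout, register names and flag values (constructed for illustration, not the real struct trapframe of any port), the assign-what-you-need style beside the zero-then-initialize style, and a check that also catches the failure mode the vax and x86 follow-ups ran into, where a field the caller used to supply implicitly (tf_psl, tf_trapno) has to be set explicitly once the whole frame is zeroed.

```c
/*
 * Added example, not NetBSD's code. Models why a setregs() that only
 * assigns the registers the ABI needs leaks the exec(2) caller's
 * registers into the new image, and what the memset fix looks like.
 * The trapframe layout, register names and flag values are constructed.
 */
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Hypothetical trapframe: general registers, then control state. */
struct trapframe {
	uint64_t tf_r[16];	/* general registers r0..r15 */
	uint64_t tf_sp;		/* stack pointer */
	uint64_t tf_pc;		/* program counter */
	uint32_t tf_trapno;	/* trap number, stands in for x86 tf_trapno */
	uint32_t tf_psl;	/* processor status, stands in for vax tf_psl */
};

/* Constructed values; stand-ins for T_ASTFLT and PSL_U|PSL_PREVU. */
#define MODEL_T_ASTFLT	3u
#define MODEL_PSL_USER	0x03000000u

/* Caller's register state at the time of the execve(2) system call. */
static void
fill_caller_state(struct trapframe *tf)
{
	for (size_t i = 0; i < 16; i++)
		tf->tf_r[i] = 0xdeadbeefULL << 32 | i;	/* "secret" content */
	tf->tf_sp = 0x7fff0000;
	tf->tf_pc = 0x401000;
	tf->tf_trapno = MODEL_T_ASTFLT;
	tf->tf_psl = MODEL_PSL_USER;
}

/* Before: only the ABI-mandated registers are assigned; the rest is inherited. */
static void
setregs_leaky(struct trapframe *tf, uint64_t entry, uint64_t stack)
{
	tf->tf_r[0] = 0;	/* ABI argument register */
	tf->tf_sp = stack;
	tf->tf_pc = entry;
	/* tf_trapno and tf_psl silently keep the caller's values */
}

/* First attempt at the fix: zero everything, set sp and pc. */
static void
setregs_zeroed_incomplete(struct trapframe *tf, uint64_t entry, uint64_t stack)
{
	memset(tf, 0, sizeof(*tf));
	tf->tf_sp = stack;
	tf->tf_pc = entry;
	/* tf_psl is now 0: the new image no longer runs with user-mode PSL */
}

/* After: zero the frame, then set every field the new image depends on. */
static void
setregs_zeroed(struct trapframe *tf, uint64_t entry, uint64_t stack)
{
	memset(tf, 0, sizeof(*tf));
	tf->tf_sp = stack;
	tf->tf_pc = entry;
	tf->tf_trapno = MODEL_T_ASTFLT;	/* previously inherited from caller */
	tf->tf_psl = MODEL_PSL_USER;	/* previously inherited from caller */
}

/* Test-side check: how many general registers still carry the caller's pattern? */
static int
count_leaked_regs(const struct trapframe *tf)
{
	int n = 0;
	for (size_t i = 0; i < 16; i++)
		if ((tf->tf_r[i] >> 32) == 0xdeadbeefULL)
			n++;
	return n;
}

/* Does the frame look the way a freshly exec'd image must see it? */
static int
frame_is_clean(const struct trapframe *tf, uint64_t entry, uint64_t stack)
{
	return count_leaked_regs(tf) == 0 &&
	    tf->tf_sp == stack && tf->tf_pc == entry &&
	    tf->tf_trapno == MODEL_T_ASTFLT && tf->tf_psl == MODEL_PSL_USER;
}
```

The real test, t_execregs, cannot inspect the kernel's frame directly; it execs an assembly helper that dumps registers at the entry point before any runtime code runs, which is what the model's count_leaked_regs stands in for. The incomplete variant is the shape of the vax breakage in this thread: zeroing is right, but every field the old code got for free from the caller then needs an explicit assignment.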
State-Changed-From-To: open->needs-pullups
State-Changed-By: riastradh@NetBSD.org
State-Changed-When: Tue, 25 Mar 2025 20:39:38 +0000
State-Changed-Why:
fixed in HEAD, needs pullup-9 and pullup-10
From: "Taylor R Campbell" <riastradh@netbsd.org>
To: gnats-bugs@gnats.NetBSD.org
Cc:
Subject: PR/59084 CVS commit: src/sys/arch/vax/vax
Date: Sat, 29 Mar 2025 00:16:30 +0000
Module Name: src
Committed By: riastradh
Date: Sat Mar 29 00:16:30 UTC 2025
Modified Files:
src/sys/arch/vax/vax: trap.c
Log Message:
vax/trap.c: Back out revisions 1.139 and 1.141 for now.
These changes served to zero registers on exec in order to avoid
leaking secret register content to the replacement process image.
Unfortunately, I did not adequately test these changes, and the vax
testbed has been unhappy since they went in. It's possible they're
not the culprit -- it's possible that 1.141 (setting PSL_U|PSL_PREVU)
was enough to fix the bug introduced by 1.139 -- but let's just try
backing both out so we can let the releng testbed figure out for me
whether to go chasing other parts of the trapframe to set up
(tf_trap=T_SYSCALL? tf_code=???) or this is a wild goose chase and
it's actually something else broken.
PR kern/59084: exec/spawn leaks register content
To generate a diff of this commit:
cvs rdiff -u -r1.141 -r1.142 src/sys/arch/vax/vax/trap.c
Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.
From: "Taylor R Campbell" <riastradh@netbsd.org>
To: gnats-bugs@gnats.NetBSD.org
Cc:
Subject: PR/59084 CVS commit: src/tests/kernel
Date: Sun, 20 Apr 2025 21:03:32 +0000
Module Name: src
Committed By: riastradh
Date: Sun Apr 20 21:03:32 UTC 2025
Modified Files:
src/tests/kernel: Makefile
Log Message:
h_execregs: Properly request to statically link this.
Adding -static to LDFLAGS doesn't work because we end up passing
various other flags that cause it to come out as a dynamic executable
anyway, which would crash on SIGSEGV early at startup -- except that
the entry point exits before calling the normal start routine, so by
accident it works.
PR kern/59084: exec/spawn leaks register content
To generate a diff of this commit:
cvs rdiff -u -r1.86 -r1.87 src/tests/kernel/Makefile
Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.
From: "Taylor R Campbell" <riastradh@netbsd.org>
To: gnats-bugs@gnats.NetBSD.org
Cc:
Subject: PR/59084 CVS commit: src/tests/kernel/arch/aarch64
Date: Fri, 25 Apr 2025 12:58:41 +0000
Module Name: src
Committed By: riastradh
Date: Fri Apr 25 12:58:41 UTC 2025
Modified Files:
src/tests/kernel/arch/aarch64: h_execregs.S
Log Message:
t_execregs: On aarch64, make sure to align stack to 16 bytes.
Should avoid SIGBUS with strict alignment (SCTLR_EL0.A bit).
PR kern/59084: exec/spawn leaks register content
To generate a diff of this commit:
cvs rdiff -u -r1.1 -r1.2 src/tests/kernel/arch/aarch64/h_execregs.S
Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.
From: "Taylor R Campbell" <riastradh@netbsd.org>
To: gnats-bugs@gnats.NetBSD.org
Cc:
Subject: PR/59084 CVS commit: src/tests/kernel
Date: Fri, 25 Apr 2025 12:58:51 +0000
Module Name: src
Committed By: riastradh
Date: Fri Apr 25 12:58:51 UTC 2025
Modified Files:
src/tests/kernel: t_execregs.c
Log Message:
t_execregs: Make failure of child a little more obvious.
PR kern/59084: exec/spawn leaks register content
To generate a diff of this commit:
cvs rdiff -u -r1.4 -r1.5 src/tests/kernel/t_execregs.c
Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.
From: "Taylor R Campbell" <riastradh@netbsd.org>
To: gnats-bugs@gnats.NetBSD.org
Cc:
Subject: PR/59084 CVS commit: src/tests/kernel
Date: Sat, 26 Apr 2025 03:03:35 +0000
Module Name: src
Committed By: riastradh
Date: Sat Apr 26 03:03:35 UTC 2025
Modified Files:
src/tests/kernel: Makefile
Log Message:
tests/kernel/Makefile: Add DPSRCS for t_execregs.c parts.
We build it with -DHAVE_EXECREGS_TEST if arch/.../execregs.h exists;
this way if you add it for a new architecture and do an update build,
t_execregs.c will be recompiled with the macro defined so it will
pick up the new stuff automatically.
PR kern/59084: exec/spawn leaks register content
To generate a diff of this commit:
cvs rdiff -u -r1.91 -r1.92 src/tests/kernel/Makefile
Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.
From: "Taylor R Campbell" <riastradh@netbsd.org>
To: gnats-bugs@gnats.NetBSD.org
Cc:
Subject: PR/59084 CVS commit: src/tests/kernel
Date: Sat, 26 Apr 2025 12:20:33 +0000
Module Name: src
Committed By: riastradh
Date: Sat Apr 26 12:20:33 UTC 2025
Modified Files:
src/tests/kernel: t_execregs.c
Log Message:
tests/kernel/Makefile: Back out DPSRCS for t_execregs arch helpers.
Doesn't work the way I'd hoped for update builds -- I had tested it
only with a .h file, not with the .S files:
# create kernel//work/src/tests/kernel/arch/arm/execsp.d
CC=/work/tools/bin/arm--netbsdelf-eabi-gcc /work/tools/bin/nbmkdep -f /work/src/tests/kernel/arch/arm/execsp.d.tmp -- --sysroot=/branches/hosts-current/evbearmv5 -D_KERNTYPES -I/work/src/tests/kernel/.. -x assembler-with-cpp /work/src/tests/kernel/arch/arm/execsp.S && mv -f /work/src/tests/kernel/arch/arm/execsp.d.tmp /work/src/tests/kernel/arch/arm/execsp.d
nbmkdep: unable to write to file /work/src/tests/kernel/arch/arm/execsp.d.tmp: Permission denied
PR kern/59084: exec/spawn leaks register content
To generate a diff of this commit:
cvs rdiff -u -r1.5 -r1.6 src/tests/kernel/t_execregs.c
Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.
From: "Taylor R Campbell" <riastradh@netbsd.org>
To: gnats-bugs@gnats.NetBSD.org
Cc:
Subject: PR/59084 CVS commit: src/tests/kernel
Date: Sun, 27 Apr 2025 14:30:03 +0000
Module Name: src
Committed By: riastradh
Date: Sun Apr 27 14:30:03 UTC 2025
Modified Files:
src/tests/kernel: t_execregs.c
Log Message:
t_execregs: Redo better diagnostics for child.
Accidentally backed out the wrong commit here:
https://mail-index.netbsd.org/source-changes/2025/04/26/msg156620.html
Meant to back out this one:
https://mail-index.netbsd.org/source-changes/2025/04/26/msg156607.html
Instead backed out this one (which I am now restoring):
https://mail-index.netbsd.org/source-changes/2025/04/25/msg156596.html
PR kern/59084: exec/spawn leaks register content
To generate a diff of this commit:
cvs rdiff -u -r1.6 -r1.7 src/tests/kernel/t_execregs.c
Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.
From: "Taylor R Campbell" <riastradh@netbsd.org>
To: gnats-bugs@gnats.NetBSD.org
Cc:
Subject: PR/59084 CVS commit: src/tests/kernel
Date: Sun, 27 Apr 2025 14:30:28 +0000
Module Name: src
Committed By: riastradh
Date: Sun Apr 27 14:30:28 UTC 2025
Modified Files:
src/tests/kernel: Makefile
Log Message:
tests/kernel/Makefile: Back out DPSRCS for t_execregs arch helpers.
This time for real -- accidentally backed out the wrong commit last
time:
https://mail-index.netbsd.org/source-changes/2025/04/26/msg156620.html
Doesn't work the way I'd hoped for update builds -- I had tested it
only with a .h file, not with the .S files:
# create kernel//work/src/tests/kernel/arch/arm/execsp.d
CC=/work/tools/bin/arm--netbsdelf-eabi-gcc /work/tools/bin/nbmkdep -f /work/src/tests/kernel/arch/arm/execsp.d.tmp -- --sysroot=/branches/hosts-current/evbearmv5 -D_KERNTYPES -I/work/src/tests/kernel/.. -x assembler-with-cpp /work/src/tests/kernel/arch/arm/execsp.S && mv -f /work/src/tests/kernel/arch/arm/execsp.d.tmp /work/src/tests/kernel/arch/arm/execsp.d
nbmkdep: unable to write to file /work/src/tests/kernel/arch/arm/execsp.d.tmp: Permission denied
PR kern/59084: exec/spawn leaks register content
To generate a diff of this commit:
cvs rdiff -u -r1.93 -r1.94 src/tests/kernel/Makefile
Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.
>Unformatted:
Copyright © 1994-2025
The NetBSD Foundation, Inc. ALL RIGHTS RESERVED.