x86 restore_ucontext(): Protect against invalid pointer to extended frame

Francesco Lavra · Francesco Lavra · commit 3f4aa1c64795 · 2026-03-07T08:33:00.000+01:00
A signal handler can modify the pointer to the floating-point register
frame in the thread context. If a modified pointer is invalid, the kernel
crashes; if a modified pointer points to kernel memory, kernel info is
leaked to the user program.
To prevent these issues, avoid copying from non-legitimate addresses when
restoring the thread context after a signal handler.
diff --git a/src/x86_64/unix_machine.c b/src/x86_64/unix_machine.c
@@ -202,8 +202,13 @@ void restore_ucontext(struct ucontext * uctx, thread t)
     else
         f[FRAME_CS] &= ~1;
     t->signal_mask = normalize_signal_mask(mcontext->oldmask);
-    if (mcontext->fpstate)
+    if (validate_user_memory(mcontext->fpstate, extended_frame_size, false)) {
+        context ctx = get_current_context(current_cpu());
+        if (context_set_err(ctx))
+            return;
         runtime_memcpy(frame_extended(t->context.frame), mcontext->fpstate, extended_frame_size);
+        context_clear_err(ctx);
+    }
 }
 
 void reg_copy_out(struct core_regs *r, thread t)
