Problem Description:
The FreeBSD kernel enables SMAP during boot when the CPU reports that
the SMAP capability is present. Subroutines such as copyin() and
copyout() are responsible for disabling SMAP around the sections of code
that perform user memory accesses.
Such subroutines must handle page faults triggered when user memory is
not mapped. The kernel's page fault handler checks the validity of the
fault, and if it is indeed valid it will map a page and resume copying.
If the fault is invalid, the fault handler returns control to a
trampoline which aborts the operation and causes an error to be
returned. In this second scenario, a bug in the implementation of SMAP
support meant that SMAP would remain disabled until the thread returns
to user mode.
Impact:
This bug may be used to bypass the protections provided by SMAP for the
duration of a system call. It could thus be combined with other kernel
bugs to craft an exploit.