Clear DF flag after kcopy faulted.

A memory corruption in the kernel happend that was caused by memset
in the wrong direction.  After that DF bit was set in ddb rflags.

Only kcopy and memmove use std to set DF bit.  kcopy has the special
property that it can fault.  In this case DF is set in the trap
frame.  kpageflttrap() changes the return address to copy_fault via
pcb_onfault.  When alltraps_kern returns, it restores the rflags
with DF set and jumps into copy_fault.  From there a function return
goes back into regular kernel execution.  Now DF is set, but kernel
memset and memcpy expect that it is cleared.

After copy fault, also reset the DF bit with cld in copy_fault.
The crash happend on OpenBSD 7.4 amd64.  As i386 code looks similar,
also insert cld there.

OK guenther@ miod@

1 files changed, 2 insertions, 1 deletions

diff --git a/sys/arch/i386/i386/locore.s b/sys/arch/i386/i386/locore.s
index b25acfaab5c..feb8fa4edae 100644
--- a/sys/arch/i386/i386/locore.s
+++ b/sys/arch/i386/i386/locore.s
@@ -1,4 +1,4 @@
-/*	$OpenBSD: locore.s,v 1.204 2023/12/12 07:37:20 deraadt Exp $	*/
+/*	$OpenBSD: locore.s,v 1.205 2024/06/06 00:36:46 bluhm Exp $	*/
 /*	$NetBSD: locore.s,v 1.145 1996/05/03 19:41:19 christos Exp $	*/
 
 /*-
@@ -555,6 +555,7 @@ ENTRY(_copyin)
 	ret
 
 ENTRY(copy_fault)
+	cld
 	SMAP_CLAC
 	GET_CURPCB(%edx)
 	popl	PCB_ONFAULT(%edx)