FreeBSD: VID-d1ac6a6a-bea8-11eb-b87a-901b0ef719ab (CVE-2021-29628): FreeBSD-kernel -- SMAP bypass
| Severity | CVSS | Published | Added | Modified |
|---|---|---|---|---|
| 5 | (AV:N/AC:L/Au:N/C:N/I:P/A:N) | May 27, 2021 | Nov 4, 2022 | Mar 25, 2026 |
Description
Problem Description: The FreeBSD kernel enables SMAP during boot when the CPU reports that the SMAP capability is present. Subroutines such as copyin() and copyout() are responsible for disabling SMAP around the sections of code that perform user memory accesses. Such subroutines must handle page faults triggered when user memory is not mapped. The kernel's page fault handler checks the validity of the fault, and if it is indeed valid it will map a page and resume copying. If the fault is invalid, the fault handler returns control to a trampoline which aborts the operation and causes an error to be returned. In this second scenario, a bug in the implementation of SMAP support meant that SMAP would remain disabled until the thread returns to user mode.

Impact: This bug may be used to bypass the protections provided by SMAP for the duration of a system call. It could thus be combined with other kernel bugs to craft an exploit.
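The control flow described above, reduced to a user-space C model (an added example, not FreeBSD kernel code; `model_copyin`, `copy_fault_trampoline`, `ac_flag` and the 16-byte mapped region are hypothetical stand-ins). It shows the invariant the fix restores: SMAP must be enforcing again on every exit path of the copy routine, including the invalid-fault path.

```c
/* Simplified user-space model of the control flow described above.
 * Not FreeBSD source: every name here is hypothetical. */
#include <errno.h>
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define USER_MAPPED 16                     /* constructed: bytes of mapped user memory */
static unsigned char user_mem[USER_MAPPED];
static bool ac_flag;                       /* models EFLAGS.AC; true = SMAP suspended */

/* Stands in for the page fault handler's validity check. */
static bool user_range_mapped(size_t uaddr, size_t len) {
    return uaddr <= USER_MAPPED && len <= USER_MAPPED - uaddr;
}

/* Trampoline reached when the fault is invalid: abort the copy, return an error. */
static int copy_fault_trampoline(bool patched) {
    if (patched)
        ac_flag = false;                   /* fixed: SMAP back on before returning */
    return EFAULT;                         /* unpatched: ac_flag is still set here */
}

static int model_copyin(size_t uaddr, void *kaddr, size_t len, bool patched) {
    ac_flag = true;                        /* SMAP off around the user access */
    if (!user_range_mapped(uaddr, len))
        return copy_fault_trampoline(patched);
    memcpy(kaddr, user_mem + uaddr, len);
    ac_flag = false;                       /* normal exit turns SMAP back on */
    return 0;
}

/* One system call that does a copyin; true if SMAP is enforcing afterwards,
 * i.e. a later stray kernel access to user memory would still be stopped. */
bool smap_enforced_after_copyin(size_t uaddr, bool patched) {
    unsigned char kbuf[8];
    ac_flag = false;
    (void)model_copyin(uaddr, kbuf, sizeof kbuf, patched);
    return !ac_flag;
}

int main(void) {
    printf("unpatched, bad address:  SMAP enforced = %d\n", smap_enforced_after_copyin(1000, false));
    printf("patched,   bad address:  SMAP enforced = %d\n", smap_enforced_after_copyin(1000, true));
    printf("unpatched, good address: SMAP enforced = %d\n", smap_enforced_after_copyin(0, false));
    return 0;
}
```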
Solutions
- freebsd-upgrade-base-13_0-release-p1
- freebsd-upgrade-base-12_2-release-p7