Don't check %cs *after* it has being set in sigreturn. If the check

fails, applications could end up running in kernel mode (oops).

Submitted by: bde

sys/amd64/amd64/machdep.c

@@ -884,7 +884,7 @@ sigreturn(p, uap)
 	struct trapframe *regs;
 	ucontext_t *ucp;
 	struct sigframe *sfp;
-	int eflags;
+	int cs, eflags;
 
 	regs = p->p_md.md_regs;
 	ucp = uap->sigcntxp;
@@ -947,18 +947,19 @@ sigreturn(p, uap)
 	    		return(EINVAL);
 		}
 
-		*regs = ucp->uc_mcontext.mc_tf;
-
 		/*
 		 * Don't allow users to load a valid privileged %cs.  Let the
 		 * hardware check for invalid selectors, excess privilege in
 		 * other selectors, invalid %eip's and invalid %esp's.
 		 */
-		if (!CS_SECURE(regs->tf_cs)) {
-			printf("sigreturn: cs = 0x%x\n", regs->tf_cs);
+		cs = ucp->uc_mcontext.mc_tf.tf_cs;
+		if (!CS_SECURE(cs)) {
+			printf("sigreturn: cs = 0x%x\n", cs);
 			trapsignal(p, SIGBUS, T_PROTFLT);
 			return(EINVAL);
 		}
+
+		*regs = ucp->uc_mcontext.mc_tf;
 	}
 
 	p->p_sigacts->ps_sigstk = ucp->uc_stack;

sys/i386/i386/machdep.c

@@ -884,7 +884,7 @@ sigreturn(p, uap)
 	struct trapframe *regs;
 	ucontext_t *ucp;
 	struct sigframe *sfp;
-	int eflags;
+	int cs, eflags;
 
 	regs = p->p_md.md_regs;
 	ucp = uap->sigcntxp;
@@ -947,18 +947,19 @@ sigreturn(p, uap)
 	    		return(EINVAL);
 		}
 
-		*regs = ucp->uc_mcontext.mc_tf;
-
 		/*
 		 * Don't allow users to load a valid privileged %cs.  Let the
 		 * hardware check for invalid selectors, excess privilege in
 		 * other selectors, invalid %eip's and invalid %esp's.
 		 */
-		if (!CS_SECURE(regs->tf_cs)) {
-			printf("sigreturn: cs = 0x%x\n", regs->tf_cs);
+		cs = ucp->uc_mcontext.mc_tf.tf_cs;
+		if (!CS_SECURE(cs)) {
+			printf("sigreturn: cs = 0x%x\n", cs);
 			trapsignal(p, SIGBUS, T_PROTFLT);
 			return(EINVAL);
 		}
+
+		*regs = ucp->uc_mcontext.mc_tf;
 	}
 
 	p->p_sigacts->ps_sigstk = ucp->uc_stack;