authorRoger Pau Monne <roger.pau@citrix.com>2013-01-16 18:30:08 +0100
committerNatanael Copa <ncopa@alpinelinux.org>2013-01-17 10:38:58 +0000
commit1a626cd87f60875d152f6becf44043bee9d82ccb (patch)
treecc9d6dfe2cd75074ec92a55e1246d2515452b8b8
parentda9d37b6a115d9da04fa1b91c7effda5e6e454fe (diff)
downloadaports-1a626cd87f60875d152f6becf44043bee9d82ccb.tar.bz2
aports-1a626cd87f60875d152f6becf44043bee9d82ccb.tar.xz
linux-grsec: XSA-40
-rw-r--r--main/linux-grsec/APKBUILD4
-rw-r--r--main/linux-grsec/xsa40.patch56
2 files changed, 59 insertions, 1 deletions
diff --git a/main/linux-grsec/APKBUILD b/main/linux-grsec/APKBUILD
index 68db9fbb23..f796f5fa81 100644
--- a/main/linux-grsec/APKBUILD
+++ b/main/linux-grsec/APKBUILD
@@ -4,7 +4,7 @@ _flavor=grsec
pkgname=linux-${_flavor}
pkgver=3.4.24
_kernver=3.4
-pkgrel=2
+pkgrel=3
pkgdesc="Linux kernel with grsecurity"
url=http://grsecurity.net
depends="mkinitfs linux-firmware"
@@ -22,6 +22,7 @@ source="http://ftp.kernel.org/pub/linux/kernel/v3.x/linux-$_kernver.tar.xz
0001-r8169-avoid-NAPI-scheduling-delay.patch
r8169-num-rx-desc.patch
+ xsa40.patch
kernelconfig.x86
kernelconfig.x86_64
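Review bot: The added `xsa40.patch` is applied to a tree that already carries the grsecurity patch set, which is known to rework `arch/x86/kernel/entry_32.S`, while the embedded hunk carries vanilla line numbers (`@@ -1065,7 +1065,6 @@`); the build log should be checked to confirm it applies with at most an offset and no fuzz. The removed instruction is the `addl $16,%esp` that follows `jz 5f`, and with fuzz the patch tool could drop a different `addl` in the grsec-modified function and silently leave the stack adjustment wrong. A one-line note next to the source entry, `# XSA-40 / CVE-2013-0190: 32-bit Xen PV only, drop once 3.4.y stable carries the fix`, would record both the arch scope and the removal criterion. The patch only touches `entry_32.S`, so the `kernelconfig.x86_64` build is unaffected by it, as the patch title states.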
@@ -151,5 +152,6 @@ cb6fcd6e966e73c87a839c4c0183f81f 0001-Revert-ipv4-Don-t-use-the-cached-pmtu-inf
d2f7ba780ff7567c21381428264d7fdd intel_idle.patch
8e5611c6bf3dfb0008d4e58051a8b0ff 0001-r8169-avoid-NAPI-scheduling-delay.patch
daf2cbb558588c49c138fe9ca2482b64 r8169-num-rx-desc.patch
+d9de28f8a74fe0347866705b4bd6db85 xsa40.patch
50a13359236dbd676fa355f0b4fd27ff kernelconfig.x86
c402f52babc729d1280c1677075aa0d7 kernelconfig.x86_64"
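Review bot: The new `md5sums` entry for `xsa40.patch` only guards against accidental modification of an in-tree file (line-ending changes, an edited header), not substitution, so it should not be read as an integrity check on the security fix itself; the real provenance is the upstream commit the patch was taken from. If the abuild version in use supports a stronger checksum field, a security patch is a good candidate for it, but that cannot be confirmed from this hunk. Any later edit to the patch text, including its prose header, must regenerate this line or the package will fail to build.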
diff --git a/main/linux-grsec/xsa40.patch b/main/linux-grsec/xsa40.patch
new file mode 100644
index 0000000000..29db917cbb
--- /dev/null
+++ b/main/linux-grsec/xsa40.patch
@@ -0,0 +1,56 @@
+Xen: Fix stack corruption in xen_failsafe_callback for 32bit PVOPS guests.
+
+This fixes CVE-2013-0190 / XSA-40
+
+There has been an error on the xen_failsafe_callback path for failed
+iret, which causes the stack pointer to be wrong when entering the
+iret_exc error path. This can result in the kernel crashing.
+
+In the classic kernel case, the relevant code looked a little like:
+
+ popl %eax # Error code from hypervisor
+ jz 5f
+ addl $16,%esp
+ jmp iret_exc # Hypervisor said iret fault
+5: addl $16,%esp
+ # Hypervisor said segment selector fault
+
+Here, there are two identical addls on either option of a branch which
+appears to have been optimised by hoisting it above the jz, and
+converting it to an lea, which leaves the flags register unaffected.
+
+In the PVOPS case, the code looks like:
+
+ popl_cfi %eax # Error from the hypervisor
+ lea 16(%esp),%esp # Add $16 before choosing fault path
+ CFI_ADJUST_CFA_OFFSET -16
+ jz 5f
+ addl $16,%esp # Incorrectly adjust %esp again
+ jmp iret_exc
+
+It is possible unprivileged userspace applications to cause this
+behaviour, for example by loading an LDT code selector, then changing
+the code selector to be not-present. At this point, there is a race
+condition where it is possible for the hypervisor to return back to
+userspace from an interrupt, fault on its own iret, and inject a
+failsafe_callback into the kernel.
+
+This bug has been present since the introduction of Xen PVOPS support
+in commit 5ead97c84 (xen: Core Xen implementation), in 2.6.23.
+
+Signed-off-by: Frediano Ziglio <frediano.ziglio@citrix.com>
+Signed-off-by: Andrew Cooper <andrew.cooper3@citrix.com>
+
+diff --git a/arch/x86/kernel/entry_32.S b/arch/x86/kernel/entry_32.S
+index ff84d54..6ed91d9 100644
+--- a/arch/x86/kernel/entry_32.S
++++ b/arch/x86/kernel/entry_32.S
+@@ -1065,7 +1065,6 @@ ENTRY(xen_failsafe_callback)
+ lea 16(%esp),%esp
+ CFI_ADJUST_CFA_OFFSET -16
+ jz 5f
+- addl $16,%esp
+ jmp iret_exc
+ 5: pushl_cfi $-1 /* orig_ax = -1 => not a system call */
+ SAVE_ALL
+
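Review bot: The patch header above the embedded diff names the CVE and XSA but not the upstream kernel commit or a URL to the advisory, which is what a maintainer needs to recognise when a 3.4.y stable release includes the fix and this local copy can be dropped; a line such as `Upstream reference: <linux commit or XSA-40 advisory URL>` above the `Signed-off-by` trailers would make that traceable. The hunk itself removes only the second `addl $16,%esp` on the not-taken `jz 5f` path, matching the description: after the `lea 16(%esp),%esp` the taken path (`5:`) and the `jmp iret_exc` path now each adjust `%esp` exactly once. The `jz` relies on flags from a `testl` that precedes the hunk, and `xen_failsafe_callback` begins and ends outside it, so a reviewer should read the full function in the patched tree rather than this excerpt. As stated in the header, this is the 32-bit entry path only; no equivalent change is made for `entry_64.S`.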