author | Natanael Copa <ncopa@alpinelinux.org> | 2013-01-23 14:33:08 +0000 |
---|---|---|
committer | Natanael Copa <ncopa@alpinelinux.org> | 2013-01-23 15:58:53 +0000 |
commit | 7b8a15821e9bdeb2af123d62bff8148f7b003923 (patch) | |
tree | 1488d1d0e19c9c3ff1d1fc8c54a63a6d9503cbf2 /main/linux-grsec/xsa40.patch | |
parent | 46eeabf331194791a12f24f1f2ce9bd806df3150 (diff) | |
main/linux-grsec: merge in stable fixes
Diffstat (limited to 'main/linux-grsec/xsa40.patch')
-rw-r--r-- | main/linux-grsec/xsa40.patch | 56 |
1 files changed, 0 insertions, 56 deletions
diff --git a/main/linux-grsec/xsa40.patch b/main/linux-grsec/xsa40.patch
deleted file mode 100644
index 29db917cbb..0000000000
--- a/main/linux-grsec/xsa40.patch
+++ /dev/null
@@ -1,56 +0,0 @@
-Xen: Fix stack corruption in xen_failsafe_callback for 32bit PVOPS guests.
-
-This fixes CVE-2013-0190 / XSA-40
-
-There has been an error on the xen_failsafe_callback path for failed
-iret, which causes the stack pointer to be wrong when entering the
-iret_exc error path. This can result in the kernel crashing.
-
-In the classic kernel case, the relevant code looked a little like:
-
- popl %eax # Error code from hypervisor
- jz 5f
- addl $16,%esp
- jmp iret_exc # Hypervisor said iret fault
-5: addl $16,%esp
- # Hypervisor said segment selector fault
-
-Here, there are two identical addls on either option of a branch which
-appears to have been optimised by hoisting it above the jz, and
-converting it to an lea, which leaves the flags register unaffected.
-
-In the PVOPS case, the code looks like:
-
- popl_cfi %eax # Error from the hypervisor
- lea 16(%esp),%esp # Add $16 before choosing fault path
- CFI_ADJUST_CFA_OFFSET -16
- jz 5f
- addl $16,%esp # Incorrectly adjust %esp again
- jmp iret_exc
-
-It is possible unprivileged userspace applications to cause this
-behaviour, for example by loading an LDT code selector, then changing
-the code selector to be not-present. At this point, there is a race
-condition where it is possible for the hypervisor to return back to
-userspace from an interrupt, fault on its own iret, and inject a
-failsafe_callback into the kernel.
-
-This bug has been present since the introduction of Xen PVOPS support
-in commit 5ead97c84 (xen: Core Xen implementation), in 2.6.23.
-
-Signed-off-by: Frediano Ziglio <frediano.ziglio@citrix.com>
-Signed-off-by: Andrew Cooper <andrew.cooper3@citrix.com>
-
-diff --git a/arch/x86/kernel/entry_32.S b/arch/x86/kernel/entry_32.S
-index ff84d54..6ed91d9 100644
---- a/arch/x86/kernel/entry_32.S
-+++ b/arch/x86/kernel/entry_32.S
-@@ -1065,7 +1065,6 @@ ENTRY(xen_failsafe_callback)
- lea 16(%esp),%esp
- CFI_ADJUST_CFA_OFFSET -16
- jz 5f
-- addl $16,%esp
- jmp iret_exc
- 5: pushl_cfi $-1 /* orig_ax = -1 => not a system call */
- SAVE_ALL
-
|