summaryrefslogtreecommitdiffstats
path: root/main/linux-grsec
diff options
context:
space:
mode:
authorRoger Pau Monne <roger.pau@citrix.com>2013-01-16 18:01:06 +0100
committerWilliam Pitcock <nenolod@dereferenced.org>2013-01-17 05:47:24 -0600
commit4bd17e745b7eff551af9b206254d93c998432d2a (patch)
treee74e6bb2b690d645555ab56ad5f510f492c6bdd3 /main/linux-grsec
parent7bad3c33e39f342fbd280b56a4102689f1305f38 (diff)
downloadaports-4bd17e745b7eff551af9b206254d93c998432d2a.tar.bz2
aports-4bd17e745b7eff551af9b206254d93c998432d2a.tar.xz
linux-grsec: XSA-40
Diffstat (limited to 'main/linux-grsec')
-rw-r--r--main/linux-grsec/APKBUILD4
-rw-r--r--main/linux-grsec/xsa40.patch56
2 files changed, 59 insertions, 1 deletions
diff --git a/main/linux-grsec/APKBUILD b/main/linux-grsec/APKBUILD
index 6d100bd9d..b860ce45f 100644
--- a/main/linux-grsec/APKBUILD
+++ b/main/linux-grsec/APKBUILD
@@ -4,7 +4,7 @@ _flavor=grsec
pkgname=linux-${_flavor}
pkgver=3.6.11
_kernver=3.6
-pkgrel=2
+pkgrel=3
pkgdesc="Linux kernel with grsecurity"
url=http://grsecurity.net
depends="mkinitfs linux-firmware"
@@ -18,6 +18,7 @@ source="http://ftp.kernel.org/pub/linux/kernel/v3.x/linux-$_kernver.tar.xz
0004-arp-flush-arp-cache-on-device-change.patch
r8169-num-rx-desc.patch
+ xsa40.patch
kernelconfig.x86
kernelconfig.x86_64
@@ -144,5 +145,6 @@ bd4bba74093405887d521309a74c19e9 patch-3.6.11.xz
dce5c43ac3b5d8e35e245b35e90e1837 grsecurity-2.9.1-3.6.11-unofficial-1.patch
776adeeb5272093574f8836c5037dd7d 0004-arp-flush-arp-cache-on-device-change.patch
daf2cbb558588c49c138fe9ca2482b64 r8169-num-rx-desc.patch
+d9de28f8a74fe0347866705b4bd6db85 xsa40.patch
373db5888708938c6b1baed6da781fcb kernelconfig.x86
190788fb10e79abce9d570d5e87ec3b4 kernelconfig.x86_64"
diff --git a/main/linux-grsec/xsa40.patch b/main/linux-grsec/xsa40.patch
new file mode 100644
index 000000000..29db917cb
--- /dev/null
+++ b/main/linux-grsec/xsa40.patch
@@ -0,0 +1,56 @@
+Xen: Fix stack corruption in xen_failsafe_callback for 32bit PVOPS guests.
+
+This fixes CVE-2013-0190 / XSA-40
+
+There has been an error on the xen_failsafe_callback path for failed
+iret, which causes the stack pointer to be wrong when entering the
+iret_exc error path. This can result in the kernel crashing.
+
+In the classic kernel case, the relevant code looked a little like:
+
+ popl %eax # Error code from hypervisor
+ jz 5f
+ addl $16,%esp
+ jmp iret_exc # Hypervisor said iret fault
+5: addl $16,%esp
+ # Hypervisor said segment selector fault
+
+Here, there are two identical addls on either option of a branch which
+appears to have been optimised by hoisting it above the jz, and
+converting it to an lea, which leaves the flags register unaffected.
+
+In the PVOPS case, the code looks like:
+
+ popl_cfi %eax # Error from the hypervisor
+ lea 16(%esp),%esp # Add $16 before choosing fault path
+ CFI_ADJUST_CFA_OFFSET -16
+ jz 5f
+ addl $16,%esp # Incorrectly adjust %esp again
+ jmp iret_exc
+
+It is possible unprivileged userspace applications to cause this
+behaviour, for example by loading an LDT code selector, then changing
+the code selector to be not-present. At this point, there is a race
+condition where it is possible for the hypervisor to return back to
+userspace from an interrupt, fault on its own iret, and inject a
+failsafe_callback into the kernel.
+
+This bug has been present since the introduction of Xen PVOPS support
+in commit 5ead97c84 (xen: Core Xen implementation), in 2.6.23.
+
+Signed-off-by: Frediano Ziglio <frediano.ziglio@citrix.com>
+Signed-off-by: Andrew Cooper <andrew.cooper3@citrix.com>
+
+diff --git a/arch/x86/kernel/entry_32.S b/arch/x86/kernel/entry_32.S
+index ff84d54..6ed91d9 100644
+--- a/arch/x86/kernel/entry_32.S
++++ b/arch/x86/kernel/entry_32.S
+@@ -1065,7 +1065,6 @@ ENTRY(xen_failsafe_callback)
+ lea 16(%esp),%esp
+ CFI_ADJUST_CFA_OFFSET -16
+ jz 5f
+- addl $16,%esp
+ jmp iret_exc
+ 5: pushl_cfi $-1 /* orig_ax = -1 => not a system call */
+ SAVE_ALL
+