[kernel] r6598 - in dists/sarge-security/kernel/source/kernel-source-2.6.8-2.6.8/debian: patches patches/series

Dann Frazier dannf at costa.debian.org
Thu May 18 21:29:26 UTC 2006


Author: dannf
Date: Thu May 18 21:29:25 2006
New Revision: 6598

Added:
   dists/sarge-security/kernel/source/kernel-source-2.6.8-2.6.8/debian/patches/em64t-uncanonical-return-addr.dpatch
Modified:
   dists/sarge-security/kernel/source/kernel-source-2.6.8-2.6.8/debian/changelog
   dists/sarge-security/kernel/source/kernel-source-2.6.8-2.6.8/debian/patches/series/2.6.8-16sarge3

Log:
* em64t-uncanonical-return-addr.dpatch
  [SECURITY][amd64] Fix local DoS vulnerability on em64t systems that arises
  when returning program control using SYSRET
  See CVE-2006-0744

Modified: dists/sarge-security/kernel/source/kernel-source-2.6.8-2.6.8/debian/changelog
==============================================================================
--- dists/sarge-security/kernel/source/kernel-source-2.6.8-2.6.8/debian/changelog	(original)
+++ dists/sarge-security/kernel/source/kernel-source-2.6.8-2.6.8/debian/changelog	Thu May 18 21:29:25 2006
@@ -32,8 +32,12 @@
     [SECURITY][amd64] Fix potential local DoS vulnerability in the binfmt_elf
     code on em64t processors
     See CVE-2006-0741
+  * em64t-uncanonical-return-addr.dpatch
+    [SECURITY][amd64] Fix local DoS vulnerability on em64t systems that arises
+    when returning program control using SYSRET
+    See CVE-2006-0744
 
- -- dann frazier <dannf at debian.org>  Thu, 18 May 2006 15:55:02 -0500
+ -- dann frazier <dannf at debian.org>  Thu, 18 May 2006 16:28:52 -0500
 
 kernel-source-2.6.8 (2.6.8-16sarge2) stable-security; urgency=high
 

Added: dists/sarge-security/kernel/source/kernel-source-2.6.8-2.6.8/debian/patches/em64t-uncanonical-return-addr.dpatch
==============================================================================
--- (empty file)
+++ dists/sarge-security/kernel/source/kernel-source-2.6.8-2.6.8/debian/patches/em64t-uncanonical-return-addr.dpatch	Thu May 18 21:29:25 2006
@@ -0,0 +1,64 @@
+Author: Andi Kleen <ak at suse.de>
+Date:   Fri Apr 7 19:50:00 2006 +0200
+
+    [PATCH] x86_64: When user could have changed RIP always force IRET
+    
+    Intel EM64T CPUs handle uncanonical return addresses differently
+    from AMD CPUs.
+    
+    The exception is reported in the SYSRET, not the next instruction.
+    This leads to the kernel exception handler running on the user stack
+    with the wrong GS because the kernel didn't expect exceptions
+    on this instruction.
+    
+    This version of the patch has the teething problems that plagued an earlier
+    version fixed.
+    
+    This is CVE-2006-0744
+    
+    Thanks to Ernie Petrides and Asit B. Mallick for analysis and initial
+    patches.
+    
+    Signed-off-by: Andi Kleen <ak at suse.de>
+    Signed-off-by: Linus Torvalds <torvalds at osdl.org>
+
+    Signed-off-by: Troy Heber <troyh at debian.org>
+
+
+diff -urN kernel-source-2.6.8.orig/arch/x86_64/kernel/entry.S 2.6/arch/x86_64/kernel/entry.S
+--- kernel-source-2.6.8.orig/arch/x86_64/kernel/entry.S	2004-08-13 23:36:46.000000000 -0600
++++ 2.6/arch/x86_64/kernel/entry.S	2006-05-17 00:17:26.000000000 -0600
+@@ -173,6 +173,10 @@
+  *
+  * XXX	if we had a free scratch register we could save the RSP into the stack frame
+  *      and report it properly in ps. Unfortunately we haven't.
++ *
++ * When user can change the frames always force IRET. That is because
++ * it deals with uncanonical addresses better. SYSRET has trouble
++ * with them due to bugs in both AMD and Intel CPUs.
+  */ 			 		
+ 
+ ENTRY(system_call)
+@@ -236,7 +240,10 @@
+ 	xorl %esi,%esi # oldset -> arg2
+ 	call ptregscall_common
+ 1:	movl $_TIF_NEED_RESCHED,%edi
+-	jmp sysret_check
++	/* Use IRET because user could have changed frame. This
++	   works because ptregscall_common has called FIXUP_TOP_OF_STACK. */
++	cli
++	jmp int_with_check
+ 	
+ 	/* Do syscall tracing */
+ tracesys:			 
+@@ -257,7 +264,9 @@
+ 	call syscall_trace_leave
+ 	RESTORE_TOP_OF_STACK %rbx
+ 	RESTORE_REST
+-	jmp ret_from_sys_call
++	/* Use IRET because user could have changed frame */
++	jmp int_ret_from_sys_call
++
+ 		
+ badsys:
+ 	movq $-ENOSYS,RAX-ARGOFFSET(%rsp)	
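Review bot: The backport carries only the sysret_signal/ptregscall_common and tracesys hunks of Andi Kleen's patch; as far as I recall, the upstream version of this commit also rewrote stub_execve so that the 64-bit execve return (the fast path that pushes %r11 and uses `ret`) goes through int_ret_from_sys_call rather than SYSRET, and that hunk is absent here. Whether 2.6.8's stub_execve still has that SYSRET-bound path, and whether binfmt-bad-elf-entry-address.dpatch (already in this series) is considered sufficient cover for it, should be confirmed before this ships. The `cli` added before `jmp int_with_check` is the only new instruction without a rationale; int_with_check is presumably entered with interrupts already off (int_ret_from_sys_call does its own cli first), so a comment such as `cli	/* int_with_check expects interrupts disabled */` would make that invariant explicit — confirm against entry.S, since that label's body is outside the hunk. The trailing blank `+` line after `jmp int_ret_from_sys_call` adds a whitespace-only line to entry.S and can be dropped. Both hunks sit inside system_call's body, which begins and ends outside the hunks shown.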

Modified: dists/sarge-security/kernel/source/kernel-source-2.6.8-2.6.8/debian/patches/series/2.6.8-16sarge3
==============================================================================
--- dists/sarge-security/kernel/source/kernel-source-2.6.8-2.6.8/debian/patches/series/2.6.8-16sarge3	(original)
+++ dists/sarge-security/kernel/source/kernel-source-2.6.8-2.6.8/debian/patches/series/2.6.8-16sarge3	Thu May 18 21:29:25 2006
@@ -7,3 +7,4 @@
 + ia64-die_if_kernel-returns.dpatch
 + cifs-chroot-escape.dpatch
 + binfmt-bad-elf-entry-address.dpatch
++ em64t-uncanonical-return-addr.dpatch


