[kernel] r6598 - in dists/sarge-security/kernel/source/kernel-source-2.6.8-2.6.8/debian: patches patches/series
Dann Frazier
dannf at costa.debian.org
Thu May 18 21:29:26 UTC 2006
Author: dannf
Date: Thu May 18 21:29:25 2006
New Revision: 6598
Added:
dists/sarge-security/kernel/source/kernel-source-2.6.8-2.6.8/debian/patches/em64t-uncanonical-return-addr.dpatch
Modified:
dists/sarge-security/kernel/source/kernel-source-2.6.8-2.6.8/debian/changelog
dists/sarge-security/kernel/source/kernel-source-2.6.8-2.6.8/debian/patches/series/2.6.8-16sarge3
Log:
* em64t-uncanonical-return-addr.dpatch
[SECURITY][amd64] Fix local DoS vulnerability on em64t systems that arises
when returning program control using SYSRET
See CVE-2006-0744
Modified: dists/sarge-security/kernel/source/kernel-source-2.6.8-2.6.8/debian/changelog
==============================================================================
--- dists/sarge-security/kernel/source/kernel-source-2.6.8-2.6.8/debian/changelog (original)
+++ dists/sarge-security/kernel/source/kernel-source-2.6.8-2.6.8/debian/changelog Thu May 18 21:29:25 2006
@@ -32,8 +32,12 @@
[SECURITY][amd64] Fix potential local DoS vulnerability in the binfmt_elf
code on em64t processors
See CVE-2006-0741
+ * em64t-uncanonical-return-addr.dpatch
+ [SECURITY][amd64] Fix local DoS vulnerability on em64t systems that arises
+ when returning program control using SYSRET
+ See CVE-2006-0744
- -- dann frazier <dannf at debian.org> Thu, 18 May 2006 15:55:02 -0500
+ -- dann frazier <dannf at debian.org> Thu, 18 May 2006 16:28:52 -0500
kernel-source-2.6.8 (2.6.8-16sarge2) stable-security; urgency=high
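Review bot: the new changelog entry (the four added lines after CVE-2006-0741) describes only the symptom, not the change; since this is a stable-security upload, say what the dpatch does ("force IRET instead of SYSRET on the ptregs and syscall-tracing return paths") and that it is a backport of Andi Kleen's upstream x86_64 patch, so users can match the fix to upstream. The entry also says "on em64t systems" while the dpatch's own comment says the SYSRET problem affects both AMD and Intel CPUs; pick one wording and use it in both places.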
Added: dists/sarge-security/kernel/source/kernel-source-2.6.8-2.6.8/debian/patches/em64t-uncanonical-return-addr.dpatch
==============================================================================
--- (empty file)
+++ dists/sarge-security/kernel/source/kernel-source-2.6.8-2.6.8/debian/patches/em64t-uncanonical-return-addr.dpatch Thu May 18 21:29:25 2006
@@ -0,0 +1,64 @@
+Author: Andi Kleen <ak at suse.de>
+Date: Fri Apr 7 19:50:00 2006 +0200
+
+ [PATCH] x86_64: When user could have changed RIP always force IRET
+
+ Intel EM64T CPUs handle uncanonical return addresses differently
+ from AMD CPUs.
+
+ The exception is reported in the SYSRET, not the next instruction.
+ This leads to the kernel exception handler running on the user stack
+ with the wrong GS because the kernel didn't expect exceptions
+ on this instruction.
+
+ This version of the patch has the teething problems that plagued an earlier
+ version fixed.
+
+ This is CVE-2006-0744
+
+ Thanks to Ernie Petrides and Asit B. Mallick for analysis and initial
+ patches.
+
+ Signed-off-by: Andi Kleen <ak at suse.de>
+ Signed-off-by: Linus Torvalds <torvalds at osdl.org>
+
+ Signed-off-by: Troy Heber <troyh at debian.org>
+
+
+diff -urN kernel-source-2.6.8.orig/arch/x86_64/kernel/entry.S 2.6/arch/x86_64/kernel/entry.S
+--- kernel-source-2.6.8.orig/arch/x86_64/kernel/entry.S 2004-08-13 23:36:46.000000000 -0600
++++ 2.6/arch/x86_64/kernel/entry.S 2006-05-17 00:17:26.000000000 -0600
+@@ -173,6 +173,10 @@
+ *
+ * XXX if we had a free scratch register we could save the RSP into the stack frame
+ * and report it properly in ps. Unfortunately we haven't.
++ *
++ * When user can change the frames always force IRET. That is because
++ * it deals with uncanonical addresses better. SYSRET has trouble
++ * with them due to bugs in both AMD and Intel CPUs.
+ */
+
+ ENTRY(system_call)
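Review bot: the comment added to the entry.S header ("SYSRET has trouble with them due to bugs in both AMD and Intel CPUs") is vaguer than the description above it, which spells out the concrete failure on EM64T: the fault is raised on the SYSRET itself, so the handler runs on the user stack with the wrong GS. Carry that one sentence into the code comment, because the header comment is what a later reader of entry.S will see. Also, the diff headers show the target is the 2004-08-13 2.6.8 entry.S while the change was written against a 2006 tree; record the upstream origin in the dpatch header and note that the backport was checked against the 2.6.8 layout.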
+@@ -236,7 +240,10 @@
+ xorl %esi,%esi # oldset -> arg2
+ call ptregscall_common
+ 1: movl $_TIF_NEED_RESCHED,%edi
+- jmp sysret_check
++ /* Use IRET because user could have changed frame. This
++ works because ptregscall_common has called FIXUP_TOP_OF_STACK. */
++ cli
++ jmp int_with_check
+
+ /* Do syscall tracing */
+ tracesys:
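Review bot: the new `cli` before `jmp int_with_check` is not explained by the comment, which only says why IRET is used; add that int_with_check must be entered with interrupts disabled, otherwise the next person touching this path will drop the `cli` as redundant. The comment also states the jump is safe "because ptregscall_common has called FIXUP_TOP_OF_STACK"; that was true of the tree the patch came from, so confirm it holds for 2.6.8's ptregscall_common before the `1:` return point, since reaching int_with_check with a partial frame is exactly the class of bug this patch is fixing.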
+@@ -257,7 +264,9 @@
+ call syscall_trace_leave
+ RESTORE_TOP_OF_STACK %rbx
+ RESTORE_REST
+- jmp ret_from_sys_call
++ /* Use IRET because user could have changed frame */
++ jmp int_ret_from_sys_call
++
+
+ badsys:
+ movq $-ENOSYS,RAX-ARGOFFSET(%rsp)
Modified: dists/sarge-security/kernel/source/kernel-source-2.6.8-2.6.8/debian/patches/series/2.6.8-16sarge3
==============================================================================
--- dists/sarge-security/kernel/source/kernel-source-2.6.8-2.6.8/debian/patches/series/2.6.8-16sarge3 (original)
+++ dists/sarge-security/kernel/source/kernel-source-2.6.8-2.6.8/debian/patches/series/2.6.8-16sarge3 Thu May 18 21:29:25 2006
@@ -7,3 +7,4 @@
+ ia64-die_if_kernel-returns.dpatch
+ cifs-chroot-escape.dpatch
+ binfmt-bad-elf-entry-address.dpatch
++ em64t-uncanonical-return-addr.dpatch