[kernel] r19745 - in dists/squeeze/linux-2.6/debian: . patches/bugfix/x86 patches/series
Ben Hutchings
benh at alioth.debian.org
Sat Jan 19 04:59:50 UTC 2013
Author: benh
Date: Sat Jan 19 04:59:48 2013
New Revision: 19745
Log:
[x86] xen: Two critical fixes for PV guests
Added:
dists/squeeze/linux-2.6/debian/patches/bugfix/x86/xen-Fix-stack-corruption-in-xen_failsafe_callback-fo.patch
dists/squeeze/linux-2.6/debian/patches/bugfix/x86/xen-x86-don-t-corrupt-eip-when-returning-from-a-sign.patch
Modified:
dists/squeeze/linux-2.6/debian/changelog
dists/squeeze/linux-2.6/debian/patches/series/47
Modified: dists/squeeze/linux-2.6/debian/changelog
==============================================================================
--- dists/squeeze/linux-2.6/debian/changelog Sat Jan 19 03:19:24 2013 (r19744)
+++ dists/squeeze/linux-2.6/debian/changelog Sat Jan 19 04:59:48 2013 (r19745)
@@ -86,6 +86,9 @@
(Closes: #698474)
* staging: Fix various log messages that were broken on 64-bit architectures
(Closes: #698475)
+ * [x86] xen/x86: don't corrupt %eip when returning from a signal handler
+ * [i386] xen: Fix stack corruption in xen_failsafe_callback for 32bit PVOPS
+ guests. (CVE-2013-0190)
[ Jonathan Nieder ]
* megaraid_sas: Backport changes up to Linux 3.0.56 (Closes: #666108)
Added: dists/squeeze/linux-2.6/debian/patches/bugfix/x86/xen-Fix-stack-corruption-in-xen_failsafe_callback-fo.patch
==============================================================================
--- /dev/null 00:00:00 1970 (empty, because file is newly added)
+++ dists/squeeze/linux-2.6/debian/patches/bugfix/x86/xen-Fix-stack-corruption-in-xen_failsafe_callback-fo.patch Sat Jan 19 04:59:48 2013 (r19745)
@@ -0,0 +1,59 @@
+From: Andrew Cooper <andrew.cooper3 at citrix.com>
+Date: Wed, 16 Jan 2013 12:00:55 +0000
+Subject: xen: Fix stack corruption in xen_failsafe_callback for 32bit PVOPS
+ guests.
+
+commit 9174adbee4a9a49d0139f5d71969852b36720809 upstream.
+
+This fixes CVE-2013-0190 / XSA-40
+
+There has been an error on the xen_failsafe_callback path for failed
+iret, which causes the stack pointer to be wrong when entering the
+iret_exc error path. This can result in the kernel crashing.
+
+In the classic kernel case, the relevant code looked a little like:
+
+ popl %eax # Error code from hypervisor
+ jz 5f
+ addl $16,%esp
+ jmp iret_exc # Hypervisor said iret fault
+5: addl $16,%esp
+ # Hypervisor said segment selector fault
+
+Here, there are two identical addls on either option of a branch which
+appears to have been optimised by hoisting it above the jz, and
+converting it to an lea, which leaves the flags register unaffected.
+
+In the PVOPS case, the code looks like:
+
+ popl_cfi %eax # Error from the hypervisor
+ lea 16(%esp),%esp # Add $16 before choosing fault path
+ CFI_ADJUST_CFA_OFFSET -16
+ jz 5f
+ addl $16,%esp # Incorrectly adjust %esp again
+ jmp iret_exc
+
+It is possible unprivileged userspace applications to cause this
+behaviour, for example by loading an LDT code selector, then changing
+the code selector to be not-present. At this point, there is a race
+condition where it is possible for the hypervisor to return back to
+userspace from an interrupt, fault on its own iret, and inject a
+failsafe_callback into the kernel.
+
+This bug has been present since the introduction of Xen PVOPS support
+in commit 5ead97c84 (xen: Core Xen implementation), in 2.6.23.
+
+Signed-off-by: Frediano Ziglio <frediano.ziglio at citrix.com>
+Signed-off-by: Andrew Cooper <andrew.cooper3 at citrix.com>
+Signed-off-by: Konrad Rzeszutek Wilk <konrad.wilk at oracle.com>
+---
+--- a/arch/x86/kernel/entry_32.S
++++ b/arch/x86/kernel/entry_32.S
+@@ -1059,7 +1059,6 @@ ENTRY(xen_failsafe_callback)
+ lea 16(%esp),%esp
+ CFI_ADJUST_CFA_OFFSET -16
+ jz 5f
+- addl $16,%esp
+ jmp iret_exc
+ 5: pushl $-1 /* orig_ax = -1 => not a system call */
+ CFI_ADJUST_CFA_OFFSET 4
Added: dists/squeeze/linux-2.6/debian/patches/bugfix/x86/xen-x86-don-t-corrupt-eip-when-returning-from-a-sign.patch
==============================================================================
--- /dev/null 00:00:00 1970 (empty, because file is newly added)
+++ dists/squeeze/linux-2.6/debian/patches/bugfix/x86/xen-x86-don-t-corrupt-eip-when-returning-from-a-sign.patch Sat Jan 19 04:59:48 2013 (r19745)
@@ -0,0 +1,90 @@
+From: David Vrabel <david.vrabel at citrix.com>
+Date: Fri, 19 Oct 2012 17:29:07 +0100
+Subject: xen/x86: don't corrupt %eip when returning from a signal handler
+
+commit a349e23d1cf746f8bdc603dcc61fae9ee4a695f6 upstream.
+
+In 32 bit guests, if a userspace process has %eax == -ERESTARTSYS
+(-512) or -ERESTARTNOINTR (-513) when it is interrupted by an event
+/and/ the process has a pending signal then %eip (and %eax) are
+corrupted when returning to the main process after handling the
+signal. The application may then crash with SIGSEGV or a SIGILL or it
+may have subtly incorrect behaviour (depending on what instruction it
+returned to).
+
+The occurs because handle_signal() is incorrectly thinking that there
+is a system call that needs to restarted so it adjusts %eip and %eax
+to re-execute the system call instruction (even though user space had
+not done a system call).
+
+If %eax == -514 (-ERESTARTNOHAND (-514) or -ERESTART_RESTARTBLOCK
+(-516) then handle_signal() only corrupted %eax (by setting it to
+-EINTR). This may cause the application to crash or have incorrect
+behaviour.
+
+handle_signal() assumes that regs->orig_ax >= 0 means a system call so
+any kernel entry point that is not for a system call must push a
+negative value for orig_ax. For example, for physical interrupts on
+bare metal the inverse of the vector is pushed and page_fault() sets
+regs->orig_ax to -1, overwriting the hardware provided error code.
+
+xen_hypervisor_callback() was incorrectly pushing 0 for orig_ax
+instead of -1.
+
+Classic Xen kernels pushed %eax which works as %eax cannot be both
+non-negative and -RESTARTSYS (etc.), but using -1 is consistent with
+other non-system call entry points and avoids some of the tests in
+handle_signal().
+
+There were similar bugs in xen_failsafe_callback() of both 32 and
+64-bit guests. If the fault was corrected and the normal return path
+was used then 0 was incorrectly pushed as the value for orig_ax.
+
+Signed-off-by: David Vrabel <david.vrabel at citrix.com>
+Acked-by: Jan Beulich <JBeulich at suse.com>
+Acked-by: Ian Campbell <ian.campbell at citrix.com>
+Signed-off-by: Konrad Rzeszutek Wilk <konrad.wilk at oracle.com>
+[bwh: Backported to 2.6.32: adjust context; no pushl_cfi]
+---
+--- a/arch/x86/kernel/entry_32.S
++++ b/arch/x86/kernel/entry_32.S
+@@ -1007,7 +1007,7 @@ ENTRY(xen_sysenter_target)
+
+ ENTRY(xen_hypervisor_callback)
+ CFI_STARTPROC
+- pushl $0
++ pushl $-1 /* orig_ax = -1 => not a system call */
+ CFI_ADJUST_CFA_OFFSET 4
+ SAVE_ALL
+ TRACE_IRQS_OFF
+@@ -1051,15 +1051,17 @@ ENTRY(xen_failsafe_callback)
+ 2: mov 8(%esp),%es
+ 3: mov 12(%esp),%fs
+ 4: mov 16(%esp),%gs
++ /* EAX == 0 => Category 1 (Bad segment)
++ EAX != 0 => Category 2 (Bad IRET) */
+ testl %eax,%eax
+ popl %eax
+ CFI_ADJUST_CFA_OFFSET -4
+ lea 16(%esp),%esp
+ CFI_ADJUST_CFA_OFFSET -16
+ jz 5f
+ addl $16,%esp
+- jmp iret_exc # EAX != 0 => Category 2 (Bad IRET)
+-5: pushl $0 # EAX == 0 => Category 1 (Bad segment)
++ jmp iret_exc
++5: pushl $-1 /* orig_ax = -1 => not a system call */
+ CFI_ADJUST_CFA_OFFSET 4
+ SAVE_ALL
+ jmp ret_from_exception
+--- a/arch/x86/kernel/entry_64.S
++++ b/arch/x86/kernel/entry_64.S
+@@ -1358,7 +1358,7 @@ ENTRY(xen_failsafe_callback)
+ CFI_RESTORE r11
+ addq $0x30,%rsp
+ CFI_ADJUST_CFA_OFFSET -0x30
+- pushq_cfi $0
++ pushq_cfi $-1 /* orig_ax = -1 => not a system call */
+ SAVE_ALL
+ jmp error_exit
+ CFI_ENDPROC
Modified: dists/squeeze/linux-2.6/debian/patches/series/47
==============================================================================
--- dists/squeeze/linux-2.6/debian/patches/series/47 Sat Jan 19 03:19:24 2013 (r19744)
+++ dists/squeeze/linux-2.6/debian/patches/series/47 Sat Jan 19 04:59:48 2013 (r19745)
@@ -201,3 +201,5 @@
+ bugfix/all/staging-usbip-changed-function-return-type-to-void.patch
+ bugfix/all/staging-speakup-fix-printk-format-warning.patch
+ bugfix/all/staging-fix-wlan-ng-printk-format-warning.patch
++ bugfix/x86/xen-x86-don-t-corrupt-eip-when-returning-from-a-sign.patch
++ bugfix/x86/xen-Fix-stack-corruption-in-xen_failsafe_callback-fo.patch
More information about the Kernel-svn-changes
mailing list