[Glibc-bsd-commits] r4301 - in trunk/kfreebsd-9/debian: . patches

Steven Chamberlain stevenc-guest at alioth.debian.org
Wed Jun 13 13:14:01 UTC 2012


Author: stevenc-guest
Date: 2012-06-13 13:14:00 +0000 (Wed, 13 Jun 2012)
New Revision: 4301

Added:
   trunk/kfreebsd-9/debian/patches/SA-12_04.sysret.patch
Modified:
   trunk/kfreebsd-9/debian/changelog
   trunk/kfreebsd-9/debian/patches/series
Log:
Apply upstream SA-12:04.sysret patch (CVE-2012-0217) (Closes: #677298)


Modified: trunk/kfreebsd-9/debian/changelog
===================================================================
--- trunk/kfreebsd-9/debian/changelog	2012-06-10 19:23:52 UTC (rev 4300)
+++ trunk/kfreebsd-9/debian/changelog	2012-06-13 13:14:00 UTC (rev 4301)
@@ -1,3 +1,10 @@
+kfreebsd-9 (9.0-4) UNRELEASED; urgency=low
+
+  [ Steven Chamberlain ]
+  * Apply upstream SA-12:04.sysret patch (CVE-2012-0217) (Closes: #677298)
+
+ -- GNU/kFreeBSD Maintainers <debian-bsd at lists.debian.org>  Wed, 13 Jun 2012 13:42:57 +0100
+
 kfreebsd-9 (9.0-3) unstable; urgency=low
 
   * improve_tmpfs_mem_info.diff: Cherry-pick tmpfs allocation from
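Review bot: urgency=low on the new 9.0-4 header line looks too low for an entry whose only change is the CVE-2012-0217 fix, which the patch description in this same commit calls a privilege escalation. Consider urgency=high (or at least medium) before the UNRELEASED entry is finalised, so the fixed kernel is not held back by the normal migration delay.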

Added: trunk/kfreebsd-9/debian/patches/SA-12_04.sysret.patch
===================================================================
--- trunk/kfreebsd-9/debian/patches/SA-12_04.sysret.patch	                        (rev 0)
+++ trunk/kfreebsd-9/debian/patches/SA-12_04.sysret.patch	2012-06-13 13:14:00 UTC (rev 4301)
@@ -0,0 +1,32 @@
+Description:
+ Correct a privilege escalation when returning from kernel if
+ running FreeBSD/amd64 on non-AMD processors. [12:04]
+Origin: vendor, http://security.freebsd.org/patches/SA-12:04/sysret.patch
+Bug: http://security.freebsd.org/advisories/FreeBSD-SA-12:04.sysret.asc
+Bug-Debian: http://bugs.debian.org/677298
+Applied-Upstream: http://svnweb.freebsd.org/base/stable/9/sys/amd64/amd64/trap.c?revision=236953&view=markup
+
+--- a/sys/amd64/amd64/trap.c.orig
++++ b/sys/amd64/amd64/trap.c	(working copy)
+@@ -972,4 +972,21 @@
+ 	     syscallname(td->td_proc, sa.code)));
+ 
+ 	syscallret(td, error, &sa);
++
++	/*
++	 * If the user-supplied value of %rip is not a canonical
++	 * address, then some CPUs will trigger a ring 0 #GP during
++	 * the sysret instruction.  However, the fault handler would
++	 * execute with the user's %gs and %rsp in ring 0 which would
++	 * not be safe.  Instead, preemptively kill the thread with a
++	 * SIGBUS.
++	 */
++	if (td->td_frame->tf_rip >= VM_MAXUSER_ADDRESS) {
++		ksiginfo_init_trap(&ksi);
++		ksi.ksi_signo = SIGBUS;
++		ksi.ksi_code = BUS_OBJERR;
++		ksi.ksi_trapno = T_PROTFLT;
++		ksi.ksi_addr = (void *)td->td_frame->tf_rip;
++		trapsignal(td, &ksi);
++	}
+ }
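Review bot: the comment in the added trap.c block talks about a non-canonical %rip, but the test `td->td_frame->tf_rip >= VM_MAXUSER_ADDRESS` is broader, since it also rejects canonical addresses at or above the user limit. That is the safe direction, but the comment should say "not a valid user address" or similar, so that nobody later narrows the check to a strict canonical-address test. Separately, the block uses `ksi` with no declaration visible in the hunk, so it is worth confirming that the enclosing function in the 9.0 tree already declares it. The DEP-3 `Description:` field also has an empty first line where the one-line synopsis belongs.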

Modified: trunk/kfreebsd-9/debian/patches/series
===================================================================
--- trunk/kfreebsd-9/debian/patches/series	2012-06-10 19:23:52 UTC (rev 4300)
+++ trunk/kfreebsd-9/debian/patches/series	2012-06-13 13:14:00 UTC (rev 4301)
@@ -2,6 +2,7 @@
 improve_tmpfs_mem_info.diff
 remove_tmpfs_warning.diff
 amd64_increase_DFLDSIZ.diff
+SA-12_04.sysret.patch
 
 # Other patches that might or might not be mergeable
 001_misc.diff
