[Glibc-bsd-commits] r4302 - in trunk/kfreebsd-8/debian: . patches
Steven Chamberlain
stevenc-guest at alioth.debian.org
Wed Jun 13 20:21:44 UTC 2012
Author: stevenc-guest
Date: 2012-06-13 20:21:43 +0000 (Wed, 13 Jun 2012)
New Revision: 4302
Added:
trunk/kfreebsd-8/debian/patches/SA-12_04.sysret.patch
Modified:
trunk/kfreebsd-8/debian/changelog
trunk/kfreebsd-8/debian/patches/series
Log:
Apply upstream SA-12:04.sysret patch (CVE-2012-0217) (Closes: #677297)
Modified: trunk/kfreebsd-8/debian/changelog
===================================================================
--- trunk/kfreebsd-8/debian/changelog 2012-06-13 13:14:00 UTC (rev 4301)
+++ trunk/kfreebsd-8/debian/changelog 2012-06-13 20:21:43 UTC (rev 4302)
@@ -1,3 +1,10 @@
+kfreebsd-8 (8.3-4) UNRELEASED; urgency=low
+
+ [ Steven Chamberlain ]
+ * Apply upstream SA-12:04.sysret patch (CVE-2012-0217) (Closes: #677297)
+
+ -- GNU/kFreeBSD Maintainers <debian-bsd at lists.debian.org> Wed, 13 Jun 2012 21:03:59 +0100
+
kfreebsd-8 (8.3-3) unstable; urgency=high
* Make kfreebsd-9 the default upgrade path for kfreebsd-image-8- at flavor@
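Review bot: urgency=low on the new 8.3-4 entry does not fit a change whose only item applies a security advisory patch with a CVE assigned; the 8.3-3 entry directly below it was uploaded with urgency=high. Suggest raising the urgency before the entry leaves UNRELEASED, and naming the issue class in the changelog line (privilege escalation on return from kernel, per the patch Description) so that readers of the changelog do not have to look up the advisory.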
Added: trunk/kfreebsd-8/debian/patches/SA-12_04.sysret.patch
===================================================================
--- trunk/kfreebsd-8/debian/patches/SA-12_04.sysret.patch (rev 0)
+++ trunk/kfreebsd-8/debian/patches/SA-12_04.sysret.patch 2012-06-13 20:21:43 UTC (rev 4302)
@@ -0,0 +1,32 @@
+Description:
+ Correct a privilege escalation when returning from kernel if
+ running FreeBSD/amd64 on non-AMD processors. [12:04]
+Origin: vendor, http://security.freebsd.org/patches/SA-12:04/sysret.patch
+Bug: http://security.freebsd.org/advisories/FreeBSD-SA-12:04.sysret.asc
+Bug-Debian: http://bugs.debian.org/677297
+Applied-Upstream: http://svnweb.freebsd.org/base/stable/9/sys/amd64/amd64/trap.c?revision=236953&view=markup
+
+--- a/sys/amd64/amd64/trap.c.orig
++++ b/sys/amd64/amd64/trap.c (working copy)
+@@ -972,4 +972,21 @@
+ syscallname(td->td_proc, sa.code)));
+
+ syscallret(td, error, &sa);
++
++ /*
++ * If the user-supplied value of %rip is not a canonical
++ * address, then some CPUs will trigger a ring 0 #GP during
++ * the sysret instruction. However, the fault handler would
++ * execute with the user's %gs and %rsp in ring 0 which would
++ * not be safe. Instead, preemptively kill the thread with a
++ * SIGBUS.
++ */
++ if (td->td_frame->tf_rip >= VM_MAXUSER_ADDRESS) {
++ ksiginfo_init_trap(&ksi);
++ ksi.ksi_signo = SIGBUS;
++ ksi.ksi_code = BUS_OBJERR;
++ ksi.ksi_trapno = T_PROTFLT;
++ ksi.ksi_addr = (void *)td->td_frame->tf_rip;
++ trapsignal(td, &ksi);
++ }
+ }
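Review bot: the added block after syscallret() uses ksi (from ksiginfo_init_trap(&ksi) through trapsignal(td, &ksi)) but no declaration of it is visible in this hunk, and the Applied-Upstream header points at the stable/9 revision of trap.c while this package is kfreebsd-8. Please confirm that the enclosing function in the 8.3 source already declares a ksiginfo_t ksi and that the @@ -972,4 offset applies there cleanly; if it does, a short note in the patch header saying the stable/9 change applies unmodified to 8.3 would document that. The in-code comment explains why the #GP in ring 0 is unsafe, but the header Description could also mention that the check compares tf_rip against VM_MAXUSER_ADDRESS and delivers SIGBUS, since that is the behaviour change users will observe.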
Modified: trunk/kfreebsd-8/debian/patches/series
===================================================================
--- trunk/kfreebsd-8/debian/patches/series 2012-06-13 13:14:00 UTC (rev 4301)
+++ trunk/kfreebsd-8/debian/patches/series 2012-06-13 20:21:43 UTC (rev 4302)
@@ -9,6 +9,7 @@
improve_tmpfs_mem_info.diff
remove_tmpfs_warning.diff
amd64_increase_DFLDSIZ.diff
+SA-12_04.sysret.patch
# Other patches that might or might not be mergeable
001_misc.diff
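Review bot: SA-12_04.sysret.patch is appended directly after amd64_increase_DFLDSIZ.diff with nothing marking it as an upstream security fix, unlike the group below, which has its own comment line. A one-line comment above the entry (for example noting that it is FreeBSD-SA-12:04 and can be dropped once the packaged upstream version includes it) would make the series file easier to maintain on the next rebase.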