[Glibc-bsd-commits] r4316 - in branches/squeeze/kfreebsd-8/debian: . patches
Steven Chamberlain
stevenc-guest at alioth.debian.org
Sat Jun 16 17:24:56 UTC 2012
Author: stevenc-guest
Date: 2012-06-16 17:24:56 +0000 (Sat, 16 Jun 2012)
New Revision: 4316
Added:
branches/squeeze/kfreebsd-8/debian/patches/SA-12_04.sysret.patch
Modified:
branches/squeeze/kfreebsd-8/debian/changelog
branches/squeeze/kfreebsd-8/debian/patches/series
Log:
Apply upstream SA-12:04.sysret patch (CVE-2012-0217) (Closes: #677297)
Also fixed up indentation and refreshed the patch.
Modified: branches/squeeze/kfreebsd-8/debian/changelog
===================================================================
--- branches/squeeze/kfreebsd-8/debian/changelog 2012-06-16 11:47:24 UTC (rev 4315)
+++ branches/squeeze/kfreebsd-8/debian/changelog 2012-06-16 17:24:56 UTC (rev 4316)
@@ -1,3 +1,10 @@
+kfreebsd-8 (8.1+dfsg-8+squeeze3) UNRELEASED; urgency=low
+
+ [ Steven Chamberlain ]
+ * Apply upstream SA-12:04.sysret patch (CVE-2012-0217) (Closes: #677297)
+
+ -- GNU/kFreeBSD Maintainers <debian-bsd at lists.debian.org> Sat, 16 Jun 2012 18:23:36 +0100
+
kfreebsd-8 (8.1+dfsg-8+squeeze2) stable-security; urgency=low
* Add 000_unix_socket_overflow.diff and 918_unix_socket_overflow.diff:
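Review bot: the new 8.1+dfsg-8+squeeze3 bullet does not name the patch file it adds, whereas the previous entry lists its .diff files by name ("Add 000_unix_socket_overflow.diff and 918_unix_socket_overflow.diff"). Suggest wording such as "Add SA-12_04.sysret.patch: apply upstream SA-12:04.sysret fix (CVE-2012-0217)" so the changelog can be matched against debian/patches/series. The distribution field is still UNRELEASED, while the previous entry targeted stable-security, so it needs to be set before upload.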
Added: branches/squeeze/kfreebsd-8/debian/patches/SA-12_04.sysret.patch
===================================================================
--- branches/squeeze/kfreebsd-8/debian/patches/SA-12_04.sysret.patch (rev 0)
+++ branches/squeeze/kfreebsd-8/debian/patches/SA-12_04.sysret.patch 2012-06-16 17:24:56 UTC (rev 4316)
@@ -0,0 +1,36 @@
+Description:
+ Correct a privilege escalation when returning from kernel if
+ running FreeBSD/amd64 on non-AMD processors. [12:04]
+Origin: vendor, http://security.freebsd.org/patches/SA-12:04/sysret.patch
+Bug: http://security.freebsd.org/advisories/FreeBSD-SA-12:04.sysret.asc
+Bug-Debian: http://bugs.debian.org/677297
+Applied-Upstream: http://svnweb.freebsd.org/base/releng/8.1/sys/amd64/amd64/trap.c?view=log&pathrev=236953
+
+Index: kfreebsd-8-8.1+dfsg/sys/amd64/amd64/trap.c
+===================================================================
+--- kfreebsd-8-8.1+dfsg.orig/sys/amd64/amd64/trap.c 2012-06-16 18:22:30.000000000 +0100
++++ kfreebsd-8-8.1+dfsg/sys/amd64/amd64/trap.c 2012-06-16 18:22:33.160013770 +0100
+@@ -972,6 +972,23 @@
+ ksi.ksi_code = TRAP_TRACE;
+ ksi.ksi_addr = (void *)frame->tf_rip;
+ trapsignal(td, &ksi);
++
++ /*
++ * If the user-supplied value of %rip is not a canonical
++ * address, then some CPUs will trigger a ring 0 #GP during
++ * the sysret instruction. However, the fault handler would
++ * execute with the user's %gs and %rsp in ring 0 which would
++ * not be safe. Instead, preemptively kill the thread with a
++ * SIGBUS.
++ */
++ if (td->td_frame->tf_rip >= VM_MAXUSER_ADDRESS) {
++ ksiginfo_init_trap(&ksi);
++ ksi.ksi_signo = SIGBUS;
++ ksi.ksi_code = BUS_OBJERR;
++ ksi.ksi_trapno = T_PROTFLT;
++ ksi.ksi_addr = (void *)td->td_frame->tf_rip;
++ trapsignal(td, &ksi);
++ }
+ }
+
+ /*
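Review bot: the placement of the new tf_rip check in trap.c needs confirming, because the three context lines above it are the tail of the TRAP_TRACE signal delivery (ending in "trapsignal(td, &ksi);") and the first context line below it is a lone "}". If that brace closes the traced-syscall conditional rather than the function, the check "if (td->td_frame->tf_rip >= VM_MAXUSER_ADDRESS)" only runs for traced syscalls, and an untraced syscall returning with a non-canonical %rip would still reach sysret. The commit log says the patch was re-indented and refreshed, so please compare the resulting nesting against the Applied-Upstream revision and make sure the check sits at function level on every return path. Minor: the comment speaks of a non-canonical %rip while the test is against VM_MAXUSER_ADDRESS; a short note in the comment that the comparison is deliberately broader would help later readers.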
Modified: branches/squeeze/kfreebsd-8/debian/patches/series
===================================================================
--- branches/squeeze/kfreebsd-8/debian/patches/series 2012-06-16 11:47:24 UTC (rev 4315)
+++ branches/squeeze/kfreebsd-8/debian/patches/series 2012-06-16 17:24:56 UTC (rev 4316)
@@ -1,3 +1,4 @@
+SA-12_04.sysret.patch
000_adaptive_machine_arch.diff
000_ata.diff
000_coda.diff
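Review bot: SA-12_04.sysret.patch is inserted as the first entry in series and does not follow the NNN_name.diff naming used by the entries below it (000_adaptive_machine_arch.diff, 000_ata.diff, 000_coda.diff). Being first means every later patch applies on top of the modified sys/amd64/amd64/trap.c, so confirm that none of the later patches touches that region and that the whole series still applies without fuzz. If the position is intentional, a numbered name in line with the existing convention would make the ordering explicit.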