[Glibc-bsd-commits] r4316 - in branches/squeeze/kfreebsd-8/debian: . patches

Steven Chamberlain stevenc-guest at alioth.debian.org
Sat Jun 16 17:24:56 UTC 2012


Author: stevenc-guest
Date: 2012-06-16 17:24:56 +0000 (Sat, 16 Jun 2012)
New Revision: 4316

Added:
   branches/squeeze/kfreebsd-8/debian/patches/SA-12_04.sysret.patch
Modified:
   branches/squeeze/kfreebsd-8/debian/changelog
   branches/squeeze/kfreebsd-8/debian/patches/series
Log:
Apply upstream SA-12:04.sysret patch (CVE-2012-0217) (Closes: #677297)

Also fixed up indentation and refreshed the patch.


Modified: branches/squeeze/kfreebsd-8/debian/changelog
===================================================================
--- branches/squeeze/kfreebsd-8/debian/changelog	2012-06-16 11:47:24 UTC (rev 4315)
+++ branches/squeeze/kfreebsd-8/debian/changelog	2012-06-16 17:24:56 UTC (rev 4316)
@@ -1,3 +1,10 @@
+kfreebsd-8 (8.1+dfsg-8+squeeze3) UNRELEASED; urgency=low
+
+  [ Steven Chamberlain ]
+  * Apply upstream SA-12:04.sysret patch (CVE-2012-0217) (Closes: #677297)
+
+ -- GNU/kFreeBSD Maintainers <debian-bsd at lists.debian.org>  Sat, 16 Jun 2012 18:23:36 +0100
+
 kfreebsd-8 (8.1+dfsg-8+squeeze2) stable-security; urgency=low
 
   * Add 000_unix_socket_overflow.diff and 918_unix_socket_overflow.diff:
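Review bot: the new entry targets UNRELEASED while the fix is a stable-security update, like the squeeze2 entry directly below it (`kfreebsd-8 (8.1+dfsg-8+squeeze2) stable-security; urgency=low`); before upload the distribution should be changed to stable-security, and urgency=high would be the usual choice for a privilege-escalation fix (CVE-2012-0217) so that it migrates promptly. Otherwise the entry reads fine and the Closes reference matches the Bug-Debian header in the patch.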

Added: branches/squeeze/kfreebsd-8/debian/patches/SA-12_04.sysret.patch
===================================================================
--- branches/squeeze/kfreebsd-8/debian/patches/SA-12_04.sysret.patch	                        (rev 0)
+++ branches/squeeze/kfreebsd-8/debian/patches/SA-12_04.sysret.patch	2012-06-16 17:24:56 UTC (rev 4316)
@@ -0,0 +1,36 @@
+Description:
+ Correct a privilege escalation when returning from kernel if
+ running FreeBSD/amd64 on non-AMD processors. [12:04]
+Origin: vendor, http://security.freebsd.org/patches/SA-12:04/sysret.patch
+Bug: http://security.freebsd.org/advisories/FreeBSD-SA-12:04.sysret.asc
+Bug-Debian: http://bugs.debian.org/677297
+Applied-Upstream: http://svnweb.freebsd.org/base/releng/8.1/sys/amd64/amd64/trap.c?view=log&pathrev=236953
+
+Index: kfreebsd-8-8.1+dfsg/sys/amd64/amd64/trap.c
+===================================================================
+--- kfreebsd-8-8.1+dfsg.orig/sys/amd64/amd64/trap.c	2012-06-16 18:22:30.000000000 +0100
++++ kfreebsd-8-8.1+dfsg/sys/amd64/amd64/trap.c	2012-06-16 18:22:33.160013770 +0100
+@@ -972,6 +972,23 @@
+ 		ksi.ksi_code = TRAP_TRACE;
+ 		ksi.ksi_addr = (void *)frame->tf_rip;
+ 		trapsignal(td, &ksi);
++
++		/*
++		 * If the user-supplied value of %rip is not a canonical
++		 * address, then some CPUs will trigger a ring 0 #GP during
++		 * the sysret instruction.  However, the fault handler would
++		 * execute with the user's %gs and %rsp in ring 0 which would
++		 * not be safe.  Instead, preemptively kill the thread with a
++		 * SIGBUS.
++		 */
++		if (td->td_frame->tf_rip >= VM_MAXUSER_ADDRESS) {
++			ksiginfo_init_trap(&ksi);
++			ksi.ksi_signo = SIGBUS;
++			ksi.ksi_code = BUS_OBJERR;
++			ksi.ksi_trapno = T_PROTFLT;
++			ksi.ksi_addr = (void *)td->td_frame->tf_rip;
++			trapsignal(td, &ksi);
++		}
+ 	}
+ 
+ 	/*
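Review bot: the added canonical-%rip check is nested inside the block that delivers the TRAP_TRACE signal: the `+` lines are indented two tabs and sit between `trapsignal(td, &ksi);` and the closing ` 	}` of that block, so the SIGBUS path only runs when the syscall return is being traced, whereas the comment says the thread must be killed whenever the user-supplied %rip is non-canonical, which requires the unconditional return path. Move the comment and the `if (td->td_frame->tf_rip >= VM_MAXUSER_ADDRESS) {` block to after the closing `}` at one-tab indentation, and re-count the hunk after moving it, since the log says the indentation was adjusted by hand while refreshing. Also worth a second look: the existing code two lines above reads `frame->tf_rip` while the new code uses `td->td_frame->tf_rip`; if the two are the same frame here, using one spelling consistently avoids the reader having to verify that.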

Modified: branches/squeeze/kfreebsd-8/debian/patches/series
===================================================================
--- branches/squeeze/kfreebsd-8/debian/patches/series	2012-06-16 11:47:24 UTC (rev 4315)
+++ branches/squeeze/kfreebsd-8/debian/patches/series	2012-06-16 17:24:56 UTC (rev 4316)
@@ -1,3 +1,4 @@
+SA-12_04.sysret.patch
 000_adaptive_machine_arch.diff 
 000_ata.diff
 000_coda.diff
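Review bot: the new entry is prepended ahead of the numbered `000_*` patches, so it is applied first and was evidently refreshed against the unpatched `.orig` tree; that works, but it departs from the numbering convention of the rest of the series, so either give it a numbered name that matches the others or note in the patch header why it must apply before `000_adaptive_machine_arch.diff`. Unrelated and pre-existing: the context line `000_adaptive_machine_arch.diff ` carries a trailing space.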
