[kernel] r5336 - patch-tracking
Dann Frazier
dannf at costa.debian.org
Sat Jan 7 01:47:12 UTC 2006
Author: dannf
Date: Sat Jan 7 01:47:09 2006
New Revision: 5336
Added:
patch-tracking/CVE-2005-0109
- copied, changed from r5333, patch-tracking/00boilerplate
patch-tracking/CVE-2005-0109.patch
patch-tracking/CVE-2005-1761-linux24.patch
Modified:
patch-tracking/CVE-2005-1761
Log:
add 2005-0109 & update 2005-1761
Copied: patch-tracking/CVE-2005-0109 (from r5333, patch-tracking/00boilerplate)
==============================================================================
--- patch-tracking/00boilerplate (original)
+++ patch-tracking/CVE-2005-0109 Sat Jan 7 01:47:09 2006
@@ -1,7 +1,43 @@
-Candidate:
+Candidate: CVE-2005-0109
References:
+ MISC:http://www.daemonology.net/papers/htt.pdf
+ MISC:http://www.daemonology.net/hyperthreading-considered-harmful/
+ MLIST:[openbsd-misc] 20050304 Re: FreeBSD hiding security stuff
+ URL:http://marc.theaimsgroup.com/?l=openbsd-misc&m=110995101417256&w=2
+ MLIST:[freebsd-security] 20050304 [Fwd: Re: FW:FreeBSD hiding security stuff]
+ URL:http://marc.theaimsgroup.com/?l=freebsd-security&m=110994370429609&w=2
+ MLIST:[freebsd-hackers] 20050304 Re: FW:FreeBSD hiding security stuff
+ URL:http://marc.theaimsgroup.com/?l=freebsd-hackers&m=110994026421858&w=2
+ MISC:http://www-1.ibm.com/support/docview.wss?uid=isg1SSRVHMCHMC_C081516_754
+ FREEBSD:FreeBSD-SA-05:09
+ SCO:SCOSA-2005.24
+ URL:ftp://ftp.sco.com/pub/updates/UnixWare/SCOSA-2005.24/SCOSA-2005.24.txt
+ SUNALERT:101739
+ URL:http://sunsolve.sun.com/search/document.do?assetkey=1-26-101739-1
+ CERT-VN:VU#911878
+ URL:http://www.kb.cert.org/vuls/id/911878
+ BID:12724
+ URL:http://www.securityfocus.com/bid/12724
+ FRSIRT:ADV-2005-0540
+ URL:http://www.frsirt.com/english/advisories/2005/0540
+ FRSIRT:ADV-2005-3002
+ URL:http://www.frsirt.com/english/advisories/2005/3002
+ SECTRACK:1013967
+ URL:http://securitytracker.com/id?1013967
+ SECUNIA:15348
+ URL:http://secunia.com/advisories/15348
+ SECUNIA:18165
+ URL:http://secunia.com/advisories/18165
Description:
+ Hyper-Threading technology, as used in FreeBSD and other operating systems
+ that are run on Intel Pentium and other processors, allows local users to use
+ a malicious thread to create covert channels, monitor the execution of other
+ threads, and obtain sensitive information such as cryptographic keys, via a
+ timing attack on memory cache misses.
Notes:
+ There's no upstream patch, but Ubuntu has included a patch that disables
+ HT by default, but allows users to turn it on again by booting w/ ht=on;
+ included here in the patch-tracker.
Bugs:
upstream:
linux-2.6:
Added: patch-tracking/CVE-2005-0109.patch
==============================================================================
--- (empty file)
+++ patch-tracking/CVE-2005-0109.patch Sat Jan 7 01:47:09 2006
@@ -0,0 +1,96 @@
+diff -urN x/Documentation/kernel-parameters.txt y/Documentation/kernel-parameters.txt
+--- x/Documentation/kernel-parameters.txt 2004-08-24 17:20:00.000000000 +1000
++++ y/Documentation/kernel-parameters.txt 2005-05-19 20:25:10.000000000 +1000
+@@ -451,6 +451,10 @@
+ hisax= [HW,ISDN]
+ See Documentation/isdn/README.HiSax.
+
++ ht= [HW,IA-32,SMP]
++ ht=on: Enable Hyper Threading
++ ht=off: Disable Hyper Threading
++
+ hugepages= [HW,IA-32,IA-64] Maximal number of HugeTLB pages.
+
+ noirqbalance [IA-32,SMP,KNL] Disable kernel irq balancing
+diff -urN x/arch/i386/Kconfig y/arch/i386/Kconfig
+--- x/arch/i386/Kconfig 2005-04-06 20:07:04.000000000 +1000
++++ y/arch/i386/Kconfig 2005-05-19 20:19:55.000000000 +1000
+@@ -1326,6 +1326,11 @@
+ depends on SMP && !(X86_VISWS || X86_VOYAGER)
+ default y
+
++config X86_HT_DISABLE
++ bool
++ depends on X86_HT
++ default y
++
+ config X86_BIOS_REBOOT
+ bool
+ depends on !(X86_VISWS || X86_VOYAGER)
+diff -urN x/arch/i386/kernel/cpu/intel.c y/arch/i386/kernel/cpu/intel.c
+--- x/arch/i386/kernel/cpu/intel.c 2004-08-24 17:16:24.000000000 +1000
++++ y/arch/i386/kernel/cpu/intel.c 2005-05-19 20:19:07.000000000 +1000
+@@ -267,6 +267,7 @@
+ #ifdef CONFIG_X86_HT
+ if (cpu_has(c, X86_FEATURE_HT)) {
+ extern int phys_proc_id[NR_CPUS];
++ extern int disable_ht;
+
+ u32 eax, ebx, ecx, edx;
+ int index_lsb, index_msb, tmp;
+@@ -275,6 +276,9 @@
+ cpuid(1, &eax, &ebx, &ecx, &edx);
+ smp_num_siblings = (ebx & 0xff0000) >> 16;
+
++ if (disable_ht)
++ smp_num_siblings = 1;
++
+ if (smp_num_siblings == 1) {
+ printk(KERN_INFO "CPU: Hyper-Threading is disabled\n");
+ } else if (smp_num_siblings > 1 ) {
+diff -urN x/arch/i386/kernel/setup.c y/arch/i386/kernel/setup.c
+--- x/arch/i386/kernel/setup.c 2005-04-06 20:11:18.000000000 +1000
++++ y/arch/i386/kernel/setup.c 2005-05-19 20:18:01.000000000 +1000
+@@ -57,6 +57,13 @@
+ unsigned long init_pg_tables_end __initdata = ~0UL;
+
+ int disable_pse __initdata = 0;
++#ifdef CONFIG_X86_HT
++#ifdef CONFIG_X86_HT_DISABLE
++int disable_ht __initdata = 1;
++#else
++int disable_ht __initdata = 0;
++#endif
++#endif
+
+ /*
+ * Machine setup..
+@@ -802,6 +809,13 @@
+ #endif /* CONFIG_X86_LOCAL_APIC */
+ #endif /* CONFIG_ACPI_BOOT */
+
++#ifdef CONFIG_X86_HT
++ else if (!memcmp(from, "ht=on", 5))
++ disable_ht = 0;
++ else if (!memcmp(from, "ht=off", 6))
++ disable_ht = 1;
++#endif
++
+ /*
+ * highmem=size forces highmem to be exactly 'size' bytes.
+ * This works even on boxes that have no highmem otherwise.
+diff -urN x/arch/x86_64/Kconfig y/arch/x86_64/Kconfig
+--- x/arch/x86_64/Kconfig 2004-08-24 17:18:41.000000000 +1000
++++ y/arch/x86_64/Kconfig 2005-05-19 20:20:45.000000000 +1000
+@@ -165,6 +165,11 @@
+ bool
+ depends on SMP && !MK8
+ default y
++
++config X86_HT_DISABLE
++ bool
++ depends on X86_HT
++ default y
+
+ config MATH_EMULATION
+ bool
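Review bot: The x86_64 half of this patch adds only the `X86_HT_DISABLE` Kconfig symbol (the `arch/x86_64/Kconfig` hunk at the end); no x86_64 C file in the patch reads `disable_ht` or parses `ht=`, so unless code outside this patch consumes the symbol, the mitigation described in the tracking notes takes effect on i386 only. On i386, `disable_ht` is defined `__initdata` in `setup.c` but is read from `intel.c` inside the `cpu_has(c, X86_FEATURE_HT)` block; if that function can run after init memory is released (CPU hot-plug), the read would touch freed memory — dropping `__initdata` from both definitions costs one `int` and removes the question. The `kernel-parameters.txt` entry documents `ht=on`/`ht=off` but not the default; I would add `Default is off when CONFIG_X86_HT_DISABLE=y.` after the `ht=off` line. The `setup.c` command-line hunk continues an `if`/`else if` chain whose head, and the enclosing function, lie outside the hunk.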
Modified: patch-tracking/CVE-2005-1761
==============================================================================
--- patch-tracking/CVE-2005-1761 (original)
+++ patch-tracking/CVE-2005-1761 Sat Jan 7 01:47:09 2006
@@ -8,6 +8,7 @@
restore_sigcontext function.
Notes:
jmm> This uses arch-ia64-ptrace-restore_sigcontext.dpatch, correct?
+ dannf> 2.4 patch for ia64 from SuSE in: CVE-2005-1761-linux24.patch
Bugs:
upstream: released (2.6.12.1)
linux-2.6: N/A
Added: patch-tracking/CVE-2005-1761-linux24.patch
==============================================================================
--- (empty file)
+++ patch-tracking/CVE-2005-1761-linux24.patch Sat Jan 7 01:47:09 2006
@@ -0,0 +1,68 @@
+--- linux-2.4.21/arch/ia64/kernel/ptrace.c.~1~ 2005-07-05 16:30:24.190901663 +0200
++++ linux-2.4.21/arch/ia64/kernel/ptrace.c 2005-07-05 16:32:16.211514373 +0200
+@@ -820,6 +820,13 @@ access_uarea (struct task_struct *child,
+ *data = (pt->cr_ipsr & IPSR_READ_MASK);
+ return 0;
+
++ case PT_AR_RSC:
++ if (write_access)
++ pt->ar_rsc = *data | (3 << 2); /* force PL3 */
++ else
++ *data = pt->ar_rsc;
++ return 0;
++
+ case PT_AR_RNAT:
+ urbs_end = ia64_get_user_rbs_end(child, pt, NULL);
+ rnat_addr = (long) ia64_rse_rnat_addr((long *) urbs_end);
+@@ -839,7 +846,7 @@ access_uarea (struct task_struct *child,
+ case PT_F6: case PT_F6+8: case PT_F7: case PT_F7+8:
+ case PT_F8: case PT_F8+8: case PT_F9: case PT_F9+8:
+ case PT_AR_BSPSTORE:
+- case PT_AR_RSC: case PT_AR_UNAT: case PT_AR_PFS:
++ case PT_AR_UNAT: case PT_AR_PFS:
+ case PT_AR_CCV: case PT_AR_FPSR: case PT_CR_IIP: case PT_PR:
+ /* scratch register */
+ ptr = (unsigned long *) ((long) pt + addr - PT_CR_IPSR);
+@@ -1068,13 +1075,13 @@ ptrace_setregs (struct task_struct *chil
+ /* app regs */
+
+ retval |= __get_user(pt->ar_pfs, &ppr->ar[PT_AUR_PFS]);
+- retval |= __get_user(pt->ar_rsc, &ppr->ar[PT_AUR_RSC]);
+ retval |= __get_user(pt->ar_bspstore, &ppr->ar[PT_AUR_BSPSTORE]);
+ retval |= __get_user(pt->ar_unat, &ppr->ar[PT_AUR_UNAT]);
+ retval |= __get_user(pt->ar_ccv, &ppr->ar[PT_AUR_CCV]);
+ retval |= __get_user(pt->ar_fpsr, &ppr->ar[PT_AUR_FPSR]);
+
+ retval |= access_uarea(child, PT_AR_EC, &ppr->ar[PT_AUR_EC], 1);
++ retval |= access_uarea(child, PT_AR_RSC, &ppr->ar[PT_AUR_RSC], 1);
+ retval |= access_uarea(child, PT_AR_LC, &ppr->ar[PT_AUR_LC], 1);
+ retval |= access_uarea(child, PT_AR_RNAT, &ppr->ar[PT_AUR_RNAT], 1);
+ retval |= access_uarea(child, PT_AR_BSP, &ppr->ar[PT_AUR_BSP], 1);
+--- linux-2.4.21/arch/ia64/kernel/signal.c.~1~ 2005-07-05 16:30:22.651837731 +0200
++++ linux-2.4.21/arch/ia64/kernel/signal.c 2005-07-05 16:33:52.907894962 +0200
+@@ -105,7 +105,7 @@ sys_sigaltstack (const stack_t *uss, sta
+ static long
+ restore_sigcontext (struct sigcontext *sc, struct sigscratch *scr)
+ {
+- unsigned long ip, flags, nat, um, cfm;
++ unsigned long ip, flags, nat, um, cfm, rsc;
+ long err;
+
+ /* restore scratch that always needs gets updated during signal delivery: */
+@@ -115,7 +115,7 @@ restore_sigcontext (struct sigcontext *s
+ err |= __get_user(ip, &sc->sc_ip); /* instruction pointer */
+ err |= __get_user(cfm, &sc->sc_cfm);
+ err |= __get_user(um, &sc->sc_um); /* user mask */
+- err |= __get_user(scr->pt.ar_rsc, &sc->sc_ar_rsc);
++ err |= __get_user(rsc, &sc->sc_ar_rsc);
+ err |= __get_user(scr->pt.ar_ccv, &sc->sc_ar_ccv);
+ err |= __get_user(scr->pt.ar_unat, &sc->sc_ar_unat);
+ err |= __get_user(scr->pt.ar_fpsr, &sc->sc_ar_fpsr);
+@@ -130,6 +130,7 @@ restore_sigcontext (struct sigcontext *s
+ err |= __copy_from_user(&scr->pt.r16, &sc->sc_gr[16], 16*8); /* r16-r31 */
+
+ scr->pt.cr_ifs = cfm | (1UL << 63);
++ scr->pt.ar_rsc = rsc | (3 << 2); /* force PL3 */
+
+ /* establish new instruction pointer: */
+ scr->pt.cr_iip = ip & ~0x3UL;
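Review bot: The `/* force PL3 */` comment at the new `PT_AR_RSC` case in `access_uarea` and again in `restore_sigcontext` does not say what is being defended; a maintainer seeing `*data | (3 << 2)` without the CVE reference has no hint that the OR must stay. I would expand it at both sites to `/* ar.rsc bits 2-3 are the RSE privilege level; a user-supplied value must never lower it below 3 (CVE-2005-1761) */`. The mask is duplicated as a bare `3 << 2` in two files; a single named constant in an ia64 header (placeholder name `<RSC_PL_MASK>`) would keep the two in step. Routing `ptrace_setregs` through `access_uarea` for `ar_rsc` is the right shape; any other direct store to `pt->ar_rsc` in the 2.4 tree is outside the hunk, so I could not confirm none remains. Both `access_uarea` hunks are partial and `restore_sigcontext` ends outside the hunk.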