[kernel] r5336 - patch-tracking

Dann Frazier dannf at costa.debian.org
Sat Jan 7 01:47:12 UTC 2006


Author: dannf
Date: Sat Jan  7 01:47:09 2006
New Revision: 5336

Added:
   patch-tracking/CVE-2005-0109
      - copied, changed from r5333, patch-tracking/00boilerplate
   patch-tracking/CVE-2005-0109.patch
   patch-tracking/CVE-2005-1761-linux24.patch
Modified:
   patch-tracking/CVE-2005-1761
Log:
add 2005-0109 & update 2005-1761


Copied: patch-tracking/CVE-2005-0109 (from r5333, patch-tracking/00boilerplate)
==============================================================================
--- patch-tracking/00boilerplate	(original)
+++ patch-tracking/CVE-2005-0109	Sat Jan  7 01:47:09 2006
@@ -1,7 +1,43 @@
-Candidate: 
+Candidate: CVE-2005-0109
 References: 
+ MISC:http://www.daemonology.net/papers/htt.pdf
+ MISC:http://www.daemonology.net/hyperthreading-considered-harmful/
+ MLIST:[openbsd-misc] 20050304 Re: FreeBSD hiding security stuff
+ URL:http://marc.theaimsgroup.com/?l=openbsd-misc&m=110995101417256&w=2
+ MLIST:[freebsd-security] 20050304 [Fwd: Re: FW:FreeBSD hiding security stuff]
+ URL:http://marc.theaimsgroup.com/?l=freebsd-security&m=110994370429609&w=2
+ MLIST:[freebsd-hackers] 20050304 Re: FW:FreeBSD hiding security stuff
+ URL:http://marc.theaimsgroup.com/?l=freebsd-hackers&m=110994026421858&w=2
+ MISC:http://www-1.ibm.com/support/docview.wss?uid=isg1SSRVHMCHMC_C081516_754
+ FREEBSD:FreeBSD-SA-05:09
+ SCO:SCOSA-2005.24
+ URL:ftp://ftp.sco.com/pub/updates/UnixWare/SCOSA-2005.24/SCOSA-2005.24.txt
+ SUNALERT:101739
+ URL:http://sunsolve.sun.com/search/document.do?assetkey=1-26-101739-1
+ CERT-VN:VU#911878
+ URL:http://www.kb.cert.org/vuls/id/911878
+ BID:12724
+ URL:http://www.securityfocus.com/bid/12724
+ FRSIRT:ADV-2005-0540
+ URL:http://www.frsirt.com/english/advisories/2005/0540
+ FRSIRT:ADV-2005-3002
+ URL:http://www.frsirt.com/english/advisories/2005/3002
+ SECTRACK:1013967
+ URL:http://securitytracker.com/id?1013967
+ SECUNIA:15348
+ URL:http://secunia.com/advisories/15348
+ SECUNIA:18165
+ URL:http://secunia.com/advisories/18165 
 Description: 
+ Hyper-Threading technology, as used in FreeBSD and other operating systems
+ that are run on Intel Pentium and other processors, allows local users to use
+ a malicious thread to create covert channels, monitor the execution of other
+ threads, and obtain sensitive information such as cryptographic keys, via a
+ timing attack on memory cache misses.
 Notes: 
+ There's no upstream patch, but Ubuntu has included a patch that disables
+ HT by default, but allows users to turn it on again by booting w/ ht=on;
+ included here in the patch-tracker.
 Bugs: 
 upstream: 
 linux-2.6:

Added: patch-tracking/CVE-2005-0109.patch
==============================================================================
--- (empty file)
+++ patch-tracking/CVE-2005-0109.patch	Sat Jan  7 01:47:09 2006
@@ -0,0 +1,96 @@
+diff -urN x/Documentation/kernel-parameters.txt y/Documentation/kernel-parameters.txt
+--- x/Documentation/kernel-parameters.txt	2004-08-24 17:20:00.000000000 +1000
++++ y/Documentation/kernel-parameters.txt	2005-05-19 20:25:10.000000000 +1000
+@@ -451,6 +451,10 @@
+ 	hisax=		[HW,ISDN]
+ 			See Documentation/isdn/README.HiSax.
+ 
++	ht=		[HW,IA-32,SMP]
++			ht=on: Enable Hyper Threading
++			ht=off: Disable Hyper Threading
++
+ 	hugepages=	[HW,IA-32,IA-64] Maximal number of HugeTLB pages.
+ 
+ 	noirqbalance	[IA-32,SMP,KNL] Disable kernel irq balancing
+diff -urN x/arch/i386/Kconfig y/arch/i386/Kconfig
+--- x/arch/i386/Kconfig	2005-04-06 20:07:04.000000000 +1000
++++ y/arch/i386/Kconfig	2005-05-19 20:19:55.000000000 +1000
+@@ -1326,6 +1326,11 @@
+ 	depends on SMP && !(X86_VISWS || X86_VOYAGER)
+ 	default y
+ 
++config X86_HT_DISABLE
++	bool
++	depends on X86_HT
++	default y
++
+ config X86_BIOS_REBOOT
+ 	bool
+ 	depends on !(X86_VISWS || X86_VOYAGER)
+diff -urN x/arch/i386/kernel/cpu/intel.c y/arch/i386/kernel/cpu/intel.c
+--- x/arch/i386/kernel/cpu/intel.c	2004-08-24 17:16:24.000000000 +1000
++++ y/arch/i386/kernel/cpu/intel.c	2005-05-19 20:19:07.000000000 +1000
+@@ -267,6 +267,7 @@
+ #ifdef CONFIG_X86_HT
+ 	if (cpu_has(c, X86_FEATURE_HT)) {
+ 		extern	int phys_proc_id[NR_CPUS];
++		extern	int disable_ht;
+ 		
+ 		u32 	eax, ebx, ecx, edx;
+ 		int 	index_lsb, index_msb, tmp;
+@@ -275,6 +276,9 @@
+ 		cpuid(1, &eax, &ebx, &ecx, &edx);
+ 		smp_num_siblings = (ebx & 0xff0000) >> 16;
+ 
++		if (disable_ht)
++			smp_num_siblings = 1;
++
+ 		if (smp_num_siblings == 1) {
+ 			printk(KERN_INFO  "CPU: Hyper-Threading is disabled\n");
+ 		} else if (smp_num_siblings > 1 ) {
+diff -urN x/arch/i386/kernel/setup.c y/arch/i386/kernel/setup.c
+--- x/arch/i386/kernel/setup.c	2005-04-06 20:11:18.000000000 +1000
++++ y/arch/i386/kernel/setup.c	2005-05-19 20:18:01.000000000 +1000
+@@ -57,6 +57,13 @@
+ unsigned long init_pg_tables_end __initdata = ~0UL;
+ 
+ int disable_pse __initdata = 0;
++#ifdef CONFIG_X86_HT
++#ifdef CONFIG_X86_HT_DISABLE
++int disable_ht __initdata = 1;
++#else
++int disable_ht __initdata = 0;
++#endif
++#endif
+ 
+ /*
+  * Machine setup..
+@@ -802,6 +809,13 @@
+ #endif /* CONFIG_X86_LOCAL_APIC */
+ #endif /* CONFIG_ACPI_BOOT */
+ 
++#ifdef CONFIG_X86_HT
++		else if (!memcmp(from, "ht=on", 5))
++			disable_ht = 0;
++		else if (!memcmp(from, "ht=off", 6))
++			disable_ht = 1;
++#endif
++
+ 		/*
+ 		 * highmem=size forces highmem to be exactly 'size' bytes.
+ 		 * This works even on boxes that have no highmem otherwise.
+diff -urN x/arch/x86_64/Kconfig y/arch/x86_64/Kconfig
+--- x/arch/x86_64/Kconfig	2004-08-24 17:18:41.000000000 +1000
++++ y/arch/x86_64/Kconfig	2005-05-19 20:20:45.000000000 +1000
+@@ -165,6 +165,11 @@
+ 	bool
+ 	depends on SMP && !MK8
+ 	default y
++
++config X86_HT_DISABLE
++	bool
++	depends on X86_HT
++	default y
+        
+ config MATH_EMULATION
+ 	bool
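Review bot: The arch/x86_64/Kconfig hunk adds X86_HT_DISABLE, but nothing in this patch defines or consults `disable_ht` on x86_64 — the variable, the `ht=` command-line parsing and the `smp_num_siblings = 1` override all live under arch/i386 — so an amd64 kernel built from this still brings up sibling threads while the tracking note says HT is disabled by default. Either the x86_64 setup and CPU-detection paths need the same change, or that Kconfig hunk should be dropped and the note should record the mitigation as i386-only. Separately, `disable_ht` is `__initdata` in setup.c but is read through a function-local `extern` in intel.c; that is only safe while every reader runs during init, which presumably holds for the CPU-identification code here (the enclosing function starts outside the hunk) and deserves a comment at the definition, e.g. `/* __initdata: read by cpu/intel.c during boot-time CPU identification only */`. The `ht=on`/`ht=off` checks use `memcmp` prefix matching like the surrounding `from` parsing, so `ht=onx` is also accepted; that is consistent with the file's existing style and not a regression.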

Modified: patch-tracking/CVE-2005-1761
==============================================================================
--- patch-tracking/CVE-2005-1761	(original)
+++ patch-tracking/CVE-2005-1761	Sat Jan  7 01:47:09 2006
@@ -8,6 +8,7 @@
  restore_sigcontext function.
 Notes: 
  jmm> This uses arch-ia64-ptrace-restore_sigcontext.dpatch, correct?
+ dannf> 2.4 patch for ia64 from SuSE in: CVE-2005-1761-linux24.patch
 Bugs: 
 upstream: released (2.6.12.1)
 linux-2.6: N/A

Added: patch-tracking/CVE-2005-1761-linux24.patch
==============================================================================
--- (empty file)
+++ patch-tracking/CVE-2005-1761-linux24.patch	Sat Jan  7 01:47:09 2006
@@ -0,0 +1,68 @@
+--- linux-2.4.21/arch/ia64/kernel/ptrace.c.~1~	2005-07-05 16:30:24.190901663 +0200
++++ linux-2.4.21/arch/ia64/kernel/ptrace.c	2005-07-05 16:32:16.211514373 +0200
+@@ -820,6 +820,13 @@ access_uarea (struct task_struct *child,
+ 				*data = (pt->cr_ipsr & IPSR_READ_MASK);
+ 			return 0;
+ 
++		      case PT_AR_RSC:
++			if (write_access)
++				pt->ar_rsc = *data | (3 << 2); /* force PL3 */
++			else
++				*data = pt->ar_rsc;
++			return 0;
++
+ 		      case PT_AR_RNAT:
+ 			urbs_end = ia64_get_user_rbs_end(child, pt, NULL);
+ 			rnat_addr = (long) ia64_rse_rnat_addr((long *) urbs_end);
+@@ -839,7 +846,7 @@ access_uarea (struct task_struct *child,
+ 		      case PT_F6:  case PT_F6+8: case PT_F7: case PT_F7+8:
+ 		      case PT_F8:  case PT_F8+8: case PT_F9: case PT_F9+8:
+ 		      case PT_AR_BSPSTORE:
+-		      case PT_AR_RSC: case PT_AR_UNAT: case PT_AR_PFS:
++		      case PT_AR_UNAT: case PT_AR_PFS:
+ 		      case PT_AR_CCV: case PT_AR_FPSR: case PT_CR_IIP: case PT_PR:
+ 			/* scratch register */
+ 			ptr = (unsigned long *) ((long) pt + addr - PT_CR_IPSR);
+@@ -1068,13 +1075,13 @@ ptrace_setregs (struct task_struct *chil
+ 	/* app regs */
+ 
+ 	retval |= __get_user(pt->ar_pfs, &ppr->ar[PT_AUR_PFS]);
+-	retval |= __get_user(pt->ar_rsc, &ppr->ar[PT_AUR_RSC]);
+ 	retval |= __get_user(pt->ar_bspstore, &ppr->ar[PT_AUR_BSPSTORE]);
+ 	retval |= __get_user(pt->ar_unat, &ppr->ar[PT_AUR_UNAT]);
+ 	retval |= __get_user(pt->ar_ccv, &ppr->ar[PT_AUR_CCV]);
+ 	retval |= __get_user(pt->ar_fpsr, &ppr->ar[PT_AUR_FPSR]);
+ 
+ 	retval |= access_uarea(child, PT_AR_EC, &ppr->ar[PT_AUR_EC], 1);
++	retval |= access_uarea(child, PT_AR_RSC, &ppr->ar[PT_AUR_RSC], 1);
+ 	retval |= access_uarea(child, PT_AR_LC, &ppr->ar[PT_AUR_LC], 1);
+ 	retval |= access_uarea(child, PT_AR_RNAT, &ppr->ar[PT_AUR_RNAT], 1);
+ 	retval |= access_uarea(child, PT_AR_BSP, &ppr->ar[PT_AUR_BSP], 1);
+--- linux-2.4.21/arch/ia64/kernel/signal.c.~1~	2005-07-05 16:30:22.651837731 +0200
++++ linux-2.4.21/arch/ia64/kernel/signal.c	2005-07-05 16:33:52.907894962 +0200
+@@ -105,7 +105,7 @@ sys_sigaltstack (const stack_t *uss, sta
+ static long
+ restore_sigcontext (struct sigcontext *sc, struct sigscratch *scr)
+ {
+-	unsigned long ip, flags, nat, um, cfm;
++	unsigned long ip, flags, nat, um, cfm, rsc;
+ 	long err;
+ 
+ 	/* restore scratch that always needs gets updated during signal delivery: */
+@@ -115,7 +115,7 @@ restore_sigcontext (struct sigcontext *s
+ 	err |= __get_user(ip, &sc->sc_ip);			/* instruction pointer */
+ 	err |= __get_user(cfm, &sc->sc_cfm);
+ 	err |= __get_user(um, &sc->sc_um);			/* user mask */
+-	err |= __get_user(scr->pt.ar_rsc, &sc->sc_ar_rsc);
++	err |= __get_user(rsc, &sc->sc_ar_rsc);
+ 	err |= __get_user(scr->pt.ar_ccv, &sc->sc_ar_ccv);
+ 	err |= __get_user(scr->pt.ar_unat, &sc->sc_ar_unat);
+ 	err |= __get_user(scr->pt.ar_fpsr, &sc->sc_ar_fpsr);
+@@ -130,6 +130,7 @@ restore_sigcontext (struct sigcontext *s
+ 	err |= __copy_from_user(&scr->pt.r16, &sc->sc_gr[16], 16*8);	/* r16-r31 */
+ 
+ 	scr->pt.cr_ifs = cfm | (1UL << 63);
++	scr->pt.ar_rsc = rsc | (3 << 2); /* force PL3 */
+ 
+ 	/* establish new instruction pointer: */
+ 	scr->pt.cr_iip = ip & ~0x3UL;
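Review bot: The `3 << 2` mask in the new PT_AR_RSC write in access_uarea, and again in restore_sigcontext, is a bare magic number whose comment `/* force PL3 */` says what but not why; since these two lines are the whole of the fix, each site should explain it, e.g. `/* ar.rsc.pl (bits 3:2) must stay 3: a user-supplied lower value would let register-stack-engine backing-store accesses run at a higher privilege level (CVE-2005-1761) */`, or the mask should become a named constant shared by both files. The bits are only forced on the write path, so ptrace_setregs's move of the ar_rsc copy from a direct `__get_user` into `access_uarea(child, PT_AR_RSC, ..., 1)` is what makes PTRACE_SETREGS pass through the same check — a one-line comment there would stop a later cleanup from "simplifying" it back to the direct copy. The inner patch headers name linux-2.4.21 (SuSE), so the hunk contexts should be re-checked against the Debian 2.4 tree before inclusion.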


