[kernel] r13667 - in dists/lenny-security/linux-2.6/debian: . patches/features/all/xen patches/series
Dann Frazier
dannf at alioth.debian.org
Sun May 24 21:10:13 UTC 2009
Author: dannf
Date: Sun May 24 21:10:11 2009
New Revision: 13667
Log:
xen: Fix missing check of interrupted code's code selector
Added:
dists/lenny-security/linux-2.6/debian/patches/features/all/xen/i386-hypervisor_callback-adjustments.patch
dists/lenny-security/linux-2.6/debian/patches/series/15lenny3-extra
Modified:
dists/lenny-security/linux-2.6/debian/changelog
Modified: dists/lenny-security/linux-2.6/debian/changelog
==============================================================================
--- dists/lenny-security/linux-2.6/debian/changelog Thu May 21 22:14:52 2009 (r13666)
+++ dists/lenny-security/linux-2.6/debian/changelog Sun May 24 21:10:11 2009 (r13667)
@@ -2,6 +2,8 @@
* Fix selinux panic introduced by the fix for CVE-2009-1184
(Closes: #528860)
+ * xen: Fix missing check of interrupted code's code selector
+ (CVE-2009-1758)
-- dann frazier <dannf at debian.org> Thu, 21 May 2009 09:20:47 -0600
Added: dists/lenny-security/linux-2.6/debian/patches/features/all/xen/i386-hypervisor_callback-adjustments.patch
==============================================================================
--- /dev/null 00:00:00 1970 (empty, because file is newly added)
+++ dists/lenny-security/linux-2.6/debian/patches/features/all/xen/i386-hypervisor_callback-adjustments.patch Sun May 24 21:10:11 2009 (r13667)
@@ -0,0 +1,131 @@
+
+# HG changeset patch
+# User Keir Fraser <keir.fraser at citrix.com>
+# Date 1242292120 -3600
+# Node ID 9b945480054430882b60bb5e5f660822a1c07b70
+# Parent 271d9b9bee40657b1714b2bb62531e989c7b5813
+xen/i386: hypervisor_callback adjustments
+
+The missing check of the interrupted code's code selector in
+hypervisor_callback() allowed a user mode application to oops (and
+perhaps crash) the kernel.
+
+Further adjustments:
+- the 'main' critical region does not include the jmp following the
+ disabling of interrupts
+- the sysexit_[se]crit range checks got broken at some point - the
+ sysexit ciritcal region is always at higher addresses than the
+ 'main'
+ one, yielding the check pointless (but consuming execution time);
+ since the supervisor mode kernel isn't actively used afaict, I moved
+ that code into an #ifdef using a hypothetical config option
+- the use of a numeric label across more than 300 lines of code always
+ seemed pretty fragile to me, so the patch replaces this with a local
+ named label
+- streamlined the critical_region_fixup code to eliminate a branch
+
+Signed-off-by: Jan Beulich <jbeulich at novell.com>
+
+Backported to Debian's 2.6.26 by dann frazier <dannf at debian.org>
+
+diff -urpN a/arch/x86/kernel/entry_32-xen.S b/arch/x86/kernel/entry_32-xen.S
+--- a/arch/x86/kernel/entry_32-xen.S 2009-05-22 16:30:50.000000000 -0600
++++ b/arch/x86/kernel/entry_32-xen.S 2009-05-22 16:51:18.000000000 -0600
+@@ -522,8 +522,8 @@ scrit: /**** START OF CRITICAL REGION **
+ .previous
+ 14: __DISABLE_INTERRUPTS
+ TRACE_IRQS_OFF
+- jmp 11f
+ ecrit: /**** END OF CRITICAL REGION ****/
++ jmp .Ldo_upcall
+
+ CFI_RESTORE_STATE
+ hypervisor_iret:
+@@ -795,17 +795,23 @@ ENTRY(hypervisor_callback)
+ pushl %eax
+ CFI_ADJUST_CFA_OFFSET 4
+ SAVE_ALL
++ testb $2,CS(%esp)
+ movl PT_EIP(%esp),%eax
++ jnz .Ldo_upcall
+ cmpl $scrit,%eax
+- jb 11f
++ jb 0f
+ cmpl $ecrit,%eax
+ jb critical_region_fixup
++0:
++#ifdef CONFIG_XEN_SUPERVISOR_MODE_KERNEL
+ cmpl $sysexit_scrit,%eax
+- jb 11f
++ jb .Ldo_upcall
+ cmpl $sysexit_ecrit,%eax
+- ja 11f
++ ja .Ldo_upcall
+ addl $PT_OLDESP,%esp # Remove eflags...ebx from stack frame.
+-11: push %esp
++#endif
++.Ldo_upcall:
++ push %esp
+ CFI_ADJUST_CFA_OFFSET 4
+ call evtchn_do_upcall
+ add $4,%esp
+@@ -821,40 +827,35 @@ ENTRY(hypervisor_callback)
+ # provides the number of bytes which have already been popped from the
+ # interrupted stack frame.
+ critical_region_fixup:
+- movzbl critical_fixup_table-scrit(%eax),%ecx # %eax contains num bytes popped
+- cmpb $0xff,%cl # 0xff => vcpu_info critical region
+- jne 15f
+- xorl %ecx,%ecx
+-15: leal (%esp,%ecx),%esi # %esi points at end of src region
++ movsbl critical_fixup_table-scrit(%eax),%ecx # %ecx contains num slots popped
++ testl %ecx,%ecx
++ leal (%esp,%ecx,4),%esi # %esi points at end of src region
+ leal PT_OLDESP(%esp),%edi # %edi points at end of dst region
+- shrl $2,%ecx # convert words to bytes
+- je 17f # skip loop if nothing to copy
++ jle 17f # skip loop if nothing to copy
+ 16: subl $4,%esi # pre-decrementing copy loop
+ subl $4,%edi
+ movl (%esi),%eax
+ movl %eax,(%edi)
+ loop 16b
+ 17: movl %edi,%esp # final %edi is top of merged stack
+- jmp 11b
++ jmp .Ldo_upcall
+
+ .section .rodata,"a"
+ critical_fixup_table:
+- .byte 0xff,0xff,0xff # testb $0xff,(%esi) = __TEST_PENDING
+- .byte 0xff,0xff # jnz 14f
+- .byte 0x00 # pop %ebx
+- .byte 0x04 # pop %ecx
+- .byte 0x08 # pop %edx
+- .byte 0x0c # pop %esi
+- .byte 0x10 # pop %edi
+- .byte 0x14 # pop %ebp
+- .byte 0x18 # pop %eax
+- .byte 0x1c # pop %ds
+- .byte 0x20 # pop %es
+- .byte 0x24,0x24 # pop %fs
+- .byte 0x28,0x28,0x28 # add $4,%esp
+- .byte 0x2c # iret
+- .byte 0xff,0xff,0xff,0xff # movb $1,1(%esi)
+- .byte 0x00,0x00 # jmp 11b
++ .byte -1,-1,-1 # testb $0xff,(%esi) = __TEST_PENDING
++ .byte -1,-1 # jnz 14f
++ .byte 0 # pop %ebx
++ .byte 1 # pop %ecx
++ .byte 2 # pop %edx
++ .byte 3 # pop %esi
++ .byte 4 # pop %edi
++ .byte 5 # pop %ebp
++ .byte 6 # pop %eax
++ .byte 7 # pop %ds
++ .byte 8 # pop %es
++ .byte 9,9,9 # add $4,%esp
++ .byte 10 # iret
++ .byte -1,-1,-1,-1 # movb $1,1(%esi)
+ .previous
+
+ # Hypervisor uses this for application faults while it executes.
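Review bot: The rewritten critical_fixup_table drops the `pop %fs` row that the removed table carried (`.byte 0x24,0x24 # pop %fs`) without renumbering the rows after it, so if restore_all_enable_events in this 2.6.26 tree still pops %fs (the old table says it did; the region itself lies outside the hunk) the new table is two bytes shorter than scrit..ecrit and every entry from `add $4,%esp` onward is one slot too small, which would mis-merge the stack on a fixup landing there. Restoring the row and shifting the later slot counts gives `.byte 9,9 # pop %fs`, `.byte 10,10,10 # add $4,%esp`, `.byte 11 # iret`. Separately, the new `testb $2,CS(%esp)` uses a bare `CS` offset while the neighbouring lines use `PT_EIP`/`PT_OLDESP`; confirm `CS` is defined by this tree's asm-offsets (otherwise `PT_CS`), and add a why-comment such as `# RPL bit 1 set => interrupted ring 3 (Xen kernel runs in ring 1), skip fixup` since testing `$2` rather than `$3` is non-obvious. The `movl PT_EIP(%esp),%eax` between the testb and the jnz is safe only because mov preserves flags, which is worth a one-line comment so a later insertion there does not break the check.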
Added: dists/lenny-security/linux-2.6/debian/patches/series/15lenny3-extra
==============================================================================
--- /dev/null 00:00:00 1970 (empty, because file is newly added)
+++ dists/lenny-security/linux-2.6/debian/patches/series/15lenny3-extra Sun May 24 21:10:11 2009 (r13667)
@@ -0,0 +1 @@
++ features/all/xen/i386-hypervisor_callback-adjustments.patch featureset=xen