[kernel] r13689 - dists/lenny-security/linux-2.6/debian/patches/features/all/xen

Ian Campbell ijc-guest at alioth.debian.org
Thu May 28 06:50:21 UTC 2009


Author: ijc-guest
Date: Thu May 28 06:50:19 2009
New Revision: 13689

Log:
Reduce the patch for Xen CVE-2009-1758; it primarily excludes the cleanup of
critical_region_fixup.

Modified:
   dists/lenny-security/linux-2.6/debian/patches/features/all/xen/i386-hypervisor_callback-adjustments.patch

Modified: dists/lenny-security/linux-2.6/debian/patches/features/all/xen/i386-hypervisor_callback-adjustments.patch
==============================================================================
--- dists/lenny-security/linux-2.6/debian/patches/features/all/xen/i386-hypervisor_callback-adjustments.patch	Wed May 27 17:09:30 2009	(r13688)
+++ dists/lenny-security/linux-2.6/debian/patches/features/all/xen/i386-hypervisor_callback-adjustments.patch	Thu May 28 06:50:19 2009	(r13689)
@@ -12,7 +12,7 @@
 
 Further adjustments:
 - the 'main' critical region does not include the jmp following the
-  disabling of interrupts
+  disabling of interrupts [ijc: removed from backport]
 - the sysexit_[se]crit range checks got broken at some point - the
   sysexit ciritcal region is always at higher addresses than the
   'main'
@@ -23,25 +23,25 @@
   seemed pretty fragile to me, so the patch replaces this with a local
   named label
 - streamlined the critical_region_fixup code to eliminate a branch
+  [ijc: removed from backport]
 
 Signed-off-by: Jan Beulich <jbeulich at novell.com>
 
-Backported to Debian's 2.6.26 by dann frazier <dannf at debian.org>
+Backported to Debian's 2.6.26 and reduced to minimal fix by
+dann frazier <dannf at debian.org> and Ian Campbell <ijc at hellion.org.uk>
 
-diff -urpN a/arch/x86/kernel/entry_32-xen.S b/arch/x86/kernel/entry_32-xen.S
---- a/arch/x86/kernel/entry_32-xen.S	2009-05-22 16:30:50.000000000 -0600
-+++ b/arch/x86/kernel/entry_32-xen.S	2009-05-22 16:51:18.000000000 -0600
-@@ -522,8 +522,8 @@ scrit:	/**** START OF CRITICAL REGION **
+--- a/arch/x86/kernel/entry_32-xen.S	Thu May 14 10:08:10 2009 +0100
++++ b/arch/x86/kernel/entry_32-xen.S	Thu May 14 10:08:40 2009 +0100
+@@ -522,7 +522,7 @@
  .previous
  14:	__DISABLE_INTERRUPTS
  	TRACE_IRQS_OFF
 -	jmp  11f
- ecrit:  /**** END OF CRITICAL REGION ****/
 +	jmp  .Ldo_upcall
+ ecrit:  /**** END OF CRITICAL REGION ****/
  
  	CFI_RESTORE_STATE
- hypervisor_iret:
-@@ -795,17 +795,23 @@ ENTRY(hypervisor_callback)
+@@ -795,17 +795,23 @@
  	pushl %eax
  	CFI_ADJUST_CFA_OFFSET 4
  	SAVE_ALL
@@ -69,25 +69,7 @@
  	CFI_ADJUST_CFA_OFFSET 4
  	call evtchn_do_upcall
  	add  $4,%esp
-@@ -821,40 +827,35 @@ ENTRY(hypervisor_callback)
- # provides the number of bytes which have already been popped from the
- # interrupted stack frame.
- critical_region_fixup:
--	movzbl critical_fixup_table-scrit(%eax),%ecx # %eax contains num bytes popped
--	cmpb $0xff,%cl                  # 0xff => vcpu_info critical region
--	jne  15f
--	xorl %ecx,%ecx
--15:	leal (%esp,%ecx),%esi		# %esi points at end of src region
-+	movsbl critical_fixup_table-scrit(%eax),%ecx # %ecx contains num slots popped
-+	testl %ecx,%ecx
-+	leal (%esp,%ecx,4),%esi		# %esi points at end of src region
- 	leal PT_OLDESP(%esp),%edi	# %edi points at end of dst region
--	shrl $2,%ecx			# convert words to bytes
--	je   17f			# skip loop if nothing to copy
-+	jle   17f			# skip loop if nothing to copy
- 16:	subl $4,%esi			# pre-decrementing copy loop
- 	subl $4,%edi
- 	movl (%esi),%eax
+@@ -835,7 +841,7 @@
  	movl %eax,(%edi)
  	loop 16b
  17:	movl %edi,%esp			# final %edi is top of merged stack
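Review bot: The outer header `@@ -69,25 +69,7 @@` only balances if `leal PT_OLDESP(%esp),%edi`, `16: subl $4,%esi`, `subl $4,%edi` and `movl (%esi),%eax` are removals, yet they appear here without a leading `-`; the list rendering seems to have dropped the marker, so anyone re-applying from this mail should work from the repository copy rather than this text. The retained inner hunk `@@ -835,7 +841,7 @@` starts with the three context lines `movl %eax,(%edi)`, `loop 16b` and `17: movl %edi,%esp`, but its changed lines fall in the gap between this outer hunk and the next, so what it still modifies cannot be confirmed from this page. Its +6 line shift is consistent with the preceding `@@ -795,17 +795,23 @@` hunk.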
@@ -96,36 +78,12 @@
  
  .section .rodata,"a"
  critical_fixup_table:
--	.byte 0xff,0xff,0xff		# testb $0xff,(%esi) = __TEST_PENDING
--	.byte 0xff,0xff			# jnz  14f
--	.byte 0x00			# pop  %ebx
--	.byte 0x04			# pop  %ecx
--	.byte 0x08			# pop  %edx
--	.byte 0x0c			# pop  %esi
--	.byte 0x10			# pop  %edi
--	.byte 0x14			# pop  %ebp
--	.byte 0x18			# pop  %eax
--	.byte 0x1c			# pop  %ds
--	.byte 0x20			# pop  %es
--	.byte 0x24,0x24			# pop  %fs
--	.byte 0x28,0x28,0x28		# add  $4,%esp
--	.byte 0x2c			# iret
--	.byte 0xff,0xff,0xff,0xff	# movb $1,1(%esi)
+@@ -854,7 +860,7 @@
+ 	.byte 0x28,0x28,0x28		# add  $4,%esp
+ 	.byte 0x2c			# iret
+ 	.byte 0xff,0xff,0xff,0xff	# movb $1,1(%esi)
 -	.byte 0x00,0x00			# jmp  11b
-+	.byte -1,-1,-1			# testb $0xff,(%esi) = __TEST_PENDING
-+	.byte -1,-1			# jnz  14f
-+	.byte 0				# pop  %ebx
-+	.byte 1				# pop  %ecx
-+	.byte 2				# pop  %edx
-+	.byte 3				# pop  %esi
-+	.byte 4				# pop  %edi
-+	.byte 5				# pop  %ebp
-+	.byte 6				# pop  %eax
-+	.byte 7				# pop  %ds
-+	.byte 8				# pop  %es
-+	.byte 9,9,9			# add  $4,%esp
-+	.byte 10			# iret
-+	.byte -1,-1,-1,-1		# movb $1,1(%esi)
++	.byte 0x00,0x00			# jmp  .Ldo_upcall
  .previous
  
  # Hypervisor uses this for application faults while it executes.
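Review bot: The only table change kept is the final entry `.byte 0x00,0x00 # jmp .Ldo_upcall`, and because the backport leaves `ecrit:` after the jump (earlier hunk) that entry is load-bearing: the table is indexed by byte offset from `scrit`, one byte per instruction byte, as the retained `movzbl critical_fixup_table-scrit(%eax),%ecx` and the per-entry comments show, so the entry must match the encoded length of the jump exactly. `jmp 11f` was a 2-byte short jump and `.Ldo_upcall` is presumably just as close, but if the assembler ever relaxed it to a 5-byte near jump the table would be shorter than `ecrit-scrit` and the fixup would index past it; no build-time check of the table length is visible in this hunk. Suggest recording the assumption on the entry: `# jmp .Ldo_upcall (must assemble to 2 bytes: table is indexed by byte offset from scrit)`.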


