[kernel] r14551 - in dists/etch-security/linux-2.6.24/debian: . patches/bugfix patches/series

Dann Frazier dannf at alioth.debian.org
Wed Nov 4 21:10:35 UTC 2009


Author: dannf
Date: Wed Nov  4 21:10:34 2009
New Revision: 14551

Log:
x86: Don't leak 64-bit kernel register values to 32-bit processes
(CVE-2009-2910)

Added:
   dists/etch-security/linux-2.6.24/debian/patches/bugfix/don-t-leak-64-bit-kernel-register-values-to-32-bit-processes.patch
      - copied, changed from r14544, dists/lenny-security/linux-2.6/debian/patches/bugfix/x86/don-t-leak-64-bit-kernel-register-values-to-32-bit-processes.patch
   dists/etch-security/linux-2.6.24/debian/patches/bugfix/x86-64-slightly-stream-line-32-bit-syscall-entry-code.patch
      - copied, changed from r14544, dists/lenny-security/linux-2.6/debian/patches/bugfix/x86/x86-64-slightly-stream-line-32-bit-syscall-entry-code.patch
Modified:
   dists/etch-security/linux-2.6.24/debian/changelog
   dists/etch-security/linux-2.6.24/debian/patches/series/6~etchnhalf.8etch4

Modified: dists/etch-security/linux-2.6.24/debian/changelog
==============================================================================
--- dists/etch-security/linux-2.6.24/debian/changelog	Wed Nov  4 20:49:14 2009	(r14550)
+++ dists/etch-security/linux-2.6.24/debian/changelog	Wed Nov  4 21:10:34 2009	(r14551)
@@ -17,6 +17,8 @@
   * r8169: use hardware auto padding and balance pci_map/pci_unmap
     (CVE-2009-3613)
   * net ax25: Fix signed comparison in the sockopt handler (CVE-2009-2909)
+  * x86: Don't leak 64-bit kernel register values to 32-bit processes
+    (CVE-2009-2910)
 
  -- dann frazier <dannf at debian.org>  Tue, 27 Oct 2009 22:41:25 -0600
 

Copied and modified: dists/etch-security/linux-2.6.24/debian/patches/bugfix/don-t-leak-64-bit-kernel-register-values-to-32-bit-processes.patch (from r14544, dists/lenny-security/linux-2.6/debian/patches/bugfix/x86/don-t-leak-64-bit-kernel-register-values-to-32-bit-processes.patch)
==============================================================================
--- dists/lenny-security/linux-2.6/debian/patches/bugfix/x86/don-t-leak-64-bit-kernel-register-values-to-32-bit-processes.patch	Wed Nov  4 16:57:25 2009	(r14544, copy source)
+++ dists/etch-security/linux-2.6.24/debian/patches/bugfix/don-t-leak-64-bit-kernel-register-values-to-32-bit-processes.patch	Wed Nov  4 21:10:34 2009	(r14551)
@@ -29,12 +29,12 @@
  arch/x86/ia32/ia32entry.S |   36 +++++++++++++++++++++++-------------
  1 file changed, 23 insertions(+), 13 deletions(-)
 
-Backported to Debian's 2.6.26 by dann frazier <dannf at debian.org>
+Backported to Debian's 2.6.24 by dann frazier <dannf at debian.org>
 
-diff -urpN linux-source-2.6.26.orig/arch/x86/ia32/ia32entry.S linux-source-2.6.26/arch/x86/ia32/ia32entry.S
---- linux-source-2.6.26.orig/arch/x86/ia32/ia32entry.S	2009-10-15 22:15:48.000000000 -0600
-+++ linux-source-2.6.26/arch/x86/ia32/ia32entry.S	2009-10-15 23:03:06.000000000 -0600
-@@ -29,12 +29,12 @@
+diff -urpN linux-source-2.6.24.orig/arch/x86/ia32/ia32entry.S linux-source-2.6.24/arch/x86/ia32/ia32entry.S
+--- linux-source-2.6.24.orig/arch/x86/ia32/ia32entry.S	2009-11-04 14:05:23.000000000 -0700
++++ linux-source-2.6.24/arch/x86/ia32/ia32entry.S	2009-11-04 14:06:19.000000000 -0700
+@@ -30,12 +30,12 @@
  	.endm 
  
  	/* clobbers %eax */	
@@ -52,9 +52,9 @@
  	.endm
  
  	.macro LOAD_ARGS32 offset, _r9=0
-@@ -143,6 +143,10 @@ sysenter_do_call:	
- 	movl	RIP-R11(%rsp),%edx		/* User %eip */
- 	CFI_REGISTER rip,rdx
+@@ -142,6 +142,10 @@ sysenter_do_call:	
+ 	/* clear IF, that popfq doesn't enable interrupts early */
+ 	andl  $~0x200,EFLAGS-R11(%rsp) 
  	RESTORE_ARGS 1,24,1,1,1,1
 +	xorq	%r8,%r8
 +	xorq	%r9,%r9
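Review bot: The `xorq %r8,%r8` / `xorq %r9,%r9` clears now sit after `RESTORE_ARGS 1,24,1,1,1,1` in a 2.6.24 context that differs from 2.6.26 (`andl $~0x200,EFLAGS-R11(%rsp)` precedes them instead of `movl RIP-R11(%rsp),%edx`), and they only close the leak if nothing between them and the sysexit reloads those registers from pt_regs; the remainder of the sysenter return path is outside this hunk, so that should be confirmed against the 2.6.24 ia32entry.S rather than assumed from the 2.6.26 placement. The added lines carry no comment saying why they exist; I would annotate the first one with `/* RESTORE_ARGS above appears to skip these for the 32-bit path: clear them so kernel values do not reach user mode (CVE-2009-2910) */`, hedged until the macro's argument meaning is checked. The `CLEAR_RREGS 0, r9` form used in the cstar_tracesys hunk further down presupposes the two-argument macro introduced by the stream-line patch, so this patch must stay ordered after it, as the series file in this commit does.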
@@ -63,7 +63,7 @@
  	popfq
  	CFI_ADJUST_CFA_OFFSET -8
  	/*CFI_RESTORE rflags*/
-@@ -247,6 +251,9 @@ cstar_do_call:
+@@ -246,6 +250,9 @@ cstar_do_call:
  	CFI_REGISTER rip,rcx
  	movl EFLAGS-ARGOFFSET(%rsp),%r11d	
  	/*CFI_REGISTER rflags,r11*/
@@ -73,16 +73,16 @@
  	TRACE_IRQS_ON
  	movl RSP-ARGOFFSET(%rsp),%esp
  	CFI_RESTORE rsp
-@@ -257,7 +264,7 @@ cstar_tracesys:	
+@@ -256,7 +263,7 @@ cstar_tracesys:	
  	CFI_RESTORE_STATE
  	xchgl %r9d,%ebp
  	SAVE_REST
 -	CLEAR_RREGS r9
 +	CLEAR_RREGS 0, r9
- 	movq $-ENOSYS,RAX(%rsp)	/* ptrace can change this for a bad syscall */
+ 	movq $-ENOSYS,RAX(%rsp)	/* really needed? */
  	movq %rsp,%rdi        /* &pt_regs -> arg1 */
  	call syscall_trace_enter
-@@ -328,6 +335,7 @@ ia32_do_call:
+@@ -325,6 +332,7 @@ ia32_do_syscall:	
  	call *ia32_sys_call_table(,%rax,8) # xxx: rip relative
  ia32_sysret:
  	movq %rax,RAX-ARGOFFSET(%rsp)
@@ -90,7 +90,7 @@
  	jmp int_ret_from_sys_call 
  
  ia32_tracesys:			 
-@@ -345,8 +353,8 @@ END(ia32_syscall)
+@@ -340,8 +348,8 @@ END(ia32_syscall)
  
  ia32_badsys:
  	movq $0,ORIG_RAX-ARGOFFSET(%rsp)

Copied and modified: dists/etch-security/linux-2.6.24/debian/patches/bugfix/x86-64-slightly-stream-line-32-bit-syscall-entry-code.patch (from r14544, dists/lenny-security/linux-2.6/debian/patches/bugfix/x86/x86-64-slightly-stream-line-32-bit-syscall-entry-code.patch)
==============================================================================
--- dists/lenny-security/linux-2.6/debian/patches/bugfix/x86/x86-64-slightly-stream-line-32-bit-syscall-entry-code.patch	Wed Nov  4 16:57:25 2009	(r14544, copy source)
+++ dists/etch-security/linux-2.6.24/debian/patches/bugfix/x86-64-slightly-stream-line-32-bit-syscall-entry-code.patch	Wed Nov  4 21:10:34 2009	(r14551)
@@ -22,16 +22,12 @@
 Cc: Chuck Ebbert <cebbert at redhat.com>
 Signed-off-by: Greg Kroah-Hartman <gregkh at suse.de>
 
----
- arch/x86/ia32/ia32entry.S |   26 ++++++++++----------------
- 1 file changed, 10 insertions(+), 16 deletions(-)
+Backported to Debian's 2.6.24 by dann frazier <dannf at debian.org>
 
-Backported to Debian's 2.6.26 by dann frazier <dannf at debian.org>
-
-diff -urpN linux-source-2.6.26.orig/arch/x86/ia32/ia32entry.S linux-source-2.6.26/arch/x86/ia32/ia32entry.S
---- linux-source-2.6.26.orig/arch/x86/ia32/ia32entry.S	2009-08-18 23:15:13.000000000 -0600
-+++ linux-source-2.6.26/arch/x86/ia32/ia32entry.S	2009-10-15 22:15:48.000000000 -0600
-@@ -29,19 +29,18 @@
+diff -urpN linux-source-2.6.24.orig/arch/x86/ia32/ia32entry.S linux-source-2.6.24/arch/x86/ia32/ia32entry.S
+--- linux-source-2.6.24.orig/arch/x86/ia32/ia32entry.S	2008-01-24 15:58:37.000000000 -0700
++++ linux-source-2.6.24/arch/x86/ia32/ia32entry.S	2009-11-04 14:05:23.000000000 -0700
+@@ -30,19 +30,18 @@
  	.endm 
  
  	/* clobbers %eax */	
@@ -56,7 +52,7 @@
  	movl \offset+40(%rsp),%ecx
  	movl \offset+48(%rsp),%edx
  	movl \offset+56(%rsp),%esi
-@@ -118,7 +117,7 @@ ENTRY(ia32_sysenter_target)
+@@ -119,7 +118,7 @@ ENTRY(ia32_sysenter_target)
  	SAVE_ARGS 0,0,1
   	/* no need to do an access_ok check here because rbp has been
   	   32bit zero extended */ 
@@ -65,7 +61,7 @@
   	.section __ex_table,"a"
   	.quad 1b,ia32_badarg
   	.previous	
-@@ -130,7 +129,7 @@ ENTRY(ia32_sysenter_target)
+@@ -131,7 +130,7 @@ ENTRY(ia32_sysenter_target)
  sysenter_do_call:	
  	cmpl	$(IA32_NR_syscalls-1),%eax
  	ja	ia32_badsys
@@ -74,7 +70,7 @@
  	call	*ia32_sys_call_table(,%rax,8)
  	movq	%rax,RAX-ARGOFFSET(%rsp)
  	GET_THREAD_INFO(%r10)
-@@ -158,16 +157,13 @@ sysenter_do_call:	
+@@ -159,16 +158,13 @@ sysenter_do_call:	
  
  sysenter_tracesys:
  	CFI_RESTORE_STATE
@@ -82,16 +78,16 @@
  	SAVE_REST
  	CLEAR_RREGS
 -	movq	%r9,R9(%rsp)
- 	movq	$-ENOSYS,RAX(%rsp)/* ptrace can change this for a bad syscall */
+ 	movq	$-ENOSYS,RAX(%rsp)	/* really needed? */
  	movq	%rsp,%rdi        /* &pt_regs -> arg1 */
  	call	syscall_trace_enter
  	LOAD_ARGS32 ARGOFFSET  /* reload args from stack in case ptrace changed it */
  	RESTORE_REST
 -	xchgl	%ebp,%r9d
- 	cmpl	$(IA32_NR_syscalls-1),%eax
- 	ja	int_ret_from_sys_call /* sysenter_tracesys has set RAX(%rsp) */
  	jmp	sysenter_do_call
-@@ -234,9 +230,9 @@ ENTRY(ia32_cstar_target)
+ 	CFI_ENDPROC
+ ENDPROC(ia32_sysenter_target)
+@@ -233,9 +229,9 @@ ENTRY(ia32_cstar_target)
  	testl $(_TIF_SYSCALL_TRACE|_TIF_SYSCALL_AUDIT|_TIF_SECCOMP),threadinfo_flags(%r10)
  	CFI_REMEMBER_STATE
  	jnz   cstar_tracesys
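Review bot: In the 2.6.24 form of the sysenter_tracesys hunk the traced path returns with a bare `jmp sysenter_do_call`, without the `cmpl $(IA32_NR_syscalls-1),%eax` / `ja int_ret_from_sys_call` pair that the 2.6.26 context carried, so the only bound check applied to a tracer-modified %eax is the one at sysenter_do_call itself (`cmpl $(IA32_NR_syscalls-1),%eax` then `ja ia32_badsys`, visible in an earlier hunk of this file), which routes an out-of-range number to ia32_badsys instead of returning the -ENOSYS already stored in RAX(%rsp). That is presumably equivalent if ia32_badsys yields -ENOSYS, but ia32_badsys is not in view here and it is worth confirming for this kernel. The same question applies to the `jmp cstar_do_call` at the end of the cstar_tracesys hunk below, whose 2.6.24 context likewise drops the post-trace `cmpl`/`ja` lines while the head of cstar_do_call, where the check would have to live, is outside that hunk.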
@@ -102,14 +98,14 @@
  	IA32_ARG_FIXUP 1
  	call *ia32_sys_call_table(,%rax,8)
  	movq %rax,RAX-ARGOFFSET(%rsp)
-@@ -261,15 +257,13 @@ cstar_tracesys:	
+@@ -260,15 +256,13 @@ cstar_tracesys:	
  	CFI_RESTORE_STATE
  	xchgl %r9d,%ebp
  	SAVE_REST
 -	CLEAR_RREGS
 -	movq %r9,R9(%rsp)
 +	CLEAR_RREGS r9
- 	movq $-ENOSYS,RAX(%rsp)	/* ptrace can change this for a bad syscall */
+ 	movq $-ENOSYS,RAX(%rsp)	/* really needed? */
  	movq %rsp,%rdi        /* &pt_regs -> arg1 */
  	call syscall_trace_enter
 -	LOAD_ARGS32 ARGOFFSET  /* reload args from stack in case ptrace changed it */
@@ -117,6 +113,6 @@
  	RESTORE_REST
  	xchgl %ebp,%r9d
 -	movl RSP-ARGOFFSET(%rsp), %r8d
- 	cmpl $(IA32_NR_syscalls-1),%eax
- 	ja int_ret_from_sys_call /* cstar_tracesys has set RAX(%rsp) */
  	jmp cstar_do_call
+ END(ia32_cstar_target)
+ 				

Modified: dists/etch-security/linux-2.6.24/debian/patches/series/6~etchnhalf.8etch4
==============================================================================
--- dists/etch-security/linux-2.6.24/debian/patches/series/6~etchnhalf.8etch4	Wed Nov  4 20:49:14 2009	(r14550)
+++ dists/etch-security/linux-2.6.24/debian/patches/series/6~etchnhalf.8etch4	Wed Nov  4 21:10:34 2009	(r14551)
@@ -11,3 +11,5 @@
 + bugfix/all/r8169-balance-pci_map-pci_unmap-pair.patch
 + bugfix/all/r8169-use-hardware-auto-padding.patch
 + bugfix/all/net-ax25-fix-signed-comparison-in-the-sockopt-handler.patch
++ bugfix/x86-64-slightly-stream-line-32-bit-syscall-entry-code.patch
++ bugfix/don-t-leak-64-bit-kernel-register-values-to-32-bit-processes.patch


