[kernel] r14551 - in dists/etch-security/linux-2.6.24/debian: . patches/bugfix patches/series
Dann Frazier
dannf at alioth.debian.org
Wed Nov 4 21:10:35 UTC 2009
Author: dannf
Date: Wed Nov 4 21:10:34 2009
New Revision: 14551
Log:
x86: Don't leak 64-bit kernel register values to 32-bit processes
(CVE-2009-2910)
Added:
dists/etch-security/linux-2.6.24/debian/patches/bugfix/don-t-leak-64-bit-kernel-register-values-to-32-bit-processes.patch
- copied, changed from r14544, dists/lenny-security/linux-2.6/debian/patches/bugfix/x86/don-t-leak-64-bit-kernel-register-values-to-32-bit-processes.patch
dists/etch-security/linux-2.6.24/debian/patches/bugfix/x86-64-slightly-stream-line-32-bit-syscall-entry-code.patch
- copied, changed from r14544, dists/lenny-security/linux-2.6/debian/patches/bugfix/x86/x86-64-slightly-stream-line-32-bit-syscall-entry-code.patch
Modified:
dists/etch-security/linux-2.6.24/debian/changelog
dists/etch-security/linux-2.6.24/debian/patches/series/6~etchnhalf.8etch4
Modified: dists/etch-security/linux-2.6.24/debian/changelog
==============================================================================
--- dists/etch-security/linux-2.6.24/debian/changelog Wed Nov 4 20:49:14 2009 (r14550)
+++ dists/etch-security/linux-2.6.24/debian/changelog Wed Nov 4 21:10:34 2009 (r14551)
@@ -17,6 +17,8 @@
* r8169: use hardware auto padding and balance pci_map/pci_unmap
(CVE-2009-3613)
* net ax25: Fix signed comparison in the sockopt handler (CVE-2009-2909)
+ * x86: Don't leak 64-bit kernel register values to 32-bit processes
+ (CVE-2009-2910)
-- dann frazier <dannf at debian.org> Tue, 27 Oct 2009 22:41:25 -0600
Copied and modified: dists/etch-security/linux-2.6.24/debian/patches/bugfix/don-t-leak-64-bit-kernel-register-values-to-32-bit-processes.patch (from r14544, dists/lenny-security/linux-2.6/debian/patches/bugfix/x86/don-t-leak-64-bit-kernel-register-values-to-32-bit-processes.patch)
==============================================================================
--- dists/lenny-security/linux-2.6/debian/patches/bugfix/x86/don-t-leak-64-bit-kernel-register-values-to-32-bit-processes.patch Wed Nov 4 16:57:25 2009 (r14544, copy source)
+++ dists/etch-security/linux-2.6.24/debian/patches/bugfix/don-t-leak-64-bit-kernel-register-values-to-32-bit-processes.patch Wed Nov 4 21:10:34 2009 (r14551)
@@ -29,12 +29,12 @@
arch/x86/ia32/ia32entry.S | 36 +++++++++++++++++++++++-------------
1 file changed, 23 insertions(+), 13 deletions(-)
-Backported to Debian's 2.6.26 by dann frazier <dannf at debian.org>
+Backported to Debian's 2.6.24 by dann frazier <dannf at debian.org>
-diff -urpN linux-source-2.6.26.orig/arch/x86/ia32/ia32entry.S linux-source-2.6.26/arch/x86/ia32/ia32entry.S
---- linux-source-2.6.26.orig/arch/x86/ia32/ia32entry.S 2009-10-15 22:15:48.000000000 -0600
-+++ linux-source-2.6.26/arch/x86/ia32/ia32entry.S 2009-10-15 23:03:06.000000000 -0600
-@@ -29,12 +29,12 @@
+diff -urpN linux-source-2.6.24.orig/arch/x86/ia32/ia32entry.S linux-source-2.6.24/arch/x86/ia32/ia32entry.S
+--- linux-source-2.6.24.orig/arch/x86/ia32/ia32entry.S 2009-11-04 14:05:23.000000000 -0700
++++ linux-source-2.6.24/arch/x86/ia32/ia32entry.S 2009-11-04 14:06:19.000000000 -0700
+@@ -30,12 +30,12 @@
.endm
/* clobbers %eax */
@@ -52,9 +52,9 @@
.endm
.macro LOAD_ARGS32 offset, _r9=0
-@@ -143,6 +143,10 @@ sysenter_do_call:
- movl RIP-R11(%rsp),%edx /* User %eip */
- CFI_REGISTER rip,rdx
+@@ -142,6 +142,10 @@ sysenter_do_call:
+ /* clear IF, that popfq doesn't enable interrupts early */
+ andl $~0x200,EFLAGS-R11(%rsp)
RESTORE_ARGS 1,24,1,1,1,1
+ xorq %r8,%r8
+ xorq %r9,%r9
@@ -63,7 +63,7 @@
popfq
CFI_ADJUST_CFA_OFFSET -8
/*CFI_RESTORE rflags*/
-@@ -247,6 +251,9 @@ cstar_do_call:
+@@ -246,6 +250,9 @@ cstar_do_call:
CFI_REGISTER rip,rcx
movl EFLAGS-ARGOFFSET(%rsp),%r11d
/*CFI_REGISTER rflags,r11*/
@@ -73,16 +73,16 @@
TRACE_IRQS_ON
movl RSP-ARGOFFSET(%rsp),%esp
CFI_RESTORE rsp
-@@ -257,7 +264,7 @@ cstar_tracesys:
+@@ -256,7 +263,7 @@ cstar_tracesys:
CFI_RESTORE_STATE
xchgl %r9d,%ebp
SAVE_REST
- CLEAR_RREGS r9
+ CLEAR_RREGS 0, r9
- movq $-ENOSYS,RAX(%rsp) /* ptrace can change this for a bad syscall */
+ movq $-ENOSYS,RAX(%rsp) /* really needed? */
movq %rsp,%rdi /* &pt_regs -> arg1 */
call syscall_trace_enter
-@@ -328,6 +335,7 @@ ia32_do_call:
+@@ -325,6 +332,7 @@ ia32_do_syscall:
call *ia32_sys_call_table(,%rax,8) # xxx: rip relative
ia32_sysret:
movq %rax,RAX-ARGOFFSET(%rsp)
@@ -90,7 +90,7 @@
jmp int_ret_from_sys_call
ia32_tracesys:
-@@ -345,8 +353,8 @@ END(ia32_syscall)
+@@ -340,8 +348,8 @@ END(ia32_syscall)
ia32_badsys:
movq $0,ORIG_RAX-ARGOFFSET(%rsp)
Copied and modified: dists/etch-security/linux-2.6.24/debian/patches/bugfix/x86-64-slightly-stream-line-32-bit-syscall-entry-code.patch (from r14544, dists/lenny-security/linux-2.6/debian/patches/bugfix/x86/x86-64-slightly-stream-line-32-bit-syscall-entry-code.patch)
==============================================================================
--- dists/lenny-security/linux-2.6/debian/patches/bugfix/x86/x86-64-slightly-stream-line-32-bit-syscall-entry-code.patch Wed Nov 4 16:57:25 2009 (r14544, copy source)
+++ dists/etch-security/linux-2.6.24/debian/patches/bugfix/x86-64-slightly-stream-line-32-bit-syscall-entry-code.patch Wed Nov 4 21:10:34 2009 (r14551)
@@ -22,16 +22,12 @@
Cc: Chuck Ebbert <cebbert at redhat.com>
Signed-off-by: Greg Kroah-Hartman <gregkh at suse.de>
----
- arch/x86/ia32/ia32entry.S | 26 ++++++++++----------------
- 1 file changed, 10 insertions(+), 16 deletions(-)
+Backported to Debian's 2.6.24 by dann frazier <dannf at debian.org>
-Backported to Debian's 2.6.26 by dann frazier <dannf at debian.org>
-
-diff -urpN linux-source-2.6.26.orig/arch/x86/ia32/ia32entry.S linux-source-2.6.26/arch/x86/ia32/ia32entry.S
---- linux-source-2.6.26.orig/arch/x86/ia32/ia32entry.S 2009-08-18 23:15:13.000000000 -0600
-+++ linux-source-2.6.26/arch/x86/ia32/ia32entry.S 2009-10-15 22:15:48.000000000 -0600
-@@ -29,19 +29,18 @@
+diff -urpN linux-source-2.6.24.orig/arch/x86/ia32/ia32entry.S linux-source-2.6.24/arch/x86/ia32/ia32entry.S
+--- linux-source-2.6.24.orig/arch/x86/ia32/ia32entry.S 2008-01-24 15:58:37.000000000 -0700
++++ linux-source-2.6.24/arch/x86/ia32/ia32entry.S 2009-11-04 14:05:23.000000000 -0700
+@@ -30,19 +30,18 @@
.endm
/* clobbers %eax */
@@ -56,7 +52,7 @@
movl \offset+40(%rsp),%ecx
movl \offset+48(%rsp),%edx
movl \offset+56(%rsp),%esi
-@@ -118,7 +117,7 @@ ENTRY(ia32_sysenter_target)
+@@ -119,7 +118,7 @@ ENTRY(ia32_sysenter_target)
SAVE_ARGS 0,0,1
/* no need to do an access_ok check here because rbp has been
32bit zero extended */
@@ -65,7 +61,7 @@
.section __ex_table,"a"
.quad 1b,ia32_badarg
.previous
-@@ -130,7 +129,7 @@ ENTRY(ia32_sysenter_target)
+@@ -131,7 +130,7 @@ ENTRY(ia32_sysenter_target)
sysenter_do_call:
cmpl $(IA32_NR_syscalls-1),%eax
ja ia32_badsys
@@ -74,7 +70,7 @@
call *ia32_sys_call_table(,%rax,8)
movq %rax,RAX-ARGOFFSET(%rsp)
GET_THREAD_INFO(%r10)
-@@ -158,16 +157,13 @@ sysenter_do_call:
+@@ -159,16 +158,13 @@ sysenter_do_call:
sysenter_tracesys:
CFI_RESTORE_STATE
@@ -82,16 +78,16 @@
SAVE_REST
CLEAR_RREGS
- movq %r9,R9(%rsp)
- movq $-ENOSYS,RAX(%rsp)/* ptrace can change this for a bad syscall */
+ movq $-ENOSYS,RAX(%rsp) /* really needed? */
movq %rsp,%rdi /* &pt_regs -> arg1 */
call syscall_trace_enter
LOAD_ARGS32 ARGOFFSET /* reload args from stack in case ptrace changed it */
RESTORE_REST
- xchgl %ebp,%r9d
- cmpl $(IA32_NR_syscalls-1),%eax
- ja int_ret_from_sys_call /* sysenter_tracesys has set RAX(%rsp) */
jmp sysenter_do_call
-@@ -234,9 +230,9 @@ ENTRY(ia32_cstar_target)
+ CFI_ENDPROC
+ ENDPROC(ia32_sysenter_target)
+@@ -233,9 +229,9 @@ ENTRY(ia32_cstar_target)
testl $(_TIF_SYSCALL_TRACE|_TIF_SYSCALL_AUDIT|_TIF_SECCOMP),threadinfo_flags(%r10)
CFI_REMEMBER_STATE
jnz cstar_tracesys
@@ -102,14 +98,14 @@
IA32_ARG_FIXUP 1
call *ia32_sys_call_table(,%rax,8)
movq %rax,RAX-ARGOFFSET(%rsp)
-@@ -261,15 +257,13 @@ cstar_tracesys:
+@@ -260,15 +256,13 @@ cstar_tracesys:
CFI_RESTORE_STATE
xchgl %r9d,%ebp
SAVE_REST
- CLEAR_RREGS
- movq %r9,R9(%rsp)
+ CLEAR_RREGS r9
- movq $-ENOSYS,RAX(%rsp) /* ptrace can change this for a bad syscall */
+ movq $-ENOSYS,RAX(%rsp) /* really needed? */
movq %rsp,%rdi /* &pt_regs -> arg1 */
call syscall_trace_enter
- LOAD_ARGS32 ARGOFFSET /* reload args from stack in case ptrace changed it */
@@ -117,6 +113,6 @@
RESTORE_REST
xchgl %ebp,%r9d
- movl RSP-ARGOFFSET(%rsp), %r8d
- cmpl $(IA32_NR_syscalls-1),%eax
- ja int_ret_from_sys_call /* cstar_tracesys has set RAX(%rsp) */
jmp cstar_do_call
+ END(ia32_cstar_target)
+
Modified: dists/etch-security/linux-2.6.24/debian/patches/series/6~etchnhalf.8etch4
==============================================================================
--- dists/etch-security/linux-2.6.24/debian/patches/series/6~etchnhalf.8etch4 Wed Nov 4 20:49:14 2009 (r14550)
+++ dists/etch-security/linux-2.6.24/debian/patches/series/6~etchnhalf.8etch4 Wed Nov 4 21:10:34 2009 (r14551)
@@ -11,3 +11,5 @@
+ bugfix/all/r8169-balance-pci_map-pci_unmap-pair.patch
+ bugfix/all/r8169-use-hardware-auto-padding.patch
+ bugfix/all/net-ax25-fix-signed-comparison-in-the-sockopt-handler.patch
++ bugfix/x86-64-slightly-stream-line-32-bit-syscall-entry-code.patch
++ bugfix/don-t-leak-64-bit-kernel-register-values-to-32-bit-processes.patch
More information about the Kernel-svn-changes
mailing list