[kernel] r14394 - in dists/lenny-security/linux-2.6/debian: . patches/bugfix/x86 patches/series
Dann Frazier
dannf at alioth.debian.org
Fri Oct 16 22:09:41 UTC 2009
Author: dannf
Date: Fri Oct 16 22:09:39 2009
New Revision: 14394
Log:
x86: Don't leak 64-bit kernel register values to 32-bit processes
(CVE-2009-2910)
Added:
dists/lenny-security/linux-2.6/debian/patches/bugfix/x86/don-t-leak-64-bit-kernel-register-values-to-32-bit-processes.patch
dists/lenny-security/linux-2.6/debian/patches/bugfix/x86/x86-64-slightly-stream-line-32-bit-syscall-entry-code.patch
Modified:
dists/lenny-security/linux-2.6/debian/changelog
dists/lenny-security/linux-2.6/debian/patches/series/19lenny1
Modified: dists/lenny-security/linux-2.6/debian/changelog
==============================================================================
--- dists/lenny-security/linux-2.6/debian/changelog Wed Oct 14 21:51:05 2009 (r14393)
+++ dists/lenny-security/linux-2.6/debian/changelog Fri Oct 16 22:09:39 2009 (r14394)
@@ -12,6 +12,8 @@
* eCryptfs: Prevent lower dentry from going negative during unlink
(CVE-2009-2908)
* net ax25: Fix signed comparison in the sockopt handler (CVE-2009-2909)
+ * x86: Don't leak 64-bit kernel register values to 32-bit processes
+ (CVE-2009-2910)
-- dann frazier <dannf at debian.org> Tue, 15 Sep 2009 22:54:06 -0600
Added: dists/lenny-security/linux-2.6/debian/patches/bugfix/x86/don-t-leak-64-bit-kernel-register-values-to-32-bit-processes.patch
==============================================================================
--- /dev/null 00:00:00 1970 (empty, because file is newly added)
+++ dists/lenny-security/linux-2.6/debian/patches/bugfix/x86/don-t-leak-64-bit-kernel-register-values-to-32-bit-processes.patch Fri Oct 16 22:09:39 2009 (r14394)
@@ -0,0 +1,103 @@
+From cebbert at redhat.com Fri Oct 9 15:37:09 2009
+From: Jan Beulich <JBeulich at novell.com>
+Date: Wed, 7 Oct 2009 17:34:09 -0400
+Subject: x86: Don't leak 64-bit kernel register values to 32-bit processes
+To: stable at kernel.org
+Cc: Jan Beulich <jbeulich at novell.com>
+Message-ID: <20091007173409.2d4978d9 at katamari.usersys.redhat.com>
+
+From: Jan Beulich <JBeulich at novell.com>
+
+commit 24e35800cdc4350fc34e2bed37b608a9e13ab3b6 upstream
+
+x86: Don't leak 64-bit kernel register values to 32-bit processes
+
+While 32-bit processes can't directly access R8...R15, they can
+gain access to these registers by temporarily switching themselves
+into 64-bit mode.
+
+Therefore, registers not preserved anyway by called C functions
+(i.e. R8...R11) must be cleared prior to returning to user mode.
+
+Signed-off-by: Jan Beulich <jbeulich at novell.com>
+LKML-Reference: <4AC34D73020000780001744A at vpn.id2.novell.com>
+Signed-off-by: Ingo Molnar <mingo at elte.hu>
+Cc: Chuck Ebbert <cebbert at redhat.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh at suse.de>
+
+---
+ arch/x86/ia32/ia32entry.S | 36 +++++++++++++++++++++++-------------
+ 1 file changed, 23 insertions(+), 13 deletions(-)
+
+Backported to Debian's 2.6.26 by dann frazier <dannf at debian.org>
+
+diff -urpN linux-source-2.6.26.orig/arch/x86/ia32/ia32entry.S linux-source-2.6.26/arch/x86/ia32/ia32entry.S
+--- linux-source-2.6.26.orig/arch/x86/ia32/ia32entry.S 2009-10-15 22:15:48.000000000 -0600
++++ linux-source-2.6.26/arch/x86/ia32/ia32entry.S 2009-10-15 23:03:06.000000000 -0600
+@@ -29,12 +29,12 @@
+ .endm
+
+ /* clobbers %eax */
+- .macro CLEAR_RREGS _r9=rax
++ .macro CLEAR_RREGS offset=0, _r9=rax
+ xorl %eax,%eax
+- movq %rax,R11(%rsp)
+- movq %rax,R10(%rsp)
+- movq %\_r9,R9(%rsp)
+- movq %rax,R8(%rsp)
++ movq %rax,\offset+R11(%rsp)
++ movq %rax,\offset+R10(%rsp)
++ movq %\_r9,\offset+R9(%rsp)
++ movq %rax,\offset+R8(%rsp)
+ .endm
+
+ .macro LOAD_ARGS32 offset, _r9=0
+@@ -143,6 +143,10 @@ sysenter_do_call:
+ movl RIP-R11(%rsp),%edx /* User %eip */
+ CFI_REGISTER rip,rdx
+ RESTORE_ARGS 1,24,1,1,1,1
++ xorq %r8,%r8
++ xorq %r9,%r9
++ xorq %r10,%r10
++ xorq %r11,%r11
+ popfq
+ CFI_ADJUST_CFA_OFFSET -8
+ /*CFI_RESTORE rflags*/
+@@ -247,6 +251,9 @@ cstar_do_call:
+ CFI_REGISTER rip,rcx
+ movl EFLAGS-ARGOFFSET(%rsp),%r11d
+ /*CFI_REGISTER rflags,r11*/
++ xorq %r10,%r10
++ xorq %r9,%r9
++ xorq %r8,%r8
+ TRACE_IRQS_ON
+ movl RSP-ARGOFFSET(%rsp),%esp
+ CFI_RESTORE rsp
+@@ -257,7 +264,7 @@ cstar_tracesys:
+ CFI_RESTORE_STATE
+ xchgl %r9d,%ebp
+ SAVE_REST
+- CLEAR_RREGS r9
++ CLEAR_RREGS 0, r9
+ movq $-ENOSYS,RAX(%rsp) /* ptrace can change this for a bad syscall */
+ movq %rsp,%rdi /* &pt_regs -> arg1 */
+ call syscall_trace_enter
+@@ -328,6 +335,7 @@ ia32_do_call:
+ call *ia32_sys_call_table(,%rax,8) # xxx: rip relative
+ ia32_sysret:
+ movq %rax,RAX-ARGOFFSET(%rsp)
++ CLEAR_RREGS -ARGOFFSET
+ jmp int_ret_from_sys_call
+
+ ia32_tracesys:
+@@ -345,8 +353,8 @@ END(ia32_syscall)
+
+ ia32_badsys:
+ movq $0,ORIG_RAX-ARGOFFSET(%rsp)
+- movq $-ENOSYS,RAX-ARGOFFSET(%rsp)
+- jmp int_ret_from_sys_call
++ movq $-ENOSYS,%rax
++ jmp ia32_sysret
+
+ quiet_ni_syscall:
+ movq $-ENOSYS,%rax
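Review bot: The new `xorq` sequences after `RESTORE_ARGS 1,24,1,1,1,1` (sysenter exit) and before `TRACE_IRQS_ON` (cstar exit) cover only the fast return paths; the work-pending branch from those paths into `int_ret_from_sys_call`, which lies outside these hunks, restores r8–r11 from the pt_regs slots, and the sysenter entry's `SAVE_ARGS 0,0,1` (visible as context in the companion patch) appears to skip storing those slots, so whatever was on the kernel stack could still reach a 32-bit process on that path — confirm against the SAVE_ARGS definition in calling.h. If so, a `CLEAR_RREGS -ARGOFFSET` immediately before that jump, via a shared label as later upstream kernels do with `ia32_ret_from_sys_call`, closes it for both sysenter and cstar. The new `offset` parameter of CLEAR_RREGS also needs documenting; suggest replacing the header with `/* zero the R8..R11 save slots at \offset from the pt_regs base; clobbers %eax */`. Each `xorq` block deserves a one-line why-comment such as `/* r8-r11 are not restored by RESTORE_ARGS; clear them so no kernel values reach 32-bit user mode */`, since nothing at those sites says why zeroing caller-saved registers matters.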
Added: dists/lenny-security/linux-2.6/debian/patches/bugfix/x86/x86-64-slightly-stream-line-32-bit-syscall-entry-code.patch
==============================================================================
--- /dev/null 00:00:00 1970 (empty, because file is newly added)
+++ dists/lenny-security/linux-2.6/debian/patches/bugfix/x86/x86-64-slightly-stream-line-32-bit-syscall-entry-code.patch Fri Oct 16 22:09:39 2009 (r14394)
@@ -0,0 +1,122 @@
+From cebbert at redhat.com Fri Oct 9 15:36:28 2009
+From: Jan Beulich <jbeulich at novell.com>
+Date: Wed, 7 Oct 2009 17:33:08 -0400
+Subject: x86-64: slightly stream-line 32-bit syscall entry code
+To: stable at kernel.org
+Cc: Jan Beulich <jbeulich at novell.com>
+Message-ID: <20091007173308.1e56746f at katamari.usersys.redhat.com>
+
+From: Jan Beulich <jbeulich at novell.com>
+
+commit 295286a89107c353b9677bc604361c537fd6a1c0 upstream
+
+x86-64: slightly stream-line 32-bit syscall entry code
+
+[ required for following patch to apply properly ]
+
+Avoid updating registers or memory twice as well as needlessly loading
+or copying registers.
+
+Signed-off-by: Jan Beulich <jbeulich at novell.com>
+Signed-off-by: Ingo Molnar <mingo at elte.hu>
+Cc: Chuck Ebbert <cebbert at redhat.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh at suse.de>
+
+---
+ arch/x86/ia32/ia32entry.S | 26 ++++++++++----------------
+ 1 file changed, 10 insertions(+), 16 deletions(-)
+
+Backported to Debian's 2.6.26 by dann frazier <dannf at debian.org>
+
+diff -urpN linux-source-2.6.26.orig/arch/x86/ia32/ia32entry.S linux-source-2.6.26/arch/x86/ia32/ia32entry.S
+--- linux-source-2.6.26.orig/arch/x86/ia32/ia32entry.S 2009-08-18 23:15:13.000000000 -0600
++++ linux-source-2.6.26/arch/x86/ia32/ia32entry.S 2009-10-15 22:15:48.000000000 -0600
+@@ -29,19 +29,18 @@
+ .endm
+
+ /* clobbers %eax */
+- .macro CLEAR_RREGS
++ .macro CLEAR_RREGS _r9=rax
+ xorl %eax,%eax
+ movq %rax,R11(%rsp)
+ movq %rax,R10(%rsp)
+- movq %rax,R9(%rsp)
++ movq %\_r9,R9(%rsp)
+ movq %rax,R8(%rsp)
+ .endm
+
+- .macro LOAD_ARGS32 offset
+- movl \offset(%rsp),%r11d
+- movl \offset+8(%rsp),%r10d
++ .macro LOAD_ARGS32 offset, _r9=0
++ .if \_r9
+ movl \offset+16(%rsp),%r9d
+- movl \offset+24(%rsp),%r8d
++ .endif
+ movl \offset+40(%rsp),%ecx
+ movl \offset+48(%rsp),%edx
+ movl \offset+56(%rsp),%esi
+@@ -118,7 +117,7 @@ ENTRY(ia32_sysenter_target)
+ SAVE_ARGS 0,0,1
+ /* no need to do an access_ok check here because rbp has been
+ 32bit zero extended */
+-1: movl (%rbp),%r9d
++1: movl (%rbp),%ebp
+ .section __ex_table,"a"
+ .quad 1b,ia32_badarg
+ .previous
+@@ -130,7 +129,7 @@ ENTRY(ia32_sysenter_target)
+ sysenter_do_call:
+ cmpl $(IA32_NR_syscalls-1),%eax
+ ja ia32_badsys
+- IA32_ARG_FIXUP 1
++ IA32_ARG_FIXUP
+ call *ia32_sys_call_table(,%rax,8)
+ movq %rax,RAX-ARGOFFSET(%rsp)
+ GET_THREAD_INFO(%r10)
+@@ -158,16 +157,13 @@ sysenter_do_call:
+
+ sysenter_tracesys:
+ CFI_RESTORE_STATE
+- xchgl %r9d,%ebp
+ SAVE_REST
+ CLEAR_RREGS
+- movq %r9,R9(%rsp)
+ movq $-ENOSYS,RAX(%rsp)/* ptrace can change this for a bad syscall */
+ movq %rsp,%rdi /* &pt_regs -> arg1 */
+ call syscall_trace_enter
+ LOAD_ARGS32 ARGOFFSET /* reload args from stack in case ptrace changed it */
+ RESTORE_REST
+- xchgl %ebp,%r9d
+ cmpl $(IA32_NR_syscalls-1),%eax
+ ja int_ret_from_sys_call /* sysenter_tracesys has set RAX(%rsp) */
+ jmp sysenter_do_call
+@@ -234,9 +230,9 @@ ENTRY(ia32_cstar_target)
+ testl $(_TIF_SYSCALL_TRACE|_TIF_SYSCALL_AUDIT|_TIF_SECCOMP),threadinfo_flags(%r10)
+ CFI_REMEMBER_STATE
+ jnz cstar_tracesys
+-cstar_do_call:
+ cmpl $IA32_NR_syscalls-1,%eax
+ ja ia32_badsys
++cstar_do_call:
+ IA32_ARG_FIXUP 1
+ call *ia32_sys_call_table(,%rax,8)
+ movq %rax,RAX-ARGOFFSET(%rsp)
+@@ -261,15 +257,13 @@ cstar_tracesys:
+ CFI_RESTORE_STATE
+ xchgl %r9d,%ebp
+ SAVE_REST
+- CLEAR_RREGS
+- movq %r9,R9(%rsp)
++ CLEAR_RREGS r9
+ movq $-ENOSYS,RAX(%rsp) /* ptrace can change this for a bad syscall */
+ movq %rsp,%rdi /* &pt_regs -> arg1 */
+ call syscall_trace_enter
+- LOAD_ARGS32 ARGOFFSET /* reload args from stack in case ptrace changed it */
++ LOAD_ARGS32 ARGOFFSET, 1 /* reload args from stack in case ptrace changed it */
+ RESTORE_REST
+ xchgl %ebp,%r9d
+- movl RSP-ARGOFFSET(%rsp), %r8d
+ cmpl $(IA32_NR_syscalls-1),%eax
+ ja int_ret_from_sys_call /* cstar_tracesys has set RAX(%rsp) */
+ jmp cstar_do_call
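Review bot: The new `_r9` arguments to CLEAR_RREGS and LOAD_ARGS32 change what the macros do (store a chosen register into the R9 slot; reload r9d only on request) but carry no documentation, and `/* clobbers %eax */` is now the whole description of CLEAR_RREGS. Suggest `/* zero the R8..R11 save slots; \_r9 names the register stored in R9 (default rax, i.e. zero); clobbers %eax */` above CLEAR_RREGS and `/* reload 32-bit syscall args from pt_regs at \offset; r9d only when \_r9 is non-zero */` above LOAD_ARGS32. The dropped `movl RSP-ARGOFFSET(%rsp), %r8d` in cstar_tracesys appears to rely on `IA32_ARG_FIXUP 1` at cstar_do_call overwriting r8d before it is used; a one-line comment at the `xchgl %ebp,%r9d` line recording that r8 is dead from here on would keep a future reorder from reintroducing a stale value. Likewise the moved `cstar_do_call:` label means the traced path's only range check is now the `ja int_ret_from_sys_call` just above the final `jmp`; a comment on that `ja` saying so would make the invariant explicit.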
Modified: dists/lenny-security/linux-2.6/debian/patches/series/19lenny1
==============================================================================
--- dists/lenny-security/linux-2.6/debian/patches/series/19lenny1 Wed Oct 14 21:51:05 2009 (r14393)
+++ dists/lenny-security/linux-2.6/debian/patches/series/19lenny1 Fri Oct 16 22:09:39 2009 (r14394)
@@ -14,3 +14,5 @@
+ bugfix/all/netrom-fix-nr_getname-leak.patch
+ bugfix/all/ecryptfs-prevent-lower-dentry-from-going-negative-during-unlink.patch
+ bugfix/all/net-ax25-fix-signed-comparison-in-the-sockopt-handler.patch
++ bugfix/x86/x86-64-slightly-stream-line-32-bit-syscall-entry-code.patch
++ bugfix/x86/don-t-leak-64-bit-kernel-register-values-to-32-bit-processes.patch