[kernel] r15626 - in dists/lenny-security/linux-2.6/debian: . patches/bugfix/sparc patches/series
Dann Frazier
dannf at alioth.debian.org
Wed May 5 21:39:51 UTC 2010
Author: dannf
Date: Wed May 5 21:39:49 2010
New Revision: 15626
Log:
sparc64: Fix sun4u execute bit check in TSB I-TLB load (CVE-2010-1451)
Added:
dists/lenny-security/linux-2.6/debian/patches/bugfix/sparc/fix-sun4u-execute-bit-check-in-TSB-I-ITLB-load.patch
Modified:
dists/lenny-security/linux-2.6/debian/changelog
dists/lenny-security/linux-2.6/debian/patches/series/21lenny5
Modified: dists/lenny-security/linux-2.6/debian/changelog
==============================================================================
--- dists/lenny-security/linux-2.6/debian/changelog Wed May 5 21:31:37 2010 (r15625)
+++ dists/lenny-security/linux-2.6/debian/changelog Wed May 5 21:39:49 2010 (r15626)
@@ -12,6 +12,7 @@
* tipc: Fix oops on send prior to entering networked mode (CVE-2010-1187)
* sctp: Fix skb_over_panic resulting from multiple invalid parameter
errors (CVE-2010-1173)
+ * sparc64: Fix sun4u execute bit check in TSB I-TLB load (CVE-2010-1451)
[ Ben Hutchings ]
* [x86] KVM: disable paravirt mmu reporting (Closes: #573071) (regressed
Added: dists/lenny-security/linux-2.6/debian/patches/bugfix/sparc/fix-sun4u-execute-bit-check-in-TSB-I-ITLB-load.patch
==============================================================================
--- /dev/null 00:00:00 1970 (empty, because file is newly added)
+++ dists/lenny-security/linux-2.6/debian/patches/bugfix/sparc/fix-sun4u-execute-bit-check-in-TSB-I-ITLB-load.patch Wed May 5 21:39:49 2010 (r15626)
@@ -0,0 +1,54 @@
+commit f5ef7eaab6daa9eea6c2f611af743544cb0b905d
+Author: David S. Miller <davem at davemloft.net>
+Date: Fri Feb 19 15:19:52 2010 -0800
+
+ sparc64: Fix sun4u execute bit check in TSB I-TLB load.
+
+ [Backported to Debian's 2.6.26 by dann frazier <dannf at debian.org>]
+
+ Thanks to testcase and report from Brad Spengler:
+
+ --------------------
+
+ typedef int (* _wee)(void);
+
+ int main(void)
+ {
+ char buf[8] = { '\x81', '\xc7', '\xe0', '\x08', '\x81', '\xe8',
+ '\x00', '\x00' };
+ _wee wee;
+ printf("%p\n", &buf);
+ wee = (_wee)&buf;
+ wee();
+
+ return 0;
+ }
+ --------------------
+
+ TSB I-tlb load code tries to use andcc to check the _PAGE_EXEC_4U bit,
+ but that's bit 12 so it gets sign extended all the way up to bit 63
+ and the test nearly always passes as a result.
+
+ Use sethi to fix the bug.
+
+ Signed-off-by: David S. Miller <davem at davemloft.net>
+
+diff --git a/arch/sparc64/kernel/tsb.S b/arch/sparc64/kernel/tsb.S
+index c499214..a237e29 100644
+--- a/arch/sparc64/kernel/tsb.S
++++ b/arch/sparc64/kernel/tsb.S
+@@ -191,10 +191,12 @@ tsb_dtlb_load:
+
+ tsb_itlb_load:
+ /* Executable bit must be set. */
+-661: andcc %g5, _PAGE_EXEC_4U, %g0
+- .section .sun4v_1insn_patch, "ax"
++661: sethi %hi(_PAGE_EXEC_4U), %g4
++ andcc %g5, %g4, %g0
++ .section .sun4v_2insn_patch, "ax"
+ .word 661b
+ andcc %g5, _PAGE_EXEC_4V, %g0
++ nop
+ .previous
+
+ be,pn %xcc, tsb_do_fault
Modified: dists/lenny-security/linux-2.6/debian/patches/series/21lenny5
==============================================================================
--- dists/lenny-security/linux-2.6/debian/patches/series/21lenny5 Wed May 5 21:31:37 2010 (r15625)
+++ dists/lenny-security/linux-2.6/debian/patches/series/21lenny5 Wed May 5 21:39:49 2010 (r15626)
@@ -11,3 +11,4 @@
+ bugfix/all/tty-release_one_tty-forgets-to-put-pids.patch
+ bugfix/all/tipc-fix-oops-on-send-prior-to-entering-networked-mode.patch
+ bugfix/all/sctp-fix-skb_over_panic-resulting-from-multiple-invalid-parameter-errors.patch
++ bugfix/sparc/fix-sun4u-execute-bit-check-in-TSB-I-ITLB-load.patch
More information about the Kernel-svn-changes
mailing list