[kernel] r15626 - in dists/lenny-security/linux-2.6/debian: . patches/bugfix/sparc patches/series

Dann Frazier dannf at alioth.debian.org
Wed May 5 21:39:51 UTC 2010


Author: dannf
Date: Wed May  5 21:39:49 2010
New Revision: 15626

Log:
sparc64: Fix sun4u execute bit check in TSB I-TLB load (CVE-2010-1451)

Added:
   dists/lenny-security/linux-2.6/debian/patches/bugfix/sparc/fix-sun4u-execute-bit-check-in-TSB-I-ITLB-load.patch
Modified:
   dists/lenny-security/linux-2.6/debian/changelog
   dists/lenny-security/linux-2.6/debian/patches/series/21lenny5

Modified: dists/lenny-security/linux-2.6/debian/changelog
==============================================================================
--- dists/lenny-security/linux-2.6/debian/changelog	Wed May  5 21:31:37 2010	(r15625)
+++ dists/lenny-security/linux-2.6/debian/changelog	Wed May  5 21:39:49 2010	(r15626)
@@ -12,6 +12,7 @@
   * tipc: Fix oops on send prior to entering networked mode (CVE-2010-1187)
   * sctp: Fix skb_over_panic resulting from multiple invalid parameter
     errors (CVE-2010-1173)
+  * sparc64: Fix sun4u execute bit check in TSB I-TLB load (CVE-2010-1451)
 
   [ Ben Hutchings ]
   * [x86] KVM: disable paravirt mmu reporting (Closes: #573071) (regressed

Added: dists/lenny-security/linux-2.6/debian/patches/bugfix/sparc/fix-sun4u-execute-bit-check-in-TSB-I-ITLB-load.patch
==============================================================================
--- /dev/null	00:00:00 1970	(empty, because file is newly added)
+++ dists/lenny-security/linux-2.6/debian/patches/bugfix/sparc/fix-sun4u-execute-bit-check-in-TSB-I-ITLB-load.patch	Wed May  5 21:39:49 2010	(r15626)
@@ -0,0 +1,54 @@
+commit f5ef7eaab6daa9eea6c2f611af743544cb0b905d
+Author: David S. Miller <davem at davemloft.net>
+Date:   Fri Feb 19 15:19:52 2010 -0800
+
+    sparc64: Fix sun4u execute bit check in TSB I-TLB load.
+    
+    [Backported to Debian's 2.6.26 by dann frazier <dannf at debian.org>]
+    
+    Thanks to testcase and report from Brad Spengler:
+    
+    --------------------
+    
+    typedef int (* _wee)(void);
+    
+    int main(void)
+    {
+            char buf[8] = { '\x81', '\xc7', '\xe0', '\x08', '\x81', '\xe8',
+                            '\x00', '\x00' };
+            _wee wee;
+            printf("%p\n", &buf);
+            wee = (_wee)&buf;
+            wee();
+    
+            return 0;
+    }
+    --------------------
+    
+    TSB I-tlb load code tries to use andcc to check the _PAGE_EXEC_4U bit,
+    but that's bit 12 so it gets sign extended all the way up to bit 63
+    and the test nearly always passes as a result.
+    
+    Use sethi to fix the bug.
+    
+    Signed-off-by: David S. Miller <davem at davemloft.net>
+
+diff --git a/arch/sparc64/kernel/tsb.S b/arch/sparc64/kernel/tsb.S
+index c499214..a237e29 100644
+--- a/arch/sparc64/kernel/tsb.S
++++ b/arch/sparc64/kernel/tsb.S
+@@ -191,10 +191,12 @@ tsb_dtlb_load:
+ 
+ tsb_itlb_load:
+ 	/* Executable bit must be set.  */
+-661:	andcc		%g5, _PAGE_EXEC_4U, %g0
+-	.section	.sun4v_1insn_patch, "ax"
++661:	sethi		%hi(_PAGE_EXEC_4U), %g4
++	andcc		%g5, %g4, %g0
++	.section	.sun4v_2insn_patch, "ax"
+ 	.word		661b
+ 	andcc		%g5, _PAGE_EXEC_4V, %g0
++	nop
+ 	.previous
+ 
+ 	be,pn		%xcc, tsb_do_fault

Modified: dists/lenny-security/linux-2.6/debian/patches/series/21lenny5
==============================================================================
--- dists/lenny-security/linux-2.6/debian/patches/series/21lenny5	Wed May  5 21:31:37 2010	(r15625)
+++ dists/lenny-security/linux-2.6/debian/patches/series/21lenny5	Wed May  5 21:39:49 2010	(r15626)
@@ -11,3 +11,4 @@
 + bugfix/all/tty-release_one_tty-forgets-to-put-pids.patch
 + bugfix/all/tipc-fix-oops-on-send-prior-to-entering-networked-mode.patch
 + bugfix/all/sctp-fix-skb_over_panic-resulting-from-multiple-invalid-parameter-errors.patch
++ bugfix/sparc/fix-sun4u-execute-bit-check-in-TSB-I-ITLB-load.patch



More information about the Kernel-svn-changes mailing list