[kernel] r19748 - in dists/sid/linux/debian: . patches patches/bugfix/x86

Ben Hutchings benh at alioth.debian.org
Sat Jan 19 18:33:54 UTC 2013


Author: benh
Date: Sat Jan 19 18:33:53 2013
New Revision: 19748

Log:
[i386] xen: Fix stack corruption in xen_failsafe_callback for 32bit PVOPS guests. (CVE-2013-0190)

Added:
   dists/sid/linux/debian/patches/bugfix/x86/xen-Fix-stack-corruption-in-xen_failsafe_callback-fo.patch
Modified:
   dists/sid/linux/debian/changelog
   dists/sid/linux/debian/patches/series

Modified: dists/sid/linux/debian/changelog
==============================================================================
--- dists/sid/linux/debian/changelog	Sat Jan 19 18:11:12 2013	(r19747)
+++ dists/sid/linux/debian/changelog	Sat Jan 19 18:33:53 2013	(r19748)
@@ -71,6 +71,8 @@
     most non-PowerMac systems
   * fs: cachefiles: add support for large files in filesystem caching
     (Closes: #698376)
+  * [i386] xen: Fix stack corruption in xen_failsafe_callback for 32bit PVOPS
+    guests. (CVE-2013-0190)
 
   [ Aurelien Jarno ]
   * [armhf/vexpress] Add kernel udebs.
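Review bot: the changelog entry at the two added lines carries only the CVE number, while the patch header it corresponds to says "This fixes CVE-2013-0190 / XSA-40"; adding the Xen advisory id to the entry ("(CVE-2013-0190, XSA-40)") would let readers of the changelog cross-reference the Xen security advisory without opening the patch. The architecture tag "[i386]" is consistent with the patch touching only arch/x86/kernel/entry_32.S.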

Added: dists/sid/linux/debian/patches/bugfix/x86/xen-Fix-stack-corruption-in-xen_failsafe_callback-fo.patch
==============================================================================
--- /dev/null	00:00:00 1970	(empty, because file is newly added)
+++ dists/sid/linux/debian/patches/bugfix/x86/xen-Fix-stack-corruption-in-xen_failsafe_callback-fo.patch	Sat Jan 19 18:33:53 2013	(r19748)
@@ -0,0 +1,64 @@
+From: Andrew Cooper <andrew.cooper3 at citrix.com>
+Date: Wed, 16 Jan 2013 12:00:55 +0000
+Subject: xen: Fix stack corruption in xen_failsafe_callback for 32bit PVOPS
+ guests.
+
+commit 9174adbee4a9a49d0139f5d71969852b36720809 upstream.
+
+This fixes CVE-2013-0190 / XSA-40
+
+There has been an error on the xen_failsafe_callback path for failed
+iret, which causes the stack pointer to be wrong when entering the
+iret_exc error path.  This can result in the kernel crashing.
+
+In the classic kernel case, the relevant code looked a little like:
+
+        popl %eax      # Error code from hypervisor
+        jz 5f
+        addl $16,%esp
+        jmp iret_exc   # Hypervisor said iret fault
+5:      addl $16,%esp
+                       # Hypervisor said segment selector fault
+
+Here, there are two identical addls on either option of a branch which
+appears to have been optimised by hoisting it above the jz, and
+converting it to an lea, which leaves the flags register unaffected.
+
+In the PVOPS case, the code looks like:
+
+        popl_cfi %eax         # Error from the hypervisor
+        lea 16(%esp),%esp     # Add $16 before choosing fault path
+        CFI_ADJUST_CFA_OFFSET -16
+        jz 5f
+        addl $16,%esp         # Incorrectly adjust %esp again
+        jmp iret_exc
+
+It is possible unprivileged userspace applications to cause this
+behaviour, for example by loading an LDT code selector, then changing
+the code selector to be not-present.  At this point, there is a race
+condition where it is possible for the hypervisor to return back to
+userspace from an interrupt, fault on its own iret, and inject a
+failsafe_callback into the kernel.
+
+This bug has been present since the introduction of Xen PVOPS support
+in commit 5ead97c84 (xen: Core Xen implementation), in 2.6.23.
+
+Signed-off-by: Frediano Ziglio <frediano.ziglio at citrix.com>
+Signed-off-by: Andrew Cooper <andrew.cooper3 at citrix.com>
+Signed-off-by: Konrad Rzeszutek Wilk <konrad.wilk at oracle.com>
+---
+ arch/x86/kernel/entry_32.S |    1 -
+ 1 file changed, 1 deletion(-)
+
+diff --git a/arch/x86/kernel/entry_32.S b/arch/x86/kernel/entry_32.S
+index 88b725a..cf8639b 100644
+--- a/arch/x86/kernel/entry_32.S
++++ b/arch/x86/kernel/entry_32.S
+@@ -1084,7 +1084,6 @@ ENTRY(xen_failsafe_callback)
+ 	lea 16(%esp),%esp
+ 	CFI_ADJUST_CFA_OFFSET -16
+ 	jz 5f
+-	addl $16,%esp
+ 	jmp iret_exc
+ 5:	pushl_cfi $-1 /* orig_ax = -1 => not a system call */
+ 	SAVE_ALL
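Review bot: the only code change is the removal of "addl $16,%esp" between "jz 5f" and "jmp iret_exc", and the visible context supports that as the right fix: the "lea 16(%esp),%esp" immediately above the jz is already paired with "CFI_ADJUST_CFA_OFFSET -16", whereas the deleted addl had no matching CFI annotation, so the stack had been adjusted by 32 bytes on the iret_exc path while the unwind information only accounted for 16. After the change both branches (iret_exc and label 5) see the same %esp, which is what the classic-kernel excerpt in the description shows. One documentation point on the header: the description reads "It is possible unprivileged userspace applications to cause this behaviour" and is missing "for" after "possible"; since this text is a verbatim copy of the upstream commit message it can be left as is, but the Debian patch would benefit from an explicit "Origin:" line pointing at upstream commit 9174adbee4a9a49d0139f5d71969852b36720809 in addition to the "commit ... upstream." line, which is the form the rest of the Debian patch series uses for backports.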

Modified: dists/sid/linux/debian/patches/series
==============================================================================
--- dists/sid/linux/debian/patches/series	Sat Jan 19 18:11:12 2013	(r19747)
+++ dists/sid/linux/debian/patches/series	Sat Jan 19 18:33:53 2013	(r19748)
@@ -465,3 +465,4 @@
 features/all/rt2800-add-chipset-revision-RT5390R-support.patch
 bugfix/all/vt6656-Fix-inconsistent-structure-packing.patch
 bugfix/all/fs-cachefiles-add-support-for-large-files-in-filesys.patch
+bugfix/x86/xen-Fix-stack-corruption-in-xen_failsafe_callback-fo.patch
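Review bot: the new entry is appended unconditionally, so the patch is applied for every architecture even though the changelog tags the fix as [i386]; this is harmless here because the patch modifies only arch/x86/kernel/entry_32.S, which is not built on non-x86 or 64-bit configurations, but it is worth confirming that the series file has no per-architecture section the entry should go into instead. Placement after the other bugfix/all entries matches the existing ordering of the file.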
