[kernel] r22499 - in dists/squeeze-security/linux-2.6/debian: . patches/bugfix/x86 patches/series

Ben Hutchings benh at moszumanska.debian.org
Sun Apr 12 20:44:07 UTC 2015


Author: benh
Date: Sun Apr 12 20:44:07 2015
New Revision: 22499

Log:
[amd64] asm/entry: Remove a bogus 'ret_from_fork' optimization (CVE-2015-2830)

Added:
   dists/squeeze-security/linux-2.6/debian/patches/bugfix/x86/x86-asm-entry-64-remove-a-bogus-ret_from_fork-optimi.patch
Modified:
   dists/squeeze-security/linux-2.6/debian/changelog
   dists/squeeze-security/linux-2.6/debian/patches/series/48squeeze12

Modified: dists/squeeze-security/linux-2.6/debian/changelog
==============================================================================
--- dists/squeeze-security/linux-2.6/debian/changelog	Sun Apr 12 19:49:30 2015	(r22498)
+++ dists/squeeze-security/linux-2.6/debian/changelog	Sun Apr 12 20:44:07 2015	(r22499)
@@ -8,6 +8,8 @@
     (CVE-2014-9683)
   * HID: fix a couple of off-by-ones (CVE-2014-3184)
   * ipv6: Don't reduce hop limit for an interface (CVE-2015-2922)
+  * [amd64] asm/entry: Remove a bogus 'ret_from_fork' optimization
+    (CVE-2015-2830)
 
  -- Ben Hutchings <ben at decadent.org.uk>  Sun, 12 Apr 2015 17:12:31 +0100
 

Added: dists/squeeze-security/linux-2.6/debian/patches/bugfix/x86/x86-asm-entry-64-remove-a-bogus-ret_from_fork-optimi.patch
==============================================================================
--- /dev/null	00:00:00 1970	(empty, because file is newly added)
+++ dists/squeeze-security/linux-2.6/debian/patches/bugfix/x86/x86-asm-entry-64-remove-a-bogus-ret_from_fork-optimi.patch	Sun Apr 12 20:44:07 2015	(r22499)
@@ -0,0 +1,53 @@
+From: Andy Lutomirski <luto at amacapital.net>
+Date: Thu, 5 Mar 2015 01:09:44 +0100
+Subject: x86/asm/entry/64: Remove a bogus 'ret_from_fork' optimization
+Origin: https://git.kernel.org/linus/956421fbb74c3a6261903f3836c0740187cf038b
+
+'ret_from_fork' checks TIF_IA32 to determine whether 'pt_regs' and
+the related state make sense for 'ret_from_sys_call'.  This is
+entirely the wrong check.  TS_COMPAT would make a little more
+sense, but there's really no point in keeping this optimization
+at all.
+
+This fixes a return to the wrong user CS if we came from int
+0x80 in a 64-bit task.
+
+Signed-off-by: Andy Lutomirski <luto at amacapital.net>
+Cc: Borislav Petkov <bp at alien8.de>
+Cc: Denys Vlasenko <dvlasenk at redhat.com>
+Cc: H. Peter Anvin <hpa at zytor.com>
+Cc: Linus Torvalds <torvalds at linux-foundation.org>
+Cc: Oleg Nesterov <oleg at redhat.com>
+Cc: Thomas Gleixner <tglx at linutronix.de>
+Cc: <stable at vger.kernel.org>
+Link: http://lkml.kernel.org/r/4710be56d76ef994ddf59087aad98c000fbab9a4.1424989793.git.luto@amacapital.net
+[ Backported from tip:x86/asm. ]
+Signed-off-by: Ingo Molnar <mingo at kernel.org>
+---
+ arch/x86/kernel/entry_64.S | 13 ++++++++-----
+ 1 file changed, 8 insertions(+), 5 deletions(-)
+
+diff --git a/arch/x86/kernel/entry_64.S b/arch/x86/kernel/entry_64.S
+index 10074ad..1d74d16 100644
+--- a/arch/x86/kernel/entry_64.S
++++ b/arch/x86/kernel/entry_64.S
+@@ -413,11 +413,14 @@ ENTRY(ret_from_fork)
+ 	testl $3, CS-ARGOFFSET(%rsp)		# from kernel_thread?
+ 	je   int_ret_from_sys_call
+ 
+-	testl $_TIF_IA32, TI_flags(%rcx)	# 32-bit compat task needs IRET
+-	jnz  int_ret_from_sys_call
+-
+-	RESTORE_TOP_OF_STACK %rdi, -ARGOFFSET
+-	jmp ret_from_sys_call			# go to the SYSRET fastpath
++	/*
++	 * By the time we get here, we have no idea whether our pt_regs,
++	 * ti flags, and ti status came from the 64-bit SYSCALL fast path,
++	 * the slow path, or one of the ia32entry paths.
++	 * Use int_ret_from_sys_call to return, since it can safely handle
++	 * all of the above.
++	 */
++	jmp  int_ret_from_sys_call
+ 
+ 	CFI_ENDPROC
+ END(ret_from_fork)
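Review bot: with the fall-through now ending in `jmp int_ret_from_sys_call` (the new line at the end of the hunk), the preceding `testl $3, CS-ARGOFFSET(%rsp)` / `je int_ret_from_sys_call` pair that remains as context is redundant, since both the taken and not-taken branches reach the same label; consider dropping the test in the backport or adding a one-line comment that it is kept only to stay close to upstream. Removing `testl $_TIF_IA32, TI_flags(%rcx)` also removes the only use of `%rcx` visible in this hunk, so check whether the load of the thread_info pointer into `%rcx` above the hunk is now dead. The file summary (`8 insertions(+), 5 deletions(-)`) matches the five removed and eight added lines, and the `Origin:` header pointing at upstream commit 956421fbb74c together with the `[ Backported from tip:x86/asm. ]` note gives the provenance a reviewer needs to compare the backport against the original.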

Modified: dists/squeeze-security/linux-2.6/debian/patches/series/48squeeze12
==============================================================================
--- dists/squeeze-security/linux-2.6/debian/patches/series/48squeeze12	Sun Apr 12 19:49:30 2015	(r22498)
+++ dists/squeeze-security/linux-2.6/debian/patches/series/48squeeze12	Sun Apr 12 20:44:07 2015	(r22499)
@@ -4,3 +4,4 @@
 + bugfix/all/ecryptfs-remove-buggy-and-unnecessary-write-in-file-.patch
 + bugfix/all/hid-fix-a-couple-of-off-by-ones.patch
 + bugfix/all/ipv6-don-t-reduce-hop-limit-for-an-interface.patch
++ bugfix/x86/x86-asm-entry-64-remove-a-bogus-ret_from_fork-optimi.patch
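Review bot: the new series entry spells the file name exactly as the added path (`bugfix/x86/x86-asm-entry-64-remove-a-bogus-ret_from_fork-optimi.patch`), including the truncated `optimi` suffix, and it is appended after the existing entries, so ordering relative to the three preceding CVE fixes is preserved; no change needed.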


