[kernel] r22298 - in dists/squeeze-security/linux-2.6/debian: . patches/bugfix/all patches/bugfix/x86 patches/series
Ben Hutchings
benh at moszumanska.debian.org
Wed Jan 28 23:57:13 UTC 2015
Author: benh
Date: Wed Jan 28 23:57:12 2015
New Revision: 22298
Log:
Add fixes for CVE-2013-6885, CVE-2014-8133, CVE-2014-8134, CVE-2014-8160
Added:
dists/squeeze-security/linux-2.6/debian/patches/bugfix/all/netfilter-conntrack-disable-generic-tracking-for-kno.patch
dists/squeeze-security/linux-2.6/debian/patches/bugfix/x86/x86-cpu-amd-add-workaround-for-family-16h-erratum-79.patch
dists/squeeze-security/linux-2.6/debian/patches/bugfix/x86/x86-kvm-clear-paravirt_enabled-on-kvm-guests-for-espfix32-s-benefit.patch
dists/squeeze-security/linux-2.6/debian/patches/bugfix/x86/x86-tls-validate-tls-entries-to-protect-espfix.patch
dists/squeeze-security/linux-2.6/debian/patches/series/48squeeze11
Modified:
dists/squeeze-security/linux-2.6/debian/changelog
Modified: dists/squeeze-security/linux-2.6/debian/changelog
==============================================================================
--- dists/squeeze-security/linux-2.6/debian/changelog Wed Jan 28 22:43:46 2015 (r22297)
+++ dists/squeeze-security/linux-2.6/debian/changelog Wed Jan 28 23:57:12 2015 (r22298)
@@ -1,6 +1,11 @@
linux-2.6 (2.6.32-48squeeze11) UNRELEASED; urgency=medium
- *
+ * [x86] cpu, amd: Add workaround for family 16h, erratum 793 (CVE-2013-6885)
+ * [x86] tls: Validate TLS entries to protect espfix (CVE-2014-8133)
+ * [x86] kvm: Clear paravirt_enabled on KVM guests for espfix32's benefit
+ (CVE-2014-8134)
+ * netfilter: conntrack: disable generic tracking for known protocols
+ (CVE-2014-8160)
-- Ben Hutchings <ben at decadent.org.uk> Wed, 28 Jan 2015 22:33:05 +0000
Added: dists/squeeze-security/linux-2.6/debian/patches/bugfix/all/netfilter-conntrack-disable-generic-tracking-for-kno.patch
==============================================================================
--- /dev/null 00:00:00 1970 (empty, because file is newly added)
+++ dists/squeeze-security/linux-2.6/debian/patches/bugfix/all/netfilter-conntrack-disable-generic-tracking-for-kno.patch Wed Jan 28 23:57:12 2015 (r22298)
@@ -0,0 +1,88 @@
+From: Florian Westphal <fw at strlen.de>
+Date: Fri, 26 Sep 2014 11:35:42 +0200
+Subject: netfilter: conntrack: disable generic tracking for known protocols
+Origin: https://git.kernel.org/linus/db29a9508a9246e77087c5531e45b2c88ec6988b
+
+Given following iptables ruleset:
+
+-P FORWARD DROP
+-A FORWARD -m sctp --dport 9 -j ACCEPT
+-A FORWARD -p tcp --dport 80 -j ACCEPT
+-A FORWARD -p tcp -m conntrack -m state ESTABLISHED,RELATED -j ACCEPT
+
+One would assume that this allows SCTP on port 9 and TCP on port 80.
+Unfortunately, if the SCTP conntrack module is not loaded, this allows
+*all* SCTP communication, to pass though, i.e. -p sctp -j ACCEPT,
+which we think is a security issue.
+
+This is because on the first SCTP packet on port 9, we create a dummy
+"generic l4" conntrack entry without any port information (since
+conntrack doesn't know how to extract this information).
+
+All subsequent packets that are unknown will then be in established
+state since they will fallback to proto_generic and will match the
+'generic' entry.
+
+Our originally proposed version [1] completely disabled generic protocol
+tracking, but Jozsef suggests to not track protocols for which a more
+suitable helper is available, hence we now mitigate the issue for in
+tree known ct protocol helpers only, so that at least NAT and direction
+information will still be preserved for others.
+
+ [1] http://www.spinics.net/lists/netfilter-devel/msg33430.html
+
+Joint work with Daniel Borkmann.
+
+Signed-off-by: Florian Westphal <fw at strlen.de>
+Signed-off-by: Daniel Borkmann <dborkman at redhat.com>
+Acked-by: Jozsef Kadlecsik <kadlec at blackhole.kfki.hu>
+Signed-off-by: Pablo Neira Ayuso <pablo at netfilter.org>
+[bwh: Backported to 2.6.32: adjust context]
+---
+ net/netfilter/nf_conntrack_proto_generic.c | 26 +++++++++++++++++++++++++-
+ 1 file changed, 25 insertions(+), 1 deletion(-)
+
+diff --git a/net/netfilter/nf_conntrack_proto_generic.c b/net/netfilter/nf_conntrack_proto_generic.c
+index d25f293..957c1db 100644
+--- a/net/netfilter/nf_conntrack_proto_generic.c
++++ b/net/netfilter/nf_conntrack_proto_generic.c
+@@ -14,6 +14,30 @@
+
+ static unsigned int nf_ct_generic_timeout __read_mostly = 600*HZ;
+
++static bool nf_generic_should_process(u8 proto)
++{
++ switch (proto) {
++#ifdef CONFIG_NF_CT_PROTO_SCTP_MODULE
++ case IPPROTO_SCTP:
++ return false;
++#endif
++#ifdef CONFIG_NF_CT_PROTO_DCCP_MODULE
++ case IPPROTO_DCCP:
++ return false;
++#endif
++#ifdef CONFIG_NF_CT_PROTO_GRE_MODULE
++ case IPPROTO_GRE:
++ return false;
++#endif
++#ifdef CONFIG_NF_CT_PROTO_UDPLITE_MODULE
++ case IPPROTO_UDPLITE:
++ return false;
++#endif
++ default:
++ return true;
++ }
++}
++
+ static bool generic_pkt_to_tuple(const struct sk_buff *skb,
+ unsigned int dataoff,
+ struct nf_conntrack_tuple *tuple)
+@@ -56,7 +80,7 @@ static int generic_packet(struct nf_conn *ct,
+ static bool new(struct nf_conn *ct, const struct sk_buff *skb,
+ unsigned int dataoff)
+ {
+- return true;
++ return nf_generic_should_process(nf_ct_protonum(ct));
+ }
+
+ #ifdef CONFIG_SYSCTL
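Review bot: `nf_generic_should_process` carries no comment explaining why only the `CONFIG_NF_CT_PROTO_*_MODULE` symbols are tested and never the built-in (`=y`) variants, which anyone adding a case for a new protocol will need to know. I would add above the function: `/* Refuse generic tracking for protocols that have a dedicated tracker built as a module, since the module may not be loaded; a built-in tracker is presumably always registered and generic never sees those protocols. */` — the built-in part is my reading of why the `=y` symbols are absent and should be confirmed. As far as I can tell from the description, returning false from `new()` means no conntrack entry is created for such packets, so they will no longer match `ESTABLISHED` in the example ruleset; that consequence deserves one line at the `new()` call site as well.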
Added: dists/squeeze-security/linux-2.6/debian/patches/bugfix/x86/x86-cpu-amd-add-workaround-for-family-16h-erratum-79.patch
==============================================================================
--- /dev/null 00:00:00 1970 (empty, because file is newly added)
+++ dists/squeeze-security/linux-2.6/debian/patches/bugfix/x86/x86-cpu-amd-add-workaround-for-family-16h-erratum-79.patch Wed Jan 28 23:57:12 2015 (r22298)
@@ -0,0 +1,82 @@
+From: Borislav Petkov <bp at suse.de>
+Date: Wed, 15 Jan 2014 00:07:11 +0100
+Subject: x86, cpu, amd: Add workaround for family 16h, erratum 793
+Origin: https://git.kernel.org/linus/3b56496865f9f7d9bcb2f93b44c63f274f08e3b6
+
+This adds the workaround for erratum 793 as a precaution in case not
+every BIOS implements it. This addresses CVE-2013-6885.
+
+Erratum text:
+
+[Revision Guide for AMD Family 16h Models 00h-0Fh Processors,
+document 51810 Rev. 3.04 November 2013]
+
+793 Specific Combination of Writes to Write Combined Memory Types and
+Locked Instructions May Cause Core Hang
+
+Description
+
+Under a highly specific and detailed set of internal timing
+conditions, a locked instruction may trigger a timing sequence whereby
+the write to a write combined memory type is not flushed, causing the
+locked instruction to stall indefinitely.
+
+Potential Effect on System
+
+Processor core hang.
+
+Suggested Workaround
+
+BIOS should set MSR
+C001_1020[15] = 1b.
+
+Fix Planned
+
+No fix planned
+
+[ hpa: updated description, fixed typo in MSR name ]
+
+Signed-off-by: Borislav Petkov <bp at suse.de>
+Link: http://lkml.kernel.org/r/20140114230711.GS29865@pd.tnic
+Tested-by: Aravind Gopalakrishnan <aravind.gopalakrishnan at amd.com>
+Signed-off-by: H. Peter Anvin <hpa at linux.intel.com>
+[bwh: Backported to 3.2:
+ - Adjust filename
+ - Venkatesh Srinivas pointed out we should use {rd,wr}msrl_safe() to
+ avoid crashing on KVM. This was fixed upstream by commit 8f86a7373a1c
+ ("x86, AMD: Convert to the new bit access MSR accessors") but that's too
+ much trouble to backport. Here we must use {rd,wr}msrl_amd_safe().]
+---
+ arch/x86/include/asm/msr-index.h | 1 +
+ arch/x86/kernel/cpu/amd.c | 10 ++++++++++
+ 2 files changed, 11 insertions(+)
+
+--- a/arch/x86/include/asm/msr-index.h
++++ b/arch/x86/include/asm/msr-index.h
+@@ -110,6 +110,7 @@
+ #define MSR_AMD64_PATCH_LOADER 0xc0010020
+ #define MSR_AMD64_OSVW_ID_LENGTH 0xc0010140
+ #define MSR_AMD64_OSVW_STATUS 0xc0010141
++#define MSR_AMD64_LS_CFG 0xc0011020
+ #define MSR_AMD64_DC_CFG 0xc0011022
+ #define MSR_AMD64_IBSFETCHCTL 0xc0011030
+ #define MSR_AMD64_IBSFETCHLINAD 0xc0011031
+--- a/arch/x86/kernel/cpu/amd.c
++++ b/arch/x86/kernel/cpu/amd.c
+@@ -413,6 +413,16 @@ static void __cpuinit early_init_amd(str
+ set_cpu_cap(c, X86_FEATURE_EXTD_APICID);
+ }
+ #endif
++
++ /* F16h erratum 793, CVE-2013-6885 */
++ if (c->x86 == 0x16 && c->x86_model <= 0xf) {
++ u64 val;
++
++ if (!rdmsrl_amd_safe(MSR_AMD64_LS_CFG, &val) &&
++ !(val & BIT(15)))
++ wrmsrl_amd_safe(MSR_AMD64_LS_CFG, val | BIT(15));
++ }
++
+ }
+
+ static void __cpuinit init_amd(struct cpuinfo_x86 *c)
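Review bot: The backport annotation at the top of the patch reads `[bwh: Backported to 3.2: ...]`, but this file is being added to the 2.6.32 squeeze tree (the changelog entry is `linux-2.6 (2.6.32-48squeeze11)`), so the header should say 2.6.32 to keep this variant's provenance distinct from the wheezy one. In the `early_init_amd` hunk the return value of `wrmsrl_amd_safe()` is discarded, so a refused write (for instance the virtualized case the backport note mentions) leaves erratum 793 unmitigated with no trace in the log; reporting the failure once, e.g. `printk_once(KERN_WARNING "erratum 793 workaround: could not set MSR_AMD64_LS_CFG bit 15\n")`, would make that visible, provided that helper is available in this tree. `early_init_amd` starts outside the hunk.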
Added: dists/squeeze-security/linux-2.6/debian/patches/bugfix/x86/x86-kvm-clear-paravirt_enabled-on-kvm-guests-for-espfix32-s-benefit.patch
==============================================================================
--- /dev/null 00:00:00 1970 (empty, because file is newly added)
+++ dists/squeeze-security/linux-2.6/debian/patches/bugfix/x86/x86-kvm-clear-paravirt_enabled-on-kvm-guests-for-espfix32-s-benefit.patch Wed Jan 28 23:57:12 2015 (r22298)
@@ -0,0 +1,64 @@
+From: Andy Lutomirski <luto at amacapital.net>
+Date: Fri, 5 Dec 2014 19:03:28 -0800
+Subject: x86, kvm: Clear paravirt_enabled on KVM guests for espfix32's benefit
+Origin: https://git.kernel.org/linus/29fa6825463c97e5157284db80107d1bfac5d77b
+
+paravirt_enabled has the following effects:
+
+ - Disables the F00F bug workaround warning. There is no F00F bug
+ workaround any more because Linux's standard IDT handling already
+ works around the F00F bug, but the warning still exists. This
+ is only cosmetic, and, in any event, there is no such thing as
+ KVM on a CPU with the F00F bug.
+
+ - Disables 32-bit APM BIOS detection. On a KVM paravirt system,
+ there should be no APM BIOS anyway.
+
+ - Disables tboot. I think that the tboot code should check the
+ CPUID hypervisor bit directly if it matters.
+
+ - paravirt_enabled disables espfix32. espfix32 should *not* be
+ disabled under KVM paravirt.
+
+The last point is the purpose of this patch. It fixes a leak of the
+high 16 bits of the kernel stack address on 32-bit KVM paravirt
+guests. Fixes CVE-2014-8134.
+
+Suggested-by: Konrad Rzeszutek Wilk <konrad.wilk at oracle.com>
+Signed-off-by: Andy Lutomirski <luto at amacapital.net>
+Signed-off-by: Paolo Bonzini <pbonzini at redhat.com>
+Signed-off-by: Ben Hutchings <ben at decadent.org.uk>
+[bwh: Backported to 2.6.32: adjust indentation, context]
+---
+ arch/x86/kernel/kvm.c | 9 ++++++++-
+ arch/x86/kernel/kvmclock.c | 1 -
+ 2 files changed, 8 insertions(+), 2 deletions(-)
+
+--- a/arch/x86/kernel/kvm.c
++++ b/arch/x86/kernel/kvm.c
+@@ -198,7 +198,14 @@ static void kvm_leave_lazy_mmu(void)
+ static void __init paravirt_ops_setup(void)
+ {
+ pv_info.name = "KVM";
+- pv_info.paravirt_enabled = 1;
++
++ /*
++ * KVM isn't paravirt in the sense of paravirt_enabled. A KVM
++ * guest kernel works like a bare metal kernel with additional
++ * features, and paravirt_enabled is about features that are
++ * missing.
++ */
++ pv_info.paravirt_enabled = 0;
+
+ if (kvm_para_has_feature(KVM_FEATURE_NOP_IO_DELAY))
+ pv_cpu_ops.io_delay = kvm_io_delay;
+--- a/arch/x86/kernel/kvmclock.c
++++ b/arch/x86/kernel/kvmclock.c
+@@ -201,7 +201,6 @@ void __init kvmclock_init(void)
+ #endif
+ kvm_get_preset_lpj();
+ clocksource_register(&kvm_clock);
+- pv_info.paravirt_enabled = 1;
+ pv_info.name = "KVM";
+ }
+ }
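Review bot: The new comment in `paravirt_ops_setup` explains what `paravirt_enabled` means but not what this particular assignment protects, so a later cleanup could easily restore `= 1` (the kvmclock.c hunk just removed the other such assignment). I would extend the comment with `Keeping this 0 keeps espfix32 active on 32-bit guests (CVE-2014-8134); kvmclock_init() no longer sets it either.` The description also lists the other consumers that are now re-enabled on KVM guests (F00F warning, APM BIOS probe, tboot); that trade-off is consistent with the description but is worth recording in the code comment so the next maintainer does not have to rediscover it.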
Added: dists/squeeze-security/linux-2.6/debian/patches/bugfix/x86/x86-tls-validate-tls-entries-to-protect-espfix.patch
==============================================================================
--- /dev/null 00:00:00 1970 (empty, because file is newly added)
+++ dists/squeeze-security/linux-2.6/debian/patches/bugfix/x86/x86-tls-validate-tls-entries-to-protect-espfix.patch Wed Jan 28 23:57:12 2015 (r22298)
@@ -0,0 +1,73 @@
+From: Andy Lutomirski <luto at amacapital.net>
+Date: Thu, 4 Dec 2014 16:48:16 -0800
+Subject: x86/tls: Validate TLS entries to protect espfix
+Origin: https://git.kernel.org/linus/41bdc78544b8a93a9c6814b8bbbfef966272abbe
+
+Installing a 16-bit RW data segment into the GDT defeats espfix.
+AFAICT this will not affect glibc, Wine, or dosemu at all.
+
+Signed-off-by: Andy Lutomirski <luto at amacapital.net>
+Acked-by: H. Peter Anvin <hpa at zytor.com>
+Cc: Konrad Rzeszutek Wilk <konrad.wilk at oracle.com>
+Cc: Linus Torvalds <torvalds at linux-foundation.org>
+Cc: security at kernel.org <security at kernel.org>
+Cc: Willy Tarreau <w at 1wt.eu>
+Signed-off-by: Ingo Molnar <mingo at kernel.org>
+Signed-off-by: Ben Hutchings <ben at decadent.org.uk>
+---
+ arch/x86/kernel/tls.c | 23 +++++++++++++++++++++++
+ 1 file changed, 23 insertions(+)
+
+--- a/arch/x86/kernel/tls.c
++++ b/arch/x86/kernel/tls.c
+@@ -28,6 +28,21 @@ static int get_free_idx(void)
+ return -ESRCH;
+ }
+
++static bool tls_desc_okay(const struct user_desc *info)
++{
++ if (LDT_empty(info))
++ return true;
++
++ /*
++ * espfix is required for 16-bit data segments, but espfix
++ * only works for LDT segments.
++ */
++ if (!info->seg_32bit)
++ return false;
++
++ return true;
++}
++
+ static void set_tls_desc(struct task_struct *p, int idx,
+ const struct user_desc *info, int n)
+ {
+@@ -67,6 +82,9 @@ int do_set_thread_area(struct task_struc
+ if (copy_from_user(&info, u_info, sizeof(info)))
+ return -EFAULT;
+
++ if (!tls_desc_okay(&info))
++ return -EINVAL;
++
+ if (idx == -1)
+ idx = info.entry_number;
+
+@@ -197,6 +215,7 @@ int regset_tls_set(struct task_struct *t
+ {
+ struct user_desc infobuf[GDT_ENTRY_TLS_ENTRIES];
+ const struct user_desc *info;
++ int i;
+
+ if (pos >= GDT_ENTRY_TLS_ENTRIES * sizeof(struct user_desc) ||
+ (pos % sizeof(struct user_desc)) != 0 ||
+@@ -210,6 +229,10 @@ int regset_tls_set(struct task_struct *t
+ else
+ info = infobuf;
+
++ for (i = 0; i < count / sizeof(struct user_desc); i++)
++ if (!tls_desc_okay(info + i))
++ return -EINVAL;
++
+ set_tls_desc(target,
+ GDT_ENTRY_TLS_MIN + (pos / sizeof(struct user_desc)),
+ info, count / sizeof(struct user_desc));
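Review bot: `tls_desc_okay` is now the single validation point shared by the `do_set_thread_area` and `regset_tls_set` paths, but nothing in the code says so, and its body comment only explains the `seg_32bit` test. I would add a header comment: `/* Policy check for a descriptor about to be installed in a GDT TLS slot; both the set_thread_area syscall and the ptrace regset go through here, so any new restriction belongs in this function. */` In the `regset_tls_set` hunk the new loop uses `int i` against `count / sizeof(struct user_desc)`; `count` is presumably unsigned, so `unsigned int i;` would avoid the signed/unsigned comparison. `regset_tls_set`'s body continues outside the hunk.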
Added: dists/squeeze-security/linux-2.6/debian/patches/series/48squeeze11
==============================================================================
--- /dev/null 00:00:00 1970 (empty, because file is newly added)
+++ dists/squeeze-security/linux-2.6/debian/patches/series/48squeeze11 Wed Jan 28 23:57:12 2015 (r22298)
@@ -0,0 +1,4 @@
++ bugfix/x86/x86-cpu-amd-add-workaround-for-family-16h-erratum-79.patch
++ bugfix/x86/x86-tls-validate-tls-entries-to-protect-espfix.patch
++ bugfix/x86/x86-kvm-clear-paravirt_enabled-on-kvm-guests-for-espfix32-s-benefit.patch
++ bugfix/all/netfilter-conntrack-disable-generic-tracking-for-kno.patch