[kernel] r22298 - in dists/squeeze-security/linux-2.6/debian: . patches/bugfix/all patches/bugfix/x86 patches/series

Ben Hutchings benh at moszumanska.debian.org
Wed Jan 28 23:57:13 UTC 2015


Author: benh
Date: Wed Jan 28 23:57:12 2015
New Revision: 22298

Log:
Add fixes for CVE-2013-6885, CVE-2014-8133, CVE-2014-8134, CVE-2014-8160

Added:
   dists/squeeze-security/linux-2.6/debian/patches/bugfix/all/netfilter-conntrack-disable-generic-tracking-for-kno.patch
   dists/squeeze-security/linux-2.6/debian/patches/bugfix/x86/x86-cpu-amd-add-workaround-for-family-16h-erratum-79.patch
   dists/squeeze-security/linux-2.6/debian/patches/bugfix/x86/x86-kvm-clear-paravirt_enabled-on-kvm-guests-for-espfix32-s-benefit.patch
   dists/squeeze-security/linux-2.6/debian/patches/bugfix/x86/x86-tls-validate-tls-entries-to-protect-espfix.patch
   dists/squeeze-security/linux-2.6/debian/patches/series/48squeeze11
Modified:
   dists/squeeze-security/linux-2.6/debian/changelog

Modified: dists/squeeze-security/linux-2.6/debian/changelog
==============================================================================
--- dists/squeeze-security/linux-2.6/debian/changelog	Wed Jan 28 22:43:46 2015	(r22297)
+++ dists/squeeze-security/linux-2.6/debian/changelog	Wed Jan 28 23:57:12 2015	(r22298)
@@ -1,6 +1,11 @@
 linux-2.6 (2.6.32-48squeeze11) UNRELEASED; urgency=medium
 
-  * 
+  * [x86] cpu, amd: Add workaround for family 16h, erratum 793 (CVE-2013-6885)
+  * [x86] tls: Validate TLS entries to protect espfix (CVE-2014-8133)
+  * [x86] kvm: Clear paravirt_enabled on KVM guests for espfix32's benefit
+    (CVE-2014-8134)
+  * netfilter: conntrack: disable generic tracking for known protocols
+    (CVE-2014-8160)
 
  -- Ben Hutchings <ben at decadent.org.uk>  Wed, 28 Jan 2015 22:33:05 +0000
 

Added: dists/squeeze-security/linux-2.6/debian/patches/bugfix/all/netfilter-conntrack-disable-generic-tracking-for-kno.patch
==============================================================================
--- /dev/null	00:00:00 1970	(empty, because file is newly added)
+++ dists/squeeze-security/linux-2.6/debian/patches/bugfix/all/netfilter-conntrack-disable-generic-tracking-for-kno.patch	Wed Jan 28 23:57:12 2015	(r22298)
@@ -0,0 +1,88 @@
+From: Florian Westphal <fw at strlen.de>
+Date: Fri, 26 Sep 2014 11:35:42 +0200
+Subject: netfilter: conntrack: disable generic tracking for known protocols
+Origin: https://git.kernel.org/linus/db29a9508a9246e77087c5531e45b2c88ec6988b
+
+Given following iptables ruleset:
+
+-P FORWARD DROP
+-A FORWARD -m sctp --dport 9 -j ACCEPT
+-A FORWARD -p tcp --dport 80 -j ACCEPT
+-A FORWARD -p tcp -m conntrack -m state ESTABLISHED,RELATED -j ACCEPT
+
+One would assume that this allows SCTP on port 9 and TCP on port 80.
+Unfortunately, if the SCTP conntrack module is not loaded, this allows
+*all* SCTP communication, to pass though, i.e. -p sctp -j ACCEPT,
+which we think is a security issue.
+
+This is because on the first SCTP packet on port 9, we create a dummy
+"generic l4" conntrack entry without any port information (since
+conntrack doesn't know how to extract this information).
+
+All subsequent packets that are unknown will then be in established
+state since they will fallback to proto_generic and will match the
+'generic' entry.
+
+Our originally proposed version [1] completely disabled generic protocol
+tracking, but Jozsef suggests to not track protocols for which a more
+suitable helper is available, hence we now mitigate the issue for in
+tree known ct protocol helpers only, so that at least NAT and direction
+information will still be preserved for others.
+
+ [1] http://www.spinics.net/lists/netfilter-devel/msg33430.html
+
+Joint work with Daniel Borkmann.
+
+Signed-off-by: Florian Westphal <fw at strlen.de>
+Signed-off-by: Daniel Borkmann <dborkman at redhat.com>
+Acked-by: Jozsef Kadlecsik <kadlec at blackhole.kfki.hu>
+Signed-off-by: Pablo Neira Ayuso <pablo at netfilter.org>
+[bwh: Backported to 2.6.32: adjust context]
+---
+ net/netfilter/nf_conntrack_proto_generic.c | 26 +++++++++++++++++++++++++-
+ 1 file changed, 25 insertions(+), 1 deletion(-)
+
+diff --git a/net/netfilter/nf_conntrack_proto_generic.c b/net/netfilter/nf_conntrack_proto_generic.c
+index d25f293..957c1db 100644
+--- a/net/netfilter/nf_conntrack_proto_generic.c
++++ b/net/netfilter/nf_conntrack_proto_generic.c
+@@ -14,6 +14,30 @@
+ 
+ static unsigned int nf_ct_generic_timeout __read_mostly = 600*HZ;
+ 
++static bool nf_generic_should_process(u8 proto)
++{
++	switch (proto) {
++#ifdef CONFIG_NF_CT_PROTO_SCTP_MODULE
++	case IPPROTO_SCTP:
++		return false;
++#endif
++#ifdef CONFIG_NF_CT_PROTO_DCCP_MODULE
++	case IPPROTO_DCCP:
++		return false;
++#endif
++#ifdef CONFIG_NF_CT_PROTO_GRE_MODULE
++	case IPPROTO_GRE:
++		return false;
++#endif
++#ifdef CONFIG_NF_CT_PROTO_UDPLITE_MODULE
++	case IPPROTO_UDPLITE:
++		return false;
++#endif
++	default:
++		return true;
++	}
++}
++
+ static bool generic_pkt_to_tuple(const struct sk_buff *skb,
+ 				 unsigned int dataoff,
+ 				 struct nf_conntrack_tuple *tuple)
+@@ -56,7 +80,7 @@ static int generic_packet(struct nf_conn *ct,
+ static bool new(struct nf_conn *ct, const struct sk_buff *skb,
+ 		unsigned int dataoff)
+ {
+-	return true;
++	return nf_generic_should_process(nf_ct_protonum(ct));
+ }
+ 
+ #ifdef CONFIG_SYSCTL
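Review bot: nf_generic_should_process() has no comment explaining why only the CONFIG_NF_CT_PROTO_*_MODULE cases are listed, which a reader of this backport will wonder about since the built-in (=y) variants are absent. I would add above the function: `/* Refuse generic tracking for protocols that have a dedicated tracker which may not be loaded yet; a built-in tracker is always registered, so generic is never consulted for it. */` — the built-in claim is my reading of the l4proto registration order, not something the hunk shows. It is also worth a comment on the changed `new()` that a false return leaves the flow untracked (so `-m conntrack --ctstate ESTABLISHED` no longer matches it), since that is the actual mitigation; I could not verify the 2.6.32 init_conntrack path from here.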

Added: dists/squeeze-security/linux-2.6/debian/patches/bugfix/x86/x86-cpu-amd-add-workaround-for-family-16h-erratum-79.patch
==============================================================================
--- /dev/null	00:00:00 1970	(empty, because file is newly added)
+++ dists/squeeze-security/linux-2.6/debian/patches/bugfix/x86/x86-cpu-amd-add-workaround-for-family-16h-erratum-79.patch	Wed Jan 28 23:57:12 2015	(r22298)
@@ -0,0 +1,82 @@
+From: Borislav Petkov <bp at suse.de>
+Date: Wed, 15 Jan 2014 00:07:11 +0100
+Subject: x86, cpu, amd: Add workaround for family 16h, erratum 793
+Origin: https://git.kernel.org/linus/3b56496865f9f7d9bcb2f93b44c63f274f08e3b6
+
+This adds the workaround for erratum 793 as a precaution in case not
+every BIOS implements it.  This addresses CVE-2013-6885.
+
+Erratum text:
+
+[Revision Guide for AMD Family 16h Models 00h-0Fh Processors,
+document 51810 Rev. 3.04 November 2013]
+
+793 Specific Combination of Writes to Write Combined Memory Types and
+Locked Instructions May Cause Core Hang
+
+Description
+
+Under a highly specific and detailed set of internal timing
+conditions, a locked instruction may trigger a timing sequence whereby
+the write to a write combined memory type is not flushed, causing the
+locked instruction to stall indefinitely.
+
+Potential Effect on System
+
+Processor core hang.
+
+Suggested Workaround
+
+BIOS should set MSR
+C001_1020[15] = 1b.
+
+Fix Planned
+
+No fix planned
+
+[ hpa: updated description, fixed typo in MSR name ]
+
+Signed-off-by: Borislav Petkov <bp at suse.de>
+Link: http://lkml.kernel.org/r/20140114230711.GS29865@pd.tnic
+Tested-by: Aravind Gopalakrishnan <aravind.gopalakrishnan at amd.com>
+Signed-off-by: H. Peter Anvin <hpa at linux.intel.com>
+[bwh: Backported to 3.2:
+ - Adjust filename
+ - Venkatesh Srinivas pointed out we should use {rd,wr}msrl_safe() to
+   avoid crashing on KVM.  This was fixed upstream by commit 8f86a7373a1c
+   ("x86, AMD: Convert to the new bit access MSR accessors") but that's too
+   much trouble to backport.  Here we must use {rd,wr}msrl_amd_safe().]
+---
+ arch/x86/include/asm/msr-index.h |  1 +
+ arch/x86/kernel/cpu/amd.c             | 10 ++++++++++
+ 2 files changed, 11 insertions(+)
+
+--- a/arch/x86/include/asm/msr-index.h
++++ b/arch/x86/include/asm/msr-index.h
+@@ -110,6 +110,7 @@
+ #define MSR_AMD64_PATCH_LOADER		0xc0010020
+ #define MSR_AMD64_OSVW_ID_LENGTH	0xc0010140
+ #define MSR_AMD64_OSVW_STATUS		0xc0010141
++#define MSR_AMD64_LS_CFG		0xc0011020
+ #define MSR_AMD64_DC_CFG		0xc0011022
+ #define MSR_AMD64_IBSFETCHCTL		0xc0011030
+ #define MSR_AMD64_IBSFETCHLINAD		0xc0011031
+--- a/arch/x86/kernel/cpu/amd.c
++++ b/arch/x86/kernel/cpu/amd.c
+@@ -413,6 +413,16 @@ static void __cpuinit early_init_amd(str
+ 			set_cpu_cap(c, X86_FEATURE_EXTD_APICID);
+ 	}
+ #endif
++
++	/* F16h erratum 793, CVE-2013-6885 */
++	if (c->x86 == 0x16 && c->x86_model <= 0xf) {
++		u64 val;
++
++		if (!rdmsrl_amd_safe(MSR_AMD64_LS_CFG, &val) &&
++		    !(val & BIT(15)))
++			wrmsrl_amd_safe(MSR_AMD64_LS_CFG, val | BIT(15));
++	}
++
+ }
+ 
+ static void __cpuinit init_amd(struct cpuinfo_x86 *c)
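Review bot: The return value of `wrmsrl_amd_safe()` on the last added line of amd.c is discarded, so if the MSR write is rejected (the backport note says the `_safe` variants were chosen precisely because the MSR can fault under KVM) the erratum 793 workaround is silently not applied. Since the read result is already checked, I would check the write too and log, e.g. `if (wrmsrl_amd_safe(MSR_AMD64_LS_CFG, val | BIT(15))) printk(KERN_WARNING "Failed to apply erratum 793 workaround\n");`, so an administrator can tell whether the CVE-2013-6885 mitigation is active on that host (this runs per CPU, so a once-only print is preferable if this tree has one). early_init_amd() starts outside the hunk.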

Added: dists/squeeze-security/linux-2.6/debian/patches/bugfix/x86/x86-kvm-clear-paravirt_enabled-on-kvm-guests-for-espfix32-s-benefit.patch
==============================================================================
--- /dev/null	00:00:00 1970	(empty, because file is newly added)
+++ dists/squeeze-security/linux-2.6/debian/patches/bugfix/x86/x86-kvm-clear-paravirt_enabled-on-kvm-guests-for-espfix32-s-benefit.patch	Wed Jan 28 23:57:12 2015	(r22298)
@@ -0,0 +1,64 @@
+From: Andy Lutomirski <luto at amacapital.net>
+Date: Fri, 5 Dec 2014 19:03:28 -0800
+Subject: x86, kvm: Clear paravirt_enabled on KVM guests for espfix32's benefit
+Origin: https://git.kernel.org/linus/29fa6825463c97e5157284db80107d1bfac5d77b
+
+paravirt_enabled has the following effects:
+
+ - Disables the F00F bug workaround warning.  There is no F00F bug
+   workaround any more because Linux's standard IDT handling already
+   works around the F00F bug, but the warning still exists.  This
+   is only cosmetic, and, in any event, there is no such thing as
+   KVM on a CPU with the F00F bug.
+
+ - Disables 32-bit APM BIOS detection.  On a KVM paravirt system,
+   there should be no APM BIOS anyway.
+
+ - Disables tboot.  I think that the tboot code should check the
+   CPUID hypervisor bit directly if it matters.
+
+ - paravirt_enabled disables espfix32.  espfix32 should *not* be
+   disabled under KVM paravirt.
+
+The last point is the purpose of this patch.  It fixes a leak of the
+high 16 bits of the kernel stack address on 32-bit KVM paravirt
+guests.  Fixes CVE-2014-8134.
+
+Suggested-by: Konrad Rzeszutek Wilk <konrad.wilk at oracle.com>
+Signed-off-by: Andy Lutomirski <luto at amacapital.net>
+Signed-off-by: Paolo Bonzini <pbonzini at redhat.com>
+Signed-off-by: Ben Hutchings <ben at decadent.org.uk>
+[bwh: Backported to 2.6.32: adjust indentation, context]
+---
+ arch/x86/kernel/kvm.c      | 9 ++++++++-
+ arch/x86/kernel/kvmclock.c | 1 -
+ 2 files changed, 8 insertions(+), 2 deletions(-)
+
+--- a/arch/x86/kernel/kvm.c
++++ b/arch/x86/kernel/kvm.c
+@@ -198,7 +198,14 @@ static void kvm_leave_lazy_mmu(void)
+ static void __init paravirt_ops_setup(void)
+ {
+ 	pv_info.name = "KVM";
+-	pv_info.paravirt_enabled = 1;
++
++	/*
++	 * KVM isn't paravirt in the sense of paravirt_enabled.  A KVM
++	 * guest kernel works like a bare metal kernel with additional
++	 * features, and paravirt_enabled is about features that are
++	 * missing.
++	 */
++	pv_info.paravirt_enabled = 0;
+ 
+ 	if (kvm_para_has_feature(KVM_FEATURE_NOP_IO_DELAY))
+ 		pv_cpu_ops.io_delay = kvm_io_delay;
+--- a/arch/x86/kernel/kvmclock.c
++++ b/arch/x86/kernel/kvmclock.c
+@@ -201,7 +201,6 @@ void __init kvmclock_init(void)
+ #endif
+ 		kvm_get_preset_lpj();
+ 		clocksource_register(&kvm_clock);
+-		pv_info.paravirt_enabled = 1;
+ 		pv_info.name = "KVM";
+ 	}
+ }
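Review bot: The new comment in paravirt_ops_setup() explains why KVM is not "paravirt" but not what goes wrong when the flag is set, which is the reason this is a security fix; the commit message's point (espfix32 disabled, leaking the high 16 bits of the kernel stack address) should be reflected in the code. I would extend the comment with a final line: `Leaving it set also disables espfix32, which leaks kernel stack bits (CVE-2014-8134).` The kvmclock.c hunk removes the assignment rather than clearing it; that is consistent only if pv_info's default for paravirt_enabled is 0, which I believe it is but cannot confirm from the hunk.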

Added: dists/squeeze-security/linux-2.6/debian/patches/bugfix/x86/x86-tls-validate-tls-entries-to-protect-espfix.patch
==============================================================================
--- /dev/null	00:00:00 1970	(empty, because file is newly added)
+++ dists/squeeze-security/linux-2.6/debian/patches/bugfix/x86/x86-tls-validate-tls-entries-to-protect-espfix.patch	Wed Jan 28 23:57:12 2015	(r22298)
@@ -0,0 +1,73 @@
+From: Andy Lutomirski <luto at amacapital.net>
+Date: Thu, 4 Dec 2014 16:48:16 -0800
+Subject: x86/tls: Validate TLS entries to protect espfix
+Origin: https://git.kernel.org/linus/41bdc78544b8a93a9c6814b8bbbfef966272abbe
+
+Installing a 16-bit RW data segment into the GDT defeats espfix.
+AFAICT this will not affect glibc, Wine, or dosemu at all.
+
+Signed-off-by: Andy Lutomirski <luto at amacapital.net>
+Acked-by: H. Peter Anvin <hpa at zytor.com>
+Cc: Konrad Rzeszutek Wilk <konrad.wilk at oracle.com>
+Cc: Linus Torvalds <torvalds at linux-foundation.org>
+Cc: security at kernel.org <security at kernel.org>
+Cc: Willy Tarreau <w at 1wt.eu>
+Signed-off-by: Ingo Molnar <mingo at kernel.org>
+Signed-off-by: Ben Hutchings <ben at decadent.org.uk>
+---
+ arch/x86/kernel/tls.c | 23 +++++++++++++++++++++++
+ 1 file changed, 23 insertions(+)
+
+--- a/arch/x86/kernel/tls.c
++++ b/arch/x86/kernel/tls.c
+@@ -28,6 +28,21 @@ static int get_free_idx(void)
+ 	return -ESRCH;
+ }
+ 
++static bool tls_desc_okay(const struct user_desc *info)
++{
++	if (LDT_empty(info))
++		return true;
++
++	/*
++	 * espfix is required for 16-bit data segments, but espfix
++	 * only works for LDT segments.
++	 */
++	if (!info->seg_32bit)
++		return false;
++
++	return true;
++}
++
+ static void set_tls_desc(struct task_struct *p, int idx,
+ 			 const struct user_desc *info, int n)
+ {
+@@ -67,6 +82,9 @@ int do_set_thread_area(struct task_struc
+ 	if (copy_from_user(&info, u_info, sizeof(info)))
+ 		return -EFAULT;
+ 
++	if (!tls_desc_okay(&info))
++		return -EINVAL;
++
+ 	if (idx == -1)
+ 		idx = info.entry_number;
+ 
+@@ -197,6 +215,7 @@ int regset_tls_set(struct task_struct *t
+ {
+ 	struct user_desc infobuf[GDT_ENTRY_TLS_ENTRIES];
+ 	const struct user_desc *info;
++	int i;
+ 
+ 	if (pos >= GDT_ENTRY_TLS_ENTRIES * sizeof(struct user_desc) ||
+ 	    (pos % sizeof(struct user_desc)) != 0 ||
+@@ -210,6 +229,10 @@ int regset_tls_set(struct task_struct *t
+ 	else
+ 		info = infobuf;
+ 
++	for (i = 0; i < count / sizeof(struct user_desc); i++)
++		if (!tls_desc_okay(info + i))
++			return -EINVAL;
++
+ 	set_tls_desc(target,
+ 		     GDT_ENTRY_TLS_MIN + (pos / sizeof(struct user_desc)),
+ 		     info, count / sizeof(struct user_desc));
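Review bot: In regset_tls_set() the new loop counter `int i` is compared against `count / sizeof(struct user_desc)`, a size_t, which is a signed/unsigned comparison (-Wsign-compare); declaring it `unsigned int i;` matches the `pos`/`count` arithmetic already in the function and avoids the warning. The loop runs before set_tls_desc(), so one bad entry rejects the whole batch without a partial GDT update, which deserves a one-line comment above it: `/* Validate every entry before touching the GDT so a bad one leaves no partial update. */`. tls_desc_okay() is the minimal check (only non-empty 16-bit descriptors are rejected); upstream later tightened it in a follow-up ("x86/tls: Disallow unusual TLS segments"), which may be worth backporting alongside this — I am going from memory on that follow-up. regset_tls_set() starts and ends outside the hunk.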

Added: dists/squeeze-security/linux-2.6/debian/patches/series/48squeeze11
==============================================================================
--- /dev/null	00:00:00 1970	(empty, because file is newly added)
+++ dists/squeeze-security/linux-2.6/debian/patches/series/48squeeze11	Wed Jan 28 23:57:12 2015	(r22298)
@@ -0,0 +1,4 @@
++ bugfix/x86/x86-cpu-amd-add-workaround-for-family-16h-erratum-79.patch
++ bugfix/x86/x86-tls-validate-tls-entries-to-protect-espfix.patch
++ bugfix/x86/x86-kvm-clear-paravirt_enabled-on-kvm-guests-for-espfix32-s-benefit.patch
++ bugfix/all/netfilter-conntrack-disable-generic-tracking-for-kno.patch


