[linux] 01/01: [x86] iopl/64: properly context-switch IOPL on Xen PV (CVE-2016-3157)

debian-kernel at lists.debian.org debian-kernel at lists.debian.org
Thu Mar 17 17:25:02 UTC 2016 

This is an automated email from the git hooks/post-receive script.

carnil pushed a commit to branch sid
in repository linux.

commit 962c3c4a6f46a4d52864b603da9f656defbf8654
Author: Salvatore Bonaccorso <carnil at debian.org>
Date:   Thu Mar 17 18:20:19 2016 +0100

    [x86] iopl/64: properly context-switch IOPL on Xen PV (CVE-2016-3157)
---
 debian/changelog                                   |  7 ++
 ...64-properly-context-switch-IOPL-on-Xen-PV.patch | 83 ++++++++++++++++++++++
 debian/patches/series                              |  1 +
 3 files changed, 91 insertions(+)

diff --git a/debian/changelog b/debian/changelog
index 796ce63..a92ba45 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,10 @@
+linux (4.4.6-2) UNRELEASED; urgency=medium
+
+  [ Salvatore Bonaccorso ]
+  * [x86] iopl/64: properly context-switch IOPL on Xen PV (CVE-2016-3157)
+
+ -- Salvatore Bonaccorso <carnil at debian.org>  Thu, 17 Mar 2016 18:19:26 +0100
+
 linux (4.4.6-1) unstable; urgency=medium
 
   [ Salvatore Bonaccorso ]
diff --git a/debian/patches/bugfix/x86/x86-iopl-64-properly-context-switch-IOPL-on-Xen-PV.patch b/debian/patches/bugfix/x86/x86-iopl-64-properly-context-switch-IOPL-on-Xen-PV.patch
new file mode 100644
index 0000000..3753e7a
--- /dev/null
+++ b/debian/patches/bugfix/x86/x86-iopl-64-properly-context-switch-IOPL-on-Xen-PV.patch
@@ -0,0 +1,83 @@
+From 91b210501e1bc7518a44d24526f223375bf3d039 Mon Sep 17 00:00:00 2001
+From: Andy Lutomirski <luto at kernel.org>
+Date: Thu, 17 Mar 2016 17:55:31 +0100
+Origin: http://xenbits.xen.org/xsa/xsa171.patch
+Subject: x86/iopl/64: properly context-switch IOPL on Xen PV
+
+On Xen PV, regs->flags doesn't reliably reflect IOPL and the
+exit-to-userspace code doesn't change IOPL.  We need to context
+switch it manually.
+
+I'm doing this without going through paravirt because this is
+specific to Xen PV.  After the dust settles, we can merge this with
+the 32-bit code, tidy up the iopl syscall implementation, and remove
+the set_iopl pvop entirely.
+
+This is XSA-171.
+
+Signed-off-by: Andy Lutomirski <luto at kernel.org>
+Cc: stable at vger.kernel.org
+Reviewed-by: Jan Beulich <jbeulich at suse.com>
+---
+ arch/x86/include/asm/xen/hypervisor.h |  2 ++
+ arch/x86/kernel/process_64.c          | 12 ++++++++++++
+ arch/x86/xen/enlighten.c              |  2 +-
+ 3 files changed, 15 insertions(+), 1 deletion(-)
+
+diff --git a/arch/x86/include/asm/xen/hypervisor.h b/arch/x86/include/asm/xen/hypervisor.h
+index 8b2d4be..7b87b3c 100644
+--- a/arch/x86/include/asm/xen/hypervisor.h
++++ b/arch/x86/include/asm/xen/hypervisor.h
+@@ -62,4 +62,6 @@ void xen_arch_register_cpu(int num);
+ void xen_arch_unregister_cpu(int num);
+ #endif
+ 
++void xen_set_iopl_mask(unsigned mask);
++
+ #endif /* _ASM_X86_XEN_HYPERVISOR_H */
+diff --git a/arch/x86/kernel/process_64.c b/arch/x86/kernel/process_64.c
+index e835d26..4cbb60f 100644
+--- a/arch/x86/kernel/process_64.c
++++ b/arch/x86/kernel/process_64.c
+@@ -48,6 +48,7 @@
+ #include <asm/syscalls.h>
+ #include <asm/debugreg.h>
+ #include <asm/switch_to.h>
++#include <asm/xen/hypervisor.h>
+ 
+ asmlinkage extern void ret_from_fork(void);
+ 
+@@ -411,6 +412,17 @@ __switch_to(struct task_struct *prev_p, struct task_struct *next_p)
+ 		     task_thread_info(prev_p)->flags & _TIF_WORK_CTXSW_PREV))
+ 		__switch_to_xtra(prev_p, next_p, tss);
+ 
++#ifdef CONFIG_XEN
++	/*
++	 * On Xen PV, IOPL bits in pt_regs->flags have no effect, and
++	 * current_pt_regs()->flags may not match the current task's
++	 * intended IOPL.  We need to switch it manually.
++	 */
++	if (unlikely(static_cpu_has(X86_FEATURE_XENPV) &&
++		     prev->iopl != next->iopl))
++		xen_set_iopl_mask(next->iopl);
++#endif
++
+ 	if (static_cpu_has_bug(X86_BUG_SYSRET_SS_ATTRS)) {
+ 		/*
+ 		 * AMD CPUs have a misfeature: SYSRET sets the SS selector but
+diff --git a/arch/x86/xen/enlighten.c b/arch/x86/xen/enlighten.c
+index b7de78b..beab8c7 100644
+--- a/arch/x86/xen/enlighten.c
++++ b/arch/x86/xen/enlighten.c
+@@ -961,7 +961,7 @@ static void xen_load_sp0(struct tss_struct *tss,
+ 	tss->x86_tss.sp0 = thread->sp0;
+ }
+ 
+-static void xen_set_iopl_mask(unsigned mask)
++void xen_set_iopl_mask(unsigned mask)
+ {
+ 	struct physdev_set_iopl set_iopl;
+ 
+-- 
+2.8.0.rc3
+
diff --git a/debian/patches/series b/debian/patches/series
index 6f300e2..84c84a1 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -138,3 +138,4 @@ debian/module-fix-abi-change-in-4.4.5.patch
 bugfix/x86/x86-efi-fix-boot-crash-by-always-mapping-boot-servic.patch
 bugfix/x86/x86-mm-pat-fix-boot-crash-when-1gb-pages-are-not-supported.patch
 bugfix/all/netfilter-x_tables-check-for-size-overflow.patch
+bugfix/x86/x86-iopl-64-properly-context-switch-IOPL-on-Xen-PV.patch

-- 
Alioth's /usr/local/bin/git-commit-notice on /srv/git.debian.org/git/kernel/linux.git

More information about the Kernel-svn-changes mailing list