author | Roger Pau Monne <roger.pau@citrix.com> | 2013-01-16 18:30:08 +0100 |
committer | Natanael Copa <ncopa@alpinelinux.org> | 2013-01-17 10:38:58 +0000 |
commit | 1a626cd87f60875d152f6becf44043bee9d82ccb (patch) | |
tree | cc9d6dfe2cd75074ec92a55e1246d2515452b8b8 | |
parent | da9d37b6a115d9da04fa1b91c7effda5e6e454fe (diff) | |
linux-grsec: XSA-40
-rw-r--r-- | main/linux-grsec/APKBUILD | 4 | ||||
-rw-r--r-- | main/linux-grsec/xsa40.patch | 56 |
2 files changed, 59 insertions, 1 deletions
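--- a/main/linux-grsec/APKBUILD
+++ b/main/linux-grsec/APKBUILD
@@ -4,7 +4,7 @@ _flavor=grsec
 pkgname=linux-${_flavor}
 pkgver=3.4.24
 _kernver=3.4
-pkgrel=2
+pkgrel=3
 pkgdesc="Linux kernel with grsecurity"
 url=http://grsecurity.net
 depends="mkinitfs linux-firmware"
@@ -22,6 +22,7 @@ source="http://ftp.kernel.org/pub/linux/kernel/v3.x/linux-$_kernver.tar.xz
 
 0001-r8169-avoid-NAPI-scheduling-delay.patch
 r8169-num-rx-desc.patch
+xsa40.patch
 
 kernelconfig.x86
 kernelconfig.x86_64
@@ -151,5 +152,6 @@ cb6fcd6e966e73c87a839c4c0183f81f 0001-Revert-ipv4-Don-t-use-the-cached-pmtu-inf
 d2f7ba780ff7567c21381428264d7fdd intel_idle.patch
 8e5611c6bf3dfb0008d4e58051a8b0ff 0001-r8169-avoid-NAPI-scheduling-delay.patch
 daf2cbb558588c49c138fe9ca2482b64 r8169-num-rx-desc.patch
+d9de28f8a74fe0347866705b4bd6db85 xsa40.patch
 50a13359236dbd676fa355f0b4fd27ff kernelconfig.x86
 c402f52babc729d1280c1677075aa0d7 kernelconfig.x86_64"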
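Review bot: The digest added for xsa40.patch in the third hunk lands in what appears to be an md5sums list (the variable name is outside the hunk), and an MD5 value gives little assurance that a security patch in the source list has not been swapped for a different file with the same digest. If the abuild version used by this tree supports them, a `sha256sums=` or `sha512sums=` entry for `xsa40.patch` next to the MD5 line would make the integrity check meaningful; the source-list entry and the `pkgrel` bump are consistent with each other.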
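--- /dev/null
+++ b/main/linux-grsec/xsa40.patch
@@ -0,0 +1,56 @@
+Xen: Fix stack corruption in xen_failsafe_callback for 32bit PVOPS guests.
+
+This fixes CVE-2013-0190 / XSA-40
+
+There has been an error on the xen_failsafe_callback path for failed
+iret, which causes the stack pointer to be wrong when entering the
+iret_exc error path. This can result in the kernel crashing.
+
+In the classic kernel case, the relevant code looked a little like:
+
+popl %eax # Error code from hypervisor
+jz 5f
+addl $16,%esp
+jmp iret_exc # Hypervisor said iret fault
+5: addl $16,%esp
+# Hypervisor said segment selector fault
+
+Here, there are two identical addls on either option of a branch which
+appears to have been optimised by hoisting it above the jz, and
+converting it to an lea, which leaves the flags register unaffected.
+
+In the PVOPS case, the code looks like:
+
+popl_cfi %eax # Error from the hypervisor
+lea 16(%esp),%esp # Add $16 before choosing fault path
+CFI_ADJUST_CFA_OFFSET -16
+jz 5f
+addl $16,%esp # Incorrectly adjust %esp again
+jmp iret_exc
+
+It is possible unprivileged userspace applications to cause this
+behaviour, for example by loading an LDT code selector, then changing
+the code selector to be not-present. At this point, there is a race
+condition where it is possible for the hypervisor to return back to
+userspace from an interrupt, fault on its own iret, and inject a
+failsafe_callback into the kernel.
+
+This bug has been present since the introduction of Xen PVOPS support
+in commit 5ead97c84 (xen: Core Xen implementation), in 2.6.23.
+
+Signed-off-by: Frediano Ziglio <frediano.ziglio@citrix.com>
+Signed-off-by: Andrew Cooper <andrew.cooper3@citrix.com>
+
+diff --git a/arch/x86/kernel/entry_32.S b/arch/x86/kernel/entry_32.S
+index ff84d54..6ed91d9 100644
+--- a/arch/x86/kernel/entry_32.S
++++ b/arch/x86/kernel/entry_32.S
+@@ -1065,7 +1065,6 @@ ENTRY(xen_failsafe_callback)
+lea 16(%esp),%esp
+CFI_ADJUST_CFA_OFFSET -16
+jz 5f
+- addl $16,%esp
+jmp iret_exc
+5: pushl_cfi $-1 /* orig_ax = -1 => not a system call */
+SAVE_ALL
+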
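Review bot: The patch header names CVE-2013-0190 and XSA-40 but carries no reference to the upstream Linux commit it was taken from, so a later maintainer cannot easily confirm the hunk matches what mainline shipped, or know when to drop it after a kernel rebase; a line such as `Upstream-commit: <UPSTREAM_COMMIT_ID>` (placeholder, fill in from upstream) or the XSA advisory URL below the Signed-off-by trailers would record that provenance. The removal of the second `addl $16,%esp` is the entire fix, and from the visible lines the `CFI_ADJUST_CFA_OFFSET -16` already accounts for the `lea` adjustment, so the unwind annotations appear to stay consistent with the real `%esp` after the change. The body of xen_failsafe_callback begins and ends outside the inner hunk.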