--- /dev/null
+From stable-bounces@linux.kernel.org Tue Apr 11 23:19:03 2006
+Date: Wed, 12 Apr 2006 08:18:46 +0200
+From: Andi Kleen <ak@suse.de>
+To: stable@kernel.org
+Message-ID: <20060412061846.GA29499@wotan.suse.de>
+Content-Disposition: inline
+Cc:
+Subject: x86_64: Clean up execve
+
+Just call IRET always, no need for any special cases.
+
+Needed for the next bug fix.
+
+Signed-off-by: Andi Kleen <ak@suse.de>
+Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
+
+---
+ arch/x86_64/kernel/entry.S | 16 ----------------
+ 1 file changed, 16 deletions(-)
+
+--- linux-2.6.16.4.orig/arch/x86_64/kernel/entry.S
++++ linux-2.6.16.4/arch/x86_64/kernel/entry.S
+@@ -408,25 +408,9 @@ ENTRY(stub_execve)
+ CFI_ADJUST_CFA_OFFSET -8
+ CFI_REGISTER rip, r11
+ SAVE_REST
+- movq %r11, %r15
+- CFI_REGISTER rip, r15
+ FIXUP_TOP_OF_STACK %r11
+ call sys_execve
+- GET_THREAD_INFO(%rcx)
+- bt $TIF_IA32,threadinfo_flags(%rcx)
+- CFI_REMEMBER_STATE
+- jc exec_32bit
+ RESTORE_TOP_OF_STACK %r11
+- movq %r15, %r11
+- CFI_REGISTER rip, r11
+- RESTORE_REST
+- pushq %r11
+- CFI_ADJUST_CFA_OFFSET 8
+- CFI_REL_OFFSET rip, 0
+- ret
+-
+-exec_32bit:
+- CFI_RESTORE_STATE
+ movq %rax,RAX(%rsp)
+ RESTORE_REST
+ jmp int_ret_from_sys_call
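Review bot: `CFI_REGISTER rip, r11` at the top of this hunk still tells the unwinder that the popped return address lives in r11, but with the `movq %r11, %r15` save removed, r11 is presumably overwritten as scratch by `FIXUP_TOP_OF_STACK %r11` and is in any case a volatile register across `call sys_execve`, so a backtrace taken inside sys_execve would follow a stale value. Since that return address is now dead (the stub only leaves via `jmp int_ret_from_sys_call`), I would either drop the annotation after SAVE_REST or re-point rip at the pt_regs slot once FIXUP_TOP_OF_STACK has run, whichever the file's other ptregs stubs do. The new tail also deserves a one-line why-comment, e.g. `/* Always return through IRET: execve replaces the user frame, and the IRET path is the one that handles an unchecked RIP safely. */`, so the next reader does not reintroduce a SYSRET fast path. stub_execve's entry lies above this hunk.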
--- /dev/null
+From stable-bounces@linux.kernel.org Tue Apr 11 23:19:40 2006
+Date: Wed, 12 Apr 2006 08:19:29 +0200
+From: Andi Kleen <ak@suse.de>
+To: stable@kernel.org
+Message-ID: <20060412061929.GA29657@wotan.suse.de>
+Content-Disposition: inline
+Cc:
+Subject: x86_64: When user could have changed RIP always force IRET (CVE-2006-0744)
+
+
+Intel EM64T CPUs handle uncanonical return addresses differently from
+AMD CPUs.
+
+The exception is reported in the SYSRET, not the next instruction.
+This leads to the kernel exception handler running on the user stack
+with the wrong GS because the kernel didn't expect exceptions on this
+instruction.
+
+This version of the patch has the teething problems that plagued an
+earlier version fixed.
+
+This is CVE-2006-0744
+
+Thanks to Ernie Petrides and Asit B. Mallick for analysis and initial
+patches.
+
+Signed-off-by: Andi Kleen <ak@suse.de>
+Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
+
+---
+ arch/x86_64/kernel/entry.S | 12 ++++++++++--
+ 1 file changed, 10 insertions(+), 2 deletions(-)
+
+--- linux-2.6.16.4.orig/arch/x86_64/kernel/entry.S
++++ linux-2.6.16.4/arch/x86_64/kernel/entry.S
+@@ -180,6 +180,10 @@ rff_trace:
+ *
+ * XXX if we had a free scratch register we could save the RSP into the stack frame
+ * and report it properly in ps. Unfortunately we haven't.
++ *
++ * When user can change the frames always force IRET. That is because
++ * it deals with uncanonical addresses better. SYSRET has trouble
++ * with them due to bugs in both AMD and Intel CPUs.
+ */
+
+ ENTRY(system_call)
+@@ -254,7 +258,10 @@ sysret_signal:
+ xorl %esi,%esi # oldset -> arg2
+ call ptregscall_common
+ 1: movl $_TIF_NEED_RESCHED,%edi
+- jmp sysret_check
++ /* Use IRET because user could have changed frame. This
++ works because ptregscall_common has called FIXUP_TOP_OF_STACK. */
++ cli
++ jmp int_with_check
+
+ badsys:
+ movq $-ENOSYS,RAX-ARGOFFSET(%rsp)
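Review bot: The safety of `cli` / `jmp int_with_check` here rests on an invariant stated only in the comment, that ptregscall_common has already run FIXUP_TOP_OF_STACK so the frame is complete for the IRET path; nothing in this hunk checks it, and a later change to ptregscall_common (outside this chunk) could silently reopen the SYSRET-on-non-canonical-RIP fault this patch closes. I would state the dependency at ptregscall_common's definition as well, e.g. `/* sysret_signal exits through int_with_check and relies on FIXUP_TOP_OF_STACK having run here */`, and expand the comment on the jump to say why IRET is the safe exit: a non-canonical RIP faults while the kernel is still on its own stack with kernel GS, whereas per the description SYSRET on Intel EM64T reports it only after switching to the user stack. The same one-line rationale would improve the `/* Use IRET because user could have changed frame */` comment in the tracesys hunk below, where the comment implies a tracer may have rewritten the frame. sysret_signal's body starts above this hunk, and whether `movl $_TIF_NEED_RESCHED,%edi` is the mask int_with_check expects cannot be confirmed from here.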
+@@ -280,7 +287,8 @@ tracesys:
+ call syscall_trace_leave
+ RESTORE_TOP_OF_STACK %rbx
+ RESTORE_REST
+- jmp ret_from_sys_call
++ /* Use IRET because user could have changed frame */
++ jmp int_ret_from_sys_call
+ CFI_ENDPROC
+
+ /*