From: Greg Kroah-Hartman Date: Wed, 12 Apr 2006 20:30:29 +0000 (-0700) Subject: 2.6.16.5 release X-Git-Tag: v2.6.16.5^0 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=a09d8cfda4537b07aeb2cb8718cb5f189757fee3;p=thirdparty%2Fkernel%2Fstable-queue.git 2.6.16.5 release
---
diff --git a/2.6.16.5/series b/2.6.16.5/series
new file mode 100644
index 00000000000..b13c107bf83
--- /dev/null
+++ b/2.6.16.5/series
@@ -0,0 +1,2 @@
+x86_64-clean-up-execve.patch
+x86_64-when-user-could-have-changed-rip-always-force-iret.patch
diff --git a/2.6.16.5/x86_64-clean-up-execve.patch b/2.6.16.5/x86_64-clean-up-execve.patch
new file mode 100644
index 00000000000..519c65b6861
--- /dev/null
+++ b/2.6.16.5/x86_64-clean-up-execve.patch
@@ -0,0 +1,48 @@
+From stable-bounces@linux.kernel.org Tue Apr 11 23:19:03 2006
+Date: Wed, 12 Apr 2006 08:18:46 +0200
+From: Andi Kleen
+To: stable@kernel.org
+Message-ID: <20060412061846.GA29499@wotan.suse.de>
+Content-Disposition: inline
+Cc:
+Subject: x86_64: Clean up execve
+
+Just call IRET always, no need for any special cases.
+
+Needed for the next bug fix.
+
+Signed-off-by: Andi Kleen
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ arch/x86_64/kernel/entry.S | 16 ----------------
+ 1 file changed, 16 deletions(-)
+
+--- linux-2.6.16.4.orig/arch/x86_64/kernel/entry.S
++++ linux-2.6.16.4/arch/x86_64/kernel/entry.S
+@@ -408,25 +408,9 @@ ENTRY(stub_execve)
+ CFI_ADJUST_CFA_OFFSET -8
+ CFI_REGISTER rip, r11
+ SAVE_REST
+- movq %r11, %r15
+- CFI_REGISTER rip, r15
+ FIXUP_TOP_OF_STACK %r11
+ call sys_execve
+- GET_THREAD_INFO(%rcx)
+- bt $TIF_IA32,threadinfo_flags(%rcx)
+- CFI_REMEMBER_STATE
+- jc exec_32bit
+ RESTORE_TOP_OF_STACK %r11
+- movq %r15, %r11
+- CFI_REGISTER rip, r11
+- RESTORE_REST
+- pushq %r11
+- CFI_ADJUST_CFA_OFFSET 8
+- CFI_REL_OFFSET rip, 0
+- ret
+-
+-exec_32bit:
+- CFI_RESTORE_STATE
+ movq %rax,RAX(%rsp)
+ RESTORE_REST
+ jmp int_ret_from_sys_call
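Review bot: The new unconditional tail `RESTORE_TOP_OF_STACK %r11` → `movq %rax,RAX(%rsp)` → `RESTORE_REST` → `jmp int_ret_from_sys_call` carries no comment saying why stub_execve must no longer return through the removed `pushq %r11; ret` sequence; the patch description only says "needed for the next bug fix", so a reader of entry.S alone is left guessing. If the reason is the one the companion patch gives — a successful `sys_execve` leaves a user frame that SYSRET cannot be trusted with — say so in the code, e.g. above `movq %rax,RAX(%rsp)`: `/* Always return via IRET: execve may have rewritten the user frame in pt_regs, so the SYSRET fast path is not safe here. */`. The `CFI_REGISTER rip, r11` annotation left as context above `SAVE_REST` now describes a register that is no longer used to return; whether it and the matching save in stub_execve's entry (above the hunk) should go too cannot be judged from here.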
diff --git a/2.6.16.5/x86_64-when-user-could-have-changed-rip-always-force-iret.patch b/2.6.16.5/x86_64-when-user-could-have-changed-rip-always-force-iret.patch
new file mode 100644
index 00000000000..e907e2cb72b
--- /dev/null
+++ b/2.6.16.5/x86_64-when-user-could-have-changed-rip-always-force-iret.patch
@@ -0,0 +1,68 @@
+From stable-bounces@linux.kernel.org Tue Apr 11 23:19:40 2006
+Date: Wed, 12 Apr 2006 08:19:29 +0200
+From: Andi Kleen
+To: stable@kernel.org
+Message-ID: <20060412061929.GA29657@wotan.suse.de>
+Content-Disposition: inline
+Cc:
+Subject: x86_64: When user could have changed RIP always force IRET (CVE-2006-0744)
+
+
+Intel EM64T CPUs handle uncanonical return addresses differently from
+AMD CPUs.
+
+The exception is reported in the SYSRET, not the next instruction.
+Thgis leads to the kernel exception handler running on the user stack
+with the wrong GS because the kernel didn't expect exceptions on this
+instruction.
+
+This version of the patch has the teething problems that plagued an
+earlier version fixed.
+
+This is CVE-2006-0744
+
+Thanks to Ernie Petrides and Asit B. Mallick for analysis and initial
+patches.
+
+Signed-off-by: Andi Kleen
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ arch/x86_64/kernel/entry.S | 12 ++++++++++--
+ 1 file changed, 10 insertions(+), 2 deletions(-)
+
+--- linux-2.6.16.4.orig/arch/x86_64/kernel/entry.S
++++ linux-2.6.16.4/arch/x86_64/kernel/entry.S
+@@ -180,6 +180,10 @@ rff_trace:
+ *
+ * XXX if we had a free scratch register we could save the RSP into the stack frame
+ * and report it properly in ps. Unfortunately we haven't.
++ *
++ * When user can change the frames always force IRET. That is because
++ * it deals with uncanonical addresses better. SYSRET has trouble
++ * with them due to bugs in both AMD and Intel CPUs.
+ */
+ 
+ ENTRY(system_call)
+@@ -254,7 +258,10 @@ sysret_signal:
+ xorl %esi,%esi # oldset -> arg2
+ call ptregscall_common
+ 1: movl $_TIF_NEED_RESCHED,%edi
+- jmp sysret_check
++ /* Use IRET because user could have changed frame. This
++ works because ptregscall_common has called FIXUP_TOP_OF_STACK. */
++ cli
++ jmp int_with_check
+ 
+ badsys:
+ movq $-ENOSYS,RAX-ARGOFFSET(%rsp)
+@@ -280,7 +287,8 @@ tracesys:
+ call syscall_trace_leave
+ RESTORE_TOP_OF_STACK %rbx
+ RESTORE_REST
+- jmp ret_from_sys_call
++ /* Use IRET because user could have changed frame */
++ jmp int_ret_from_sys_call
+ CFI_ENDPROC
+ 
+ /*
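Review bot: The new comment before `cli` justifies the IRET return with "ptregscall_common has called FIXUP_TOP_OF_STACK", but the code sits at the numeric label `1:`, which only makes sense as the target of a forward `1f` jump from above the hunk; if that jump bypasses `call ptregscall_common` (the label's only plausible purpose), that path now reaches `int_with_check` with a frame that was never fixed up, and the RCX/R11/RSP slots that the IRET path restores from pt_regs hold whatever the SYSCALL entry left there. If such a path exists it should either run its own `FIXUP_TOP_OF_STACK` before the new `cli` or keep the old `jmp sysret_check`; at minimum the comment should name which paths reach `1:`, e.g. `/* Both the signal path (via ptregscall_common) and the no-signal path land here; only the former has run FIXUP_TOP_OF_STACK. */`. The `cli` is right only if `int_with_check` expects interrupts already disabled, which the hunk does not show; `sysret_signal`'s head and `int_with_check` are both outside the hunk, so I cannot confirm either from here.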