From: Greg Kroah-Hartman Date: Fri, 9 Oct 2009 22:45:51 +0000 (-0700) Subject: start .27 queue X-Git-Tag: v2.6.27.37~5 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=b28d27d8f922aff37f360190cfdfb4987bf457fa;p=thirdparty%2Fkernel%2Fstable-queue.git start .27 queue --- diff --git a/queue-2.6.27/ecryptfs-prevent-lower-dentry-from-going-negative-during-unlink.patch b/queue-2.6.27/ecryptfs-prevent-lower-dentry-from-going-negative-during-unlink.patch new file mode 100644 index 00000000000..f0a73fb1848 --- /dev/null +++ b/queue-2.6.27/ecryptfs-prevent-lower-dentry-from-going-negative-during-unlink.patch @@ -0,0 +1,61 @@ +From cebbert@redhat.com Fri Oct 9 15:38:12 2009 +From: Chuck Ebbert +Date: Wed, 7 Oct 2009 17:35:46 -0400 +Subject: eCryptfs: Prevent lower dentry from going negative during unlink (CVE-2009-2908) +To: stable@kernel.org +Message-ID: <20091007173546.68f05507@katamari.usersys.redhat.com> + + +From: Tyler Hicks + +commit 9c2d2056647790c5034d722bd24e9d913ebca73c upstream. + +When calling vfs_unlink() on the lower dentry, d_delete() turns the +dentry into a negative dentry when the d_count is 1. This eventually +caused a NULL pointer deref when a read() or write() was done and the +negative dentry's d_inode was dereferenced in +ecryptfs_read_update_atime() or ecryptfs_getxattr(). + +Placing mutt's tmpdir in an eCryptfs mount is what initially triggered +the oops and I was able to reproduce it with the following sequence: + +open("/tmp/upper/foo", O_RDWR|O_CREAT|O_EXCL|O_NOFOLLOW, 0600) = 3 +link("/tmp/upper/foo", "/tmp/upper/bar") = 0 +unlink("/tmp/upper/foo") = 0 +open("/tmp/upper/bar", O_RDWR|O_CREAT|O_NOFOLLOW, 0600) = 4 +unlink("/tmp/upper/bar") = 0 +write(4, "eCryptfs test\n"..., 14 ++++ killed by SIGKILL +++ + +https://bugs.launchpad.net/ecryptfs/+bug/387073 + +Reported-by: Loïc Minier +Cc: Serge Hallyn +Cc: Dave Kleikamp +Cc: ecryptfs-devel@lists.launchpad.net +Signed-off-by: Tyler Hicks +Cc: Chuck Ebbert +Signed-off-by: Greg Kroah-Hartman + +--- + fs/ecryptfs/inode.c | 2 ++ + 1 file changed, 2 insertions(+) + +--- a/fs/ecryptfs/inode.c ++++ b/fs/ecryptfs/inode.c +@@ -443,6 +443,7 @@ static int ecryptfs_unlink(struct inode + struct inode *lower_dir_inode = ecryptfs_inode_to_lower(dir); + struct dentry *lower_dir_dentry; + ++ dget(lower_dentry); + lower_dir_dentry = lock_parent(lower_dentry); + rc = vfs_unlink(lower_dir_inode, lower_dentry); + if (rc) { +@@ -456,6 +457,7 @@ static int ecryptfs_unlink(struct inode + d_drop(dentry); + out_unlock: + unlock_dir(lower_dir_dentry); ++ dput(lower_dentry); + return rc; + } + diff --git a/queue-2.6.27/hpwdt.c-add-new-hp-bmc-controller.patch b/queue-2.6.27/hpwdt.c-add-new-hp-bmc-controller.patch new file mode 100644 index 00000000000..84e9cc6bb2c --- /dev/null +++ b/queue-2.6.27/hpwdt.c-add-new-hp-bmc-controller.patch @@ -0,0 +1,66 @@ +From d8100c3abfd32986a8820ce4e614b0223a2d22a9 Mon Sep 17 00:00:00 2001 +From: Thomas Mingarelli +Date: Tue, 3 Mar 2009 00:17:16 +0000 +Subject: [WATCHDOG] hpwdt.c: Add new HP BMC controller. + +From: Thomas Mingarelli + +commit d8100c3abfd32986a8820ce4e614b0223a2d22a9 upstream. + +Add the PCI-ID for the upcoming new BMC controller for HP hardware. + +Signed-off-by: Thomas Mingarelli +Signed-off-by: Wim Van Sebroeck +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/watchdog/hpwdt.c | 15 +++++++-------- + 1 file changed, 7 insertions(+), 8 deletions(-) + +--- a/drivers/watchdog/hpwdt.c ++++ b/drivers/watchdog/hpwdt.c +@@ -47,6 +47,7 @@ + #define PCI_BIOS32_PARAGRAPH_LEN 16 + #define PCI_ROM_BASE1 0x000F0000 + #define ROM_SIZE 0x10000 ++#define HPWDT_VERSION "1.01" + + struct bios32_service_dir { + u32 signature; +@@ -130,12 +131,8 @@ static void *cru_rom_addr; + static struct cmn_registers cmn_regs; + + static struct pci_device_id hpwdt_devices[] = { +- { +- .vendor = PCI_VENDOR_ID_COMPAQ, +- .device = 0xB203, +- .subvendor = PCI_ANY_ID, +- .subdevice = PCI_ANY_ID, +- }, ++ { PCI_DEVICE(PCI_VENDOR_ID_COMPAQ, 0xB203) }, ++ { PCI_DEVICE(PCI_VENDOR_ID_HP, 0x3306) }, + {0}, /* terminate list */ + }; + MODULE_DEVICE_TABLE(pci, hpwdt_devices); +@@ -704,10 +701,11 @@ static int __devinit hpwdt_init_one(stru + } + + printk(KERN_INFO +- "hp Watchdog Timer Driver: 1.00" ++ "hp Watchdog Timer Driver: %s" + ", timer margin: %d seconds (nowayout=%d)" + ", allow kernel dump: %s (default = 0/OFF).\n", +- soft_margin, nowayout, (allow_kdump == 0) ? "OFF" : "ON"); ++ HPWDT_VERSION, soft_margin, nowayout, ++ (allow_kdump == 0) ? "OFF" : "ON"); + + return 0; + +@@ -757,6 +755,7 @@ static int __init hpwdt_init(void) + MODULE_AUTHOR("Tom Mingarelli"); + MODULE_DESCRIPTION("hp watchdog driver"); + MODULE_LICENSE("GPL"); ++MODULE_VERSION(HPWDT_VERSION); + MODULE_ALIAS_MISCDEV(WATCHDOG_MINOR); + + module_param(soft_margin, int, 0); diff --git a/queue-2.6.27/kvm-x86-disallow-hypercalls-for-guest-callers-in-rings-0.patch b/queue-2.6.27/kvm-x86-disallow-hypercalls-for-guest-callers-in-rings-0.patch new file mode 100644 index 00000000000..f7b64f5f24b --- /dev/null +++ b/queue-2.6.27/kvm-x86-disallow-hypercalls-for-guest-callers-in-rings-0.patch @@ -0,0 +1,65 @@ +From cebbert@redhat.com Fri Oct 9 15:40:17 2009 +From: Jan Kiszka +Date: Wed, 7 Oct 2009 17:40:32 -0400 +Subject: KVM: x86: Disallow hypercalls for guest callers in rings > 0 [CVE-2009-3290] +To: stable@kernel.org +Message-ID: <20091007174032.17897459@katamari.usersys.redhat.com> + + +From: Jan Kiszka + +[ backport to 2.6.27 by Chuck Ebbert ] + +commit 07708c4af1346ab1521b26a202f438366b7bcffd upstream. + +So far unprivileged guest callers running in ring 3 can issue, e.g., MMU +hypercalls. Normally, such callers cannot provide any hand-crafted MMU +command structure as it has to be passed by its physical address, but +they can still crash the guest kernel by passing random addresses. + +To close the hole, this patch considers hypercalls valid only if issued +from guest ring 0. This may still be relaxed on a per-hypercall base in +the future once required. + +Signed-off-by: Jan Kiszka +Signed-off-by: Avi Kivity +Cc: Chuck Ebbert +Signed-off-by: Greg Kroah-Hartman + +--- + arch/x86/kvm/x86.c | 6 ++++++ + include/linux/kvm_para.h | 1 + + 2 files changed, 7 insertions(+) + +--- a/arch/x86/kvm/x86.c ++++ b/arch/x86/kvm/x86.c +@@ -2571,6 +2571,11 @@ int kvm_emulate_hypercall(struct kvm_vcp + a3 &= 0xFFFFFFFF; + } + ++ if (kvm_x86_ops->get_cpl(vcpu) != 0) { ++ ret = -KVM_EPERM; ++ goto out; ++ } ++ + switch (nr) { + case KVM_HC_VAPIC_POLL_IRQ: + ret = 0; +@@ -2582,6 +2587,7 @@ int kvm_emulate_hypercall(struct kvm_vcp + ret = -KVM_ENOSYS; + break; + } ++out: + vcpu->arch.regs[VCPU_REGS_RAX] = ret; + kvm_x86_ops->decache_regs(vcpu); + ++vcpu->stat.hypercalls; +--- a/include/linux/kvm_para.h ++++ b/include/linux/kvm_para.h +@@ -13,6 +13,7 @@ + #define KVM_ENOSYS 1000 + #define KVM_EFAULT EFAULT + #define KVM_E2BIG E2BIG ++#define KVM_EPERM EPERM + + #define KVM_HC_VAPIC_POLL_IRQ 1 + #define KVM_HC_MMU_OP 2 diff --git a/queue-2.6.27/net-fix-wrong-sizeof.patch b/queue-2.6.27/net-fix-wrong-sizeof.patch new file mode 100644 index 00000000000..5145b959669 --- /dev/null +++ b/queue-2.6.27/net-fix-wrong-sizeof.patch @@ -0,0 +1,32 @@ +From b607bd900051efc3308c4edc65dd98b34b230021 Mon Sep 17 00:00:00 2001 +From: Jean Delvare +Date: Fri, 2 Oct 2009 09:55:19 -0700 +Subject: net: Fix wrong sizeof + +From: Jean Delvare + +commit b607bd900051efc3308c4edc65dd98b34b230021 upstream. + +Which is why I have always preferred sizeof(struct foo) over +sizeof(var). + +Signed-off-by: Jean Delvare +Acked-by: Randy Dunlap +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/net/iseries_veth.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/drivers/net/iseries_veth.c ++++ b/drivers/net/iseries_veth.c +@@ -495,7 +495,7 @@ static void veth_take_cap_ack(struct vet + cnx->remote_lp); + } else { + memcpy(&cnx->cap_ack_event, event, +- sizeof(&cnx->cap_ack_event)); ++ sizeof(cnx->cap_ack_event)); + cnx->state |= VETH_STATE_GOTCAPACK; + veth_kick_statemachine(cnx); + } diff --git a/queue-2.6.27/series b/queue-2.6.27/series new file mode 100644 index 00000000000..40153c89887 --- /dev/null +++ b/queue-2.6.27/series @@ -0,0 +1,8 @@ +net-fix-wrong-sizeof.patch +x86-64-slightly-stream-line-32-bit-syscall-entry-code.patch +x86-don-t-leak-64-bit-kernel-register-values-to-32-bit-processes.patch +ecryptfs-prevent-lower-dentry-from-going-negative-during-unlink.patch +x86-increase-min_gap-to-include-randomized-stack.patch +kvm-x86-disallow-hypercalls-for-guest-callers-in-rings-0.patch +hpwdt.c-add-new-hp-bmc-controller.patch +time-catch-xtime_nsec-underflows-and-fix-them.patch diff --git a/queue-2.6.27/time-catch-xtime_nsec-underflows-and-fix-them.patch b/queue-2.6.27/time-catch-xtime_nsec-underflows-and-fix-them.patch new file mode 100644 index 00000000000..e0d433ce218 --- /dev/null +++ b/queue-2.6.27/time-catch-xtime_nsec-underflows-and-fix-them.patch @@ -0,0 +1,103 @@ +From 6c9bacb41c10ba84ff68f238e234d96f35fb64f7 Mon Sep 17 00:00:00 2001 +From: john stultz +Date: Mon, 1 Dec 2008 18:34:41 -0800 +Subject: time: catch xtime_nsec underflows and fix them + +From: john stultz + +commit 6c9bacb41c10ba84ff68f238e234d96f35fb64f7 upstream. + +Impact: fix time warp bug + +Alex Shi, along with Yanmin Zhang have been noticing occasional time +inconsistencies recently. Through their great diagnosis, they found that +the xtime_nsec value used in update_wall_time was occasionally going +negative. After looking through the code for awhile, I realized we have +the possibility for an underflow when three conditions are met in +update_wall_time(): + + 1) We have accumulated a second's worth of nanoseconds, so we + incremented xtime.tv_sec and appropriately decrement xtime_nsec. + (This doesn't cause xtime_nsec to go negative, but it can cause it + to be small). + + 2) The remaining offset value is large, but just slightly less then + cycle_interval. + + 3) clocksource_adjust() is speeding up the clock, causing a + corrective amount (compensating for the increase in the multiplier + being multiplied against the unaccumulated offset value) to be + subtracted from xtime_nsec. + +This can cause xtime_nsec to underflow. + +Unfortunately, since we notify the NTP subsystem via second_overflow() +whenever we accumulate a full second, and this effects the error +accumulation that has already occured, we cannot simply revert the +accumulated second from xtime nor move the second accumulation to after +the clocksource_adjust call without a change in behavior. + +This leaves us with (at least) two options: + +1) Simply return from clocksource_adjust() without making a change if we + notice the adjustment would cause xtime_nsec to go negative. + +This would work, but I'm concerned that if a large adjustment was needed +(due to the error being large), it may be possible to get stuck with an +ever increasing error that becomes too large to correct (since it may +always force xtime_nsec negative). This may just be paranoia on my part. + +2) Catch xtime_nsec if it is negative, then add back the amount its + negative to both xtime_nsec and the error. + +This second method is consistent with how we've handled earlier rounding +issues, and also has the benefit that the error being added is always in +the oposite direction also always equal or smaller then the correction +being applied. So the risk of a corner case where things get out of +control is lessened. + +This patch fixes bug 11970, as tested by Yanmin Zhang +http://bugzilla.kernel.org/show_bug.cgi?id=11970 + +Reported-by: alex.shi@intel.com +Signed-off-by: John Stultz +Acked-by: "Zhang, Yanmin" +Tested-by: "Zhang, Yanmin" +Signed-off-by: Ingo Molnar +Signed-off-by: Greg Kroah-Hartman + +--- + kernel/time/timekeeping.c | 22 ++++++++++++++++++++++ + 1 file changed, 22 insertions(+) + +--- a/kernel/time/timekeeping.c ++++ b/kernel/time/timekeeping.c +@@ -477,6 +477,28 @@ void update_wall_time(void) + /* correct the clock when NTP error is too big */ + clocksource_adjust(offset); + ++ /* ++ * Since in the loop above, we accumulate any amount of time ++ * in xtime_nsec over a second into xtime.tv_sec, its possible for ++ * xtime_nsec to be fairly small after the loop. Further, if we're ++ * slightly speeding the clocksource up in clocksource_adjust(), ++ * its possible the required corrective factor to xtime_nsec could ++ * cause it to underflow. ++ * ++ * Now, we cannot simply roll the accumulated second back, since ++ * the NTP subsystem has been notified via second_overflow. So ++ * instead we push xtime_nsec forward by the amount we underflowed, ++ * and add that amount into the error. ++ * ++ * We'll correct this error next time through this function, when ++ * xtime_nsec is not as small. ++ */ ++ if (unlikely((s64)clock->xtime_nsec < 0)) { ++ s64 neg = -(s64)clock->xtime_nsec; ++ clock->xtime_nsec = 0; ++ clock->error += neg << (NTP_SCALE_SHIFT - clock->shift); ++ } ++ + /* store full nanoseconds into xtime */ + xtime.tv_nsec = (s64)clock->xtime_nsec >> clock->shift; + clock->xtime_nsec -= (s64)xtime.tv_nsec << clock->shift; diff --git a/queue-2.6.27/x86-64-slightly-stream-line-32-bit-syscall-entry-code.patch b/queue-2.6.27/x86-64-slightly-stream-line-32-bit-syscall-entry-code.patch new file mode 100644 index 00000000000..0f5c22d62e0 --- /dev/null +++ b/queue-2.6.27/x86-64-slightly-stream-line-32-bit-syscall-entry-code.patch @@ -0,0 +1,127 @@ +From cebbert@redhat.com Fri Oct 9 15:36:28 2009 +From: Jan Beulich +Date: Wed, 7 Oct 2009 17:33:08 -0400 +Subject: x86-64: slightly stream-line 32-bit syscall entry code +To: stable@kernel.org +Cc: Jan Beulich +Message-ID: <20091007173308.1e56746f@katamari.usersys.redhat.com> + +From: Jan Beulich + +commit 295286a89107c353b9677bc604361c537fd6a1c0 upstream + +x86-64: slightly stream-line 32-bit syscall entry code + +[ required for following patch to apply properly ] + +Avoid updating registers or memory twice as well as needlessly loading +or copying registers. + +Signed-off-by: Jan Beulich +Signed-off-by: Ingo Molnar +Cc: Chuck Ebbert +Signed-off-by: Greg Kroah-Hartman + +--- + arch/x86/ia32/ia32entry.S | 26 ++++++++++---------------- + 1 file changed, 10 insertions(+), 16 deletions(-) + +--- a/arch/x86/ia32/ia32entry.S ++++ b/arch/x86/ia32/ia32entry.S +@@ -39,11 +39,11 @@ + .endm + + /* clobbers %eax */ +- .macro CLEAR_RREGS ++ .macro CLEAR_RREGS _r9=rax + xorl %eax,%eax + movq %rax,R11(%rsp) + movq %rax,R10(%rsp) +- movq %rax,R9(%rsp) ++ movq %\_r9,R9(%rsp) + movq %rax,R8(%rsp) + .endm + +@@ -52,11 +52,10 @@ + * We don't reload %eax because syscall_trace_enter() returned + * the value it wants us to use in the table lookup. + */ +- .macro LOAD_ARGS32 offset +- movl \offset(%rsp),%r11d +- movl \offset+8(%rsp),%r10d ++ .macro LOAD_ARGS32 offset, _r9=0 ++ .if \_r9 + movl \offset+16(%rsp),%r9d +- movl \offset+24(%rsp),%r8d ++ .endif + movl \offset+40(%rsp),%ecx + movl \offset+48(%rsp),%edx + movl \offset+56(%rsp),%esi +@@ -145,7 +144,7 @@ ENTRY(ia32_sysenter_target) + SAVE_ARGS 0,0,1 + /* no need to do an access_ok check here because rbp has been + 32bit zero extended */ +-1: movl (%rbp),%r9d ++1: movl (%rbp),%ebp + .section __ex_table,"a" + .quad 1b,ia32_badarg + .previous +@@ -157,7 +156,7 @@ ENTRY(ia32_sysenter_target) + cmpl $(IA32_NR_syscalls-1),%eax + ja ia32_badsys + sysenter_do_call: +- IA32_ARG_FIXUP 1 ++ IA32_ARG_FIXUP + sysenter_dispatch: + call *ia32_sys_call_table(,%rax,8) + movq %rax,RAX-ARGOFFSET(%rsp) +@@ -234,20 +233,17 @@ sysexit_audit: + #endif + + sysenter_tracesys: +- xchgl %r9d,%ebp + #ifdef CONFIG_AUDITSYSCALL + testl $(_TIF_WORK_SYSCALL_ENTRY & ~_TIF_SYSCALL_AUDIT),TI_flags(%r10) + jz sysenter_auditsys + #endif + SAVE_REST + CLEAR_RREGS +- movq %r9,R9(%rsp) + movq $-ENOSYS,RAX(%rsp)/* ptrace can change this for a bad syscall */ + movq %rsp,%rdi /* &pt_regs -> arg1 */ + call syscall_trace_enter + LOAD_ARGS32 ARGOFFSET /* reload args from stack in case ptrace changed it */ + RESTORE_REST +- xchgl %ebp,%r9d + cmpl $(IA32_NR_syscalls-1),%eax + ja int_ret_from_sys_call /* sysenter_tracesys has set RAX(%rsp) */ + jmp sysenter_do_call +@@ -314,9 +310,9 @@ ENTRY(ia32_cstar_target) + testl $_TIF_WORK_SYSCALL_ENTRY,TI_flags(%r10) + CFI_REMEMBER_STATE + jnz cstar_tracesys +-cstar_do_call: + cmpl $IA32_NR_syscalls-1,%eax + ja ia32_badsys ++cstar_do_call: + IA32_ARG_FIXUP 1 + cstar_dispatch: + call *ia32_sys_call_table(,%rax,8) +@@ -357,15 +353,13 @@ cstar_tracesys: + #endif + xchgl %r9d,%ebp + SAVE_REST +- CLEAR_RREGS +- movq %r9,R9(%rsp) ++ CLEAR_RREGS r9 + movq $-ENOSYS,RAX(%rsp) /* ptrace can change this for a bad syscall */ + movq %rsp,%rdi /* &pt_regs -> arg1 */ + call syscall_trace_enter +- LOAD_ARGS32 ARGOFFSET /* reload args from stack in case ptrace changed it */ ++ LOAD_ARGS32 ARGOFFSET, 1 /* reload args from stack in case ptrace changed it */ + RESTORE_REST + xchgl %ebp,%r9d +- movl RSP-ARGOFFSET(%rsp), %r8d + cmpl $(IA32_NR_syscalls-1),%eax + ja int_ret_from_sys_call /* cstar_tracesys has set RAX(%rsp) */ + jmp cstar_do_call diff --git a/queue-2.6.27/x86-don-t-leak-64-bit-kernel-register-values-to-32-bit-processes.patch b/queue-2.6.27/x86-don-t-leak-64-bit-kernel-register-values-to-32-bit-processes.patch new file mode 100644 index 00000000000..2e940cc52bb --- /dev/null +++ b/queue-2.6.27/x86-don-t-leak-64-bit-kernel-register-values-to-32-bit-processes.patch @@ -0,0 +1,133 @@ +From cebbert@redhat.com Fri Oct 9 15:37:09 2009 +From: Jan Beulich +Date: Wed, 7 Oct 2009 17:34:09 -0400 +Subject: x86: Don't leak 64-bit kernel register values to 32-bit processes +To: stable@kernel.org +Cc: Jan Beulich +Message-ID: <20091007173409.2d4978d9@katamari.usersys.redhat.com> + +From: Jan Beulich + +commit 24e35800cdc4350fc34e2bed37b608a9e13ab3b6 upstream + +x86: Don't leak 64-bit kernel register values to 32-bit processes + +While 32-bit processes can't directly access R8...R15, they can +gain access to these registers by temporarily switching themselves +into 64-bit mode. + +Therefore, registers not preserved anyway by called C functions +(i.e. R8...R11) must be cleared prior to returning to user mode. + +Signed-off-by: Jan Beulich +LKML-Reference: <4AC34D73020000780001744A@vpn.id2.novell.com> +Signed-off-by: Ingo Molnar +Cc: Chuck Ebbert +Signed-off-by: Greg Kroah-Hartman + +--- + arch/x86/ia32/ia32entry.S | 36 +++++++++++++++++++++++------------- + 1 file changed, 23 insertions(+), 13 deletions(-) + +--- a/arch/x86/ia32/ia32entry.S ++++ b/arch/x86/ia32/ia32entry.S +@@ -21,8 +21,8 @@ + #define __AUDIT_ARCH_LE 0x40000000 + + #ifndef CONFIG_AUDITSYSCALL +-#define sysexit_audit int_ret_from_sys_call +-#define sysretl_audit int_ret_from_sys_call ++#define sysexit_audit ia32_ret_from_sys_call ++#define sysretl_audit ia32_ret_from_sys_call + #endif + + #define IA32_NR_syscalls ((ia32_syscall_end - ia32_sys_call_table)/8) +@@ -39,12 +39,12 @@ + .endm + + /* clobbers %eax */ +- .macro CLEAR_RREGS _r9=rax ++ .macro CLEAR_RREGS offset=0, _r9=rax + xorl %eax,%eax +- movq %rax,R11(%rsp) +- movq %rax,R10(%rsp) +- movq %\_r9,R9(%rsp) +- movq %rax,R8(%rsp) ++ movq %rax,\offset+R11(%rsp) ++ movq %rax,\offset+R10(%rsp) ++ movq %\_r9,\offset+R9(%rsp) ++ movq %rax,\offset+R8(%rsp) + .endm + + /* +@@ -172,6 +172,10 @@ sysexit_from_sys_call: + movl RIP-R11(%rsp),%edx /* User %eip */ + CFI_REGISTER rip,rdx + RESTORE_ARGS 1,24,1,1,1,1 ++ xorq %r8,%r8 ++ xorq %r9,%r9 ++ xorq %r10,%r10 ++ xorq %r11,%r11 + popfq + CFI_ADJUST_CFA_OFFSET -8 + /*CFI_RESTORE rflags*/ +@@ -202,7 +206,7 @@ sysexit_from_sys_call: + + .macro auditsys_exit exit,ebpsave=RBP + testl $(_TIF_ALLWORK_MASK & ~_TIF_SYSCALL_AUDIT),TI_flags(%r10) +- jnz int_ret_from_sys_call ++ jnz ia32_ret_from_sys_call + TRACE_IRQS_ON + sti + movl %eax,%esi /* second arg, syscall return value */ +@@ -218,8 +222,9 @@ sysexit_from_sys_call: + cli + TRACE_IRQS_OFF + testl %edi,TI_flags(%r10) +- jnz int_with_check +- jmp \exit ++ jz \exit ++ CLEAR_RREGS -ARGOFFSET ++ jmp int_with_check + .endm + + sysenter_auditsys: +@@ -329,6 +334,9 @@ sysretl_from_sys_call: + CFI_REGISTER rip,rcx + movl EFLAGS-ARGOFFSET(%rsp),%r11d + /*CFI_REGISTER rflags,r11*/ ++ xorq %r10,%r10 ++ xorq %r9,%r9 ++ xorq %r8,%r8 + TRACE_IRQS_ON + movl RSP-ARGOFFSET(%rsp),%esp + CFI_RESTORE rsp +@@ -353,7 +361,7 @@ cstar_tracesys: + #endif + xchgl %r9d,%ebp + SAVE_REST +- CLEAR_RREGS r9 ++ CLEAR_RREGS 0, r9 + movq $-ENOSYS,RAX(%rsp) /* ptrace can change this for a bad syscall */ + movq %rsp,%rdi /* &pt_regs -> arg1 */ + call syscall_trace_enter +@@ -425,6 +433,8 @@ ia32_do_call: + call *ia32_sys_call_table(,%rax,8) # xxx: rip relative + ia32_sysret: + movq %rax,RAX-ARGOFFSET(%rsp) ++ia32_ret_from_sys_call: ++ CLEAR_RREGS -ARGOFFSET + jmp int_ret_from_sys_call + + ia32_tracesys: +@@ -442,8 +452,8 @@ END(ia32_syscall) + + ia32_badsys: + movq $0,ORIG_RAX-ARGOFFSET(%rsp) +- movq $-ENOSYS,RAX-ARGOFFSET(%rsp) +- jmp int_ret_from_sys_call ++ movq $-ENOSYS,%rax ++ jmp ia32_sysret + + quiet_ni_syscall: + movq $-ENOSYS,%rax diff --git a/queue-2.6.27/x86-increase-min_gap-to-include-randomized-stack.patch b/queue-2.6.27/x86-increase-min_gap-to-include-randomized-stack.patch new file mode 100644 index 00000000000..030490c887d --- /dev/null +++ b/queue-2.6.27/x86-increase-min_gap-to-include-randomized-stack.patch @@ -0,0 +1,79 @@ +From cebbert@redhat.com Fri Oct 9 15:39:43 2009 +From: Michal Hocko +Date: Wed, 7 Oct 2009 17:38:24 -0400 +Subject: x86: Increase MIN_GAP to include randomized stack +To: stable@kernel.org +Message-ID: <20091007173824.5a9bce1f@katamari.usersys.redhat.com> + +From: Michal Hocko + +[ trivial backport to 2.6.27: Chuck Ebbert ] + +commit 80938332d8cf652f6b16e0788cf0ca136befe0b5 upstream. + +Currently we are not including randomized stack size when calculating +mmap_base address in arch_pick_mmap_layout for topdown case. This might +cause that mmap_base starts in the stack reserved area because stack is +randomized by 1GB for 64b (8MB for 32b) and the minimum gap is 128MB. + +If the stack really grows down to mmap_base then we can get silent mmap +region overwrite by the stack values. + +Let's include maximum stack randomization size into MIN_GAP which is +used as the low bound for the gap in mmap. + +Signed-off-by: Michal Hocko +LKML-Reference: <1252400515-6866-1-git-send-email-mhocko@suse.cz> +Acked-by: Jiri Kosina +Signed-off-by: H. Peter Anvin +Cc: Chuck Ebbert +Signed-off-by: Greg Kroah-Hartman + + +--- + arch/x86/mm/mmap.c | 17 +++++++++++++++-- + include/asm-x86/elf.h | 2 ++ + 2 files changed, 17 insertions(+), 2 deletions(-) + +--- a/arch/x86/mm/mmap.c ++++ b/arch/x86/mm/mmap.c +@@ -29,13 +29,26 @@ + #include + #include + #include ++#include ++ ++static unsigned int stack_maxrandom_size(void) ++{ ++ unsigned int max = 0; ++ if ((current->flags & PF_RANDOMIZE) && ++ !(current->personality & ADDR_NO_RANDOMIZE)) { ++ max = ((-1U) & STACK_RND_MASK) << PAGE_SHIFT; ++ } ++ ++ return max; ++} ++ + + /* + * Top of mmap area (just below the process stack). + * +- * Leave an at least ~128 MB hole. ++ * Leave an at least ~128 MB hole with possible stack randomization. + */ +-#define MIN_GAP (128*1024*1024) ++#define MIN_GAP (128*1024*1024UL + stack_maxrandom_size()) + #define MAX_GAP (TASK_SIZE/6*5) + + /* +--- a/include/asm-x86/elf.h ++++ b/include/asm-x86/elf.h +@@ -287,6 +287,8 @@ do { \ + + #ifdef CONFIG_X86_32 + ++#define STACK_RND_MASK (0x7ff) ++ + #define VDSO_HIGH_BASE (__fix_to_virt(FIX_VDSO)) + + #define ARCH_DLINFO ARCH_DLINFO_IA32(vdso_enabled)