3.0-stable patches
authorGreg Kroah-Hartman <gregkh@linuxfoundation.org>
Fri, 18 Jan 2013 22:06:12 +0000 (14:06 -0800)
committerGreg Kroah-Hartman <gregkh@linuxfoundation.org>
Fri, 18 Jan 2013 22:06:12 +0000 (14:06 -0800)
added patches:
xen-fix-stack-corruption-in-xen_failsafe_callback-for-32bit-pvops-guests.patch

queue-3.0/series
queue-3.0/xen-fix-stack-corruption-in-xen_failsafe_callback-for-32bit-pvops-guests.patch [new file with mode: 0644]

index 4339f6df84bb8a726b0d5544bb80703282c5d9d8..d63e7f65513527def1c912420ab4578b545a52ff 100644 (file)
@@ -9,3 +9,4 @@ usb-fix-endpoint-disabling-for-failed-config-changes.patch
 intel-iommu-prevent-devices-with-rmrrs-from-being-placed.patch
 drbd-add-missing-part_round_stats-to-_drbd_start_io_acct.patch
 xhci-fix-null-pointer-dereference-when-destroying-half-built.patch
+xen-fix-stack-corruption-in-xen_failsafe_callback-for-32bit-pvops-guests.patch
diff --git a/queue-3.0/xen-fix-stack-corruption-in-xen_failsafe_callback-for-32bit-pvops-guests.patch b/queue-3.0/xen-fix-stack-corruption-in-xen_failsafe_callback-for-32bit-pvops-guests.patch
new file mode 100644 (file)
index 0000000..7f6fa2e
--- /dev/null
@@ -0,0 +1,66 @@
+From 9174adbee4a9a49d0139f5d71969852b36720809 Mon Sep 17 00:00:00 2001
+From: Andrew Cooper <andrew.cooper3@citrix.com>
+Date: Wed, 16 Jan 2013 12:00:55 +0000
+Subject: xen: Fix stack corruption in xen_failsafe_callback for 32bit PVOPS guests.
+
+From: Andrew Cooper <andrew.cooper3@citrix.com>
+
+commit 9174adbee4a9a49d0139f5d71969852b36720809 upstream.
+
+This fixes CVE-2013-0190 / XSA-40
+
+There has been an error on the xen_failsafe_callback path for failed
+iret, which causes the stack pointer to be wrong when entering the
+iret_exc error path.  This can result in the kernel crashing.
+
+In the classic kernel case, the relevant code looked a little like:
+
+        popl %eax      # Error code from hypervisor
+        jz 5f
+        addl $16,%esp
+        jmp iret_exc   # Hypervisor said iret fault
+5:      addl $16,%esp
+                       # Hypervisor said segment selector fault
+
+Here, there are two identical addls on either option of a branch which
+appears to have been optimised by hoisting it above the jz, and
+converting it to an lea, which leaves the flags register unaffected.
+
+In the PVOPS case, the code looks like:
+
+        popl_cfi %eax         # Error from the hypervisor
+        lea 16(%esp),%esp     # Add $16 before choosing fault path
+        CFI_ADJUST_CFA_OFFSET -16
+        jz 5f
+        addl $16,%esp         # Incorrectly adjust %esp again
+        jmp iret_exc
+
+It is possible unprivileged userspace applications to cause this
+behaviour, for example by loading an LDT code selector, then changing
+the code selector to be not-present.  At this point, there is a race
+condition where it is possible for the hypervisor to return back to
+userspace from an interrupt, fault on its own iret, and inject a
+failsafe_callback into the kernel.
+
+This bug has been present since the introduction of Xen PVOPS support
+in commit 5ead97c84 (xen: Core Xen implementation), in 2.6.23.
+
+Signed-off-by: Frediano Ziglio <frediano.ziglio@citrix.com>
+Signed-off-by: Andrew Cooper <andrew.cooper3@citrix.com>
+Signed-off-by: Konrad Rzeszutek Wilk <konrad.wilk@oracle.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ arch/x86/kernel/entry_32.S |    1 -
+ 1 file changed, 1 deletion(-)
+
+--- a/arch/x86/kernel/entry_32.S
++++ b/arch/x86/kernel/entry_32.S
+@@ -1078,7 +1078,6 @@ ENTRY(xen_failsafe_callback)
+       lea 16(%esp),%esp
+       CFI_ADJUST_CFA_OFFSET -16
+       jz 5f
+-      addl $16,%esp
+       jmp iret_exc
+ 5:    pushl_cfi $-1 /* orig_ax = -1 => not a system call */
+       SAVE_ALL
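Review bot: The `jz 5f` kept in this hunk branches on ZF produced by a `testl %eax,%eax` earlier in xen_failsafe_callback, outside the hunk, and the hoisted `lea 16(%esp),%esp` is only correct because `lea`, unlike `addl`, leaves EFLAGS untouched; nothing on the visible lines records that dependency, which is the kind of gap that let the duplicated `addl $16,%esp` survive since 2.6.23. A one-line comment on the `lea`, e.g. `lea 16(%esp),%esp   /* lea, not addl: must preserve ZF for the jz below */`, would keep a later cleanup from reintroducing the misadjusted %esp on the iret_exc path that CVE-2013-0190 / XSA-40 describes. Since stable-queue patches mirror upstream commit 9174adbee4a9a49d0139f5d71969852b36720809, that comment belongs in an upstream follow-up rather than in this backport. ENTRY(xen_failsafe_callback) starts before the hunk and continues past it; when queuing for 3.0 it is worth confirming the tree carries the `popl_cfi`/`lea` form the hunk context expects rather than the classic-kernel shape quoted in the description.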