From 4295bf9702fd653ef99a89df9cfac89a60a022bd Mon Sep 17 00:00:00 2001
From: Greg Kroah-Hartman
Date: Fri, 18 Jan 2013 14:06:12 -0800
Subject: [PATCH] 3.0-stable patches
added patches:
xen-fix-stack-corruption-in-xen_failsafe_callback-for-32bit-pvops-guests.patch
---
 queue-3.0/series | 1 +
 ...safe_callback-for-32bit-pvops-guests.patch | 66 +++++++++++++++++++
 2 files changed, 67 insertions(+)
 create mode 100644 queue-3.0/xen-fix-stack-corruption-in-xen_failsafe_callback-for-32bit-pvops-guests.patch
diff --git a/queue-3.0/series b/queue-3.0/series
index 4339f6df84b..d63e7f65513 100644
--- a/queue-3.0/series
+++ b/queue-3.0/series
@@ -9,3 +9,4 @@ usb-fix-endpoint-disabling-for-failed-config-changes.patch
 intel-iommu-prevent-devices-with-rmrrs-from-being-placed.patch
 drbd-add-missing-part_round_stats-to-_drbd_start_io_acct.patch
 xhci-fix-null-pointer-dereference-when-destroying-half-built.patch
+xen-fix-stack-corruption-in-xen_failsafe_callback-for-32bit-pvops-guests.patch
diff --git a/queue-3.0/xen-fix-stack-corruption-in-xen_failsafe_callback-for-32bit-pvops-guests.patch b/queue-3.0/xen-fix-stack-corruption-in-xen_failsafe_callback-for-32bit-pvops-guests.patch
new file mode 100644
index 00000000000..7f6fa2ecc4a
--- /dev/null
+++ b/queue-3.0/xen-fix-stack-corruption-in-xen_failsafe_callback-for-32bit-pvops-guests.patch
@@ -0,0 +1,66 @@
+From 9174adbee4a9a49d0139f5d71969852b36720809 Mon Sep 17 00:00:00 2001
+From: Andrew Cooper
+Date: Wed, 16 Jan 2013 12:00:55 +0000
+Subject: xen: Fix stack corruption in xen_failsafe_callback for 32bit PVOPS guests.
+
+From: Andrew Cooper
+
+commit 9174adbee4a9a49d0139f5d71969852b36720809 upstream.
+
+This fixes CVE-2013-0190 / XSA-40
+
+There has been an error on the xen_failsafe_callback path for failed
+iret, which causes the stack pointer to be wrong when entering the
+iret_exc error path. This can result in the kernel crashing.
+
+In the classic kernel case, the relevant code looked a little like:
+
+ popl %eax # Error code from hypervisor
+ jz 5f
+ addl $16,%esp
+ jmp iret_exc # Hypervisor said iret fault
+5: addl $16,%esp
+ # Hypervisor said segment selector fault
+
+Here, there are two identical addls on either option of a branch which
+appears to have been optimised by hoisting it above the jz, and
+converting it to an lea, which leaves the flags register unaffected.
+
+In the PVOPS case, the code looks like:
+
+ popl_cfi %eax # Error from the hypervisor
+ lea 16(%esp),%esp # Add $16 before choosing fault path
+ CFI_ADJUST_CFA_OFFSET -16
+ jz 5f
+ addl $16,%esp # Incorrectly adjust %esp again
+ jmp iret_exc
+
+It is possible unprivileged userspace applications to cause this
+behaviour, for example by loading an LDT code selector, then changing
+the code selector to be not-present. At this point, there is a race
+condition where it is possible for the hypervisor to return back to
+userspace from an interrupt, fault on its own iret, and inject a
+failsafe_callback into the kernel.
+
+This bug has been present since the introduction of Xen PVOPS support
+in commit 5ead97c84 (xen: Core Xen implementation), in 2.6.23.
+
+Signed-off-by: Frediano Ziglio
+Signed-off-by: Andrew Cooper
+Signed-off-by: Konrad Rzeszutek Wilk
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ arch/x86/kernel/entry_32.S | 1 -
+ 1 file changed, 1 deletion(-)
+
+--- a/arch/x86/kernel/entry_32.S
++++ b/arch/x86/kernel/entry_32.S
+@@ -1078,7 +1078,6 @@ ENTRY(xen_failsafe_callback)
+ lea 16(%esp),%esp
+ CFI_ADJUST_CFA_OFFSET -16
+ jz 5f
+- addl $16,%esp
+ jmp iret_exc
+ 5: pushl_cfi $-1 /* orig_ax = -1 => not a system call */
+ SAVE_ALL
-- 
2.47.3
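Review bot: The retained `lea 16(%esp),%esp` in the entry_32.S hunk is now the only stack adjustment for both the `jmp iret_exc` path and the `5:` path, yet nothing at that line records why an `lea` rather than an `addl` is used, even though the patch description explains it was chosen precisely because it leaves the flags intact for the following `jz 5f`. A one-line comment on the retained line, `lea 16(%esp),%esp	# must not clobber flags: jz below depends on them`, would keep a later cleanup or backport from reintroducing the removed `addl $16,%esp` as a seemingly missing adjustment on the iret_exc branch, which is exactly the double adjust this CVE-2013-0190 / XSA-40 fix removes. The instruction that sets the flags `jz` tests and the start of ENTRY(xen_failsafe_callback) lie above the hunk, so that dependency is taken from the description rather than from the visible lines. The context lines do show the hoisted `lea` and `CFI_ADJUST_CFA_OFFSET -16` already present in the 3.0 tree, which is what makes this one-line backport sufficient there.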