rpms/kernel/F-10 x86-dont-leak-64-bit-kernel-register-values.patch, NONE, 1.1.2.1 x86-streamline-32-bit-syscall-entry-code.patch, NONE, 1.1.2.1 kernel.spec, 1.1206.2.98, 1.1206.2.99
Chuck Ebbert
cebbert at fedoraproject.org
Wed Oct 7 16:22:42 UTC 2009
- Previous message (by thread): rpms/dbus/F-12 diagram.png, NONE, 1.1 diagram.svg, NONE, 1.1 dbus.spec, 1.174, 1.175
- Next message (by thread): rpms/perl-PPI/devel .cvsignore, 1.8, 1.9 perl-PPI.spec, 1.14, 1.15 sources, 1.8, 1.9
- Messages sorted by:
[ date ]
[ thread ]
[ subject ]
[ author ]
Author: cebbert
Update of /cvs/pkgs/rpms/kernel/F-10
In directory cvs1.fedora.phx.redhat.com:/tmp/cvs-serv27900
Modified Files:
Tag: private-fedora-10-2_6_27
kernel.spec
Added Files:
Tag: private-fedora-10-2_6_27
x86-dont-leak-64-bit-kernel-register-values.patch
x86-streamline-32-bit-syscall-entry-code.patch
Log Message:
x86: fix leakage of kernel 64-bit registers to 32-bit tasks.
x86-dont-leak-64-bit-kernel-register-values.patch:
ia32entry.S | 36 +++++++++++++++++++++++-------------
1 file changed, 23 insertions(+), 13 deletions(-)
--- NEW FILE x86-dont-leak-64-bit-kernel-register-values.patch ---
From: Jan Beulich <JBeulich at novell.com>
Date: Wed, 30 Sep 2009 10:22:11 +0000 (+0100)
Subject: x86: Don't leak 64-bit kernel register values to 32-bit processes
X-Git-Url: http://git.kernel.org/?p=linux%2Fkernel%2Fgit%2Ftorvalds%2Flinux-2.6.git;a=commitdiff_plain;h=24e35800cdc4350fc34e2bed37b608a9e13ab3b6
x86: Don't leak 64-bit kernel register values to 32-bit processes
While 32-bit processes can't directly access R8...R15, they can
gain access to these registers by temporarily switching themselves
into 64-bit mode.
Therefore, registers not preserved anyway by called C functions
(i.e. R8...R11) must be cleared prior to returning to user mode.
Signed-off-by: Jan Beulich <jbeulich at novell.com>
Cc: <stable at kernel.org>
LKML-Reference: <4AC34D73020000780001744A at vpn.id2.novell.com>
Signed-off-by: Ingo Molnar <mingo at elte.hu>
---
diff --git a/arch/x86/ia32/ia32entry.S b/arch/x86/ia32/ia32entry.S
index 74619c4..1733f9f 100644
--- a/arch/x86/ia32/ia32entry.S
+++ b/arch/x86/ia32/ia32entry.S
@@ -21,8 +21,8 @@
#define __AUDIT_ARCH_LE 0x40000000
#ifndef CONFIG_AUDITSYSCALL
-#define sysexit_audit int_ret_from_sys_call
-#define sysretl_audit int_ret_from_sys_call
+#define sysexit_audit ia32_ret_from_sys_call
+#define sysretl_audit ia32_ret_from_sys_call
#endif
#define IA32_NR_syscalls ((ia32_syscall_end - ia32_sys_call_table)/8)
@@ -39,12 +39,12 @@
.endm
/* clobbers %eax */
- .macro CLEAR_RREGS _r9=rax
+ .macro CLEAR_RREGS offset=0, _r9=rax
xorl %eax,%eax
- movq %rax,R11(%rsp)
- movq %rax,R10(%rsp)
- movq %\_r9,R9(%rsp)
- movq %rax,R8(%rsp)
+ movq %rax,\offset+R11(%rsp)
+ movq %rax,\offset+R10(%rsp)
+ movq %\_r9,\offset+R9(%rsp)
+ movq %rax,\offset+R8(%rsp)
.endm
/*
@@ -172,6 +172,10 @@ sysexit_from_sys_call:
movl RIP-R11(%rsp),%edx /* User %eip */
CFI_REGISTER rip,rdx
RESTORE_ARGS 1,24,1,1,1,1
+ xorq %r8,%r8
+ xorq %r9,%r9
+ xorq %r10,%r10
+ xorq %r11,%r11
popfq
CFI_ADJUST_CFA_OFFSET -8
/*CFI_RESTORE rflags*/
@@ -202,7 +206,7 @@ sysexit_from_sys_call:
.macro auditsys_exit exit,ebpsave=RBP
testl $(_TIF_ALLWORK_MASK & ~_TIF_SYSCALL_AUDIT),TI_flags(%r10)
- jnz int_ret_from_sys_call
+ jnz ia32_ret_from_sys_call
TRACE_IRQS_ON
sti
movl %eax,%esi /* second arg, syscall return value */
@@ -218,8 +222,9 @@ sysexit_from_sys_call:
cli
TRACE_IRQS_OFF
testl %edi,TI_flags(%r10)
- jnz int_with_check
- jmp \exit
+ jz \exit
+ CLEAR_RREGS -ARGOFFSET
+ jmp int_with_check
.endm
sysenter_auditsys:
@@ -329,6 +334,9 @@ sysretl_from_sys_call:
CFI_REGISTER rip,rcx
movl EFLAGS-ARGOFFSET(%rsp),%r11d
/*CFI_REGISTER rflags,r11*/
+ xorq %r10,%r10
+ xorq %r9,%r9
+ xorq %r8,%r8
TRACE_IRQS_ON
movl RSP-ARGOFFSET(%rsp),%esp
CFI_RESTORE rsp
@@ -353,7 +361,7 @@ cstar_tracesys:
#endif
xchgl %r9d,%ebp
SAVE_REST
- CLEAR_RREGS r9
+ CLEAR_RREGS 0, r9
movq $-ENOSYS,RAX(%rsp) /* ptrace can change this for a bad syscall */
movq %rsp,%rdi /* &pt_regs -> arg1 */
call syscall_trace_enter
@@ -425,6 +433,8 @@ ia32_do_call:
call *ia32_sys_call_table(,%rax,8) # xxx: rip relative
ia32_sysret:
movq %rax,RAX-ARGOFFSET(%rsp)
+ia32_ret_from_sys_call:
+ CLEAR_RREGS -ARGOFFSET
jmp int_ret_from_sys_call
ia32_tracesys:
@@ -442,8 +452,8 @@ END(ia32_syscall)
ia32_badsys:
movq $0,ORIG_RAX-ARGOFFSET(%rsp)
- movq $-ENOSYS,RAX-ARGOFFSET(%rsp)
- jmp int_ret_from_sys_call
+ movq $-ENOSYS,%rax
+ jmp ia32_sysret
quiet_ni_syscall:
movq $-ENOSYS,%rax
x86-streamline-32-bit-syscall-entry-code.patch:
ia32entry.S | 26 ++++++++++----------------
1 file changed, 10 insertions(+), 16 deletions(-)
--- NEW FILE x86-streamline-32-bit-syscall-entry-code.patch ---
From: Jan Beulich <jbeulich at novell.com>
Date: Fri, 29 Aug 2008 12:21:11 +0000 (+0100)
Subject: x86-64: slightly stream-line 32-bit syscall entry code
X-Git-Tag: v2.6.28-rc1~611^2~97
X-Git-Url: http://git.kernel.org/?p=linux%2Fkernel%2Fgit%2Ftorvalds%2Flinux-2.6.git;a=commitdiff_plain;h=295286a89107c353b9677bc604361c537fd6a1c0
x86-64: slightly stream-line 32-bit syscall entry code
Avoid updating registers or memory twice as well as needlessly loading
or copying registers.
Signed-off-by: Jan Beulich <jbeulich at novell.com>
Signed-off-by: Ingo Molnar <mingo at elte.hu>
---
diff --git a/arch/x86/ia32/ia32entry.S b/arch/x86/ia32/ia32entry.S
index ffc1bb4..eb43147 100644
--- a/arch/x86/ia32/ia32entry.S
+++ b/arch/x86/ia32/ia32entry.S
@@ -39,11 +39,11 @@
.endm
/* clobbers %eax */
- .macro CLEAR_RREGS
+ .macro CLEAR_RREGS _r9=rax
xorl %eax,%eax
movq %rax,R11(%rsp)
movq %rax,R10(%rsp)
- movq %rax,R9(%rsp)
+ movq %\_r9,R9(%rsp)
movq %rax,R8(%rsp)
.endm
@@ -52,11 +52,10 @@
* We don't reload %eax because syscall_trace_enter() returned
* the value it wants us to use in the table lookup.
*/
- .macro LOAD_ARGS32 offset
- movl \offset(%rsp),%r11d
- movl \offset+8(%rsp),%r10d
+ .macro LOAD_ARGS32 offset, _r9=0
+ .if \_r9
movl \offset+16(%rsp),%r9d
- movl \offset+24(%rsp),%r8d
+ .endif
movl \offset+40(%rsp),%ecx
movl \offset+48(%rsp),%edx
movl \offset+56(%rsp),%esi
@@ -145,7 +144,7 @@ ENTRY(ia32_sysenter_target)
SAVE_ARGS 0,0,1
/* no need to do an access_ok check here because rbp has been
32bit zero extended */
-1: movl (%rbp),%r9d
+1: movl (%rbp),%ebp
.section __ex_table,"a"
.quad 1b,ia32_badarg
.previous
@@ -157,7 +156,7 @@ ENTRY(ia32_sysenter_target)
cmpl $(IA32_NR_syscalls-1),%eax
ja ia32_badsys
sysenter_do_call:
- IA32_ARG_FIXUP 1
+ IA32_ARG_FIXUP
sysenter_dispatch:
call *ia32_sys_call_table(,%rax,8)
movq %rax,RAX-ARGOFFSET(%rsp)
@@ -234,20 +233,17 @@ sysexit_audit:
#endif
sysenter_tracesys:
- xchgl %r9d,%ebp
#ifdef CONFIG_AUDITSYSCALL
testl $(_TIF_WORK_SYSCALL_ENTRY & ~_TIF_SYSCALL_AUDIT),TI_flags(%r10)
jz sysenter_auditsys
#endif
SAVE_REST
CLEAR_RREGS
- movq %r9,R9(%rsp)
movq $-ENOSYS,RAX(%rsp)/* ptrace can change this for a bad syscall */
movq %rsp,%rdi /* &pt_regs -> arg1 */
call syscall_trace_enter
LOAD_ARGS32 ARGOFFSET /* reload args from stack in case ptrace changed it */
RESTORE_REST
- xchgl %ebp,%r9d
cmpl $(IA32_NR_syscalls-1),%eax
ja int_ret_from_sys_call /* sysenter_tracesys has set RAX(%rsp) */
jmp sysenter_do_call
@@ -314,9 +310,9 @@ ENTRY(ia32_cstar_target)
testl $_TIF_WORK_SYSCALL_ENTRY,TI_flags(%r10)
CFI_REMEMBER_STATE
jnz cstar_tracesys
-cstar_do_call:
cmpl $IA32_NR_syscalls-1,%eax
ja ia32_badsys
+cstar_do_call:
IA32_ARG_FIXUP 1
cstar_dispatch:
call *ia32_sys_call_table(,%rax,8)
@@ -357,15 +353,13 @@ cstar_tracesys:
#endif
xchgl %r9d,%ebp
SAVE_REST
- CLEAR_RREGS
- movq %r9,R9(%rsp)
+ CLEAR_RREGS r9
movq $-ENOSYS,RAX(%rsp) /* ptrace can change this for a bad syscall */
movq %rsp,%rdi /* &pt_regs -> arg1 */
call syscall_trace_enter
- LOAD_ARGS32 ARGOFFSET /* reload args from stack in case ptrace changed it */
+ LOAD_ARGS32 ARGOFFSET, 1 /* reload args from stack in case ptrace changed it */
RESTORE_REST
xchgl %ebp,%r9d
- movl RSP-ARGOFFSET(%rsp), %r8d
cmpl $(IA32_NR_syscalls-1),%eax
ja int_ret_from_sys_call /* cstar_tracesys has set RAX(%rsp) */
jmp cstar_do_call
Index: kernel.spec
===================================================================
RCS file: /cvs/pkgs/rpms/kernel/F-10/kernel.spec,v
retrieving revision 1.1206.2.98
retrieving revision 1.1206.2.99
diff -u -p -r1.1206.2.98 -r1.1206.2.99
--- kernel.spec 7 Oct 2009 11:14:39 -0000 1.1206.2.98
+++ kernel.spec 7 Oct 2009 16:22:41 -0000 1.1206.2.99
@@ -795,6 +795,10 @@ Patch15300: x86-increase-min_gap-to-incl
# CVE-2009-2908
Patch15400: ecryptfs-prevent-lower-dentry-from-going-negative-during-unlink.patch
+# fix leakage of 64-bit regs to 32-bit tasks
+Patch15500: x86-streamline-32-bit-syscall-entry-code.patch
+Patch15510: x86-dont-leak-64-bit-kernel-register-values.patch
+
%endif
BuildRoot: %{_tmppath}/kernel-%{KVERREL}-root
@@ -1439,6 +1443,10 @@ ApplyPatch x86-increase-min_gap-to-inclu
# CVE-2009-2908
ApplyPatch ecryptfs-prevent-lower-dentry-from-going-negative-during-unlink.patch
+# fix leakage of 64-bit regs to 32-bit tasks
+ApplyPatch x86-streamline-32-bit-syscall-entry-code.patch
+ApplyPatch x86-dont-leak-64-bit-kernel-register-values.patch
+
# END OF PATCH APPLICATIONS
%endif
@@ -2014,6 +2022,9 @@ fi
%kernel_variant_files -k vmlinux %{with_kdump} kdump
%changelog
+* Wed Oct 07 2009 Chuck Ebbert <cebbert at redhat.com> 2.6.27.36-170.2.99
+- x86: fix leakage of kernel 64-bit registers to 32-bit tasks.
+
* Wed Oct 07 2009 Chuck Ebbert <cebbert at redhat.com> 2.6.27.36-170.2.98
- eCryptfs: Prevent lower dentry from going negative during unlink (CVE-2009-2908)
- Previous message (by thread): rpms/dbus/F-12 diagram.png, NONE, 1.1 diagram.svg, NONE, 1.1 dbus.spec, 1.174, 1.175
- Next message (by thread): rpms/perl-PPI/devel .cvsignore, 1.8, 1.9 perl-PPI.spec, 1.14, 1.15 sources, 1.8, 1.9
- Messages sorted by:
[ date ]
[ thread ]
[ subject ]
[ author ]
More information about the fedora-extras-commits
mailing list