CVE-2016-3157 xen: priv escalation on 64bit PV domains with io port access (rhbz 1315711 1321948)
parent
b8e899e9d0
commit
169fbc4b25
11
kernel.spec
11
kernel.spec
|
@ -678,6 +678,10 @@ Patch687: mct_u232-sanity-checking-in-probe.patch
|
|||
|
||||
#rhbz 1295646
|
||||
Patch688: 09-29-drm-udl-Use-unlocked-gem-unreferencing.patch
|
||||
|
||||
# CVE-2016-3157 rhbz 1315711 1321948
|
||||
Patch689: x86-iopl-64-Properly-context-switch-IOPL-on-Xen-PV.patch
|
||||
|
||||
# END OF PATCH DEFINITIONS
|
||||
%endif
|
||||
|
||||
|
@ -1419,6 +1423,10 @@ ApplyPatch mct_u232-sanity-checking-in-probe.patch
|
|||
|
||||
#rhbz 1295646
|
||||
ApplyPatch 09-29-drm-udl-Use-unlocked-gem-unreferencing.patch
|
||||
|
||||
# CVE-2016-3157 rhbz 1315711 1321948
|
||||
ApplyPatch x86-iopl-64-Properly-context-switch-IOPL-on-Xen-PV.patch
|
||||
|
||||
# END OF PATCH APPLICATIONS
|
||||
|
||||
%endif
|
||||
|
@ -2268,6 +2276,9 @@ fi
|
|||
#
|
||||
#
|
||||
%changelog
|
||||
* Tue Mar 29 2016 Josh Boyer <jwboyer@fedoraproject.org>
|
||||
- CVE-2016-3157 xen: priv escalation on 64bit PV domains with io port access (rhbz 1315711 1321948)
|
||||
|
||||
* Wed Mar 23 2016 Laura Abbott <labbott@fedoraproject.org>
|
||||
- drm/udl: Use unlocked gem unreferencing (rhbz 1295646)
|
||||
|
||||
|
|
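Review bot: The comment introduced above `Patch689:` names only the CVE and the two Bugzilla ids, while the carried patch (L145 of its description) identifies the same issue as XSA-171; a spec reader following the Xen advisory will not find it by grepping. Suggest `# CVE-2016-3157 XSA-171 rhbz 1315711 1321948` here and on the matching `ApplyPatch` hunk. The `%changelog` line in the third hunk could carry the same advisory reference so the build record stays traceable to the upstream fix.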
|
@ -0,0 +1,96 @@
|
|||
From b7a584598aea7ca73140cb87b40319944dd3393f Mon Sep 17 00:00:00 2001
|
||||
From: Andy Lutomirski <luto@kernel.org>
|
||||
Date: Wed, 16 Mar 2016 14:14:21 -0700
|
||||
Subject: [PATCH] x86/iopl/64: Properly context-switch IOPL on Xen PV
|
||||
|
||||
On Xen PV, regs->flags doesn't reliably reflect IOPL and the
|
||||
exit-to-userspace code doesn't change IOPL. We need to context
|
||||
switch it manually.
|
||||
|
||||
I'm doing this without going through paravirt because this is
|
||||
specific to Xen PV. After the dust settles, we can merge this with
|
||||
the 32-bit code, tidy up the iopl syscall implementation, and remove
|
||||
the set_iopl pvop entirely.
|
||||
|
||||
Fixes XSA-171.
|
||||
|
||||
Reviewewd-by: Jan Beulich <JBeulich@suse.com>
|
||||
Signed-off-by: Andy Lutomirski <luto@kernel.org>
|
||||
Cc: Andrew Cooper <andrew.cooper3@citrix.com>
|
||||
Cc: Andy Lutomirski <luto@amacapital.net>
|
||||
Cc: Boris Ostrovsky <boris.ostrovsky@oracle.com>
|
||||
Cc: Borislav Petkov <bp@alien8.de>
|
||||
Cc: Brian Gerst <brgerst@gmail.com>
|
||||
Cc: David Vrabel <david.vrabel@citrix.com>
|
||||
Cc: Denys Vlasenko <dvlasenk@redhat.com>
|
||||
Cc: H. Peter Anvin <hpa@zytor.com>
|
||||
Cc: Jan Beulich <JBeulich@suse.com>
|
||||
Cc: Linus Torvalds <torvalds@linux-foundation.org>
|
||||
Cc: Peter Zijlstra <peterz@infradead.org>
|
||||
Cc: Thomas Gleixner <tglx@linutronix.de>
|
||||
Cc: stable@vger.kernel.org
|
||||
Link: http://lkml.kernel.org/r/693c3bd7aeb4d3c27c92c622b7d0f554a458173c.1458162709.git.luto@kernel.org
|
||||
Signed-off-by: Ingo Molnar <mingo@kernel.org>
|
||||
---
|
||||
arch/x86/include/asm/xen/hypervisor.h | 2 ++
|
||||
arch/x86/kernel/process_64.c | 12 ++++++++++++
|
||||
arch/x86/xen/enlighten.c | 2 +-
|
||||
3 files changed, 15 insertions(+), 1 deletion(-)
|
||||
|
||||
diff --git a/arch/x86/include/asm/xen/hypervisor.h b/arch/x86/include/asm/xen/hypervisor.h
|
||||
index 8b2d4bea9962..39171b3646bb 100644
|
||||
--- a/arch/x86/include/asm/xen/hypervisor.h
|
||||
+++ b/arch/x86/include/asm/xen/hypervisor.h
|
||||
@@ -62,4 +62,6 @@ void xen_arch_register_cpu(int num);
|
||||
void xen_arch_unregister_cpu(int num);
|
||||
#endif
|
||||
|
||||
+extern void xen_set_iopl_mask(unsigned mask);
|
||||
+
|
||||
#endif /* _ASM_X86_XEN_HYPERVISOR_H */
|
||||
diff --git a/arch/x86/kernel/process_64.c b/arch/x86/kernel/process_64.c
|
||||
index b9d99e0f82c4..9f751876066f 100644
|
||||
--- a/arch/x86/kernel/process_64.c
|
||||
+++ b/arch/x86/kernel/process_64.c
|
||||
@@ -48,6 +48,7 @@
|
||||
#include <asm/syscalls.h>
|
||||
#include <asm/debugreg.h>
|
||||
#include <asm/switch_to.h>
|
||||
+#include <asm/xen/hypervisor.h>
|
||||
|
||||
asmlinkage extern void ret_from_fork(void);
|
||||
|
||||
@@ -411,6 +412,17 @@ __switch_to(struct task_struct *prev_p, struct task_struct *next_p)
|
||||
task_thread_info(prev_p)->flags & _TIF_WORK_CTXSW_PREV))
|
||||
__switch_to_xtra(prev_p, next_p, tss);
|
||||
|
||||
+#ifdef CONFIG_XEN
|
||||
+ /*
|
||||
+ * On Xen PV, IOPL bits in pt_regs->flags have no effect, and
|
||||
+ * current_pt_regs()->flags may not match the current task's
|
||||
+ * intended IOPL. We need to switch it manually.
|
||||
+ */
|
||||
+ if (unlikely(static_cpu_has(X86_FEATURE_XENPV) &&
|
||||
+ prev->iopl != next->iopl))
|
||||
+ xen_set_iopl_mask(next->iopl);
|
||||
+#endif
|
||||
+
|
||||
if (static_cpu_has_bug(X86_BUG_SYSRET_SS_ATTRS)) {
|
||||
/*
|
||||
* AMD CPUs have a misfeature: SYSRET sets the SS selector but
|
||||
diff --git a/arch/x86/xen/enlighten.c b/arch/x86/xen/enlighten.c
|
||||
index 2c261082eadf..8381fb990c7f 100644
|
||||
--- a/arch/x86/xen/enlighten.c
|
||||
+++ b/arch/x86/xen/enlighten.c
|
||||
@@ -961,7 +961,7 @@ static void xen_load_sp0(struct tss_struct *tss,
|
||||
tss->x86_tss.sp0 = thread->sp0;
|
||||
}
|
||||
|
||||
-static void xen_set_iopl_mask(unsigned mask)
|
||||
+void xen_set_iopl_mask(unsigned mask)
|
||||
{
|
||||
struct physdev_set_iopl set_iopl;
|
||||
|
||||
--
|
||||
2.5.5
|
||||
|