CVE-2015-6666 x86_64 NT flag handling DoS (rhbz 1256746 1256753)

2015-08-25 08:47:13 -04:00 · 2015-08-25 08:47:13 -04:00 · 2634b95c75
parent 33d32884c2
commit 2634b95c75
2 changed files with 71 additions and 0 deletions
--- a/Revert-sched-x86_64-Don-t-save-flags-on-context-swit.patch
+++ b/Revert-sched-x86_64-Don-t-save-flags-on-context-swit.patch
@ -0,0 +1,62 @@
+From 512255a2ad2c832ca7d4de9f31245f73781922d0 Mon Sep 17 00:00:00 2001
+From: Andy Lutomirski <luto@kernel.org>
+Date: Mon, 17 Aug 2015 12:22:50 -0700
+Subject: [PATCH] Revert "sched/x86_64: Don't save flags on context switch"
+
+This reverts commit:
+
+  2c7577a75837 ("sched/x86_64: Don't save flags on context switch")
+
+It was a nice speedup.  It's also not quite correct: SYSENTER
+enables interrupts too early.
+
+We can re-add this optimization once the SYSENTER code is beaten
+into shape, which should happen in 4.3 or 4.4.
+
+Signed-off-by: Andy Lutomirski <luto@kernel.org>
+Cc: Linus Torvalds <torvalds@linux-foundation.org>
+Cc: Peter Zijlstra <peterz@infradead.org>
+Cc: Thomas Gleixner <tglx@linutronix.de>
+Cc: stable@vger.kernel.org # v3.19
+Link: http://lkml.kernel.org/r/85f56651f59f76624e80785a8fd3bdfdd089a818.1439838962.git.luto@kernel.org
+Signed-off-by: Ingo Molnar <mingo@kernel.org>
+---
+ arch/x86/include/asm/switch_to.h | 12 ++++--------
+ 1 file changed, 4 insertions(+), 8 deletions(-)
+
+diff --git a/arch/x86/include/asm/switch_to.h b/arch/x86/include/asm/switch_to.h
+index 751bf4b7bf11..d7f3b3b78ac3 100644
+--- a/arch/x86/include/asm/switch_to.h
+++ b/arch/x86/include/asm/switch_to.h
+@@ -79,12 +79,12 @@ do {									\
+ #else /* CONFIG_X86_32 */
+ 
+ /* frame pointer must be last for get_wchan */
+-#define SAVE_CONTEXT    "pushq %%rbp ; movq %%rsi,%%rbp\n\t"
+-#define RESTORE_CONTEXT "movq %%rbp,%%rsi ; popq %%rbp\t"
+#define SAVE_CONTEXT    "pushf ; pushq %%rbp ; movq %%rsi,%%rbp\n\t"
+#define RESTORE_CONTEXT "movq %%rbp,%%rsi ; popq %%rbp ; popf\t"
+ 
+ #define __EXTRA_CLOBBER  \
+ 	, "rcx", "rbx", "rdx", "r8", "r9", "r10", "r11", \
+-	  "r12", "r13", "r14", "r15", "flags"
+	  "r12", "r13", "r14", "r15"
+ 
+ #ifdef CONFIG_CC_STACKPROTECTOR
+ #define __switch_canary							  \
+@@ -100,11 +100,7 @@ do {									\
+ #define __switch_canary_iparam
+ #endif	/* CC_STACKPROTECTOR */
+ 
+-/*
+- * There is no need to save or restore flags, because flags are always
+- * clean in kernel mode, with the possible exception of IOPL.  Kernel IOPL
+- * has no effect.
+- */
+/* Save restore flags to clear handle leaking NT */
+ #define switch_to(prev, next, last) \
+ 	asm volatile(SAVE_CONTEXT					  \
+ 	     "movq %%rsp,%P[threadrsp](%[prev])\n\t" /* save RSP */	  \
+-- 
+2.4.3
+
--- a/kernel.spec
+++ b/kernel.spec
@ -644,6 +644,9 @@ Patch511: iSCSI-let-session-recovery_tmo-sysfs-writes-persist.patch
 #rhbz 1250717
 Patch512: ext4-dont-manipulate-recovery-flag-when-freezing.patch

+#CVE-2015-6666 rhbz 1256746 1256753
+Patch513: Revert-sched-x86_64-Don-t-save-flags-on-context-swit.patch
+
 # END OF PATCH DEFINITIONS

 %endif
@ -1393,6 +1396,9 @@ ApplyPatch iSCSI-let-session-recovery_tmo-sysfs-writes-persist.patch
 #rhbz 1250717
 ApplyPatch ext4-dont-manipulate-recovery-flag-when-freezing.patch

+#CVE-2015-6666 rhbz 1256746 1256753
+ApplyPatch Revert-sched-x86_64-Don-t-save-flags-on-context-swit.patch
+
 # END OF PATCH APPLICATIONS

 %endif
@ -2252,6 +2258,9 @@ fi
 #                                    ||----w |
 #                                    ||     ||
 %changelog
+* Tue Aug 25 2015 Josh Boyer <jwboyer@fedoraproject.org>
+- CVE-2015-6666 x86_64 NT flag handling DoS (rhbz 1256746 1256753)
+
 * Fri Aug 21 2015 Josh Boyer <jwboyer@fedoraproject.org>
 - Disable EFI_VARS (rhbz 1252137)