From 5325d16e0aafd28478e52d254ce310ef7bcf855d Mon Sep 17 00:00:00 2001
From: "Justin M. Forbes"
Date: Wed, 16 Jan 2013 09:52:46 -0600
Subject: [PATCH] Fix for CVE-2013-0190 xen corruption with 32bit pvops (rhbz 896051 896038)

---
 ext4-set-bg_itable_unused-when-resizing.patch | 26 ++++++++
 kernel.spec | 17 ++++-
 ...-corruption-in-xen_failsafe_callback.patch | 62 +++++++++++++++++++
 3 files changed, 104 insertions(+), 1 deletion(-)
 create mode 100644 ext4-set-bg_itable_unused-when-resizing.patch
 create mode 100644 xen-fix-stack-corruption-in-xen_failsafe_callback.patch

diff --git a/ext4-set-bg_itable_unused-when-resizing.patch b/ext4-set-bg_itable_unused-when-resizing.patch
new file mode 100644
index 000000000..bd7bc4424
--- /dev/null
+++ b/ext4-set-bg_itable_unused-when-resizing.patch
@@ -0,0 +1,26 @@
+commit 93f9052643409c13b3b5f76833865087351f55b8
+Author: Theodore Ts'o
+Date: Wed Sep 12 14:32:42 2012 -0400
+
+ ext4: set bg_itable_unused when resizing
+
+ Set bg_itable_unused for file systems that have uninit_bg enabled.
+ This will speed up the first e2fsck run after the file system is
+ resized.
+
+ Signed-off-by: "Theodore Ts'o"
+
+diff --git a/fs/ext4/resize.c b/fs/ext4/resize.c
+index 7adc088..a5be589 100644
+--- a/fs/ext4/resize.c
++++ b/fs/ext4/resize.c
+@@ -1268,6 +1268,9 @@ static int ext4_setup_new_descs(handle_t *handle, struct super_block *sb,
+ ext4_free_group_clusters_set(sb, gdp,
+ EXT4_B2C(sbi, group_data->free_blocks_count));
+ ext4_free_inodes_set(sb, gdp, EXT4_INODES_PER_GROUP(sb));
++ if (ext4_has_group_desc_csum(sb))
++ ext4_itable_unused_set(sb, gdp,
++ EXT4_INODES_PER_GROUP(sb));
+ gdp->bg_flags = cpu_to_le16(*bg_flags);
+ ext4_group_desc_csum_set(sb, group, gdp);
+ 
diff --git a/kernel.spec b/kernel.spec
index 7a76430ad..1e30ecffc 100644
--- a/kernel.spec
+++ b/kernel.spec
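Review bot: The carried patch is not self-describing: its embedded header presents the change as a speed-up for the first e2fsck run after a resize, while the kernel.spec hunks that add it (the Patch21245 definition, the ApplyPatch line and the changelog entry) present it as a fix for a resize2fs issue tracked in rhbz 852833, and nothing in the file records why Fedora backports it. A single line ahead of `commit 93f9052643409c13b3b5f76833865087351f55b8`, e.g. `Backport for rhbz 852833: groups added by resize lacked bg_itable_unused on uninit_bg filesystems`, would tie the file to its bug without touching the patch body, since leading text before the diff is normally skipped when the patch is applied. The added guard `if (ext4_has_group_desc_csum(sb))` is consistent with the neighbouring descriptor-setup calls in ext4_setup_new_descs(), whose body starts and ends outside the inner hunk.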
@@ -54,7 +54,7 @@ Summary: The Linux kernel
 # For non-released -rc kernels, this will be appended after the rcX and
 # gitX tags, so a 3 here would become part of release "0.rcX.gitX.3"
 #
-%global baserelease 5
+%global baserelease 6
 %global fedora_build %{baserelease}
 
 # base_sublevel is the kernel version we're starting with and patching
@@ -741,6 +741,12 @@ Patch21240: ACPI-do-not-use-Lid-and-Sleep-button-for-S5-wakeup.patch
 #rhbz 886946
 Patch21241: iwlegacy-fix-IBSS-cleanup.patch
 
+#rhbz 852833
+Patch21245: ext4-set-bg_itable_unused-when-resizing.patch
+
+#rhbz 896051 896038 CVE-2013-0190
+Patch21250: xen-fix-stack-corruption-in-xen_failsafe_callback.patch
+
 # END OF PATCH DEFINITIONS
 
 %endif
@@ -1399,6 +1405,11 @@ ApplyPatch ACPI-do-not-use-Lid-and-Sleep-button-for-S5-wakeup.patch
 #rhbz 886946
 ApplyPatch iwlegacy-fix-IBSS-cleanup.patch
 
+#rhbz 852833
+ApplyPatch ext4-set-bg_itable_unused-when-resizing.patch
+
+#rhbz 896051 896038 CVE-2013-0190
+ApplyPatch xen-fix-stack-corruption-in-xen_failsafe_callback.patch
 
 # END OF PATCH APPLICATIONS
 
@@ -2100,6 +2111,10 @@ fi
 
 # and build.
 %changelog
+* Wed Jan 16 2013 Justin M. Forbes 3.6.11-6
+- Fix resize2fs issue with ext4 (rhbz 852833)
+- Fix for CVE-2013-0190 xen corruption with 32bit pvops (rhbz 896051 896038)
+
 * Wed Jan 16 2013 Josh Boyer
 - Add patch from Stanislaw Gruszka to fix iwlegacy IBSS cleanup (rhbz 886946)
 
diff --git a/xen-fix-stack-corruption-in-xen_failsafe_callback.patch b/xen-fix-stack-corruption-in-xen_failsafe_callback.patch
new file mode 100644
index 000000000..9d83ea0c9
--- /dev/null
+++ b/xen-fix-stack-corruption-in-xen_failsafe_callback.patch
@@ -0,0 +1,62 @@
+From 38174c8c07ad638cd18285ba402b59076849dc21 Mon Sep 17 00:00:00 2001
+From: Andrew Cooper
+Date: Thu, 10 Jan 2013 17:16:30 +0000
+Subject: [PATCH] xen: Fix stack corruption in xen_failsafe_callback for 32bit PVOPS guests.
+
+There has been an error on the xen_failsafe_callback path for failed
+iret, which causes the stack pointer to be wrong when entering the
+iret_exc error path. This can result in the kernel crashing.
+
+In the classic kernel case, the relevant code looked a little like:
+
+ popl %eax # Error code from hypervisor
+ jz 5f
+ addl $16,%esp
+ jmp iret_exc # Hypervisor said iret fault
+5: addl $16,%esp
+ # Hypervisor said segment selector fault
+
+Here, there are two identical addls on either option of a branch which
+appears to have been optimised by hoisting it above the jz, and
+converting it to an lea, which leaves the flags register unaffected.
+
+In the PVOPS case, the code looks like:
+
+ popl_cfi %eax # Error from the hypervisor
+ lea 16(%esp),%esp # Add $16 before choosing fault path
+ CFI_ADJUST_CFA_OFFSET -16
+ jz 5f
+ addl $16,%esp # Incorrectly adjust %esp again
+ jmp iret_exc
+
+It is possible unprivileged userspace applications to cause this
+behaviour, for example by loading an LDT code selector, then changing
+the code selector to be not-present. At this point, there is a race
+condition where it is possible for the hypervisor to return back to
+userspace from an interrupt, fault on its own iret, and inject a
+failsafe_callback into the kernel.
+
+This bug has been present since the introduction of Xen PVOPS support
+in commit 5ead97c84 (xen: Core Xen implementation), in 2.6.23.
+
+Signed-off-by: Frediano Ziglio
+Signed-off-by: Andrew Cooper
+---
+ arch/x86/kernel/entry_32.S | 1 -
+ 1 files changed, 0 insertions(+), 1 deletions(-)
+
+diff --git a/arch/x86/kernel/entry_32.S b/arch/x86/kernel/entry_32.S
+index ff84d54..6ed91d9 100644
+--- a/arch/x86/kernel/entry_32.S
++++ b/arch/x86/kernel/entry_32.S
+@@ -1065,7 +1065,6 @@ ENTRY(xen_failsafe_callback)
+ lea 16(%esp),%esp
+ CFI_ADJUST_CFA_OFFSET -16
+ jz 5f
+- addl $16,%esp
+ jmp iret_exc
+ 5: pushl_cfi $-1 /* orig_ax = -1 => not a system call */
+ SAVE_ALL
+--
+1.7.2.5
+
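Review bot: Besides adjusting %esp a second time, the removed `addl $16,%esp` had no matching CFI_ADJUST_CFA_OFFSET, unlike the `lea 16(%esp),%esp` kept above it, so the unwind annotations on the `jmp iret_exc` path were presumably off by 16 as well; after the change the single lea plus `CFI_ADJUST_CFA_OFFSET -16` keep %esp and the CFA in step. The `jz 5f` still consumes flags that are set before the hunk, which is only sound because popl and lea leave EFLAGS untouched, as the commit message itself notes; a comment on the surviving branch, `jmp iret_exc	/* %esp already adjusted by the lea above */`, would make that dependency visible and discourage reintroducing the addl. The description states the path is reachable from unprivileged userspace, so the missing-adjustment case is a local crash rather than a corner case, which justifies carrying the patch ahead of a stable backport. ENTRY(xen_failsafe_callback) begins and ends outside the hunk.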