Fix for CVE-2013-0190 xen corruption with 32bit pvops (rhbz 896051 896038)
parent
e158c0561c
commit
5325d16e0a
|
@ -0,0 +1,26 @@
|
||||||
|
commit 93f9052643409c13b3b5f76833865087351f55b8
|
||||||
|
Author: Theodore Ts'o <tytso@mit.edu>
|
||||||
|
Date: Wed Sep 12 14:32:42 2012 -0400
|
||||||
|
|
||||||
|
ext4: set bg_itable_unused when resizing
|
||||||
|
|
||||||
|
Set bg_itable_unused for file systems that have uninit_bg enabled.
|
||||||
|
This will speed up the first e2fsck run after the file system is
|
||||||
|
resized.
|
||||||
|
|
||||||
|
Signed-off-by: "Theodore Ts'o" <tytso@mit.edu>
|
||||||
|
|
||||||
|
diff --git a/fs/ext4/resize.c b/fs/ext4/resize.c
|
||||||
|
index 7adc088..a5be589 100644
|
||||||
|
--- a/fs/ext4/resize.c
|
||||||
|
+++ b/fs/ext4/resize.c
|
||||||
|
@@ -1268,6 +1268,9 @@ static int ext4_setup_new_descs(handle_t *handle, struct super_block *sb,
|
||||||
|
ext4_free_group_clusters_set(sb, gdp,
|
||||||
|
EXT4_B2C(sbi, group_data->free_blocks_count));
|
||||||
|
ext4_free_inodes_set(sb, gdp, EXT4_INODES_PER_GROUP(sb));
|
||||||
|
+ if (ext4_has_group_desc_csum(sb))
|
||||||
|
+ ext4_itable_unused_set(sb, gdp,
|
||||||
|
+ EXT4_INODES_PER_GROUP(sb));
|
||||||
|
gdp->bg_flags = cpu_to_le16(*bg_flags);
|
||||||
|
ext4_group_desc_csum_set(sb, group, gdp);
|
||||||
|
|
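--- a/kernel.spec
+++ b/kernel.spec
@@ -54,7 +54,7 @@ Summary: The Linux kernel
 # For non-released -rc kernels, this will be appended after the rcX and
 # gitX tags, so a 3 here would become part of release "0.rcX.gitX.3"
 #
-%global baserelease 5
+%global baserelease 6
 %global fedora_build %{baserelease}
 
 # base_sublevel is the kernel version we're starting with and patching
@@ -741,6 +741,12 @@ Patch21240: ACPI-do-not-use-Lid-and-Sleep-button-for-S5-wakeup.patch
 #rhbz 886946
 Patch21241: iwlegacy-fix-IBSS-cleanup.patch
 
+#rhbz 852833
+Patch21245: ext4-set-bg_itable_unused-when-resizing.patch
+
+#rhbz 896051 896038 CVE-2013-0190
+Patch21250: xen-fix-stack-corruption-in-xen_failsafe_callback.patch
+
 # END OF PATCH DEFINITIONS
 
 %endif
@@ -1399,6 +1405,11 @@ ApplyPatch ACPI-do-not-use-Lid-and-Sleep-button-for-S5-wakeup.patch
 #rhbz 886946
 ApplyPatch iwlegacy-fix-IBSS-cleanup.patch
 
+#rhbz 852833
+ApplyPatch ext4-set-bg_itable_unused-when-resizing.patch
+
+#rhbz 896051 896038 CVE-2013-0190
+ApplyPatch xen-fix-stack-corruption-in-xen_failsafe_callback.patch
 
 # END OF PATCH APPLICATIONS
 
@@ -2100,6 +2111,10 @@ fi
 # and build.
 
 %changelog
+* Wed Jan 16 2013 Justin M. Forbes <jforbes@redhat.com> 3.6.11-6
+- Fix resize2fs issue with ext4 (rhbz 852833)
+- Fix for CVE-2013-0190 xen corruption with 32bit pvops (rhbz 896051 896038)
+
 * Wed Jan 16 2013 Josh Boyer <jwboyer@redhat.com>
 - Add patch from Stanislaw Gruszka to fix iwlegacy IBSS cleanup (rhbz 886946)
 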
|
@ -0,0 +1,62 @@
|
||||||
|
From 38174c8c07ad638cd18285ba402b59076849dc21 Mon Sep 17 00:00:00 2001
|
||||||
|
From: Andrew Cooper <andrew.cooper3@citrix.com>
|
||||||
|
Date: Thu, 10 Jan 2013 17:16:30 +0000
|
||||||
|
Subject: [PATCH] xen: Fix stack corruption in xen_failsafe_callback for 32bit PVOPS guests.
|
||||||
|
|
||||||
|
There has been an error on the xen_failsafe_callback path for failed
|
||||||
|
iret, which causes the stack pointer to be wrong when entering the
|
||||||
|
iret_exc error path. This can result in the kernel crashing.
|
||||||
|
|
||||||
|
In the classic kernel case, the relevant code looked a little like:
|
||||||
|
|
||||||
|
popl %eax # Error code from hypervisor
|
||||||
|
jz 5f
|
||||||
|
addl $16,%esp
|
||||||
|
jmp iret_exc # Hypervisor said iret fault
|
||||||
|
5: addl $16,%esp
|
||||||
|
# Hypervisor said segment selector fault
|
||||||
|
|
||||||
|
Here, there are two identical addls on either option of a branch which
|
||||||
|
appears to have been optimised by hoisting it above the jz, and
|
||||||
|
converting it to an lea, which leaves the flags register unaffected.
|
||||||
|
|
||||||
|
In the PVOPS case, the code looks like:
|
||||||
|
|
||||||
|
popl_cfi %eax # Error from the hypervisor
|
||||||
|
lea 16(%esp),%esp # Add $16 before choosing fault path
|
||||||
|
CFI_ADJUST_CFA_OFFSET -16
|
||||||
|
jz 5f
|
||||||
|
addl $16,%esp # Incorrectly adjust %esp again
|
||||||
|
jmp iret_exc
|
||||||
|
|
||||||
|
It is possible unprivileged userspace applications to cause this
|
||||||
|
behaviour, for example by loading an LDT code selector, then changing
|
||||||
|
the code selector to be not-present. At this point, there is a race
|
||||||
|
condition where it is possible for the hypervisor to return back to
|
||||||
|
userspace from an interrupt, fault on its own iret, and inject a
|
||||||
|
failsafe_callback into the kernel.
|
||||||
|
|
||||||
|
This bug has been present since the introduction of Xen PVOPS support
|
||||||
|
in commit 5ead97c84 (xen: Core Xen implementation), in 2.6.23.
|
||||||
|
|
||||||
|
Signed-off-by: Frediano Ziglio <frediano.ziglio@citrix.com>
|
||||||
|
Signed-off-by: Andrew Cooper <andrew.cooper3@citrix.com>
|
||||||
|
---
|
||||||
|
arch/x86/kernel/entry_32.S | 1 -
|
||||||
|
1 files changed, 0 insertions(+), 1 deletions(-)
|
||||||
|
|
||||||
|
diff --git a/arch/x86/kernel/entry_32.S b/arch/x86/kernel/entry_32.S
|
||||||
|
index ff84d54..6ed91d9 100644
|
||||||
|
--- a/arch/x86/kernel/entry_32.S
|
||||||
|
+++ b/arch/x86/kernel/entry_32.S
|
||||||
|
@@ -1065,7 +1065,6 @@ ENTRY(xen_failsafe_callback)
|
||||||
|
lea 16(%esp),%esp
|
||||||
|
CFI_ADJUST_CFA_OFFSET -16
|
||||||
|
jz 5f
|
||||||
|
- addl $16,%esp
|
||||||
|
jmp iret_exc
|
||||||
|
5: pushl_cfi $-1 /* orig_ax = -1 => not a system call */
|
||||||
|
SAVE_ALL
|
||||||
|
--
|
||||||
|
1.7.2.5
|
||||||
|
|