Linux v3.7.4

kernel.spec

@@ -66,7 +66,7 @@ Summary: The Linux kernel
 %if 0%{?released_kernel}
 
 # Do we have a -stable update to apply?
-%define stable_update 3
+%define stable_update 4
 # Is it a -stable RC?
 %define stable_rc 0
 # Set rpm version accordingly
@@ -746,9 +746,6 @@ Patch21233: 8139cp-re-enable-interrupts-after-tx-timeout.patch
 #rhbz 886946
 Patch21241: iwlegacy-fix-IBSS-cleanup.patch
 
-#rhbz 896051 896038 CVE-2013-0190
-Patch21250: xen-fix-stack-corruption-in-xen_failsafe_callback.patch
-
 # END OF PATCH DEFINITIONS
 
 %endif
@@ -1442,9 +1439,6 @@ ApplyPatch 8139cp-re-enable-interrupts-after-tx-timeout.patch
 #rhbz 886946
 ApplyPatch iwlegacy-fix-IBSS-cleanup.patch
 
-#rhbz 896051 896038 CVE-2013-0190
-ApplyPatch xen-fix-stack-corruption-in-xen_failsafe_callback.patch
-
 # END OF PATCH APPLICATIONS
 
 %endif
@@ -2293,6 +2287,9 @@ fi
 #    '-'      |  |
 #              '-'
 %changelog
+* Mon Jan 21 2013 Josh Boyer <jwboyer@redhat.com> - 3.7.4-101
+- Linux v3.7.4
+
 * Sun Jan 20 2013 Peter Robinson <pbrobinson@fedoraproject.org>
 - Merge ARM changes back to fix ARMv5 kernel build and update for 3.7
 - Drop highbank, versatile kernel as it's now unified

sources

@@ -1,2 +1,2 @@
 21223369d682bcf44bcdfe1521095983  linux-3.7.tar.xz
-d4aa39ec9610e9fbd7bb4f5aff2c5db8  patch-3.7.3.xz
+87640faf7264639e1300829d1b292076  patch-3.7.4.xz

xen-fix-stack-corruption-in-xen_failsafe_callback.patch

@@ -1,62 +0,0 @@
-From 38174c8c07ad638cd18285ba402b59076849dc21 Mon Sep 17 00:00:00 2001
-From: Andrew Cooper <andrew.cooper3@citrix.com>
-Date: Thu, 10 Jan 2013 17:16:30 +0000
-Subject: [PATCH] xen: Fix stack corruption in xen_failsafe_callback for 32bit PVOPS guests.
-
-There has been an error on the xen_failsafe_callback path for failed
-iret, which causes the stack pointer to be wrong when entering the
-iret_exc error path.  This can result in the kernel crashing.
-
-In the classic kernel case, the relevant code looked a little like:
-
-        popl %eax      # Error code from hypervisor
-        jz 5f
-        addl $16,%esp
-        jmp iret_exc   # Hypervisor said iret fault
-5:      addl $16,%esp
-                       # Hypervisor said segment selector fault
-
-Here, there are two identical addls on either option of a branch which
-appears to have been optimised by hoisting it above the jz, and
-converting it to an lea, which leaves the flags register unaffected.
-
-In the PVOPS case, the code looks like:
-
-        popl_cfi %eax         # Error from the hypervisor
-        lea 16(%esp),%esp     # Add $16 before choosing fault path
-        CFI_ADJUST_CFA_OFFSET -16
-        jz 5f
-        addl $16,%esp         # Incorrectly adjust %esp again
-        jmp iret_exc
-
-It is possible unprivileged userspace applications to cause this
-behaviour, for example by loading an LDT code selector, then changing
-the code selector to be not-present.  At this point, there is a race
-condition where it is possible for the hypervisor to return back to
-userspace from an interrupt, fault on its own iret, and inject a
-failsafe_callback into the kernel.
-
-This bug has been present since the introduction of Xen PVOPS support
-in commit 5ead97c84 (xen: Core Xen implementation), in 2.6.23.
-
-Signed-off-by: Frediano Ziglio <frediano.ziglio@citrix.com>
-Signed-off-by: Andrew Cooper <andrew.cooper3@citrix.com>
----
- arch/x86/kernel/entry_32.S |    1 -
- 1 files changed, 0 insertions(+), 1 deletions(-)
-
-diff --git a/arch/x86/kernel/entry_32.S b/arch/x86/kernel/entry_32.S
-index ff84d54..6ed91d9 100644
---- a/arch/x86/kernel/entry_32.S
-+++ b/arch/x86/kernel/entry_32.S
-@@ -1065,7 +1065,6 @@ ENTRY(xen_failsafe_callback)
- 	lea 16(%esp),%esp
- 	CFI_ADJUST_CFA_OFFSET -16
- 	jz 5f
--	addl $16,%esp
- 	jmp iret_exc
- 5:	pushl_cfi $-1 /* orig_ax = -1 => not a system call */
- 	SAVE_ALL
--- 
-1.7.2.5
-