Linux v3.7.4
parent ea1041cae6
commit 82e9f20090
11
kernel.spec
|
@ -66,7 +66,7 @@ Summary: The Linux kernel
|
|||
%if 0%{?released_kernel}
|
||||
|
||||
# Do we have a -stable update to apply?
|
||||
%define stable_update 3
|
||||
%define stable_update 4
|
||||
# Is it a -stable RC?
|
||||
%define stable_rc 0
|
||||
# Set rpm version accordingly
|
||||
|
@ -746,9 +746,6 @@ Patch21233: 8139cp-re-enable-interrupts-after-tx-timeout.patch
|
|||
#rhbz 886946
|
||||
Patch21241: iwlegacy-fix-IBSS-cleanup.patch
|
||||
|
||||
#rhbz 896051 896038 CVE-2013-0190
|
||||
Patch21250: xen-fix-stack-corruption-in-xen_failsafe_callback.patch
|
||||
|
||||
# END OF PATCH DEFINITIONS
|
||||
|
||||
%endif
|
||||
|
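Review bot: The removal of Patch21250 (xen-fix-stack-corruption-in-xen_failsafe_callback.patch, tagged CVE-2013-0190) drops a security fix, and nothing visible in this commit shows that patch-3.7.4.xz carries the same change. Before merging, run the prep stage and confirm that in arch/x86/kernel/entry_32.S the xen_failsafe_callback path goes from "jz 5f" straight to "jmp iret_exc" with no "addl $16,%esp" between them. If the extra addl is still there, the patch has to stay.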
@ -1442,9 +1439,6 @@ ApplyPatch 8139cp-re-enable-interrupts-after-tx-timeout.patch
|
|||
#rhbz 886946
|
||||
ApplyPatch iwlegacy-fix-IBSS-cleanup.patch
|
||||
|
||||
#rhbz 896051 896038 CVE-2013-0190
|
||||
ApplyPatch xen-fix-stack-corruption-in-xen_failsafe_callback.patch
|
||||
|
||||
# END OF PATCH APPLICATIONS
|
||||
|
||||
%endif
|
||||
|
@ -2293,6 +2287,9 @@ fi
|
|||
# '-' | |
|
||||
# '-'
|
||||
%changelog
|
||||
* Mon Jan 21 2013 Josh Boyer <jwboyer@redhat.com> - 3.7.4-101
|
||||
- Linux v3.7.4
|
||||
|
||||
* Sun Jan 20 2013 Peter Robinson <pbrobinson@fedoraproject.org>
|
||||
- Merge ARM changes back to fix ARMv5 kernel build and update for 3.7
|
||||
- Drop highbank, versatile kernel as it's now unified
|
||||
|
|
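Review bot: The new changelog entry for 3.7.4-101 says only "- Linux v3.7.4" and does not record that the CVE-2013-0190 patch was dropped from the spec in the same commit. Add a line stating that xen-fix-stack-corruption-in-xen_failsafe_callback.patch (rhbz 896051 896038) was removed and why, so the CVE stays traceable from the rpm changelog.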
2
sources
|
@ -1,2 +1,2 @@
|
|||
21223369d682bcf44bcdfe1521095983 linux-3.7.tar.xz
|
||||
d4aa39ec9610e9fbd7bb4f5aff2c5db8 patch-3.7.3.xz
|
||||
87640faf7264639e1300829d1b292076 patch-3.7.4.xz
|
||||
|
|
|
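Review bot: The new patch-3.7.4.xz entry is pinned only by a 32-hex-digit digest, which is MD5 length, and MD5 does not resist deliberate collisions. Verify the downloaded file against the upstream signature before uploading it, and say in the commit message that this was done.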
@ -1,62 +0,0 @@
|
|||
From 38174c8c07ad638cd18285ba402b59076849dc21 Mon Sep 17 00:00:00 2001
|
||||
From: Andrew Cooper <andrew.cooper3@citrix.com>
|
||||
Date: Thu, 10 Jan 2013 17:16:30 +0000
|
||||
Subject: [PATCH] xen: Fix stack corruption in xen_failsafe_callback for 32bit PVOPS guests.
|
||||
|
||||
There has been an error on the xen_failsafe_callback path for failed
|
||||
iret, which causes the stack pointer to be wrong when entering the
|
||||
iret_exc error path. This can result in the kernel crashing.
|
||||
|
||||
In the classic kernel case, the relevant code looked a little like:
|
||||
|
||||
popl %eax # Error code from hypervisor
|
||||
jz 5f
|
||||
addl $16,%esp
|
||||
jmp iret_exc # Hypervisor said iret fault
|
||||
5: addl $16,%esp
|
||||
# Hypervisor said segment selector fault
|
||||
|
||||
Here, there are two identical addls on either option of a branch which
|
||||
appears to have been optimised by hoisting it above the jz, and
|
||||
converting it to an lea, which leaves the flags register unaffected.
|
||||
|
||||
In the PVOPS case, the code looks like:
|
||||
|
||||
popl_cfi %eax # Error from the hypervisor
|
||||
lea 16(%esp),%esp # Add $16 before choosing fault path
|
||||
CFI_ADJUST_CFA_OFFSET -16
|
||||
jz 5f
|
||||
addl $16,%esp # Incorrectly adjust %esp again
|
||||
jmp iret_exc
|
||||
|
||||
It is possible unprivileged userspace applications to cause this
|
||||
behaviour, for example by loading an LDT code selector, then changing
|
||||
the code selector to be not-present. At this point, there is a race
|
||||
condition where it is possible for the hypervisor to return back to
|
||||
userspace from an interrupt, fault on its own iret, and inject a
|
||||
failsafe_callback into the kernel.
|
||||
|
||||
This bug has been present since the introduction of Xen PVOPS support
|
||||
in commit 5ead97c84 (xen: Core Xen implementation), in 2.6.23.
|
||||
|
||||
Signed-off-by: Frediano Ziglio <frediano.ziglio@citrix.com>
|
||||
Signed-off-by: Andrew Cooper <andrew.cooper3@citrix.com>
|
||||
---
|
||||
arch/x86/kernel/entry_32.S | 1 -
|
||||
1 files changed, 0 insertions(+), 1 deletions(-)
|
||||
|
||||
diff --git a/arch/x86/kernel/entry_32.S b/arch/x86/kernel/entry_32.S
|
||||
index ff84d54..6ed91d9 100644
|
||||
--- a/arch/x86/kernel/entry_32.S
|
||||
+++ b/arch/x86/kernel/entry_32.S
|
||||
@@ -1065,7 +1065,6 @@ ENTRY(xen_failsafe_callback)
|
||||
lea 16(%esp),%esp
|
||||
CFI_ADJUST_CFA_OFFSET -16
|
||||
jz 5f
|
||||
- addl $16,%esp
|
||||
jmp iret_exc
|
||||
5: pushl_cfi $-1 /* orig_ax = -1 => not a system call */
|
||||
SAVE_ALL
|
||||
--
|
||||
1.7.2.5
|
||||
|