[Xen-changelog] [linux-2.6.18-xen] x86/64: Fix security vulnerability CVE-2007-4573.
# HG changeset patch
# User Keir Fraser <keir@xxxxxxxxxxxxx>
# Date 1191315135 -3600
# Node ID aafef975e5186fe684b466235f26194bb89609be
# Parent c1c57fea77e93a992e668f1c634fb8e8922ea52d
x86/64: Fix security vulnerability CVE-2007-4573.
Zero-extend all registers after ptrace in 32-bit entry path. Actually only needed for %rax (which indexes into syscall table). This is a backport of the upstream Linux patch.
Signed-off-by: Keir Fraser <keir@xxxxxxxxxxxxx>
---
 arch/x86_64/ia32/ia32entry-xen.S | 18 +++++++++++++++---
 1 files changed, 15 insertions(+), 3 deletions(-)
diff -r c1c57fea77e9 -r aafef975e518 arch/x86_64/ia32/ia32entry-xen.S
--- a/arch/x86_64/ia32/ia32entry-xen.S Mon Sep 24 16:56:50 2007 -0700
+++ b/arch/x86_64/ia32/ia32entry-xen.S Tue Oct 02 09:52:15 2007 +0100
@@ -38,6 +38,18 @@
 movq %rax,R10(%rsp)
 movq %rax,R9(%rsp)
 movq %rax,R8(%rsp)
+ .endm
+
+ .macro LOAD_ARGS32 offset
+ movl \offset(%rsp),%r11d
+ movl \offset+8(%rsp),%r10d
+ movl \offset+16(%rsp),%r9d
+ movl \offset+24(%rsp),%r8d
+ movl \offset+40(%rsp),%ecx
+ movl \offset+48(%rsp),%edx
+ movl \offset+56(%rsp),%esi
+ movl \offset+64(%rsp),%edi
+ movl \offset+72(%rsp),%eax
 .endm
 
 #if defined (__XEN_X86_64)
@@ -171,7 +183,7 @@ sysenter_tracesys:
 movq $-ENOSYS,RAX(%rsp) /* really needed? */
 movq %rsp,%rdi /* &pt_regs -> arg1 */
 call syscall_trace_enter
- LOAD_ARGS ARGOFFSET /* reload args from stack in case ptrace changed it */
+ LOAD_ARGS32 ARGOFFSET /* reload args from stack in case ptrace changed it */
 RESTORE_REST
 movl %ebp, %ebp
 /* no need to do an access_ok check here because rbp has been
@@ -275,7 +287,7 @@ cstar_tracesys:
 movq $-ENOSYS,RAX(%rsp) /* really needed? */
 movq %rsp,%rdi /* &pt_regs -> arg1 */
 call syscall_trace_enter
- LOAD_ARGS ARGOFFSET /* reload args from stack in case ptrace changed it */
+ LOAD_ARGS32 ARGOFFSET /* reload args from stack in case ptrace changed it */
 RESTORE_REST
 movl RSP-ARGOFFSET(%rsp), %r8d
 /* no need to do an access_ok check here because r8 has been
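Review bot: LOAD_ARGS32 has no comment saying why it exists next to LOAD_ARGS, and its safety property is implicit in the `movl` forms. A header above `.macro LOAD_ARGS32 offset` such as `/* Reload args after ptrace with 32-bit loads: movl zero-extends, so upper halves written into pt_regs by a tracer never reach the 64-bit registers (%rax indexes the syscall table). */` would keep a later cleanup from folding it back into LOAD_ARGS. The literal offsets also deserve a word: the slot at `\offset+32` is skipped and `%eax` is loaded from `\offset+72`, presumably the saved original syscall number, which should be confirmed against the frame layout and named rather than hard-coded.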
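Review bot: The comment kept on the changed line in sysenter_tracesys, `/* reload args from stack in case ptrace changed it */`, no longer states the property the fix depends on. I would reword it to `/* reload args zero-extended: ptrace may have changed them, including the upper 32 bits */`; the same applies to the changed lines in the cstar_tracesys and ia32_tracesys hunks. The range check on the syscall number and the table-indexed call are outside all three hunks, so it is worth confirming that each path compares %eax against the table size after this reload and not only before the tracer ran.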
@@ -357,7 +369,7 @@ ia32_tracesys:
 movq $-ENOSYS,RAX(%rsp) /* really needed? */
 movq %rsp,%rdi /* &pt_regs -> arg1 */
 call syscall_trace_enter
- LOAD_ARGS ARGOFFSET /* reload args from stack in case ptrace changed it */
+ LOAD_ARGS32 ARGOFFSET /* reload args from stack in case ptrace changed it */
 RESTORE_REST
 jmp ia32_do_syscall
 END(ia32_syscall)
_______________________________________________
Xen-changelog mailing list
Xen-changelog@xxxxxxxxxxxxxxxxxxx
http://lists.xensource.com/xen-changelog