
[Xen-changelog] [xen-3.1-testing] x86/64: Fix security vulnerability CVE-2007-4573.



# HG changeset patch
# User Keir Fraser <keir@xxxxxxxxxxxxx>
# Date 1191315238 -3600
# Node ID 72193fd51a8cd8628f9e8352d2dfae668e1e1bb0
# Parent  1c71f66b3b005142d551d8f14f3f5dd93b4f8aff
x86/64: Fix security vulnerability CVE-2007-4573.

Zero-extend all registers after ptrace in the 32-bit entry path. Strictly this is
only needed for %rax (which indexes into the syscall table).

This is a backport of the upstream Linux patch.

Signed-off-by: Keir Fraser <keir@xxxxxxxxxxxxx>
linux-2.6.18-xen changeset:   218:aafef975e5186fe684b466235f26194bb89609be
linux-2.6.18-xen date:        Tue Oct 02 09:52:15 2007 +0100
---
 linux-2.6-xen-sparse/arch/x86_64/ia32/ia32entry-xen.S |   18 +++++++++++++++---
 1 files changed, 15 insertions(+), 3 deletions(-)

diff -r 1c71f66b3b00 -r 72193fd51a8c 
linux-2.6-xen-sparse/arch/x86_64/ia32/ia32entry-xen.S
--- a/linux-2.6-xen-sparse/arch/x86_64/ia32/ia32entry-xen.S     Tue Oct 02 
09:44:55 2007 +0100
+++ b/linux-2.6-xen-sparse/arch/x86_64/ia32/ia32entry-xen.S     Tue Oct 02 
09:53:58 2007 +0100
@@ -38,6 +38,18 @@
        movq    %rax,R10(%rsp)
        movq    %rax,R9(%rsp)
        movq    %rax,R8(%rsp)
+       .endm
+
+       .macro LOAD_ARGS32 offset
+       movl \offset(%rsp),%r11d
+       movl \offset+8(%rsp),%r10d
+       movl \offset+16(%rsp),%r9d
+       movl \offset+24(%rsp),%r8d
+       movl \offset+40(%rsp),%ecx
+       movl \offset+48(%rsp),%edx
+       movl \offset+56(%rsp),%esi
+       movl \offset+64(%rsp),%edi
+       movl \offset+72(%rsp),%eax
        .endm
 
 #if defined (__XEN_X86_64)
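Review bot: The new `.macro LOAD_ARGS32` block carries no comment saying why it exists alongside LOAD_ARGS, and that reason is the whole point of the patch. A header such as `/* LOAD_ARGS for the 32-bit entry paths: 32-bit loads zero-extend, so the upper halves of the 64-bit registers are cleared even if ptrace stored a full 64-bit value -- in particular %rax, which is used as the syscall table index. */` would keep the rationale next to the code. The offsets 8..72 restate the pt_regs layout as bare numbers, while the rest of the file names register slots (`R10(%rsp)` in the context above, `RSP-ARGOFFSET(%rsp)` later); presumably they mirror the existing LOAD_ARGS, but spelling them the same symbolic way would make a mis-ordered load visible at a glance. The macro closed by the `.endm` at the top of the hunk begins outside it.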
@@ -171,7 +183,7 @@ sysenter_tracesys:
        movq    $-ENOSYS,RAX(%rsp)      /* really needed? */
        movq    %rsp,%rdi        /* &pt_regs -> arg1 */
        call    syscall_trace_enter
-       LOAD_ARGS ARGOFFSET  /* reload args from stack in case ptrace changed 
it */
+       LOAD_ARGS32 ARGOFFSET  /* reload args from stack in case ptrace changed 
it */
        RESTORE_REST
        movl    %ebp, %ebp
        /* no need to do an access_ok check here because rbp has been
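Review bot: The `LOAD_ARGS32 ARGOFFSET` line keeps the old trailing comment, which explains the reload but not why this path now needs the 32-bit variant; the identical substitutions in cstar_tracesys and ia32_tracesys have the same gap. Suggest `LOAD_ARGS32 ARGOFFSET  /* reload args in case ptrace changed them; 32-bit loads zero-extend */` at all three sites. Presumably the syscall-number range check compares %eax while the table lookup indexes with the full %rax, which is what makes stale upper bits dangerous -- worth confirming and stating in that comment. The `movl %ebp, %ebp` just below already relies on the same zero-extension for %rbp, so the two lines would then read consistently. The sysenter_tracesys body continues outside the hunk.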
@@ -275,7 +287,7 @@ cstar_tracesys:
        movq $-ENOSYS,RAX(%rsp) /* really needed? */
        movq %rsp,%rdi        /* &pt_regs -> arg1 */
        call syscall_trace_enter
-       LOAD_ARGS ARGOFFSET  /* reload args from stack in case ptrace changed 
it */
+       LOAD_ARGS32 ARGOFFSET  /* reload args from stack in case ptrace changed 
it */
        RESTORE_REST
        movl RSP-ARGOFFSET(%rsp), %r8d
        /* no need to do an access_ok check here because r8 has been
@@ -357,7 +369,7 @@ ia32_tracesys:
        movq $-ENOSYS,RAX(%rsp) /* really needed? */
        movq %rsp,%rdi        /* &pt_regs -> arg1 */
        call syscall_trace_enter
-       LOAD_ARGS ARGOFFSET  /* reload args from stack in case ptrace changed 
it */
+       LOAD_ARGS32 ARGOFFSET  /* reload args from stack in case ptrace changed 
it */
        RESTORE_REST
        jmp ia32_do_syscall
 END(ia32_syscall)
