
[Xen-changelog] [linux-2.6.18-xen] x86/64: Fix security vulnerability CVE-2006-5755.



# HG changeset patch
# User Keir Fraser <keir@xxxxxxxxxxxxx>
# Date 1191419621 -3600
# Node ID 01ad7d0797c6819e5b4c6cbcc4d205a6ac6a7a16
# Parent  24f70cb16e0a8596b6f9a892b5e26e3db420cd34
x86/64: Fix security vulnerability CVE-2006-5755.

Properly save/restore EFLAGS on context switch, so that the NT flag cannot
leak from one task into the next and cause a crash on IRET.

This is a port of the upstream patch to Xen-specific source files.

Signed-off-by: Keir Fraser <keir@xxxxxxxxxxxxx>
---
 arch/x86_64/kernel/entry-xen.S           |    4 ++++
 arch/x86_64/kernel/setup64-xen.c         |    6 +++++-
 include/asm-x86_64/mach-xen/asm/system.h |    4 ++--
 3 files changed, 11 insertions(+), 3 deletions(-)

diff -r 24f70cb16e0a -r 01ad7d0797c6 arch/x86_64/kernel/entry-xen.S
--- a/arch/x86_64/kernel/entry-xen.S    Wed Oct 03 14:18:01 2007 +0100
+++ b/arch/x86_64/kernel/entry-xen.S    Wed Oct 03 14:53:41 2007 +0100
@@ -180,6 +180,10 @@ 2: /* Slow iret via hypervisor. */
 /* rdi:        prev */ 
 ENTRY(ret_from_fork)
        CFI_DEFAULT_STACK
+       push kernel_eflags(%rip)
+       CFI_ADJUST_CFA_OFFSET 4
+       popf                            # reset kernel eflags
+       CFI_ADJUST_CFA_OFFSET -4
        call schedule_tail
        GET_THREAD_INFO(%rcx)
        testl 
$(_TIF_SYSCALL_TRACE|_TIF_SYSCALL_AUDIT|_TIF_SECCOMP),threadinfo_flags(%rcx)
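Review bot: The CFI annotations around the new push/popf pair use a 4-byte delta, but in 64-bit mode `push kernel_eflags(%rip)` is an 8-byte push, so the CFA bookkeeping is off by four for the duration of the `popf`; it should read `CFI_ADJUST_CFA_OFFSET 8` and `CFI_ADJUST_CFA_OFFSET -8`. This only affects unwind information (backtraces through ret_from_fork), not the EFLAGS reset itself, which is correct as written. A one-line comment on why the reload is needed at this point would help a later reader, e.g. `# tasks first scheduled here never ran RESTORE_CONTEXT, so load a known-good EFLAGS (NT clear) from kernel_eflags`. That a new task reaches ret_from_fork without passing through RESTORE_CONTEXT is inferred from the companion system.h change rather than visible in this hunk, so verify the wording. ret_from_fork continues past the end of the hunk.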
diff -r 24f70cb16e0a -r 01ad7d0797c6 arch/x86_64/kernel/setup64-xen.c
--- a/arch/x86_64/kernel/setup64-xen.c  Wed Oct 03 14:18:01 2007 +0100
+++ b/arch/x86_64/kernel/setup64-xen.c  Wed Oct 03 14:53:41 2007 +0100
@@ -234,6 +234,8 @@ void __cpuinit check_efer(void)
         }       
 }
 
+unsigned long kernel_eflags;
+
 /*
  * cpu_init() initializes state that is per-CPU. Some data is already
  * initialized (naturally) in the bootstrap process, such as the GDT
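Review bot: `kernel_eflags` is a new non-static global that is only consumed from assembly (`kernel_eflags(%rip)` in entry-xen.S) and has no `extern` declaration in any header, so sparse and `-Wmissing-declarations` will flag it and a C reader has no way to find its consumer; add `extern unsigned long kernel_eflags;` next to SAVE_CONTEXT/RESTORE_CONTEXT in mach-xen/asm/system.h. A comment at the definition would also help: `/* EFLAGS image reloaded by ret_from_fork (entry-xen.S) so a new task never starts with NT set (CVE-2006-5755). */`. It is written once per CPU from cpu_init and read on every fork return, so it is a candidate for `__read_mostly`, though that is optional.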
@@ -358,4 +360,6 @@ void __cpuinit cpu_init (void)
        set_debugreg(0UL, 7);
 
        fpu_init(); 
-}
+
+       raw_local_save_flags(kernel_eflags);
+}
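Review bot: In the Xen-modified headers `raw_local_save_flags()` is, as far as I recall, backed by the vCPU `evtchn_upcall_mask` rather than by `pushf`, in which case `kernel_eflags` ends up holding 0 or 1 (the event mask) instead of a real EFLAGS image; please verify against the definition, which is outside this hunk. If so the fix still achieves its goal, since a popf of 0 or 1 clears NT and a PV guest cannot change IF through popf anyway, but the name is misleading and CF may be set on entry to schedule_tail, so either read the real register explicitly, e.g. `asm volatile("pushfq ; popq %0" : "=rm" (kernel_eflags));`, or document the intended value at the assignment. Note also that this line runs at the end of cpu_init on every CPU and overwrites the same global each time, which is only correct if every CPU captures the same value; a one-line comment stating that assumption would help. cpu_init begins outside the hunk.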
diff -r 24f70cb16e0a -r 01ad7d0797c6 include/asm-x86_64/mach-xen/asm/system.h
--- a/include/asm-x86_64/mach-xen/asm/system.h  Wed Oct 03 14:18:01 2007 +0100
+++ b/include/asm-x86_64/mach-xen/asm/system.h  Wed Oct 03 14:53:41 2007 +0100
@@ -24,8 +24,8 @@
 #define __RESTORE(reg,offset) "movq (14-" #offset ")*8(%%rsp),%%" #reg "\n\t"
 
 /* frame pointer must be last for get_wchan */
-#define SAVE_CONTEXT    "pushq %%rbp ; movq %%rsi,%%rbp\n\t"
-#define RESTORE_CONTEXT "movq %%rbp,%%rsi ; popq %%rbp\n\t"
+#define SAVE_CONTEXT    "pushf ; pushq %%rbp ; movq %%rsi,%%rbp\n\t"
+#define RESTORE_CONTEXT "movq %%rbp,%%rsi ; popq %%rbp ; popf\n\t"
 
 #define __EXTRA_CLOBBER  \
        ,"rcx","rbx","rdx","r8","r9","r10","r11","r12","r13","r14","r15"
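Review bot: The new `pushf`/`popf` in SAVE_CONTEXT and RESTORE_CONTEXT are left unexplained next to the existing get_wchan remark, and the two invariants the fix relies on deserve to be written down there: rbp must remain the last push so get_wchan still finds it at the saved rsp, and a task first scheduled through ret_from_fork never executes RESTORE_CONTEXT and therefore takes its EFLAGS from kernel_eflags instead. Suggested text above SAVE_CONTEXT: `/* Save/restore EFLAGS across the switch so no flag (notably NT) leaks into the next task (CVE-2006-5755). Keep rbp as the last push: get_wchan relies on it. Tasks entered via ret_from_fork skip RESTORE_CONTEXT and reload kernel_eflags there. */`. The switch_to macro that expands these is outside the hunk, so the ret_from_fork path is inferred from the companion entry-xen.S change rather than from these lines. The `__SAVE`/`__RESTORE` offsets on the line above are relative to %rsp at their own use sites, so they should be unaffected by the extra push, but it is worth confirming no remaining user of them assumes the pre-pushf stack layout.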
