WARNING - OLD ARCHIVES

This is an archived copy of the Xen.org mailing list, which we have preserved to ensure that existing links to archives are not broken. The live archive, which contains the latest emails, can be found at http://lists.xen.org/
   
 
 
Xen 		  
Home Products Support Community News
 
   
 

xen-changelog

[Top] [All Lists]
<prev [Date] next>
[Advanced]
 <prev [Thread] next>

[Xen-changelog] [linux-2.6.18-xen] x86/64: Fix security vulnerability CV

from [Xen patchbot-linux-2.6.18-xen] [Permanent Link][Original]
To: xen-changelog@xxxxxxxxxxxxxxxxxxx
Subject: [Xen-changelog] [linux-2.6.18-xen] x86/64: Fix security vulnerability CVE-2006-5755.
From: "Xen patchbot-linux-2.6.18-xen" <patchbot-linux-2.6.18-xen@xxxxxxxxxxxxxxxxxxx>
Date: Thu, 04 Oct 2007 17:42:16 -0700
Delivery-date: Thu, 04 Oct 2007 18:30:51 -0700
Envelope-to: www-data@xxxxxxxxxxxxxxxxxx
List-help: <mailto:xen-changelog-request@lists.xensource.com?subject=help>
List-id: BK change log <xen-changelog.lists.xensource.com>
List-post: <mailto:xen-changelog@lists.xensource.com>
List-subscribe: <http://lists.xensource.com/cgi-bin/mailman/listinfo/xen-changelog>, <mailto:xen-changelog-request@lists.xensource.com?subject=subscribe>
List-unsubscribe: <http://lists.xensource.com/cgi-bin/mailman/listinfo/xen-changelog>, <mailto:xen-changelog-request@lists.xensource.com?subject=unsubscribe>
Reply-to: xen-devel@xxxxxxxxxxxxxxxxxxx
Sender: xen-changelog-bounces@xxxxxxxxxxxxxxxxxxx 
# HG changeset patch
# User Keir Fraser <keir@xxxxxxxxxxxxx>
# Date 1191419621 -3600
# Node ID 01ad7d0797c6819e5b4c6cbcc4d205a6ac6a7a16
# Parent  24f70cb16e0a8596b6f9a892b5e26e3db420cd34
x86/64: Fix security vulnerability CVE-2006-5755.

Properly save/restore EFLAGS on context switch, to avoid leakage of NT
flag causing crash on IRET.

This is a port of the upstream patch to Xen-specific source files.

Signed-off-by: Keir Fraser <keir@xxxxxxxxxxxxx>
---
 arch/x86_64/kernel/entry-xen.S           |    4 ++++
 arch/x86_64/kernel/setup64-xen.c         |    6 +++++-
 include/asm-x86_64/mach-xen/asm/system.h |    4 ++--
 3 files changed, 11 insertions(+), 3 deletions(-)

diff -r 24f70cb16e0a -r 01ad7d0797c6 arch/x86_64/kernel/entry-xen.S
--- a/arch/x86_64/kernel/entry-xen.S    Wed Oct 03 14:18:01 2007 +0100
+++ b/arch/x86_64/kernel/entry-xen.S    Wed Oct 03 14:53:41 2007 +0100
@@ -180,6 +180,10 @@ 2: /* Slow iret via hypervisor. */
 /* rdi:        prev */ 
 ENTRY(ret_from_fork)
        CFI_DEFAULT_STACK
+       push kernel_eflags(%rip)
+       CFI_ADJUST_CFA_OFFSET 4
+       popf                            # reset kernel eflags
+       CFI_ADJUST_CFA_OFFSET -4
        call schedule_tail
        GET_THREAD_INFO(%rcx)
        testl 
$(_TIF_SYSCALL_TRACE|_TIF_SYSCALL_AUDIT|_TIF_SECCOMP),threadinfo_flags(%rcx)
diff -r 24f70cb16e0a -r 01ad7d0797c6 arch/x86_64/kernel/setup64-xen.c
--- a/arch/x86_64/kernel/setup64-xen.c  Wed Oct 03 14:18:01 2007 +0100
+++ b/arch/x86_64/kernel/setup64-xen.c  Wed Oct 03 14:53:41 2007 +0100
@@ -234,6 +234,8 @@ void __cpuinit check_efer(void)
         }       
 }
 
+unsigned long kernel_eflags;
+
 /*
  * cpu_init() initializes state that is per-CPU. Some data is already
  * initialized (naturally) in the bootstrap process, such as the GDT
@@ -358,4 +360,6 @@ void __cpuinit cpu_init (void)
        set_debugreg(0UL, 7);
 
        fpu_init(); 
-}
+
+       raw_local_save_flags(kernel_eflags);
+}
diff -r 24f70cb16e0a -r 01ad7d0797c6 include/asm-x86_64/mach-xen/asm/system.h
--- a/include/asm-x86_64/mach-xen/asm/system.h  Wed Oct 03 14:18:01 2007 +0100
+++ b/include/asm-x86_64/mach-xen/asm/system.h  Wed Oct 03 14:53:41 2007 +0100
@@ -24,8 +24,8 @@
 #define __RESTORE(reg,offset) "movq (14-" #offset ")*8(%%rsp),%%" #reg "\n\t"
 
 /* frame pointer must be last for get_wchan */
-#define SAVE_CONTEXT    "pushq %%rbp ; movq %%rsi,%%rbp\n\t"
-#define RESTORE_CONTEXT "movq %%rbp,%%rsi ; popq %%rbp\n\t"
+#define SAVE_CONTEXT    "pushf ; pushq %%rbp ; movq %%rsi,%%rbp\n\t"
+#define RESTORE_CONTEXT "movq %%rbp,%%rsi ; popq %%rbp ; popf\n\t"
 
 #define __EXTRA_CLOBBER  \
        ,"rcx","rbx","rdx","r8","r9","r10","r11","r12","r13","r14","r15"

_______________________________________________
Xen-changelog mailing list
Xen-changelog@xxxxxxxxxxxxxxxxxxx
http://lists.xensource.com/xen-changelog
[More with this subject...]
<Prev in Thread] Current Thread [Next in Thread>
  • [Xen-changelog] [linux-2.6.18-xen] x86/64: Fix security vulnerability CVE-2006-5755., Xen patchbot-linux-2.6.18-xen <=
Previous by Date:  [Xen-changelog] [linux-2.6.18-xen] Use module use count on accel plugin to prevent premature unload., Xen patchbot-linux-2.6.18-xen
Next by Date:  [Xen-changelog] [xen-unstable] hvm: Fix the flush-all-tlbs hypercall., Xen patchbot-unstable
Previous by Thread:  [Xen-changelog] [linux-2.6.18-xen] Use module use count on accel plugin to prevent premature unload., Xen patchbot-linux-2.6.18-xen
Next by Thread:  [Xen-changelog] [xen-unstable] hvm: Fix the flush-all-tlbs hypercall., Xen patchbot-unstable
Indexes:  [Date] [Thread] [Top] [All Lists]
 
   

Copyright , Citrix Systems Inc. All rights reserved. Legal and Privacy