
Contents of /genpatches-2.6/trunk/2.6.14/1496_16.5_x86_64-force-irit-on-rip-change.patch

Revision 381
Thu Apr 13 15:29:29 2006 UTC by johnm
File MIME type: text/x-diff
File size: 2111 byte(s)
Applying appropriate CVE fixes
1 johnm 381 From stable-bounces@linux.kernel.org Tue Apr 11 23:19:40 2006
2     Date: Wed, 12 Apr 2006 08:19:29 +0200
3     From: Andi Kleen <ak@suse.de>
4     To: stable@kernel.org
5     Message-ID: <20060412061929.GA29657@wotan.suse.de>
6     Content-Disposition: inline
7     Cc:
8     Subject: x86_64: When user could have changed RIP always force IRET (CVE-2006-0744)
9    
10    
11     Intel EM64T CPUs handle uncanonical return addresses differently from
12     AMD CPUs.
13    
14     The exception is reported in the SYSRET, not the next instruction.
15     This leads to the kernel exception handler running on the user stack
16     with the wrong GS because the kernel didn't expect exceptions on this
17     instruction.
18    
19     This version of the patch has the teething problems that plagued an
20     earlier version fixed.
21    
22     This is CVE-2006-0744
23    
24     Thanks to Ernie Petrides and Asit B. Mallick for analysis and initial
25     patches.
26    
27     Signed-off-by: Andi Kleen <ak@suse.de>
28     Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
29    
30     ---
31     arch/x86_64/kernel/entry.S | 12 ++++++++++--
32     1 file changed, 10 insertions(+), 2 deletions(-)
33    
34     --- linux-2.6.16.4.orig/arch/x86_64/kernel/entry.S
35     +++ linux-2.6.16.4/arch/x86_64/kernel/entry.S
36     @@ -180,6 +180,10 @@ rff_trace:
37     *
38     * XXX if we had a free scratch register we could save the RSP into the stack frame
39     * and report it properly in ps. Unfortunately we haven't.
40     + *
41     + * When user can change the frames always force IRET. That is because
42     + * it deals with uncanonical addresses better. SYSRET has trouble
43     + * with them due to bugs in both AMD and Intel CPUs.
44     */
45    
46     ENTRY(system_call)
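Review bot: the new comment block blames "bugs in both AMD and Intel CPUs" for SYSRET's trouble with uncanonical addresses, while the commit message describes a difference in handling, with the Intel EM64T case (exception reported on the SYSRET instruction itself, so the handler runs on the user stack with user GS) being the one that bites. A reader of entry.S will not have the commit message, so the comment should say which case the forced IRET guards against, for example: `* Intel CPUs report the fault on SYSRET itself, so the kernel would take it on the user stack with the wrong GS.` Also "When user can change the frames" should read "When the user could have changed the frame", matching the wording used at the two jump sites below.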
47     @@ -254,7 +258,10 @@ sysret_signal:
48     xorl %esi,%esi # oldset -> arg2
49     call ptregscall_common
50     1: movl $_TIF_NEED_RESCHED,%edi
51     - jmp sysret_check
52     + /* Use IRET because user could have changed frame. This
53     + works because ptregscall_common has called FIXUP_TOP_OF_STACK. */
54     + cli
55     + jmp int_with_check
56    
57     badsys:
58     movq $-ENOSYS,RAX-ARGOFFSET(%rsp)
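Review bot: the `cli` added before `jmp int_with_check` is not covered by the comment, which only justifies the IRET path via FIXUP_TOP_OF_STACK; say that int_with_check is entered with interrupts disabled, otherwise the next person to touch this path will see an unexplained `cli` and drop it. Also check that the `movl $_TIF_NEED_RESCHED,%edi` at label `1:` is still consumed on the new path: it was the flag mask for the old `jmp sysret_check`, and if int_with_check reloads %edi itself that instruction is now dead and should go with the jump it served.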
59     @@ -280,7 +287,8 @@ tracesys:
60     call syscall_trace_leave
61     RESTORE_TOP_OF_STACK %rbx
62     RESTORE_REST
63     - jmp ret_from_sys_call
64     + /* Use IRET because user could have changed frame */
65     + jmp int_ret_from_sys_call
66     CFI_ENDPROC
67    
68     /*
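Review bot: this hunk jumps to int_ret_from_sys_call with no `cli`, whereas the sysret_signal hunk above adds a `cli` before its jump to int_with_check; that is only consistent if int_ret_from_sys_call disables interrupts itself before reaching the same checks, so state that in the comment (or add the `cli`) so the two call sites visibly agree. The comment "user could have changed frame" should also say how: on this path it is the tracer that can have rewritten the registers during syscall_trace_leave, a different actor from the signal case, and naming it makes clear why RESTORE_TOP_OF_STACK %rbx alone is not enough.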
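What "uncanonical" means in the commit message above, as an added example that is not part of the patch or of the kernel's own code: an x86-64 address is canonical when every bit above the implemented virtual-address width is a copy of the highest implemented bit, and SYSRET faults on a return address outside that range. The check below is the editor's own; it takes the width as a parameter (48 bits on the CPUs this patch targets; the 57-bit case for 5-level paging is an assumption added here), reports the non-canonical hole that a user-supplied RIP can fall into, and encodes the policy the patch applies: a frame the user could have changed always goes back through IRET.

```c
/* Added example: canonical-address check for x86-64 return addresses.
 * Not part of the patch or of the kernel; the function names are the
 * editor's own. */
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Implemented virtual-address width. 48 bits on the EM64T/AMD64 CPUs this
 * patch targets (4-level paging). 57 bits is an assumption added here to
 * cover 5-level paging on later CPUs; nothing on the page mentions it. */
#define VA_BITS_4LEVEL 48u
#define VA_BITS_5LEVEL 57u

/* An address is canonical when bits [63:vabits-1] are all equal, i.e. the
 * top (64 - vabits + 1) bits are either all 0 (user half) or all 1 (kernel
 * half). Shifting right, rather than sign-extending, keeps this portable. */
static bool is_canonical(uint64_t addr, unsigned vabits)
{
    uint64_t high = addr >> (vabits - 1);            /* bits 63..vabits-1 */
    uint64_t all_ones = UINT64_MAX >> (vabits - 1);  /* same width, all set */
    return high == 0 || high == all_ones;
}

/* The non-canonical hole is [2^(vabits-1), 2^64 - 2^(vabits-1) - 1]. */
static void canonical_hole(unsigned vabits, uint64_t *lo, uint64_t *hi)
{
    *lo = (uint64_t)1 << (vabits - 1);
    *hi = UINT64_MAX - *lo;
}

/* Return-path policy. The patch forces IRET whenever user space (signal
 * frame or ptrace) could have written the frame, regardless of the value.
 * The canonical test on the other branch is the editor's illustration of
 * a value-based policy, not something this patch adds. */
enum return_path { RETURN_SYSRET, RETURN_IRET };

static enum return_path pick_return_path(uint64_t rip, bool user_modified_frame,
                                         unsigned vabits)
{
    if (user_modified_frame)
        return RETURN_IRET;   /* what this patch does unconditionally */
    return is_canonical(rip, vabits) ? RETURN_SYSRET : RETURN_IRET;
}

int main(void)
{
    /* Constructed sample addresses, chosen to sit on the boundaries. */
    static const uint64_t samples[] = {
        0x0000000000401000ull, /* typical user text address */
        0x00007fffffffffffull, /* top of the 48-bit user half */
        0x0000800000000000ull, /* first non-canonical address (48-bit) */
        0xffff7fffffffffffull, /* last non-canonical address (48-bit) */
        0xffff800000000000ull, /* start of the 48-bit kernel half */
        0x0123456789abcdefull, /* garbage RIP as a rewritten frame might carry */
    };
    uint64_t lo, hi;

    canonical_hole(VA_BITS_4LEVEL, &lo, &hi);
    printf("48-bit non-canonical hole: 0x%016llx .. 0x%016llx\n",
           (unsigned long long)lo, (unsigned long long)hi);

    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++)
        printf("0x%016llx  48-bit: %-13s  57-bit: %-13s  return: %s\n",
               (unsigned long long)samples[i],
               is_canonical(samples[i], VA_BITS_4LEVEL) ? "canonical" : "NON-canonical",
               is_canonical(samples[i], VA_BITS_5LEVEL) ? "canonical" : "NON-canonical",
               pick_return_path(samples[i], false, VA_BITS_4LEVEL) == RETURN_SYSRET
                   ? "SYSRET" : "IRET");
    return 0;
}
```

The two boundary samples show why the width matters: 0x0000800000000000 is the first uncanonical address under 48-bit addressing but a perfectly ordinary user address under 57 bits, so a kernel that hard-codes one width gets the other wrong.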
