summaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
authorJosh Boyer <jwboyer@redhat.com>2013-02-18 08:42:21 -0500
committerJosh Boyer <jwboyer@redhat.com>2013-02-18 08:42:21 -0500
commitb8330c970504e660e538fffa698c49a30fcce0ce (patch)
treecb017af734946752266daa9e07e06b0e357775b7
parent8bcc7be947130b235c1216bee8cc5b3ff558059c (diff)
downloadkernel-b8330c970504e660e538fffa698c49a30fcce0ce.tar.gz
kernel-b8330c970504e660e538fffa698c49a30fcce0ce.tar.xz
kernel-b8330c970504e660e538fffa698c49a30fcce0ce.zip
Linux v3.8-rc7-93-gf741656
-rw-r--r--kernel.spec11
-rw-r--r--sources2
-rw-r--r--xen-dont-assume-ds-is-usable-in-xen_iret-for-32-bit-PVOPS.patch131
3 files changed, 5 insertions, 139 deletions
diff --git a/kernel.spec b/kernel.spec
index 259ae73c3..97374a617 100644
--- a/kernel.spec
+++ b/kernel.spec
@@ -95,7 +95,7 @@ Summary: The Linux kernel
# The rc snapshot level
%define rcrev 7
# The git snapshot level
-%define gitrev 3
+%define gitrev 4
# Set rpm version accordingly
%define rpmversion 3.%{upstream_sublevel}.0
%endif
@@ -748,9 +748,6 @@ Patch21249: pstore-Create-a-convenient-mount-point-for-pstore.patch
#rhbz 909591
Patch21255: usb-cypress-supertop.patch
-#rhbz 906309 910848 CVE-2013-0228
-Patch21260: xen-dont-assume-ds-is-usable-in-xen_iret-for-32-bit-PVOPS.patch
-
Patch22000: weird-root-dentry-name-debug.patch
#selinux ptrace child permissions
@@ -1461,9 +1458,6 @@ ApplyPatch ath9k_rx_dma_stop_check.patch
#rhbz 910126
ApplyPatch pstore-Create-a-convenient-mount-point-for-pstore.patch
-#rhbz 906309 910848 CVE-2013-0228
-ApplyPatch xen-dont-assume-ds-is-usable-in-xen_iret-for-32-bit-PVOPS.patch
-
#rhbz 909591
ApplyPatch usb-cypress-supertop.patch
@@ -2322,6 +2316,9 @@ fi
# ||----w |
# || ||
%changelog
+* Mon Feb 18 2013 Josh Boyer <jwboyer@redhat.com> - 3.8.0-0.rc7.git4.1
+- Linux v3.8-rc7-93-gf741656
+
* Thu Feb 14 2013 Josh Boyer <jwboyer@redhat.com> - 3.8.0-0.rc7.git3.1
- Linux v3.8-rc7-73-g323a72d
diff --git a/sources b/sources
index 967752254..d08367aac 100644
--- a/sources
+++ b/sources
@@ -1,3 +1,3 @@
21223369d682bcf44bcdfe1521095983 linux-3.7.tar.xz
8aeeb8d7743d0edfefc87c58118433b0 patch-3.8-rc7.xz
-6388057aad7a86dfb5e74c2f36dbcb9c patch-3.8-rc7-git3.xz
+82367849e606967734522254169e3b1d patch-3.8-rc7-git4.xz
diff --git a/xen-dont-assume-ds-is-usable-in-xen_iret-for-32-bit-PVOPS.patch b/xen-dont-assume-ds-is-usable-in-xen_iret-for-32-bit-PVOPS.patch
deleted file mode 100644
index d3b2b5602..000000000
--- a/xen-dont-assume-ds-is-usable-in-xen_iret-for-32-bit-PVOPS.patch
+++ /dev/null
@@ -1,131 +0,0 @@
-From 13d2b4d11d69a92574a55bfd985cfb0ca77aebdc Mon Sep 17 00:00:00 2001
-From: Jan Beulich <JBeulich@suse.com>
-Date: Thu, 24 Jan 2013 13:11:10 +0000
-Subject: [PATCH] x86/xen: don't assume %ds is usable in xen_iret for 32-bit
- PVOPS.
-
-This fixes CVE-2013-0228 / XSA-42
-
-Drew Jones while working on CVE-2013-0190 found that that unprivileged guest user
-in 32bit PV guest can use to crash the > guest with the panic like this:
-
--------------
-general protection fault: 0000 [#1] SMP
-last sysfs file: /sys/devices/vbd-51712/block/xvda/dev
-Modules linked in: sunrpc ipt_REJECT nf_conntrack_ipv4 nf_defrag_ipv4
-iptable_filter ip_tables ip6t_REJECT nf_conntrack_ipv6 nf_defrag_ipv6
-xt_state nf_conntrack ip6table_filter ip6_tables ipv6 xen_netfront ext4
-mbcache jbd2 xen_blkfront dm_mirror dm_region_hash dm_log dm_mod [last
-unloaded: scsi_wait_scan]
-
-Pid: 1250, comm: r Not tainted 2.6.32-356.el6.i686 #1
-EIP: 0061:[<c0407462>] EFLAGS: 00010086 CPU: 0
-EIP is at xen_iret+0x12/0x2b
-EAX: eb8d0000 EBX: 00000001 ECX: 08049860 EDX: 00000010
-ESI: 00000000 EDI: 003d0f00 EBP: b77f8388 ESP: eb8d1fe0
- DS: 0000 ES: 007b FS: 0000 GS: 00e0 SS: 0069
-Process r (pid: 1250, ti=eb8d0000 task=c2953550 task.ti=eb8d0000)
-Stack:
- 00000000 0027f416 00000073 00000206 b77f8364 0000007b 00000000 00000000
-Call Trace:
-Code: c3 8b 44 24 18 81 4c 24 38 00 02 00 00 8d 64 24 30 e9 03 00 00 00
-8d 76 00 f7 44 24 08 00 00 02 80 75 33 50 b8 00 e0 ff ff 21 e0 <8b> 40
-10 8b 04 85 a0 f6 ab c0 8b 80 0c b0 b3 c0 f6 44 24 0d 02
-EIP: [<c0407462>] xen_iret+0x12/0x2b SS:ESP 0069:eb8d1fe0
-general protection fault: 0000 [#2]
----[ end trace ab0d29a492dcd330 ]---
-Kernel panic - not syncing: Fatal exception
-Pid: 1250, comm: r Tainted: G D ---------------
-2.6.32-356.el6.i686 #1
-Call Trace:
- [<c08476df>] ? panic+0x6e/0x122
- [<c084b63c>] ? oops_end+0xbc/0xd0
- [<c084b260>] ? do_general_protection+0x0/0x210
- [<c084a9b7>] ? error_code+0x73/
--------------
-
-Petr says: "
- I've analysed the bug and I think that xen_iret() cannot cope with
- mangled DS, in this case zeroed out (null selector/descriptor) by either
- xen_failsafe_callback() or RESTORE_REGS because the corresponding LDT
- entry was invalidated by the reproducer. "
-
-Jan took a look at the preliminary patch and came up a fix that solves
-this problem:
-
-"This code gets called after all registers other than those handled by
-IRET got already restored, hence a null selector in %ds or a non-null
-one that got loaded from a code or read-only data descriptor would
-cause a kernel mode fault (with the potential of crashing the kernel
-as a whole, if panic_on_oops is set)."
-
-The way to fix this is to realize that the we can only relay on the
-registers that IRET restores. The two that are guaranteed are the
-%cs and %ss as they are always fixed GDT selectors. Also they are
-inaccessible from user mode - so they cannot be altered. This is
-the approach taken in this patch.
-
-Another alternative option suggested by Jan would be to relay on
-the subtle realization that using the %ebp or %esp relative references uses
-the %ss segment. In which case we could switch from using %eax to %ebp and
-would not need the %ss over-rides. That would also require one extra
-instruction to compensate for the one place where the register is used
-as scaled index. However Andrew pointed out that is too subtle and if
-further work was to be done in this code-path it could escape folks attention
-and lead to accidents.
-
-Reviewed-by: Petr Matousek <pmatouse@redhat.com>
-Reported-by: Petr Matousek <pmatouse@redhat.com>
-Reviewed-by: Andrew Cooper <andrew.cooper3@citrix.com>
-Signed-off-by: Jan Beulich <jbeulich@suse.com>
-Signed-off-by: Konrad Rzeszutek Wilk <konrad.wilk@oracle.com>
----
- arch/x86/xen/xen-asm_32.S | 14 +++++++-------
- 1 files changed, 7 insertions(+), 7 deletions(-)
-
-diff --git a/arch/x86/xen/xen-asm_32.S b/arch/x86/xen/xen-asm_32.S
-index f9643fc..33ca6e4 100644
---- a/arch/x86/xen/xen-asm_32.S
-+++ b/arch/x86/xen/xen-asm_32.S
-@@ -89,11 +89,11 @@ ENTRY(xen_iret)
- */
- #ifdef CONFIG_SMP
- GET_THREAD_INFO(%eax)
-- movl TI_cpu(%eax), %eax
-- movl __per_cpu_offset(,%eax,4), %eax
-- mov xen_vcpu(%eax), %eax
-+ movl %ss:TI_cpu(%eax), %eax
-+ movl %ss:__per_cpu_offset(,%eax,4), %eax
-+ mov %ss:xen_vcpu(%eax), %eax
- #else
-- movl xen_vcpu, %eax
-+ movl %ss:xen_vcpu, %eax
- #endif
-
- /* check IF state we're restoring */
-@@ -106,11 +106,11 @@ ENTRY(xen_iret)
- * resuming the code, so we don't have to be worried about
- * being preempted to another CPU.
- */
-- setz XEN_vcpu_info_mask(%eax)
-+ setz %ss:XEN_vcpu_info_mask(%eax)
- xen_iret_start_crit:
-
- /* check for unmasked and pending */
-- cmpw $0x0001, XEN_vcpu_info_pending(%eax)
-+ cmpw $0x0001, %ss:XEN_vcpu_info_pending(%eax)
-
- /*
- * If there's something pending, mask events again so we can
-@@ -118,7 +118,7 @@ xen_iret_start_crit:
- * touch XEN_vcpu_info_mask.
- */
- jne 1f
-- movb $1, XEN_vcpu_info_mask(%eax)
-+ movb $1, %ss:XEN_vcpu_info_mask(%eax)
-
- 1: popl %eax
-
---
-1.7.7.6
-