From ed12bfb0f64b462b19bc2cf310de73b6fef932b8 Mon Sep 17 00:00:00 2001
From: Josh Boyer <jwboyer@fedoraproject.org>
Date: Tue, 29 Mar 2016 14:22:22 -0400
Subject: CVE-2016-3157 xen: priv escalation on 64bit PV domains with io port
 access (rhbz 1315711 1321948)

---
 kernel.spec                                        |  6 ++
 ...64-Properly-context-switch-IOPL-on-Xen-PV.patch | 96 ++++++++++++++++++++++
 2 files changed, 102 insertions(+)
 create mode 100644 x86-iopl-64-Properly-context-switch-IOPL-on-Xen-PV.patch

diff --git a/kernel.spec b/kernel.spec
index 9e54aaa21..09a63d68c 100644
--- a/kernel.spec
+++ b/kernel.spec
@@ -671,6 +671,9 @@ Patch686: input-gtco-fix-crash-on-detecting-device-without-end.patch
 #CVE-2016-3136 rhbz 1317007 1317010
 Patch687: mct_u232-sanity-checking-in-probe.patch
 
+# CVE-2016-3157 rhbz 1315711 1321948
+Patch688: x86-iopl-64-Properly-context-switch-IOPL-on-Xen-PV.patch
+
 # END OF PATCH DEFINITIONS
 
 %endif
@@ -2192,6 +2195,9 @@ fi
 #
 # 
 %changelog
+* Tue Mar 29 2016 Josh Boyer <jwboyer@fedoraproject.org>
+- CVE-2016-3157 xen: priv escalation on 64bit PV domains with io port access (rhbz 1315711 1321948)
+
 * Tue Mar 29 2016 Justin M. Forbes <jforbes@fedoraproject.org>
 - Turn off DEBUG_WX (rhbz 1318599)
 
diff --git a/x86-iopl-64-Properly-context-switch-IOPL-on-Xen-PV.patch b/x86-iopl-64-Properly-context-switch-IOPL-on-Xen-PV.patch
new file mode 100644
index 000000000..38f7bfbb0
--- /dev/null
+++ b/x86-iopl-64-Properly-context-switch-IOPL-on-Xen-PV.patch
@@ -0,0 +1,96 @@
+From b7a584598aea7ca73140cb87b40319944dd3393f Mon Sep 17 00:00:00 2001
+From: Andy Lutomirski <luto@kernel.org>
+Date: Wed, 16 Mar 2016 14:14:21 -0700
+Subject: [PATCH] x86/iopl/64: Properly context-switch IOPL on Xen PV
+
+On Xen PV, regs->flags doesn't reliably reflect IOPL and the
+exit-to-userspace code doesn't change IOPL.  We need to context
+switch it manually.
+
+I'm doing this without going through paravirt because this is
+specific to Xen PV.  After the dust settles, we can merge this with
+the 32-bit code, tidy up the iopl syscall implementation, and remove
+the set_iopl pvop entirely.
+
+Fixes XSA-171.
+
+Reviewewd-by: Jan Beulich <JBeulich@suse.com>
+Signed-off-by: Andy Lutomirski <luto@kernel.org>
+Cc: Andrew Cooper <andrew.cooper3@citrix.com>
+Cc: Andy Lutomirski <luto@amacapital.net>
+Cc: Boris Ostrovsky <boris.ostrovsky@oracle.com>
+Cc: Borislav Petkov <bp@alien8.de>
+Cc: Brian Gerst <brgerst@gmail.com>
+Cc: David Vrabel <david.vrabel@citrix.com>
+Cc: Denys Vlasenko <dvlasenk@redhat.com>
+Cc: H. Peter Anvin <hpa@zytor.com>
+Cc: Jan Beulich <JBeulich@suse.com>
+Cc: Linus Torvalds <torvalds@linux-foundation.org>
+Cc: Peter Zijlstra <peterz@infradead.org>
+Cc: Thomas Gleixner <tglx@linutronix.de>
+Cc: stable@vger.kernel.org
+Link: http://lkml.kernel.org/r/693c3bd7aeb4d3c27c92c622b7d0f554a458173c.1458162709.git.luto@kernel.org
+Signed-off-by: Ingo Molnar <mingo@kernel.org>
+---
+ arch/x86/include/asm/xen/hypervisor.h |  2 ++
+ arch/x86/kernel/process_64.c          | 12 ++++++++++++
+ arch/x86/xen/enlighten.c              |  2 +-
+ 3 files changed, 15 insertions(+), 1 deletion(-)
+
+diff --git a/arch/x86/include/asm/xen/hypervisor.h b/arch/x86/include/asm/xen/hypervisor.h
+index 8b2d4bea9962..39171b3646bb 100644
+--- a/arch/x86/include/asm/xen/hypervisor.h
++++ b/arch/x86/include/asm/xen/hypervisor.h
+@@ -62,4 +62,6 @@ void xen_arch_register_cpu(int num);
+ void xen_arch_unregister_cpu(int num);
+ #endif
+ 
++extern void xen_set_iopl_mask(unsigned mask);
++
+ #endif /* _ASM_X86_XEN_HYPERVISOR_H */
+diff --git a/arch/x86/kernel/process_64.c b/arch/x86/kernel/process_64.c
+index b9d99e0f82c4..9f751876066f 100644
+--- a/arch/x86/kernel/process_64.c
++++ b/arch/x86/kernel/process_64.c
+@@ -48,6 +48,7 @@
+ #include <asm/syscalls.h>
+ #include <asm/debugreg.h>
+ #include <asm/switch_to.h>
++#include <asm/xen/hypervisor.h>
+ 
+ asmlinkage extern void ret_from_fork(void);
+ 
+@@ -411,6 +412,17 @@ __switch_to(struct task_struct *prev_p, struct task_struct *next_p)
+ 		     task_thread_info(prev_p)->flags & _TIF_WORK_CTXSW_PREV))
+ 		__switch_to_xtra(prev_p, next_p, tss);
+ 
++#ifdef CONFIG_XEN
++	/*
++	 * On Xen PV, IOPL bits in pt_regs->flags have no effect, and
++	 * current_pt_regs()->flags may not match the current task's
++	 * intended IOPL.  We need to switch it manually.
++	 */
++	if (unlikely(static_cpu_has(X86_FEATURE_XENPV) &&
++		     prev->iopl != next->iopl))
++		xen_set_iopl_mask(next->iopl);
++#endif
++
+ 	if (static_cpu_has_bug(X86_BUG_SYSRET_SS_ATTRS)) {
+ 		/*
+ 		 * AMD CPUs have a misfeature: SYSRET sets the SS selector but
+diff --git a/arch/x86/xen/enlighten.c b/arch/x86/xen/enlighten.c
+index 2c261082eadf..8381fb990c7f 100644
+--- a/arch/x86/xen/enlighten.c
++++ b/arch/x86/xen/enlighten.c
+@@ -961,7 +961,7 @@ static void xen_load_sp0(struct tss_struct *tss,
+ 	tss->x86_tss.sp0 = thread->sp0;
+ }
+ 
+-static void xen_set_iopl_mask(unsigned mask)
++void xen_set_iopl_mask(unsigned mask)
+ {
+ 	struct physdev_set_iopl set_iopl;
+ 
+-- 
+2.5.5
+
-- 
cgit