[xen] apply patches for CVE-2012-0217, CVE-2012-0218 and CVE-2012-2934
myoung
myoung at fedoraproject.org
Tue Jun 12 19:38:31 UTC 2012
commit a82e36f97081fe9e0490df9b3176c3fc00976abc
Author: Michael Young <m.a.young at durham.ac.uk>
Date: Tue Jun 12 20:37:51 2012 +0100
apply patches for CVE-2012-0217, CVE-2012-0218 and CVE-2012-2934
CVE-2012-0217.patch | 54 ++++++++++++++++++++
CVE-2012-0218.patch | 134 +++++++++++++++++++++++++++++++++++++++++++++++++++
CVE-2012-2934.patch | 60 +++++++++++++++++++++++
xen.spec | 15 +++++-
4 files changed, 262 insertions(+), 1 deletions(-)
---
diff --git a/CVE-2012-0217.patch b/CVE-2012-0217.patch
new file mode 100644
index 0000000..7f6c597
--- /dev/null
+++ b/CVE-2012-0217.patch
@@ -0,0 +1,54 @@
+
+# HG changeset patch
+# User Jan Beulich <JBeulich at suse.com>
+# Date 1339497510 -3600
+# Node ID f08e61b9b33f553b21870d58e7c4f95f2c9ac513
+# Parent 435493696053a079ec17d6e1a63e5f2be3a2c9d0
+x86_64: Do not execute sysret with a non-canonical return address
+
+Check for non-canonical guest RIP before attempting to execute sysret.
+If sysret is executed with a non-canonical value in RCX, Intel CPUs
+take the fault in ring0, but we will necessarily already have switched
+to the the user's stack pointer.
+
+This is a security vulnerability, XSA-7 / CVE-2012-0217.
+
+Signed-off-by: Jan Beulich <JBeulich at suse.com>
+Signed-off-by: Ian Campbell <Ian.Campbell at citrix.com>
+Signed-off-by: Ian Jackson <ian.jackson at eu.citrix.com>
+Acked-by: Keir Fraser <keir.xen at gmail.com>
+Committed-by: Ian Jackson <ian.jackson at eu.citrix.com>
+
+xen-unstable changeset: 25480:76eaf5966c05
+xen-unstable date: Tue Jun 12 11:33:40 2012 +0100
+Committed-by: Ian Jackson <ian.jackson at eu.citrix.com>
+
+diff -r 435493696053 -r f08e61b9b33f xen/arch/x86/x86_64/entry.S
+--- a/xen/arch/x86/x86_64/entry.S Fri May 25 08:18:47 2012 +0100
++++ b/xen/arch/x86/x86_64/entry.S Tue Jun 12 11:38:30 2012 +0100
+@@ -40,6 +40,13 @@ restore_all_guest:
+ testw $TRAP_syscall,4(%rsp)
+ jz iret_exit_to_guest
+
++ /* Don't use SYSRET path if the return address is not canonical. */
++ movq 8(%rsp),%rcx
++ sarq $47,%rcx
++ incl %ecx
++ cmpl $1,%ecx
++ ja .Lforce_iret
++
+ addq $8,%rsp
+ popq %rcx # RIP
+ popq %r11 # CS
+@@ -50,6 +57,10 @@ restore_all_guest:
+ sysretq
+ 1: sysretl
+
++.Lforce_iret:
++ /* Mimic SYSRET behavior. */
++ movq 8(%rsp),%rcx # RIP
++ movq 24(%rsp),%r11 # RFLAGS
+ ALIGN
+ /* No special register assumptions. */
+ iret_exit_to_guest:
+
diff --git a/CVE-2012-0218.patch b/CVE-2012-0218.patch
new file mode 100644
index 0000000..22e13b5
--- /dev/null
+++ b/CVE-2012-0218.patch
@@ -0,0 +1,134 @@
+
+# HG changeset patch
+# User Jan Beulich <JBeulich at suse.com>
+# Date 1339497971 -3600
+# Node ID 0fec1afa463808d91defa43f12cb744d3258a868
+# Parent f08e61b9b33f553b21870d58e7c4f95f2c9ac513
+x86-64: fix #GP generation in assembly code
+
+When guest use of sysenter (64-bit PV guest) or syscall (32-bit PV
+guest) gets converted into a GP fault (due to no callback having got
+registered), we must
+- honor the GP fault handler's request the keep enabled or mask event
+ delivery
+- not allow TBF_EXCEPTION to remain set past the generation of the
+ (guest) exception in the vCPU's trap_bounce.flags, as that would
+ otherwise allow for the next exception occurring in guest mode,
+ should it happen to get handled in Xen itself, to nevertheless get
+ bounced to the guest kernel.
+
+Also, just like compat mode syscall handling already did, native mode
+sysenter handling should, when converting to #GP, subtract 2 from the
+RIP present in the frame so that the guest's GP fault handler would
+see the fault pointing to the offending instruction instead of past it.
+
+Finally, since those exception generating code blocks needed to be
+modified anyway, convert them to make use of UNLIKELY_{START,END}().
+
+[ This bug is security vulnerability, XSA-8 / CVE-2012-0218. ]
+
+Signed-off-by: Jan Beulich <jbeulich at suse.com>
+Acked-by: Keir Fraser <keir at xen.org>
+Committed-by: Jan Beulich <jbeulich at suse.com>
+
+xen-unstable changeset: 25200:80f4113be500 25204:569d6f05e1ef
+Committed-by: Ian Jackson <ian.jackson at eu.citrix.com>
+
+diff -r f08e61b9b33f -r 0fec1afa4638 xen/arch/x86/x86_64/asm-offsets.c
+--- a/xen/arch/x86/x86_64/asm-offsets.c Tue Jun 12 11:38:30 2012 +0100
++++ b/xen/arch/x86/x86_64/asm-offsets.c Tue Jun 12 11:46:11 2012 +0100
+@@ -90,6 +90,8 @@ void __dummy__(void)
+ arch.guest_context.trap_ctxt[TRAP_gp_fault].address);
+ OFFSET(VCPU_gp_fault_sel, struct vcpu,
+ arch.guest_context.trap_ctxt[TRAP_gp_fault].cs);
++ OFFSET(VCPU_gp_fault_flags, struct vcpu,
++ arch.guest_context.trap_ctxt[TRAP_gp_fault].flags);
+ OFFSET(VCPU_kernel_sp, struct vcpu, arch.guest_context.kernel_sp);
+ OFFSET(VCPU_kernel_ss, struct vcpu, arch.guest_context.kernel_ss);
+ OFFSET(VCPU_guest_context_flags, struct vcpu, arch.guest_context.flags);
+diff -r f08e61b9b33f -r 0fec1afa4638 xen/arch/x86/x86_64/compat/entry.S
+--- a/xen/arch/x86/x86_64/compat/entry.S Tue Jun 12 11:38:30 2012 +0100
++++ b/xen/arch/x86/x86_64/compat/entry.S Tue Jun 12 11:46:11 2012 +0100
+@@ -214,6 +214,7 @@ 1: call compat_create_bounce_frame
+ ENTRY(compat_post_handle_exception)
+ testb $TBF_EXCEPTION,TRAPBOUNCE_flags(%rdx)
+ jz compat_test_all_events
++.Lcompat_bounce_exception:
+ call compat_create_bounce_frame
+ movb $0,TRAPBOUNCE_flags(%rdx)
+ jmp compat_test_all_events
+@@ -226,19 +227,20 @@ ENTRY(compat_syscall)
+ leaq VCPU_trap_bounce(%rbx),%rdx
+ testl $~3,%esi
+ leal (,%rcx,TBF_INTERRUPT),%ecx
+- jz 2f
+-1: movq %rax,TRAPBOUNCE_eip(%rdx)
++UNLIKELY_START(z, compat_syscall_gpf)
++ movl $TRAP_gp_fault,UREGS_entry_vector(%rsp)
++ subl $2,UREGS_rip(%rsp)
++ movl $0,TRAPBOUNCE_error_code(%rdx)
++ movl VCPU_gp_fault_addr(%rbx),%eax
++ movzwl VCPU_gp_fault_sel(%rbx),%esi
++ testb $4,VCPU_gp_fault_flags(%rbx)
++ setnz %cl
++ leal TBF_EXCEPTION|TBF_EXCEPTION_ERRCODE(,%rcx,TBF_INTERRUPT),%ecx
++UNLIKELY_END(compat_syscall_gpf)
++ movq %rax,TRAPBOUNCE_eip(%rdx)
+ movw %si,TRAPBOUNCE_cs(%rdx)
+ movb %cl,TRAPBOUNCE_flags(%rdx)
+- call compat_create_bounce_frame
+- jmp compat_test_all_events
+-2: movl $TRAP_gp_fault,UREGS_entry_vector(%rsp)
+- subl $2,UREGS_rip(%rsp)
+- movq VCPU_gp_fault_addr(%rbx),%rax
+- movzwl VCPU_gp_fault_sel(%rbx),%esi
+- movb $(TBF_EXCEPTION|TBF_EXCEPTION_ERRCODE|TBF_INTERRUPT),%cl
+- movl $0,TRAPBOUNCE_error_code(%rdx)
+- jmp 1b
++ jmp .Lcompat_bounce_exception
+
+ ENTRY(compat_sysenter)
+ cmpl $TRAP_gp_fault,UREGS_entry_vector(%rsp)
+diff -r f08e61b9b33f -r 0fec1afa4638 xen/arch/x86/x86_64/entry.S
+--- a/xen/arch/x86/x86_64/entry.S Tue Jun 12 11:38:30 2012 +0100
++++ b/xen/arch/x86/x86_64/entry.S Tue Jun 12 11:46:11 2012 +0100
+@@ -289,19 +289,21 @@ sysenter_eflags_saved:
+ leaq VCPU_trap_bounce(%rbx),%rdx
+ testq %rax,%rax
+ leal (,%rcx,TBF_INTERRUPT),%ecx
+- jz 2f
+-1: movq VCPU_domain(%rbx),%rdi
++UNLIKELY_START(z, sysenter_gpf)
++ movl $TRAP_gp_fault,UREGS_entry_vector(%rsp)
++ subq $2,UREGS_rip(%rsp)
++ movl %eax,TRAPBOUNCE_error_code(%rdx)
++ movq VCPU_gp_fault_addr(%rbx),%rax
++ testb $4,VCPU_gp_fault_flags(%rbx)
++ setnz %cl
++ leal TBF_EXCEPTION|TBF_EXCEPTION_ERRCODE(,%rcx,TBF_INTERRUPT),%ecx
++UNLIKELY_END(sysenter_gpf)
++ movq VCPU_domain(%rbx),%rdi
+ movq %rax,TRAPBOUNCE_eip(%rdx)
+ movb %cl,TRAPBOUNCE_flags(%rdx)
+ testb $1,DOMAIN_is_32bit_pv(%rdi)
+ jnz compat_sysenter
+- call create_bounce_frame
+- jmp test_all_events
+-2: movl %eax,TRAPBOUNCE_error_code(%rdx)
+- movq VCPU_gp_fault_addr(%rbx),%rax
+- movb $(TBF_EXCEPTION|TBF_EXCEPTION_ERRCODE|TBF_INTERRUPT),%cl
+- movl $TRAP_gp_fault,UREGS_entry_vector(%rsp)
+- jmp 1b
++ jmp .Lbounce_exception
+
+ ENTRY(int80_direct_trap)
+ pushq $0
+@@ -493,6 +495,7 @@ 1: movq %rsp,%rdi
+ jnz compat_post_handle_exception
+ testb $TBF_EXCEPTION,TRAPBOUNCE_flags(%rdx)
+ jz test_all_events
++.Lbounce_exception:
+ call create_bounce_frame
+ movb $0,TRAPBOUNCE_flags(%rdx)
+ jmp test_all_events
+
diff --git a/CVE-2012-2934.patch b/CVE-2012-2934.patch
new file mode 100644
index 0000000..4111927
--- /dev/null
+++ b/CVE-2012-2934.patch
@@ -0,0 +1,60 @@
+
+# HG changeset patch
+# User Jan Beulich <JBeulich at suse.com>
+# Date 1339497777 -3600
+# Node ID a9c0a89c08f2a1c92f64f001b653d7c02fbc852c
+# Parent 0fec1afa463808d91defa43f12cb744d3258a868
+x86-64: detect processors subject to AMD erratum #121 and refuse to boot
+
+Processors with this erratum are subject to a DoS attack by unprivileged
+guest users.
+
+This is XSA-9 / CVE-2012-2934.
+
+Signed-off-by: Jan Beulich <JBeulich at suse.com>
+Signed-off-by: Ian Campbell <ian.campbell at citrix.com>
+Committed-by: Ian Jackson <ian.jackson at eu.citrix.com>
+
+xen-unstable changeset: 25481:422880dc94a4
+xen-unstable date: Tue Jun 12 11:33:42 2012 +0100
+Committed-by: Ian Jackson <ian.jackson at eu.citrix.com>
+
+diff -r 0fec1afa4638 -r a9c0a89c08f2 xen/arch/x86/cpu/amd.c
+--- a/xen/arch/x86/cpu/amd.c Tue Jun 12 11:46:11 2012 +0100
++++ b/xen/arch/x86/cpu/amd.c Tue Jun 12 11:42:57 2012 +0100
+@@ -32,6 +32,9 @@
+ static char opt_famrev[14];
+ string_param("cpuid_mask_cpu", opt_famrev);
+
++static int opt_allow_unsafe;
++boolean_param("allow_unsafe", opt_allow_unsafe);
++
+ static inline void wrmsr_amd(unsigned int index, unsigned int lo,
+ unsigned int hi)
+ {
+@@ -620,6 +623,11 @@ static void __devinit init_amd(struct cp
+ clear_bit(X86_FEATURE_MCE, c->x86_capability);
+
+ #ifdef __x86_64__
++ if (cpu_has_amd_erratum(c, AMD_ERRATUM_121) && !opt_allow_unsafe)
++ panic("Xen will not boot on this CPU for security reasons.\n"
++ "Pass \"allow_unsafe\" if you're trusting all your"
++ " (PV) guest kernels.\n");
++
+ /* AMD CPUs do not support SYSENTER outside of legacy mode. */
+ clear_bit(X86_FEATURE_SEP, c->x86_capability);
+
+diff -r 0fec1afa4638 -r a9c0a89c08f2 xen/include/asm-x86/amd.h
+--- a/xen/include/asm-x86/amd.h Tue Jun 12 11:46:11 2012 +0100
++++ b/xen/include/asm-x86/amd.h Tue Jun 12 11:42:57 2012 +0100
+@@ -127,6 +127,9 @@
+ #define AMD_MODEL_RANGE_START(range) (((range) >> 12) & 0xfff)
+ #define AMD_MODEL_RANGE_END(range) ((range) & 0xfff)
+
++#define AMD_ERRATUM_121 \
++ AMD_LEGACY_ERRATUM(AMD_MODEL_RANGE(0x0f, 0x0, 0x0, 0x3f, 0xf))
++
+ #define AMD_ERRATUM_170 \
+ AMD_LEGACY_ERRATUM(AMD_MODEL_RANGE(0x0f, 0x0, 0x0, 0x67, 0xf))
+
+
diff --git a/xen.spec b/xen.spec
index b642825..739ec3c 100644
--- a/xen.spec
+++ b/xen.spec
@@ -20,7 +20,7 @@
Summary: Xen is a virtual machine monitor
Name: xen
Version: 4.1.2
-Release: 19%{?dist}
+Release: 20%{?dist}
Group: Development/Libraries
License: GPLv2+ and LGPLv2+ and BSD
URL: http://xen.org/
@@ -76,6 +76,9 @@ Patch38: xen-backend.rules.patch
Patch39: xend.selinux.setuid.patch
Patch40: pygrub.size.limits.patch
Patch41: xen-4.1-testing.23297.patch
+Patch42: CVE-2012-0217.patch
+Patch43: CVE-2012-0218.patch
+Patch44: CVE-2012-2934.patch
Patch50: upstream-23936:cdb34816a40a-rework
Patch51: upstream-23937:5173834e8476
@@ -243,6 +246,9 @@ manage Xen virtual machines.
%patch39 -p1
%patch40 -p1
%patch41 -p1
+%patch42 -p1
+%patch43 -p1
+%patch44 -p1
%patch50 -p1
%patch51 -p1
@@ -707,6 +713,13 @@ rm -rf %{buildroot}
%endif
%changelog
+* Tue Jun 12 2012 Michael Young <m.a.young at durham.ac.uk> - 4.1.2-20
+- Apply three security patches
+ 64-bit PV guest privilege escalation vulnerability [CVE-2012-0217]
+ guest denial of service on syscall/sysenter exception generation
+ [CVE-2012-0218]
+ PV guest host Denial of Service [CVE-2012-2934]
+
* Sat Jun 09 2012 Michael Young <m.a.young at durham.ac.uk> - 4.1.2-19
- adjust xend.service systemd file to avoid selinux problems
More information about the scm-commits
mailing list