[xen/f16] apply patches for CVE-2012-2625, CVE-2012-0217, CVE-2012-0218 and CVE-2012-2934
myoung
myoung at fedoraproject.org
Wed Jun 13 19:06:17 UTC 2012
commit b5a850d5dd59579ac80c80371d25926b12bb1dd2
Author: Michael Young <m.a.young at durham.ac.uk>
Date: Wed Jun 13 20:05:23 2012 +0100
apply patches for CVE-2012-2625, CVE-2012-0217, CVE-2012-0218 and CVE-2012-2934
CVE-2012-0217.patch | 54 ++++++++++++++++++
CVE-2012-0218.patch | 134 ++++++++++++++++++++++++++++++++++++++++++++++
CVE-2012-2934.patch | 60 ++++++++++++++++++++
pygrub.size.limits.patch | 80 +++++++++++++++++++++++++++
xen.spec | 17 ++++++-
5 files changed, 344 insertions(+), 1 deletions(-)
---
diff --git a/CVE-2012-0217.patch b/CVE-2012-0217.patch
new file mode 100644
index 0000000..7f6c597
--- /dev/null
+++ b/CVE-2012-0217.patch
@@ -0,0 +1,54 @@
+
+# HG changeset patch
+# User Jan Beulich <JBeulich at suse.com>
+# Date 1339497510 -3600
+# Node ID f08e61b9b33f553b21870d58e7c4f95f2c9ac513
+# Parent 435493696053a079ec17d6e1a63e5f2be3a2c9d0
+x86_64: Do not execute sysret with a non-canonical return address
+
+Check for non-canonical guest RIP before attempting to execute sysret.
+If sysret is executed with a non-canonical value in RCX, Intel CPUs
+take the fault in ring0, but we will necessarily already have switched
+to the the user's stack pointer.
+
+This is a security vulnerability, XSA-7 / CVE-2012-0217.
+
+Signed-off-by: Jan Beulich <JBeulich at suse.com>
+Signed-off-by: Ian Campbell <Ian.Campbell at citrix.com>
+Signed-off-by: Ian Jackson <ian.jackson at eu.citrix.com>
+Acked-by: Keir Fraser <keir.xen at gmail.com>
+Committed-by: Ian Jackson <ian.jackson at eu.citrix.com>
+
+xen-unstable changeset: 25480:76eaf5966c05
+xen-unstable date: Tue Jun 12 11:33:40 2012 +0100
+Committed-by: Ian Jackson <ian.jackson at eu.citrix.com>
+
+diff -r 435493696053 -r f08e61b9b33f xen/arch/x86/x86_64/entry.S
+--- a/xen/arch/x86/x86_64/entry.S Fri May 25 08:18:47 2012 +0100
++++ b/xen/arch/x86/x86_64/entry.S Tue Jun 12 11:38:30 2012 +0100
+@@ -40,6 +40,13 @@ restore_all_guest:
+ testw $TRAP_syscall,4(%rsp)
+ jz iret_exit_to_guest
+
++ /* Don't use SYSRET path if the return address is not canonical. */
++ movq 8(%rsp),%rcx
++ sarq $47,%rcx
++ incl %ecx
++ cmpl $1,%ecx
++ ja .Lforce_iret
++
+ addq $8,%rsp
+ popq %rcx # RIP
+ popq %r11 # CS
+@@ -50,6 +57,10 @@ restore_all_guest:
+ sysretq
+ 1: sysretl
+
++.Lforce_iret:
++ /* Mimic SYSRET behavior. */
++ movq 8(%rsp),%rcx # RIP
++ movq 24(%rsp),%r11 # RFLAGS
+ ALIGN
+ /* No special register assumptions. */
+ iret_exit_to_guest:
+
diff --git a/CVE-2012-0218.patch b/CVE-2012-0218.patch
new file mode 100644
index 0000000..22e13b5
--- /dev/null
+++ b/CVE-2012-0218.patch
@@ -0,0 +1,134 @@
+
+# HG changeset patch
+# User Jan Beulich <JBeulich at suse.com>
+# Date 1339497971 -3600
+# Node ID 0fec1afa463808d91defa43f12cb744d3258a868
+# Parent f08e61b9b33f553b21870d58e7c4f95f2c9ac513
+x86-64: fix #GP generation in assembly code
+
+When guest use of sysenter (64-bit PV guest) or syscall (32-bit PV
+guest) gets converted into a GP fault (due to no callback having got
+registered), we must
+- honor the GP fault handler's request the keep enabled or mask event
+ delivery
+- not allow TBF_EXCEPTION to remain set past the generation of the
+ (guest) exception in the vCPU's trap_bounce.flags, as that would
+ otherwise allow for the next exception occurring in guest mode,
+ should it happen to get handled in Xen itself, to nevertheless get
+ bounced to the guest kernel.
+
+Also, just like compat mode syscall handling already did, native mode
+sysenter handling should, when converting to #GP, subtract 2 from the
+RIP present in the frame so that the guest's GP fault handler would
+see the fault pointing to the offending instruction instead of past it.
+
+Finally, since those exception generating code blocks needed to be
+modified anyway, convert them to make use of UNLIKELY_{START,END}().
+
+[ This bug is security vulnerability, XSA-8 / CVE-2012-0218. ]
+
+Signed-off-by: Jan Beulich <jbeulich at suse.com>
+Acked-by: Keir Fraser <keir at xen.org>
+Committed-by: Jan Beulich <jbeulich at suse.com>
+
+xen-unstable changeset: 25200:80f4113be500 25204:569d6f05e1ef
+Committed-by: Ian Jackson <ian.jackson at eu.citrix.com>
+
+diff -r f08e61b9b33f -r 0fec1afa4638 xen/arch/x86/x86_64/asm-offsets.c
+--- a/xen/arch/x86/x86_64/asm-offsets.c Tue Jun 12 11:38:30 2012 +0100
++++ b/xen/arch/x86/x86_64/asm-offsets.c Tue Jun 12 11:46:11 2012 +0100
+@@ -90,6 +90,8 @@ void __dummy__(void)
+ arch.guest_context.trap_ctxt[TRAP_gp_fault].address);
+ OFFSET(VCPU_gp_fault_sel, struct vcpu,
+ arch.guest_context.trap_ctxt[TRAP_gp_fault].cs);
++ OFFSET(VCPU_gp_fault_flags, struct vcpu,
++ arch.guest_context.trap_ctxt[TRAP_gp_fault].flags);
+ OFFSET(VCPU_kernel_sp, struct vcpu, arch.guest_context.kernel_sp);
+ OFFSET(VCPU_kernel_ss, struct vcpu, arch.guest_context.kernel_ss);
+ OFFSET(VCPU_guest_context_flags, struct vcpu, arch.guest_context.flags);
+diff -r f08e61b9b33f -r 0fec1afa4638 xen/arch/x86/x86_64/compat/entry.S
+--- a/xen/arch/x86/x86_64/compat/entry.S Tue Jun 12 11:38:30 2012 +0100
++++ b/xen/arch/x86/x86_64/compat/entry.S Tue Jun 12 11:46:11 2012 +0100
+@@ -214,6 +214,7 @@ 1: call compat_create_bounce_frame
+ ENTRY(compat_post_handle_exception)
+ testb $TBF_EXCEPTION,TRAPBOUNCE_flags(%rdx)
+ jz compat_test_all_events
++.Lcompat_bounce_exception:
+ call compat_create_bounce_frame
+ movb $0,TRAPBOUNCE_flags(%rdx)
+ jmp compat_test_all_events
+@@ -226,19 +227,20 @@ ENTRY(compat_syscall)
+ leaq VCPU_trap_bounce(%rbx),%rdx
+ testl $~3,%esi
+ leal (,%rcx,TBF_INTERRUPT),%ecx
+- jz 2f
+-1: movq %rax,TRAPBOUNCE_eip(%rdx)
++UNLIKELY_START(z, compat_syscall_gpf)
++ movl $TRAP_gp_fault,UREGS_entry_vector(%rsp)
++ subl $2,UREGS_rip(%rsp)
++ movl $0,TRAPBOUNCE_error_code(%rdx)
++ movl VCPU_gp_fault_addr(%rbx),%eax
++ movzwl VCPU_gp_fault_sel(%rbx),%esi
++ testb $4,VCPU_gp_fault_flags(%rbx)
++ setnz %cl
++ leal TBF_EXCEPTION|TBF_EXCEPTION_ERRCODE(,%rcx,TBF_INTERRUPT),%ecx
++UNLIKELY_END(compat_syscall_gpf)
++ movq %rax,TRAPBOUNCE_eip(%rdx)
+ movw %si,TRAPBOUNCE_cs(%rdx)
+ movb %cl,TRAPBOUNCE_flags(%rdx)
+- call compat_create_bounce_frame
+- jmp compat_test_all_events
+-2: movl $TRAP_gp_fault,UREGS_entry_vector(%rsp)
+- subl $2,UREGS_rip(%rsp)
+- movq VCPU_gp_fault_addr(%rbx),%rax
+- movzwl VCPU_gp_fault_sel(%rbx),%esi
+- movb $(TBF_EXCEPTION|TBF_EXCEPTION_ERRCODE|TBF_INTERRUPT),%cl
+- movl $0,TRAPBOUNCE_error_code(%rdx)
+- jmp 1b
++ jmp .Lcompat_bounce_exception
+
+ ENTRY(compat_sysenter)
+ cmpl $TRAP_gp_fault,UREGS_entry_vector(%rsp)
+diff -r f08e61b9b33f -r 0fec1afa4638 xen/arch/x86/x86_64/entry.S
+--- a/xen/arch/x86/x86_64/entry.S Tue Jun 12 11:38:30 2012 +0100
++++ b/xen/arch/x86/x86_64/entry.S Tue Jun 12 11:46:11 2012 +0100
+@@ -289,19 +289,21 @@ sysenter_eflags_saved:
+ leaq VCPU_trap_bounce(%rbx),%rdx
+ testq %rax,%rax
+ leal (,%rcx,TBF_INTERRUPT),%ecx
+- jz 2f
+-1: movq VCPU_domain(%rbx),%rdi
++UNLIKELY_START(z, sysenter_gpf)
++ movl $TRAP_gp_fault,UREGS_entry_vector(%rsp)
++ subq $2,UREGS_rip(%rsp)
++ movl %eax,TRAPBOUNCE_error_code(%rdx)
++ movq VCPU_gp_fault_addr(%rbx),%rax
++ testb $4,VCPU_gp_fault_flags(%rbx)
++ setnz %cl
++ leal TBF_EXCEPTION|TBF_EXCEPTION_ERRCODE(,%rcx,TBF_INTERRUPT),%ecx
++UNLIKELY_END(sysenter_gpf)
++ movq VCPU_domain(%rbx),%rdi
+ movq %rax,TRAPBOUNCE_eip(%rdx)
+ movb %cl,TRAPBOUNCE_flags(%rdx)
+ testb $1,DOMAIN_is_32bit_pv(%rdi)
+ jnz compat_sysenter
+- call create_bounce_frame
+- jmp test_all_events
+-2: movl %eax,TRAPBOUNCE_error_code(%rdx)
+- movq VCPU_gp_fault_addr(%rbx),%rax
+- movb $(TBF_EXCEPTION|TBF_EXCEPTION_ERRCODE|TBF_INTERRUPT),%cl
+- movl $TRAP_gp_fault,UREGS_entry_vector(%rsp)
+- jmp 1b
++ jmp .Lbounce_exception
+
+ ENTRY(int80_direct_trap)
+ pushq $0
+@@ -493,6 +495,7 @@ 1: movq %rsp,%rdi
+ jnz compat_post_handle_exception
+ testb $TBF_EXCEPTION,TRAPBOUNCE_flags(%rdx)
+ jz test_all_events
++.Lbounce_exception:
+ call create_bounce_frame
+ movb $0,TRAPBOUNCE_flags(%rdx)
+ jmp test_all_events
+
diff --git a/CVE-2012-2934.patch b/CVE-2012-2934.patch
new file mode 100644
index 0000000..4111927
--- /dev/null
+++ b/CVE-2012-2934.patch
@@ -0,0 +1,60 @@
+
+# HG changeset patch
+# User Jan Beulich <JBeulich at suse.com>
+# Date 1339497777 -3600
+# Node ID a9c0a89c08f2a1c92f64f001b653d7c02fbc852c
+# Parent 0fec1afa463808d91defa43f12cb744d3258a868
+x86-64: detect processors subject to AMD erratum #121 and refuse to boot
+
+Processors with this erratum are subject to a DoS attack by unprivileged
+guest users.
+
+This is XSA-9 / CVE-2012-2934.
+
+Signed-off-by: Jan Beulich <JBeulich at suse.com>
+Signed-off-by: Ian Campbell <ian.campbell at citrix.com>
+Committed-by: Ian Jackson <ian.jackson at eu.citrix.com>
+
+xen-unstable changeset: 25481:422880dc94a4
+xen-unstable date: Tue Jun 12 11:33:42 2012 +0100
+Committed-by: Ian Jackson <ian.jackson at eu.citrix.com>
+
+diff -r 0fec1afa4638 -r a9c0a89c08f2 xen/arch/x86/cpu/amd.c
+--- a/xen/arch/x86/cpu/amd.c Tue Jun 12 11:46:11 2012 +0100
++++ b/xen/arch/x86/cpu/amd.c Tue Jun 12 11:42:57 2012 +0100
+@@ -32,6 +32,9 @@
+ static char opt_famrev[14];
+ string_param("cpuid_mask_cpu", opt_famrev);
+
++static int opt_allow_unsafe;
++boolean_param("allow_unsafe", opt_allow_unsafe);
++
+ static inline void wrmsr_amd(unsigned int index, unsigned int lo,
+ unsigned int hi)
+ {
+@@ -620,6 +623,11 @@ static void __devinit init_amd(struct cp
+ clear_bit(X86_FEATURE_MCE, c->x86_capability);
+
+ #ifdef __x86_64__
++ if (cpu_has_amd_erratum(c, AMD_ERRATUM_121) && !opt_allow_unsafe)
++ panic("Xen will not boot on this CPU for security reasons.\n"
++ "Pass \"allow_unsafe\" if you're trusting all your"
++ " (PV) guest kernels.\n");
++
+ /* AMD CPUs do not support SYSENTER outside of legacy mode. */
+ clear_bit(X86_FEATURE_SEP, c->x86_capability);
+
+diff -r 0fec1afa4638 -r a9c0a89c08f2 xen/include/asm-x86/amd.h
+--- a/xen/include/asm-x86/amd.h Tue Jun 12 11:46:11 2012 +0100
++++ b/xen/include/asm-x86/amd.h Tue Jun 12 11:42:57 2012 +0100
+@@ -127,6 +127,9 @@
+ #define AMD_MODEL_RANGE_START(range) (((range) >> 12) & 0xfff)
+ #define AMD_MODEL_RANGE_END(range) ((range) & 0xfff)
+
++#define AMD_ERRATUM_121 \
++ AMD_LEGACY_ERRATUM(AMD_MODEL_RANGE(0x0f, 0x0, 0x0, 0x3f, 0xf))
++
+ #define AMD_ERRATUM_170 \
+ AMD_LEGACY_ERRATUM(AMD_MODEL_RANGE(0x0f, 0x0, 0x0, 0x67, 0xf))
+
+
diff --git a/pygrub.size.limits.patch b/pygrub.size.limits.patch
new file mode 100644
index 0000000..af2ff7c
--- /dev/null
+++ b/pygrub.size.limits.patch
@@ -0,0 +1,80 @@
+Make pygrub cope better with big files in the guest.
+Only read the first megabyte of a configuration file (grub etc.)
+Read the kernel and ramdisk files from the guest in one megabyte pieces
+so pygrub doesn't grow too large if they are large.
+If there are problems writing the temporary copies of the kernel and ramdisk
+files delete them and exit.
+
+Signed-off-by: Michael Young <m.a.young at durham.ac.uk>
+
+--- xen-4.2.0/tools/pygrub/src/pygrub.orig 2012-05-12 16:40:48.000000000 +0100
++++ xen-4.2.0/tools/pygrub/src/pygrub
+@@ -28,6 +28,7 @@
+ import grub.ExtLinuxConf
+
+ PYGRUB_VER = 0.6
++fs_read_max=1048576
+
+ def enable_cursor(ison):
+ if ison:
+@@ -448,7 +449,8 @@
+ if self.__dict__.get('cf', None) is None:
+ raise RuntimeError, "couldn't find bootloader config file in the image provided."
+ f = fs.open_file(self.cf.filename)
+- buf = f.read()
++ # limit read size to avoid pathological cases
++ buf = f.read(fs_read_max)
+ del f
+ self.cf.parse(buf)
+
+@@ -824,21 +826,46 @@
+ if not_really:
+ bootcfg["kernel"] = "<kernel:%s>" % chosencfg["kernel"]
+ else:
+- data = fs.open_file(chosencfg["kernel"]).read()
++ datafile = fs.open_file(chosencfg["kernel"])
+ (tfd, bootcfg["kernel"]) = tempfile.mkstemp(prefix="boot_kernel.",
+ dir=output_directory)
+- os.write(tfd, data)
++ dataoff=0
++ data=datafile.read(fs_read_max)
++ while len(data)>0:
++ try:
++ os.write(tfd, data)
++ except:
++ print "error writing temporary copy of kernel"
++ os.close(tfd)
++ os.unlink(bootcfg["kernel"])
++ sys.exit(1)
++ dataoff+=len(data)
++ data=datafile.read(fs_read_max,dataoff)
+ os.close(tfd)
++ del datafile
+
+ if chosencfg["ramdisk"]:
+ if not_really:
+ bootcfg["ramdisk"] = "<ramdisk:%s>" % chosencfg["ramdisk"]
+ else:
+- data = fs.open_file(chosencfg["ramdisk"],).read()
++ datafile = fs.open_file(chosencfg["ramdisk"],)
+ (tfd, bootcfg["ramdisk"]) = tempfile.mkstemp(
+ prefix="boot_ramdisk.", dir=output_directory)
+- os.write(tfd, data)
++ dataoff=0
++ data=datafile.read(fs_read_max)
++ while len(data)>0:
++ try:
++ os.write(tfd, data)
++ except:
++ print "error writing temporary copy of ramdisk"
++ os.close(tfd)
++ os.unlink(bootcfg["ramdisk"])
++ os.unlink(bootcfg["kernel"])
++ sys.exit(1)
++ dataoff+=len(data)
++ data=datafile.read(fs_read_max,dataoff)
+ os.close(tfd)
++ del datafile
+ else:
+ initrd = None
+
diff --git a/xen.spec b/xen.spec
index 7c4eef2..c5d1ad3 100644
--- a/xen.spec
+++ b/xen.spec
@@ -10,7 +10,7 @@
Summary: Xen is a virtual machine monitor
Name: xen
Version: 4.1.2
-Release: 7%{?dist}
+Release: 8%{?dist}
Group: Development/Libraries
License: GPLv2+ and LGPLv2+ and BSD
URL: http://xen.org/
@@ -58,6 +58,10 @@ Patch35: xend-pci-loop.patch
Patch36: localgcc47fix.patch
Patch37: qemu-xen-4.1-testing.git-3cf61880403b4e484539596a95937cc066243388.patch
Patch38: xen-backend.rules.patch
+Patch39: pygrub.size.limits.patch
+Patch40: CVE-2012-0217.patch
+Patch41: CVE-2012-0218.patch
+Patch42: CVE-2012-2934.patch
Patch50: upstream-23936:cdb34816a40a-rework
Patch51: upstream-23937:5173834e8476
@@ -222,6 +226,10 @@ manage Xen virtual machines.
%patch36 -p1
%patch37 -p1
%patch38 -p1
+%patch39 -p1
+%patch40 -p1
+%patch41 -p1
+%patch42 -p1
%patch50 -p1
%patch51 -p1
@@ -634,6 +642,13 @@ rm -rf %{buildroot}
%endif
%changelog
+* Wed Jun 13 2012 Michael Young <m.a.young at durham.ac.uk> - 4.1.2-8
+- make pygrub cope better with big files from guest (#818412 CVE-2012-2625)
+- 64-bit PV guest privilege escalation vulnerability [CVE-2012-0217]
+- guest denial of service on syscall/sysenter exception generation
+ [CVE-2012-0218]
+- PV guest host Denial of Service [CVE-2012-2934]
+
* Tue May 08 2012 Michael Young <m.a.young at durham.ac.uk> - 4.1.2-7
- Make the udev tap rule more specific as it breaks openvpn (#819452)
- load xen-acpi-processor module (kernel 3.4 onwards) if present
More information about the scm-commits
mailing list