[kernel/f17] Fix for CVE-2013-0190 xen corruption with 32bit pvops (rhbz 896051 896038)
Justin M. Forbes
jforbes at fedoraproject.org
Wed Jan 16 16:09:23 UTC 2013
commit 32a943ee1f238fc7b0daecda70a6c4c06c8730c1
Author: Justin M. Forbes <jforbes at redhat.com>
Date: Wed Jan 16 10:03:38 2013 -0600
Fix for CVE-2013-0190 xen corruption with 32bit pvops (rhbz 896051 896038)
ext4-set-bg_itable_unused-when-resizing.patch | 26 ++++++++
kernel.spec | 17 +++++-
...stack-corruption-in-xen_failsafe_callback.patch | 62 ++++++++++++++++++++
3 files changed, 104 insertions(+), 1 deletions(-)
---
diff --git a/ext4-set-bg_itable_unused-when-resizing.patch b/ext4-set-bg_itable_unused-when-resizing.patch
new file mode 100644
index 0000000..bd7bc44
--- /dev/null
+++ b/ext4-set-bg_itable_unused-when-resizing.patch
@@ -0,0 +1,26 @@
+commit 93f9052643409c13b3b5f76833865087351f55b8
+Author: Theodore Ts'o <tytso at mit.edu>
+Date: Wed Sep 12 14:32:42 2012 -0400
+
+ ext4: set bg_itable_unused when resizing
+
+ Set bg_itable_unused for file systems that have uninit_bg enabled.
+ This will speed up the first e2fsck run after the file system is
+ resized.
+
+ Signed-off-by: "Theodore Ts'o" <tytso at mit.edu>
+
+diff --git a/fs/ext4/resize.c b/fs/ext4/resize.c
+index 7adc088..a5be589 100644
+--- a/fs/ext4/resize.c
++++ b/fs/ext4/resize.c
+@@ -1268,6 +1268,9 @@ static int ext4_setup_new_descs(handle_t *handle, struct super_block *sb,
+ ext4_free_group_clusters_set(sb, gdp,
+ EXT4_B2C(sbi, group_data->free_blocks_count));
+ ext4_free_inodes_set(sb, gdp, EXT4_INODES_PER_GROUP(sb));
++ if (ext4_has_group_desc_csum(sb))
++ ext4_itable_unused_set(sb, gdp,
++ EXT4_INODES_PER_GROUP(sb));
+ gdp->bg_flags = cpu_to_le16(*bg_flags);
+ ext4_group_desc_csum_set(sb, group, gdp);
+
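Review bot: the header scopes the change to "file systems that have uninit_bg enabled", but the guard added in the hunk is ext4_has_group_desc_csum(sb), the group-descriptor checksum feature test, so the prose and the code describe the condition in different terms; a one-line comment above the new `if` (or a sentence in the header) saying that bg_itable_unused is only meaningful when descriptor checksums are in use would stop a later backporter from "correcting" the condition to a narrower feature check. The ordering is right as posted: the new ext4_itable_unused_set() call lands before the existing ext4_group_desc_csum_set(sb, group, gdp), so the checksum covers the field it just wrote, and initialising it to EXT4_INODES_PER_GROUP(sb) matches the ext4_free_inodes_set() line directly above for a freshly added group with no inodes in use. As carried here the patch file itself has no reference to rhbz 852833; that lives only in kernel.spec, so consider a Bugzilla line under the upstream header.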
diff --git a/kernel.spec b/kernel.spec
index 2a40895..e7ba8ae 100644
--- a/kernel.spec
+++ b/kernel.spec
@@ -54,7 +54,7 @@ Summary: The Linux kernel
# For non-released -rc kernels, this will be appended after the rcX and
# gitX tags, so a 3 here would become part of release "0.rcX.gitX.3"
#
-%global baserelease 7
+%global baserelease 8
%global fedora_build %{baserelease}
# base_sublevel is the kernel version we're starting with and patching
@@ -799,6 +799,12 @@ Patch21240: ACPI-do-not-use-Lid-and-Sleep-button-for-S5-wakeup.patch
#rhbz 886946
Patch21241: iwlegacy-fix-IBSS-cleanup.patch
+#rhbz 852833
+Patch21245: ext4-set-bg_itable_unused-when-resizing.patch
+
+#rhbz 896051 896038 CVE-2013-0190
+Patch21250: xen-fix-stack-corruption-in-xen_failsafe_callback.patch
+
# END OF PATCH DEFINITIONS
%endif
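Review bot: the spec comments carry only bug numbers, so the distinction the changelog draws between a security fix and a resize2fs convenience fix is invisible at the `Patch21245:` definition; tagging Patch21250 with `CVE-2013-0190` in the comment is the right call, and the same comment text should be kept verbatim on the matching ApplyPatch lines so the two blocks stay greppable together. The jump from Patch21241 to Patch21245 and Patch21250 is harmless as long as the ApplyPatch order below follows the definition order here.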
@@ -1552,6 +1558,11 @@ ApplyPatch ACPI-do-not-use-Lid-and-Sleep-button-for-S5-wakeup.patch
#rhbz 886946
ApplyPatch iwlegacy-fix-IBSS-cleanup.patch
+#rhbz 852833
+ApplyPatch ext4-set-bg_itable_unused-when-resizing.patch
+
+#rhbz 896051 896038 CVE-2013-0190
+ApplyPatch xen-fix-stack-corruption-in-xen_failsafe_callback.patch
# END OF PATCH APPLICATIONS
@@ -2416,6 +2427,10 @@ fi
# '-' | |
# '-'
%changelog
+* Wed Jan 16 2013 Justin M. Forbes <jforbes at redhat.com>
+- Fix for CVE-2013-0190 xen corruption with 32bit pvops (rhbz 896051 896038)
+- Fix resize2fs issue with ext4 (rhbz 852833)
+
* Wed Jan 16 2013 Josh Boyer <jwboyer at redhat.com>
- Add patch from Stanislaw Gruszka to fix iwlegacy IBSS cleanup (rhbz 886946)
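Review bot: the changelog line for rhbz 852833 ("Fix resize2fs issue with ext4") does not say what changed; the backported commit's own subject, "ext4: set bg_itable_unused when resizing", names the field and the header gives the effect (a faster first e2fsck after a resize), and carrying that wording here would let someone reading %changelog judge whether the fix matters to them without opening the patch file. Placing the new entry above Josh Boyer's same-day entry is the correct order.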
diff --git a/xen-fix-stack-corruption-in-xen_failsafe_callback.patch b/xen-fix-stack-corruption-in-xen_failsafe_callback.patch
new file mode 100644
index 0000000..9d83ea0
--- /dev/null
+++ b/xen-fix-stack-corruption-in-xen_failsafe_callback.patch
@@ -0,0 +1,62 @@
+From 38174c8c07ad638cd18285ba402b59076849dc21 Mon Sep 17 00:00:00 2001
+From: Andrew Cooper <andrew.cooper3 at citrix.com>
+Date: Thu, 10 Jan 2013 17:16:30 +0000
+Subject: [PATCH] xen: Fix stack corruption in xen_failsafe_callback for 32bit PVOPS guests.
+
+There has been an error on the xen_failsafe_callback path for failed
+iret, which causes the stack pointer to be wrong when entering the
+iret_exc error path. This can result in the kernel crashing.
+
+In the classic kernel case, the relevant code looked a little like:
+
+ popl %eax # Error code from hypervisor
+ jz 5f
+ addl $16,%esp
+ jmp iret_exc # Hypervisor said iret fault
+5: addl $16,%esp
+ # Hypervisor said segment selector fault
+
+Here, there are two identical addls on either option of a branch which
+appears to have been optimised by hoisting it above the jz, and
+converting it to an lea, which leaves the flags register unaffected.
+
+In the PVOPS case, the code looks like:
+
+ popl_cfi %eax # Error from the hypervisor
+ lea 16(%esp),%esp # Add $16 before choosing fault path
+ CFI_ADJUST_CFA_OFFSET -16
+ jz 5f
+ addl $16,%esp # Incorrectly adjust %esp again
+ jmp iret_exc
+
+It is possible unprivileged userspace applications to cause this
+behaviour, for example by loading an LDT code selector, then changing
+the code selector to be not-present. At this point, there is a race
+condition where it is possible for the hypervisor to return back to
+userspace from an interrupt, fault on its own iret, and inject a
+failsafe_callback into the kernel.
+
+This bug has been present since the introduction of Xen PVOPS support
+in commit 5ead97c84 (xen: Core Xen implementation), in 2.6.23.
+
+Signed-off-by: Frediano Ziglio <frediano.ziglio at citrix.com>
+Signed-off-by: Andrew Cooper <andrew.cooper3 at citrix.com>
+---
+ arch/x86/kernel/entry_32.S | 1 -
+ 1 files changed, 0 insertions(+), 1 deletions(-)
+
+diff --git a/arch/x86/kernel/entry_32.S b/arch/x86/kernel/entry_32.S
+index ff84d54..6ed91d9 100644
+--- a/arch/x86/kernel/entry_32.S
++++ b/arch/x86/kernel/entry_32.S
+@@ -1065,7 +1065,6 @@ ENTRY(xen_failsafe_callback)
+ lea 16(%esp),%esp
+ CFI_ADJUST_CFA_OFFSET -16
+ jz 5f
+- addl $16,%esp
+ jmp iret_exc
+ 5: pushl_cfi $-1 /* orig_ax = -1 => not a system call */
+ SAVE_ALL
+--
+1.7.2.5
+
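Review bot: the removed `addl $16,%esp` on the `jmp iret_exc` path had no matching CFI_ADJUST_CFA_OFFSET, unlike the `lea 16(%esp),%esp` two lines above it, which is the visible tell that it is the leftover the header describes (the adjustment was hoisted above the `jz 5f` as an lea to keep flags intact, but the copy on the iret_exc branch was never deleted); after the lea, %esp already sits where iret_exc expects it, so the one-line deletion is the right minimal fix. Two things for the header: the subject scopes the bug to 32-bit PVOPS and the diffstat touches only arch/x86/kernel/entry_32.S, so a sentence on why the 64-bit failsafe path is not affected would save the next reviewer the same check; and as carried in Fedora the header mentions neither CVE-2013-0190 nor rhbz 896051/896038, which exist only in kernel.spec. Minor: "It is possible unprivileged userspace applications to cause" is missing "for".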