[kernel/f20] CVE-2015-2672 unprivileged DoS due to mis-protected xsave/xstor instructions (rhbz 1204724 1204729)
Josh Boyer
jwboyer at fedoraproject.org
Mon Mar 23 13:23:33 UTC 2015
commit 02d0c3ee780ebb3d097823e4dcaa43202f41a318
Author: Josh Boyer <jwboyer at fedoraproject.org>
Date: Mon Mar 23 09:22:53 2015 -0400
CVE-2015-2672 unprivileged DoS due to mis-protected xsave/xstor instructions (rhbz 1204724 1204729)
kernel.spec | 7 ++
...pu-xsaves-Fix-improper-uses-of-__ex_table.patch | 114 +++++++++++++++++++++
2 files changed, 121 insertions(+)
---
diff --git a/kernel.spec b/kernel.spec
index 30732e7..0fb7794 100644
--- a/kernel.spec
+++ b/kernel.spec
@@ -798,6 +798,9 @@ Patch26171: acpi-video-Add-force-native-backlight-quirk-for-Leno.patch
#CVE-2015-2666 rhbz 1204724 1204722
Patch26172: x86-microcode-intel-Guard-against-stack-overflow-in-.patch
+#CVE-2015-2672 rhbz 1204724 1204729
+Patch26173: x86-fpu-xsaves-Fix-improper-uses-of-__ex_table.patch
+
# END OF PATCH DEFINITIONS
%endif
@@ -1559,6 +1562,9 @@ ApplyPatch acpi-video-Add-force-native-backlight-quirk-for-Leno.patch
#CVE-2015-2666 rhbz 1204724 1204722
ApplyPatch x86-microcode-intel-Guard-against-stack-overflow-in-.patch
+#CVE-2015-2672 rhbz 1204724 1204729
+ApplyPatch x86-fpu-xsaves-Fix-improper-uses-of-__ex_table.patch
+
%if 0%{?aarch64patches}
ApplyPatch kernel-arm64.patch
%ifnarch aarch64 # this is stupid, but i want to notice before secondary koji does.
@@ -2378,6 +2384,7 @@ fi
# || ||
%changelog
* Mon Mar 23 2015 Josh Boyer <jwboyer at fedoraproject.org>
+- CVE-2015-2672 unprivileged DoS du to mis-protected xsave/xstor instructions (rhbz 1204724 1204729)
- CVE-2015-2666 execution in the early microcode loader (rhbz 1204724 1204722)
* Fri Mar 20 2015 Josh Boyer <jwboyer at fedoraproject.org>
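Review bot: the new changelog entry has two spelling slips worth fixing before this lands, since it is the text users will read in `rpm -q --changelog`: "du to" should be "due to", and "xstor" should be "xrstor" (the affected instructions are XSAVE/XSAVES and XRSTOR/XRSTORS, as the patch subject below states). The rhbz references and CVE id match the Patch26173 comment added above.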
diff --git a/x86-fpu-xsaves-Fix-improper-uses-of-__ex_table.patch b/x86-fpu-xsaves-Fix-improper-uses-of-__ex_table.patch
new file mode 100644
index 0000000..4ed5747
--- /dev/null
+++ b/x86-fpu-xsaves-Fix-improper-uses-of-__ex_table.patch
@@ -0,0 +1,114 @@
+From 06c8173eb92bbfc03a0fe8bb64315857d0badd06 Mon Sep 17 00:00:00 2001
+From: Quentin Casasnovas <quentin.casasnovas at oracle.com>
+Date: Thu, 5 Mar 2015 13:19:22 +0100
+Subject: [PATCH] x86/fpu/xsaves: Fix improper uses of __ex_table
+
+Commit:
+
+ f31a9f7c7169 ("x86/xsaves: Use xsaves/xrstors to save and restore xsave area")
+
+introduced alternative instructions for XSAVES/XRSTORS and commit:
+
+ adb9d526e982 ("x86/xsaves: Add xsaves and xrstors support for booting time")
+
+added support for the XSAVES/XRSTORS instructions at boot time.
+
+Unfortunately both failed to properly protect them against faulting:
+
+The 'xstate_fault' macro will use the closest label named '1'
+backward and that ends up in the .altinstr_replacement section
+rather than in .text. This means that the kernel will never find
+in the __ex_table the .text address where this instruction might
+fault, leading to serious problems if userspace manages to
+trigger the fault.
+
+Signed-off-by: Quentin Casasnovas <quentin.casasnovas at oracle.com>
+Signed-off-by: Jamie Iles <jamie.iles at oracle.com>
+[ Improved the changelog, fixed some whitespace noise. ]
+Acked-by: Borislav Petkov <bp at alien8.de>
+Acked-by: Linus Torvalds <torvalds at linux-foundation.org>
+Cc: <stable at vger.kernel.org>
+Cc: Allan Xavier <mr.a.xavier at gmail.com>
+Cc: H. Peter Anvin <hpa at zytor.com>
+Cc: Thomas Gleixner <tglx at linutronix.de>
+Fixes: adb9d526e982 ("x86/xsaves: Add xsaves and xrstors support for booting time")
+Fixes: f31a9f7c7169 ("x86/xsaves: Use xsaves/xrstors to save and restore xsave area")
+Signed-off-by: Ingo Molnar <mingo at kernel.org>
+---
+ arch/x86/include/asm/xsave.h | 28 +++++++++++-----------------
+ 1 file changed, 11 insertions(+), 17 deletions(-)
+
+diff --git a/arch/x86/include/asm/xsave.h b/arch/x86/include/asm/xsave.h
+index 5fa9770035dc..c9a6d68b8d62 100644
+--- a/arch/x86/include/asm/xsave.h
++++ b/arch/x86/include/asm/xsave.h
+@@ -82,18 +82,15 @@ static inline int xsave_state_booting(struct xsave_struct *fx, u64 mask)
+ if (boot_cpu_has(X86_FEATURE_XSAVES))
+ asm volatile("1:"XSAVES"\n\t"
+ "2:\n\t"
+- : : "D" (fx), "m" (*fx), "a" (lmask), "d" (hmask)
++ xstate_fault
++ : "D" (fx), "m" (*fx), "a" (lmask), "d" (hmask)
+ : "memory");
+ else
+ asm volatile("1:"XSAVE"\n\t"
+ "2:\n\t"
+- : : "D" (fx), "m" (*fx), "a" (lmask), "d" (hmask)
++ xstate_fault
++ : "D" (fx), "m" (*fx), "a" (lmask), "d" (hmask)
+ : "memory");
+-
+- asm volatile(xstate_fault
+- : "0" (0)
+- : "memory");
+-
+ return err;
+ }
+
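Review bot: the removed stand-alone `asm volatile(xstate_fault : "0" (0) : "memory")` was also the only thing seeding `err` with 0: the `"0" (0)` tie loaded zero into the register backing the `[err]` output before the fixup could overwrite it. With the fixup folded into the XSAVES/XSAVE asm bodies, check that `err` is either initialized before the `if` (not visible in this hunk's context) or, if `xstate_fault` declares it as an output-only `"=r"` operand, that the non-faulting path actually writes it; an output-only operand lets the compiler skip the initial store, so a successful XSAVES could return garbage. A `"+r"` constraint or an explicit zeroing inside the asm would make this robust. Separately, the old layout had two `1:`/`2:` label pairs (the XSAVES and XSAVE branches) followed by a single fixup whose `1b`/`2b` references could only bind to whichever branch the compiler emitted last, so one of the two branches had no usable exception-table entry; moving `xstate_fault` into each asm body is the right fix for that.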
+@@ -112,18 +109,15 @@ static inline int xrstor_state_booting(struct xsave_struct *fx, u64 mask)
+ if (boot_cpu_has(X86_FEATURE_XSAVES))
+ asm volatile("1:"XRSTORS"\n\t"
+ "2:\n\t"
+- : : "D" (fx), "m" (*fx), "a" (lmask), "d" (hmask)
++ xstate_fault
++ : "D" (fx), "m" (*fx), "a" (lmask), "d" (hmask)
+ : "memory");
+ else
+ asm volatile("1:"XRSTOR"\n\t"
+ "2:\n\t"
+- : : "D" (fx), "m" (*fx), "a" (lmask), "d" (hmask)
++ xstate_fault
++ : "D" (fx), "m" (*fx), "a" (lmask), "d" (hmask)
+ : "memory");
+-
+- asm volatile(xstate_fault
+- : "0" (0)
+- : "memory");
+-
+ return err;
+ }
+
+@@ -149,9 +143,9 @@ static inline int xsave_state(struct xsave_struct *fx, u64 mask)
+ */
+ alternative_input_2(
+ "1:"XSAVE,
+- "1:"XSAVEOPT,
++ XSAVEOPT,
+ X86_FEATURE_XSAVEOPT,
+- "1:"XSAVES,
++ XSAVES,
+ X86_FEATURE_XSAVES,
+ [fx] "D" (fx), "a" (lmask), "d" (hmask) :
+ "memory");
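Review bot: dropping the `"1:"` prefix from the XSAVEOPT and XSAVES replacement strings is the core of the fix for the non-boot path: with three `1:` labels in the same expansion, the `1b` in the fixup's extable entry resolved to the last one emitted, which lives in `.altinstr_replacement`, so the `__ex_table` address never matched the `.text` location that actually faults. Keeping the label only on the original XSAVE slot is correct because the alternatives framework patches the replacement bytes into that same `.text` address, so the recorded fault address stays valid whichever variant is selected. Please add a one-line comment above `alternative_input_2` saying that the `1:` label must appear only on the original instruction; the old pattern is an easy one to copy when the next variant is added.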
+@@ -178,7 +172,7 @@ static inline int xrstor_state(struct xsave_struct *fx, u64 mask)
+ */
+ alternative_input(
+ "1: " XRSTOR,
+- "1: " XRSTORS,
++ XRSTORS,
+ X86_FEATURE_XSAVES,
+ "D" (fx), "m" (*fx), "a" (lmask), "d" (hmask)
+ : "memory");
+--
+2.1.0
+
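Review bot: same label fix as the `xsave_state` hunk above, and this is the path that matters most for the CVE: the restore side is where a fault provoked by user-supplied register state lands, so without a matching `__ex_table` entry in `.text` the kernel has no fixup to jump to. The same request for an explanatory comment above `alternative_input` applies here.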