[kernel/f20] CVE-2015-2672 unprivileged DoS du to mis-protected xsave/xstor instructions (rhbz 1204724 1204729)

Josh Boyer jwboyer at fedoraproject.org
Mon Mar 23 13:23:33 UTC 2015


commit 02d0c3ee780ebb3d097823e4dcaa43202f41a318
Author: Josh Boyer <jwboyer at fedoraproject.org>
Date:   Mon Mar 23 09:22:53 2015 -0400

    CVE-2015-2672 unprivileged DoS du to mis-protected xsave/xstor instructions (rhbz 1204724 1204729)

 kernel.spec                                        |   7 ++
 ...pu-xsaves-Fix-improper-uses-of-__ex_table.patch | 114 +++++++++++++++++++++
 2 files changed, 121 insertions(+)
---
diff --git a/kernel.spec b/kernel.spec
index 30732e7..0fb7794 100644
--- a/kernel.spec
+++ b/kernel.spec
@@ -798,6 +798,9 @@ Patch26171: acpi-video-Add-force-native-backlight-quirk-for-Leno.patch
 #CVE-2015-2666 rhbz 1204724 1204722
 Patch26172: x86-microcode-intel-Guard-against-stack-overflow-in-.patch
 
+#CVE-2015-2672 rhbz 1204724 1204729
+Patch26173: x86-fpu-xsaves-Fix-improper-uses-of-__ex_table.patch
+
 # END OF PATCH DEFINITIONS
 
 %endif
@@ -1559,6 +1562,9 @@ ApplyPatch acpi-video-Add-force-native-backlight-quirk-for-Leno.patch
 #CVE-2015-2666 rhbz 1204724 1204722
 ApplyPatch x86-microcode-intel-Guard-against-stack-overflow-in-.patch
 
+#CVE-2015-2672 rhbz 1204724 1204729
+ApplyPatch x86-fpu-xsaves-Fix-improper-uses-of-__ex_table.patch
+
 %if 0%{?aarch64patches}
 ApplyPatch kernel-arm64.patch
 %ifnarch aarch64 # this is stupid, but i want to notice before secondary koji does.
@@ -2378,6 +2384,7 @@ fi
 #                 ||     ||
 %changelog
 * Mon Mar 23 2015 Josh Boyer <jwboyer at fedoraproject.org>
+- CVE-2015-2672 unprivileged DoS du to mis-protected xsave/xstor instructions (rhbz 1204724 1204729)
 - CVE-2015-2666 execution in the early microcode loader (rhbz 1204724 1204722)
 
 * Fri Mar 20 2015 Josh Boyer <jwboyer at fedoraproject.org>
diff --git a/x86-fpu-xsaves-Fix-improper-uses-of-__ex_table.patch b/x86-fpu-xsaves-Fix-improper-uses-of-__ex_table.patch
new file mode 100644
index 0000000..4ed5747
--- /dev/null
+++ b/x86-fpu-xsaves-Fix-improper-uses-of-__ex_table.patch
@@ -0,0 +1,114 @@
+From 06c8173eb92bbfc03a0fe8bb64315857d0badd06 Mon Sep 17 00:00:00 2001
+From: Quentin Casasnovas <quentin.casasnovas at oracle.com>
+Date: Thu, 5 Mar 2015 13:19:22 +0100
+Subject: [PATCH] x86/fpu/xsaves: Fix improper uses of __ex_table
+
+Commit:
+
+  f31a9f7c7169 ("x86/xsaves: Use xsaves/xrstors to save and restore xsave area")
+
+introduced alternative instructions for XSAVES/XRSTORS and commit:
+
+  adb9d526e982 ("x86/xsaves: Add xsaves and xrstors support for booting time")
+
+added support for the XSAVES/XRSTORS instructions at boot time.
+
+Unfortunately both failed to properly protect them against faulting:
+
+The 'xstate_fault' macro will use the closest label named '1'
+backward and that ends up in the .altinstr_replacement section
+rather than in .text. This means that the kernel will never find
+in the __ex_table the .text address where this instruction might
+fault, leading to serious problems if userspace manages to
+trigger the fault.
+
+Signed-off-by: Quentin Casasnovas <quentin.casasnovas at oracle.com>
+Signed-off-by: Jamie Iles <jamie.iles at oracle.com>
+[ Improved the changelog, fixed some whitespace noise. ]
+Acked-by: Borislav Petkov <bp at alien8.de>
+Acked-by: Linus Torvalds <torvalds at linux-foundation.org>
+Cc: <stable at vger.kernel.org>
+Cc: Allan Xavier <mr.a.xavier at gmail.com>
+Cc: H. Peter Anvin <hpa at zytor.com>
+Cc: Thomas Gleixner <tglx at linutronix.de>
+Fixes: adb9d526e982 ("x86/xsaves: Add xsaves and xrstors support for booting time")
+Fixes: f31a9f7c7169 ("x86/xsaves: Use xsaves/xrstors to save and restore xsave area")
+Signed-off-by: Ingo Molnar <mingo at kernel.org>
+---
+ arch/x86/include/asm/xsave.h | 28 +++++++++++-----------------
+ 1 file changed, 11 insertions(+), 17 deletions(-)
+
+diff --git a/arch/x86/include/asm/xsave.h b/arch/x86/include/asm/xsave.h
+index 5fa9770035dc..c9a6d68b8d62 100644
+--- a/arch/x86/include/asm/xsave.h
++++ b/arch/x86/include/asm/xsave.h
+@@ -82,18 +82,15 @@ static inline int xsave_state_booting(struct xsave_struct *fx, u64 mask)
+ 	if (boot_cpu_has(X86_FEATURE_XSAVES))
+ 		asm volatile("1:"XSAVES"\n\t"
+ 			"2:\n\t"
+-			: : "D" (fx), "m" (*fx), "a" (lmask), "d" (hmask)
++			     xstate_fault
++			: "D" (fx), "m" (*fx), "a" (lmask), "d" (hmask)
+ 			:   "memory");
+ 	else
+ 		asm volatile("1:"XSAVE"\n\t"
+ 			"2:\n\t"
+-			: : "D" (fx), "m" (*fx), "a" (lmask), "d" (hmask)
++			     xstate_fault
++			: "D" (fx), "m" (*fx), "a" (lmask), "d" (hmask)
+ 			:   "memory");
+-
+-	asm volatile(xstate_fault
+-		     : "0" (0)
+-		     : "memory");
+-
+ 	return err;
+ }
+ 
+@@ -112,18 +109,15 @@ static inline int xrstor_state_booting(struct xsave_struct *fx, u64 mask)
+ 	if (boot_cpu_has(X86_FEATURE_XSAVES))
+ 		asm volatile("1:"XRSTORS"\n\t"
+ 			"2:\n\t"
+-			: : "D" (fx), "m" (*fx), "a" (lmask), "d" (hmask)
++			     xstate_fault
++			: "D" (fx), "m" (*fx), "a" (lmask), "d" (hmask)
+ 			:   "memory");
+ 	else
+ 		asm volatile("1:"XRSTOR"\n\t"
+ 			"2:\n\t"
+-			: : "D" (fx), "m" (*fx), "a" (lmask), "d" (hmask)
++			     xstate_fault
++			: "D" (fx), "m" (*fx), "a" (lmask), "d" (hmask)
+ 			:   "memory");
+-
+-	asm volatile(xstate_fault
+-		     : "0" (0)
+-		     : "memory");
+-
+ 	return err;
+ }
+ 
+@@ -149,9 +143,9 @@ static inline int xsave_state(struct xsave_struct *fx, u64 mask)
+ 	 */
+ 	alternative_input_2(
+ 		"1:"XSAVE,
+-		"1:"XSAVEOPT,
++		XSAVEOPT,
+ 		X86_FEATURE_XSAVEOPT,
+-		"1:"XSAVES,
++		XSAVES,
+ 		X86_FEATURE_XSAVES,
+ 		[fx] "D" (fx), "a" (lmask), "d" (hmask) :
+ 		"memory");
+@@ -178,7 +172,7 @@ static inline int xrstor_state(struct xsave_struct *fx, u64 mask)
+ 	 */
+ 	alternative_input(
+ 		"1: " XRSTOR,
+-		"1: " XRSTORS,
++		XRSTORS,
+ 		X86_FEATURE_XSAVES,
+ 		"D" (fx), "m" (*fx), "a" (lmask), "d" (hmask)
+ 		: "memory");
+-- 
+2.1.0
+
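Review bot: In the `xsave_state_booting` and `xrstor_state_booting` hunks of the embedded patch, the removed `asm volatile(xstate_fault : "0" (0) : "memory")` was the only statement that fed a zero into `err` via the matching-input constraint, so after the change `return err` on the success path depends entirely on `err` being zero-initialised at its declaration, which lies outside both hunks; if that declaration is a bare `int err;`, a successful XSAVE/XRSTOR returns an indeterminate value, so the backport should confirm it reads `int err = 0;`. The `xstate_fault` macro is not shown in this patch; from its placement directly after `"2:\n\t"` and before the `: "D" (fx), ...` input list it presumably expands to the fixup/extable text followed by the `[err]` output-operand section, which is why the old `: :` became a single `:` — a tree carrying a different definition of that macro would fail to assemble these statements. For the `xsave_state`/`xrstor_state` hunks the fix relies on the `1:` label now appearing only in the original instruction string so that `_ASM_EXTABLE(1b, ...)` resolves to the `.text` address rather than `.altinstr_replacement`; a short comment above `alternative_input_2(` such as `/* the "1:" label must stay on the original insn only: the fixup table needs a .text address */` would keep a future contributor from re-adding labels to the replacement strings. Both booting functions and the two alternative-based functions begin outside their respective hunks.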

