[pve-devel] r5175 - pve-kernel-2.6.32/trunk

svn-commits at proxmox.com svn-commits at proxmox.com
Fri Sep 17 18:02:14 CEST 2010


Author: dietmar
Date: 2010-09-17 16:02:14 +0000 (Fri, 17 Sep 2010)
New Revision: 5175

Added:
   pve-kernel-2.6.32/trunk/security-fix2.patch
Modified:
   pve-kernel-2.6.32/trunk/Makefile
   pve-kernel-2.6.32/trunk/changelog.Debian
Log:


Modified: pve-kernel-2.6.32/trunk/Makefile
===================================================================
--- pve-kernel-2.6.32/trunk/Makefile	2010-09-17 13:43:31 UTC (rev 5174)
+++ pve-kernel-2.6.32/trunk/Makefile	2010-09-17 16:02:14 UTC (rev 5175)
@@ -3,7 +3,7 @@
 KERNEL_VER=2.6.32
 KERNEL_DEB_REL=22
 
-PKGREL=17
+PKGREL=18
 KREL=3
 
 EXTRAVERSION=-${KREL}-pve
@@ -124,6 +124,8 @@
 	zcat ${KERNEL_DEB_DIFF}|patch -p1 -d ${KERNEL_SRC}
 	# fix CVE-2010-3081
 	cd ${KERNEL_SRC}; patch -p1 <../security-fix1.patch 
+	# fix CVE-2010-3301
+	cd ${KERNEL_SRC}; patch -p1 <../security-fix2.patch 
 	./applydebpatches.pl ${KERNEL_SRC} ${KERNEL_DEB_REL}
 	cd ${KERNEL_SRC}; patch -p1 <../bootsplash-3.1.9-2.6.31.patch 
 	cd ${KERNEL_SRC}; patch -p1 <../bridge-patch.diff
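Review bot: The added recipe line `cd ${KERNEL_SRC}; patch -p1 <../security-fix2.patch ` ends with a trailing space, copied from the security-fix1 line above it; trim it. The `# fix CVE-2010-3301` comment would be easier to audit later if it named what the file bundles, e.g. `# fix CVE-2010-3301 (upstream 36d001c70d8a + eefdca043e83, arch/x86/ia32/ia32entry.S)`. The index lines inside security-fix2.patch look like they come from a tree other than the 2.6.32 base, so the hunks presumably apply with offset; since the fix is only complete once all seven cmpl→cmpq replacements and the LOAD_ARGS32 zero-extension land, it is worth confirming on the built tree that no `cmpl $(IA32_NR_syscalls-1),%eax` remains in the patched ia32entry.S. The recipe this line belongs to starts before the hunk.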

Modified: pve-kernel-2.6.32/trunk/changelog.Debian
===================================================================
--- pve-kernel-2.6.32/trunk/changelog.Debian	2010-09-17 13:43:31 UTC (rev 5174)
+++ pve-kernel-2.6.32/trunk/changelog.Debian	2010-09-17 16:02:14 UTC (rev 5175)
@@ -1,6 +1,13 @@
+pve-kernel-2.6.32 (2.6.32-18) unstable; urgency=low
+
+  * fix previous fix: see http://sota.gen.nz/compat1/ and
+    http://sota.gen.nz/compat2/ (security-fix2.patch)
+
+ -- Proxmox Support Team <support at proxmox.com>  Fri, 17 Sep 2010 17:29:28 +0200
+
 pve-kernel-2.6.32 (2.6.32-17) unstable; urgency=low
 
-  * fix  CVE-2010-3081 kernel
+  * fix CVE-2010-3081 kernel (security-fix1.patch)
   
  -- Proxmox Support Team <support at proxmox.com>  Fri, 17 Sep 2010 15:42:14 +0200
 

Added: pve-kernel-2.6.32/trunk/security-fix2.patch
===================================================================
--- pve-kernel-2.6.32/trunk/security-fix2.patch	                        (rev 0)
+++ pve-kernel-2.6.32/trunk/security-fix2.patch	2010-09-17 16:02:14 UTC (rev 5175)
@@ -0,0 +1,137 @@
+commit 36d001c70d8a0144ac1d038f6876c484849a74de
+Author: H. Peter Anvin <hpa at linux.intel.com>
+Date:   Tue Sep 14 12:42:41 2010 -0700
+
+    x86-64, compat: Test %rax for the syscall number, not %eax
+    
+    On 64 bits, we always, by necessity, jump through the system call
+    table via %rax.  For 32-bit system calls, in theory the system call
+    number is stored in %eax, and the code was testing %eax for a valid
+    system call number.  At one point we loaded the stored value back from
+    the stack to enforce zero-extension, but that was removed in checkin
+    d4d67150165df8bf1cc05e532f6efca96f907cab.  An actual 32-bit process
+    will not be able to introduce a non-zero-extended number, but it can
+    happen via ptrace.
+    
+    Instead of re-introducing the zero-extension, test what we are
+    actually going to use, i.e. %rax.  This only adds a handful of REX
+    prefixes to the code.
+    
+    Reported-by: Ben Hawkes <hawkes at sota.gen.nz>
+    Signed-off-by: H. Peter Anvin <hpa at linux.intel.com>
+    Cc: <stable at kernel.org>
+    Cc: Roland McGrath <roland at redhat.com>
+    Cc: Andrew Morton <akpm at linux-foundation.org>
+
+diff --git a/arch/x86/ia32/ia32entry.S b/arch/x86/ia32/ia32entry.S
+index b86feab..84e3a4e 100644
+--- a/arch/x86/ia32/ia32entry.S
++++ b/arch/x86/ia32/ia32entry.S
+@@ -153,7 +153,7 @@ ENTRY(ia32_sysenter_target)
+ 	testl  $_TIF_WORK_SYSCALL_ENTRY,TI_flags(%r10)
+ 	CFI_REMEMBER_STATE
+ 	jnz  sysenter_tracesys
+-	cmpl	$(IA32_NR_syscalls-1),%eax
++	cmpq	$(IA32_NR_syscalls-1),%rax
+ 	ja	ia32_badsys
+ sysenter_do_call:
+ 	IA32_ARG_FIXUP
+@@ -195,7 +195,7 @@ sysexit_from_sys_call:
+ 	movl $AUDIT_ARCH_I386,%edi	/* 1st arg: audit arch */
+ 	call audit_syscall_entry
+ 	movl RAX-ARGOFFSET(%rsp),%eax	/* reload syscall number */
+-	cmpl $(IA32_NR_syscalls-1),%eax
++	cmpq $(IA32_NR_syscalls-1),%rax
+ 	ja ia32_badsys
+ 	movl %ebx,%edi			/* reload 1st syscall arg */
+ 	movl RCX-ARGOFFSET(%rsp),%esi	/* reload 2nd syscall arg */
+@@ -248,7 +248,7 @@ sysenter_tracesys:
+ 	call	syscall_trace_enter
+ 	LOAD_ARGS32 ARGOFFSET  /* reload args from stack in case ptrace changed it */
+ 	RESTORE_REST
+-	cmpl	$(IA32_NR_syscalls-1),%eax
++	cmpq	$(IA32_NR_syscalls-1),%rax
+ 	ja	int_ret_from_sys_call /* sysenter_tracesys has set RAX(%rsp) */
+ 	jmp	sysenter_do_call
+ 	CFI_ENDPROC
+@@ -314,7 +314,7 @@ ENTRY(ia32_cstar_target)
+ 	testl $_TIF_WORK_SYSCALL_ENTRY,TI_flags(%r10)
+ 	CFI_REMEMBER_STATE
+ 	jnz   cstar_tracesys
+-	cmpl $IA32_NR_syscalls-1,%eax
++	cmpq $IA32_NR_syscalls-1,%rax
+ 	ja  ia32_badsys
+ cstar_do_call:
+ 	IA32_ARG_FIXUP 1
+@@ -367,7 +367,7 @@ cstar_tracesys:
+ 	LOAD_ARGS32 ARGOFFSET, 1  /* reload args from stack in case ptrace changed it */
+ 	RESTORE_REST
+ 	xchgl %ebp,%r9d
+-	cmpl $(IA32_NR_syscalls-1),%eax
++	cmpq $(IA32_NR_syscalls-1),%rax
+ 	ja int_ret_from_sys_call /* cstar_tracesys has set RAX(%rsp) */
+ 	jmp cstar_do_call
+ END(ia32_cstar_target)
+@@ -425,7 +425,7 @@ ENTRY(ia32_syscall)
+ 	orl   $TS_COMPAT,TI_status(%r10)
+ 	testl $_TIF_WORK_SYSCALL_ENTRY,TI_flags(%r10)
+ 	jnz ia32_tracesys
+-	cmpl $(IA32_NR_syscalls-1),%eax
++	cmpq $(IA32_NR_syscalls-1),%rax
+ 	ja ia32_badsys
+ ia32_do_call:
+ 	IA32_ARG_FIXUP
+@@ -444,7 +444,7 @@ ia32_tracesys:
+ 	call syscall_trace_enter
+ 	LOAD_ARGS32 ARGOFFSET  /* reload args from stack in case ptrace changed it */
+ 	RESTORE_REST
+-	cmpl $(IA32_NR_syscalls-1),%eax
++	cmpq $(IA32_NR_syscalls-1),%rax
+ 	ja  int_ret_from_sys_call	/* ia32_tracesys has set RAX(%rsp) */
+ 	jmp ia32_do_call
+ END(ia32_syscall)
+
+commit eefdca043e8391dcd719711716492063030b55ac
+Author: Roland McGrath <roland at redhat.com>
+Date:   Tue Sep 14 12:22:58 2010 -0700
+
+    x86-64, compat: Retruncate rax after ia32 syscall entry tracing
+    
+    In commit d4d6715, we reopened an old hole for a 64-bit ptracer touching a
+    32-bit tracee in system call entry.  A %rax value set via ptrace at the
+    entry tracing stop gets used whole as a 32-bit syscall number, while we
+    only check the low 32 bits for validity.
+    
+    Fix it by truncating %rax back to 32 bits after syscall_trace_enter,
+    in addition to testing the full 64 bits as has already been added.
+    
+    Reported-by: Ben Hawkes <hawkes at sota.gen.nz>
+    Signed-off-by: Roland McGrath <roland at redhat.com>
+    Signed-off-by: H. Peter Anvin <hpa at linux.intel.com>
+
+diff --git a/arch/x86/ia32/ia32entry.S b/arch/x86/ia32/ia32entry.S
+index 84e3a4e..518bb99 100644
+--- a/arch/x86/ia32/ia32entry.S
++++ b/arch/x86/ia32/ia32entry.S
+@@ -50,7 +50,12 @@
+ 	/*
+ 	 * Reload arg registers from stack in case ptrace changed them.
+ 	 * We don't reload %eax because syscall_trace_enter() returned
+-	 * the value it wants us to use in the table lookup.
++	 * the %rax value we should see.  Instead, we just truncate that
++	 * value to 32 bits again as we did on entry from user mode.
++	 * If it's a new value set by user_regset during entry tracing,
++	 * this matches the normal truncation of the user-mode value.
++	 * If it's -1 to make us punt the syscall, then (u32)-1 is still
++	 * an appropriately invalid value.
+ 	 */
+ 	.macro LOAD_ARGS32 offset, _r9=0
+ 	.if \_r9
+@@ -60,6 +65,7 @@
+ 	movl \offset+48(%rsp),%edx
+ 	movl \offset+56(%rsp),%esi
+ 	movl \offset+64(%rsp),%edi
++	movl %eax,%eax			/* zero extension */
+ 	.endm
+ 	
+ 	.macro CFI_STARTPROC32 simple



