From: "Ralf Hemmenstädt" <ralf.h@hostserver.de>
To: xen-devel@lists.xensource.com
Subject: Re: Xen 3.1.1 -- Final call for patches
Date: Mon, 1 Oct 2007 19:01:36 +0200 [thread overview]
Message-ID: <200710011901.36486.ralf.h@hostserver.de> (raw)
[-- Attachment #1: Type: text/plain, Size: 187 bytes --]
The attached patch fixes CVE-2007-4573 which allows local users to
gain root privileges under the x86_64 architecture.
It is adapted from the patch posted at kernel.org.
Regards,
Ralf
[-- Attachment #2: CVE-2007-4573-XEN.patch --]
[-- Type: text/x-diff, Size: 1834 bytes --]
--- ./linux-2.6-xen-sparse/arch/x86_64/ia32/ia32entry-xen.S.orig 2007-09-29 17:23:32.564813967 +0200
+++ ./linux-2.6-xen-sparse/arch/x86_64/ia32/ia32entry-xen.S 2007-09-29 17:27:48.261866088 +0200
@@ -37,6 +37,19 @@
movq %rax,R8(%rsp)
.endm
+ .macro LOAD_ARGS32 offset
+ movl \offset(%rsp),%r11d
+ movl \offset+8(%rsp),%r10d
+ movl \offset+16(%rsp),%r9d
+ movl \offset+24(%rsp),%r8d
+ movl \offset+40(%rsp),%ecx
+ movl \offset+48(%rsp),%edx
+ movl \offset+56(%rsp),%esi
+ movl \offset+64(%rsp),%edi
+ movl \offset+72(%rsp),%eax
+ .endm
+
+
#if defined (__XEN_X86_64)
#include "../kernel/xen_entry.S"
@@ -162,7 +175,7 @@
movq $-ENOSYS,RAX(%rsp) /* really needed? */
movq %rsp,%rdi /* &pt_regs -> arg1 */
call syscall_trace_enter
- LOAD_ARGS ARGOFFSET /* reload args from stack in case ptrace changed it */
+ LOAD_ARGS32 ARGOFFSET /* reload args from stack in case ptrace changed it */
RESTORE_REST
movl %ebp, %ebp
/* no need to do an access_ok check here because rbp has been
@@ -259,7 +272,7 @@
movq $-ENOSYS,RAX(%rsp) /* really needed? */
movq %rsp,%rdi /* &pt_regs -> arg1 */
call syscall_trace_enter
- LOAD_ARGS ARGOFFSET /* reload args from stack in case ptrace changed it */
+ LOAD_ARGS32 ARGOFFSET /* reload args from stack in case ptrace changed it */
RESTORE_REST
movl RSP-ARGOFFSET(%rsp), %r8d
/* no need to do an access_ok check here because r8 has been
@@ -336,7 +349,7 @@
movq $-ENOSYS,RAX(%rsp) /* really needed? */
movq %rsp,%rdi /* &pt_regs -> arg1 */
call syscall_trace_enter
- LOAD_ARGS ARGOFFSET /* reload args from stack in case ptrace changed it */
+ LOAD_ARGS32 ARGOFFSET /* reload args from stack in case ptrace changed it */
RESTORE_REST
jmp ia32_do_syscall
[-- Attachment #3: Type: text/plain, Size: 138 bytes --]
_______________________________________________
Xen-devel mailing list
Xen-devel@lists.xensource.com
http://lists.xensource.com/xen-devel
next reply other threads:[~2007-10-01 17:01 UTC|newest]
Thread overview: 3+ messages / expand[flat|nested] mbox.gz Atom feed top
2007-10-01 17:01 Ralf Hemmenstädt [this message]
-- strict thread matches above, loose matches on Subject: below --
2007-09-30 9:23 Xen 3.1.1 -- Final call for patches Keir Fraser
2007-10-02 18:04 ` Chris Lalancette
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=200710011901.36486.ralf.h@hostserver.de \
--to=ralf.h@hostserver.de \
--cc=xen-devel@lists.xensource.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.