From mboxrd@z Thu Jan 1 00:00:00 1970
From: Ralf =?utf-8?q?Hemmenst=C3=A4dt?=
Subject: Re: Xen 3.1.1 -- Final call for patches
Date: Mon, 1 Oct 2007 19:01:36 +0200
Message-ID: <200710011901.36486.ralf.h@hostserver.de>
Mime-Version: 1.0
Content-Type: Multipart/Mixed; boundary="Boundary-00=_wfSAHAPsgFTw/6r"
Return-path:
List-Unsubscribe: ,
List-Post:
List-Help:
List-Subscribe: ,
Sender: xen-devel-bounces@lists.xensource.com
Errors-To: xen-devel-bounces@lists.xensource.com
To: xen-devel@lists.xensource.com
List-Id: xen-devel@lists.xenproject.org

--Boundary-00=_wfSAHAPsgFTw/6r
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: 7bit
Content-Disposition: inline

The attached patch fixes CVE-2007-4573 which allows local users to gain root privileges under the x86_64 architecture. It is adapted from the patch posted at kernel.org.

Regards, Ralf

--Boundary-00=_wfSAHAPsgFTw/6r
Content-Type: text/x-diff; charset="utf-8"; name="CVE-2007-4573-XEN.patch"
Content-Transfer-Encoding: 7bit
Content-Disposition: attachment; filename="CVE-2007-4573-XEN.patch"

--- ./linux-2.6-xen-sparse/arch/x86_64/ia32/ia32entry-xen.S.orig 2007-09-29 17:23:32.564813967 +0200
+++ ./linux-2.6-xen-sparse/arch/x86_64/ia32/ia32entry-xen.S 2007-09-29 17:27:48.261866088 +0200
@@ -37,6 +37,19 @@
 movq %rax,R8(%rsp)
 .endm
+ .macro LOAD_ARGS32 offset
+ movl \offset(%rsp),%r11d
+ movl \offset+8(%rsp),%r10d
+ movl \offset+16(%rsp),%r9d
+ movl \offset+24(%rsp),%r8d
+ movl \offset+40(%rsp),%ecx
+ movl \offset+48(%rsp),%edx
+ movl \offset+56(%rsp),%esi
+ movl \offset+64(%rsp),%edi
+ movl \offset+72(%rsp),%eax
+ .endm
+
+
 #if defined (__XEN_X86_64)
 #include "../kernel/xen_entry.S"
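Review bot: The new LOAD_ARGS32 macro carries no comment saying why it exists, and the reason is the whole fix: the `movl` loads zero-extend into the 64-bit registers, so argument values that a ptrace tracer stored into pt_regs with bits 32–63 set cannot reach the 64-bit syscall handlers, whereas the original LOAD_ARGS reloads full 64-bit values. Suggest a header above `.macro LOAD_ARGS32 offset`: `/* 32-bit reload of the syscall args after syscall_trace_enter: movl zero-extends, so a tracer cannot leave non-zero upper halves in the registers (CVE-2007-4573) */`. The offsets skip `\offset+32` and load %eax from `\offset+72`, which presumably selects the saved syscall number rather than the saved rax; that looks intentional but should be stated in the comment, since the pt_regs layout is not visible in the hunk. The hunk header announces 6 old lines but only 4 context lines survive here, so two (likely blank) context lines appear to have been lost in the mail.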
@@ -162,7 +175,7 @@
 movq $-ENOSYS,RAX(%rsp) /* really needed? */
 movq %rsp,%rdi /* &pt_regs -> arg1 */
 call syscall_trace_enter
- LOAD_ARGS ARGOFFSET /* reload args from stack in case ptrace changed it */
+ LOAD_ARGS32 ARGOFFSET /* reload args from stack in case ptrace changed it */
 RESTORE_REST
 movl %ebp, %ebp
 /* no need to do an access_ok check here because rbp has been
@@ -259,7 +272,7 @@
 movq $-ENOSYS,RAX(%rsp) /* really needed? */
 movq %rsp,%rdi /* &pt_regs -> arg1 */
 call syscall_trace_enter
- LOAD_ARGS ARGOFFSET /* reload args from stack in case ptrace changed it */
+ LOAD_ARGS32 ARGOFFSET /* reload args from stack in case ptrace changed it */
 RESTORE_REST
 movl RSP-ARGOFFSET(%rsp), %r8d
 /* no need to do an access_ok check here because r8 has been
@@ -336,7 +349,7 @@
 movq $-ENOSYS,RAX(%rsp) /* really needed? */
 movq %rsp,%rdi /* &pt_regs -> arg1 */
 call syscall_trace_enter
- LOAD_ARGS ARGOFFSET /* reload args from stack in case ptrace changed it */
+ LOAD_ARGS32 ARGOFFSET /* reload args from stack in case ptrace changed it */
 RESTORE_REST
 jmp ia32_do_syscall

--Boundary-00=_wfSAHAPsgFTw/6r
Content-Type: text/plain; charset="us-ascii"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
Content-Disposition: inline

_______________________________________________
Xen-devel mailing list
Xen-devel@lists.xensource.com
http://lists.xensource.com/xen-devel

--Boundary-00=_wfSAHAPsgFTw/6r--
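Review bot: The three hunks here (@@ -162, @@ -259, @@ -336) each swap LOAD_ARGS for LOAD_ARGS32 directly after `call syscall_trace_enter`, which is the only point where a tracer can rewrite the saved argument registers; the fix is complete only if no other LOAD_ARGS remains on a 32-bit entry path in ia32entry-xen.S, and the rest of the file is outside these hunks, so that should be confirmed before merging. The unchanged `movl %ebp, %ebp` and `movl RSP-ARGOFFSET(%rsp), %r8d` context lines already reload the stack-passed argument as a zero-extended 32-bit value, so they need no change. The existing comment on the replaced line no longer explains the 32-bit width; suggest `LOAD_ARGS32 ARGOFFSET /* reload args 32-bit: zero-extend so ptrace cannot leave high bits set */` at all three sites, since a reader of the trace path otherwise has to find the macro to see why the reload differs from the 64-bit entry.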