From: Greg KH <gregkh@suse.de>
To: linux-kernel@vger.kernel.org, stable@kernel.org
Cc: stable-review@kernel.org, torvalds@linux-foundation.org,
akpm@linux-foundation.org, alan@lxorguk.ukuu.org.uk,
Jan Beulich <jbeulich@novell.com>,
Roland McGrath <roland@redhat.com>, Ingo Molnar <mingo@elte.hu>
Subject: [15/30] x86-64: Fix register leak in 32-bit syscall audting
Date: Fri, 06 Nov 2009 13:56:18 -0800 [thread overview]
Message-ID: <20091106215951.964924845@mini.kroah.org> (raw)
In-Reply-To: <20091106220156.GA13813@kroah.com>
[-- Attachment #1: x86-64-fix-register-leak-in-32-bit-syscall-audting.patch --]
[-- Type: text/plain, Size: 1751 bytes --]
2.6.29-stable review patch. If anyone has any objections, please let us know.
------------------
From: Jan Beulich <JBeulich@novell.com>
commit 81766741fe1eee3884219e8daaf03f466f2ed52f upstream.
Restoring %ebp after the call to audit_syscall_exit() is not
only unnecessary (because the register didn't get clobbered),
but in the sysenter case wasn't even doing the right thing: It
loaded %ebp from a location below the top of stack (RBP <
ARGOFFSET), i.e. arbitrary kernel data got passed back to user
mode in the register.
Signed-off-by: Jan Beulich <jbeulich@novell.com>
Acked-by: Roland McGrath <roland@redhat.com>
LKML-Reference: <4AE5CC4D020000780001BD13@vpn.id2.novell.com>
Signed-off-by: Ingo Molnar <mingo@elte.hu>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
---
arch/x86/ia32/ia32entry.S | 5 ++---
1 file changed, 2 insertions(+), 3 deletions(-)
--- a/arch/x86/ia32/ia32entry.S
+++ b/arch/x86/ia32/ia32entry.S
@@ -204,7 +204,7 @@ sysexit_from_sys_call:
movl RDI-ARGOFFSET(%rsp),%r8d /* reload 5th syscall arg */
.endm
- .macro auditsys_exit exit,ebpsave=RBP
+ .macro auditsys_exit exit
testl $(_TIF_ALLWORK_MASK & ~_TIF_SYSCALL_AUDIT),TI_flags(%r10)
jnz ia32_ret_from_sys_call
TRACE_IRQS_ON
@@ -217,7 +217,6 @@ sysexit_from_sys_call:
call audit_syscall_exit
GET_THREAD_INFO(%r10)
movl RAX-ARGOFFSET(%rsp),%eax /* reload syscall return value */
- movl \ebpsave-ARGOFFSET(%rsp),%ebp /* reload user register value */
movl $(_TIF_ALLWORK_MASK & ~_TIF_SYSCALL_AUDIT),%edi
cli
TRACE_IRQS_OFF
@@ -351,7 +350,7 @@ cstar_auditsys:
jmp cstar_dispatch
sysretl_audit:
- auditsys_exit sysretl_from_sys_call, RCX /* user %ebp in RCX slot */
+ auditsys_exit sysretl_from_sys_call
#endif
cstar_tracesys:
next prev parent reply other threads:[~2009-11-06 22:09 UTC|newest]
Thread overview: 31+ messages / expand[flat|nested] mbox.gz Atom feed top
[not found] <20091106215603.413650799@mini.kroah.org>
2009-11-06 22:01 ` [00/30] 2.6.27.39-stable review Greg KH
2009-11-06 21:56 ` [01/30] 8250_pci: add IBM Saturn serial card Greg KH
2009-11-06 21:56 ` [02/30] b43: Fix Bugzilla #14181 and the bug from the previous fix Greg KH
2009-11-06 21:56 ` [03/30] dpt_i2o: Fix up copy*user Greg KH
2009-11-06 21:56 ` [04/30] dpt_i2o: Fix typo of EINVAL Greg KH
2009-11-06 21:56 ` [05/30] Driver core: fix driver_register() return value Greg KH
2009-11-06 21:56 ` [06/30] fs: pipe.c null pointer dereference Greg KH
2009-11-06 21:56 ` [07/30] hfsplus: refuse to mount volumes larger than 2TB Greg KH
2009-11-06 21:56 ` [08/30] Input: synaptics - add another Protege M300 to rate blacklist Greg KH
2009-11-06 21:56 ` [09/30] libata: fix internal command failure handling Greg KH
2009-11-06 21:56 ` [10/30] libertas if_usb: Fix crash on 64-bit machines Greg KH
2009-11-06 21:56 ` [11/30] mbind(): fix leak of never putback pages Greg KH
2009-11-06 21:56 ` [12/30] ray_cs: Fix copy_from_user handling Greg KH
2009-11-06 21:56 ` [13/30] Revert "ACPI: Attach the ACPI device to the ACPI handle as early as possible" Greg KH
2009-11-06 21:56 ` [14/30] tty: Mark generic_serial users as BROKEN Greg KH
2009-11-06 21:56 ` Greg KH [this message]
2009-11-06 21:56 ` [16/30] AF_UNIX: Fix deadlock on connecting to shutdown socket (CVE-2009-3621) Greg KH
2009-11-06 21:56 ` [17/30] appletalk: Fix skb leak when ipddp interface is not loaded (CVE-2009-2903) Greg KH
2009-11-06 21:56 ` [18/30] netlink: fix typo in initialization (CVE-2009-3612) Greg KH
2009-11-06 21:56 ` [19/30] KVM: Prevent overflow in KVM_GET_SUPPORTED_CPUID (CVE-2009-3638) Greg KH
2009-11-06 21:56 ` [20/30] irda: Add irda_skb_cb qdisc related padding Greg KH
2009-11-06 21:56 ` [21/30] nfs: Panic when commit fails Greg KH
2009-11-06 21:56 ` [22/30] NFSv4: Fix a bug when the server returns NFS4ERR_RESOURCE Greg KH
2009-11-06 21:56 ` [23/30] nfs: Avoid overrun when copying client IP address string Greg KH
2009-11-06 21:56 ` [24/30] NFSv4: Kill nfs4_renewd_prepare_shutdown() Greg KH
2009-11-06 21:56 ` [25/30] NFSv4: Fix a problem whereby a buggy server can oops the kernel Greg KH
2009-11-06 21:56 ` [26/30] NFSv4: The link() operation should return any delegation on the file Greg KH
2009-11-06 21:56 ` [27/30] printk: robustify printk Greg KH
2009-11-06 21:56 ` [28/30] bonding: fix a race condition in calls to slave MII ioctls Greg KH
2009-11-06 21:56 ` [29/30] x86/amd-iommu: Un__init function required on shutdown Greg KH
2009-11-06 21:56 ` [30/30] x86/amd-iommu: Workaround for erratum 63 Greg KH
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20091106215951.964924845@mini.kroah.org \
--to=gregkh@suse.de \
--cc=akpm@linux-foundation.org \
--cc=alan@lxorguk.ukuu.org.uk \
--cc=jbeulich@novell.com \
--cc=linux-kernel@vger.kernel.org \
--cc=mingo@elte.hu \
--cc=roland@redhat.com \
--cc=stable-review@kernel.org \
--cc=stable@kernel.org \
--cc=torvalds@linux-foundation.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox