From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
To: linux-kernel@vger.kernel.org, stable@vger.kernel.org
Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>,
alan@lxorguk.ukuu.org.uk,
Frediano Ziglio <frediano.ziglio@citrix.com>,
Andrew Cooper <andrew.cooper3@citrix.com>,
Konrad Rzeszutek Wilk <konrad.wilk@oracle.com>
Subject: [ 12/16] xen: Fix stack corruption in xen_failsafe_callback for 32bit PVOPS guests.
Date: Fri, 18 Jan 2013 17:21:50 -0800
Message-ID: <20130119012140.101455279@linuxfoundation.org>
In-Reply-To: <20130119012138.680057206@linuxfoundation.org>
3.0-stable review patch. If anyone has any objections, please let me know.
------------------
From: Andrew Cooper <andrew.cooper3@citrix.com>
commit 9174adbee4a9a49d0139f5d71969852b36720809 upstream.
This fixes CVE-2013-0190 / XSA-40
There has been an error on the xen_failsafe_callback path for failed
iret, which causes the stack pointer to be wrong when entering the
iret_exc error path. This can result in the kernel crashing.
In the classic kernel case, the relevant code looked a little like:
    popl %eax          # Error code from hypervisor
    jz 5f
    addl $16,%esp
    jmp iret_exc       # Hypervisor said iret fault
5:  addl $16,%esp      # Hypervisor said segment selector fault
Here, there are two identical addls on either option of a branch which
appears to have been optimised by hoisting it above the jz, and
converting it to an lea, which leaves the flags register unaffected.
In the PVOPS case, the code looks like:
    popl_cfi %eax      # Error from the hypervisor
    lea 16(%esp),%esp  # Add $16 before choosing fault path
    CFI_ADJUST_CFA_OFFSET -16
    jz 5f
    addl $16,%esp      # Incorrectly adjust %esp again
    jmp iret_exc
It is possible for unprivileged userspace applications to cause this
behaviour, for example by loading an LDT code selector, then changing
the code selector to be not-present. At this point, there is a race
condition where it is possible for the hypervisor to return back to
userspace from an interrupt, fault on its own iret, and inject a
failsafe_callback into the kernel.
This bug has been present since the introduction of Xen PVOPS support
in commit 5ead97c84 (xen: Core Xen implementation), in 2.6.23.
Signed-off-by: Frediano Ziglio <frediano.ziglio@citrix.com>
Signed-off-by: Andrew Cooper <andrew.cooper3@citrix.com>
Signed-off-by: Konrad Rzeszutek Wilk <konrad.wilk@oracle.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
arch/x86/kernel/entry_32.S | 1 -
1 file changed, 1 deletion(-)
--- a/arch/x86/kernel/entry_32.S
+++ b/arch/x86/kernel/entry_32.S
@@ -1078,7 +1078,6 @@ ENTRY(xen_failsafe_callback)
lea 16(%esp),%esp
CFI_ADJUST_CFA_OFFSET -16
jz 5f
- addl $16,%esp
jmp iret_exc
5: pushl_cfi $-1 /* orig_ax = -1 => not a system call */
SAVE_ALL
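Review bot: Dropping the `addl $16,%esp` on the iret_exc path is the correct fix: the `lea 16(%esp),%esp` above the `jz 5f` already performs that adjustment for both branches and the single `CFI_ADJUST_CFA_OFFSET -16` accounts for it once, so with the `addl` gone both the `jmp iret_exc` path and the `5:` path now run with %esp adjusted by exactly 16, which matches the classic-kernel code quoted in the commit message. Two points worth confirming in the lines outside the three context lines shown: that the `popl` which sets ZF sits directly before the `lea`, and that nothing between it and the `jz` touches the flags (lea does not, and the CFI macro is an assembler directive only), otherwise the `jz` would test a stale condition. A one-line comment at the `lea` stating that it replaces the per-branch adjustment would help keep the extra `addl` from being reintroduced later.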