~alpine/aports


[alpine-aports] [PATCH v3.4] main/xen: security fixes #6571

Message ID: <20161227093343.4260-1-sergej.lukin@gmail.com>
Sender timestamp: 1482831223 (2016-12-27 09:33:43 UTC)
DKIM signature: missing
Patch: +179 -1
CVE-2016-10024, XSA-202: x86 PV guests may be able to mask interrupts
http://xenbits.xen.org/xsa/advisory-202.html

CVE-2016-10025, XSA-203: x86: missing NULL pointer check in VMFUNC emulation
http://xenbits.xen.org/xsa/advisory-203.html

CVE-2016-10013, XSA-204: x86: Mishandling of SYSCALL singlestep during emulation
http://xenbits.xen.org/xsa/advisory-204.html
---
 main/xen/APKBUILD         | 19 +++++++++++-
 main/xen/xsa202-4.6.patch | 73 +++++++++++++++++++++++++++++++++++++++++++++++
 main/xen/xsa203-4.7.patch | 19 ++++++++++++
 main/xen/xsa204-4.7.patch | 69 ++++++++++++++++++++++++++++++++++++++++++++
 4 files changed, 179 insertions(+), 1 deletion(-)
 create mode 100644 main/xen/xsa202-4.6.patch
 create mode 100644 main/xen/xsa203-4.7.patch
 create mode 100644 main/xen/xsa204-4.7.patch

diff --git a/main/xen/APKBUILD b/main/xen/APKBUILD
index e4a159d..315b84b 100644
--- a/main/xen/APKBUILD
+++ b/main/xen/APKBUILD
@@ -1,9 +1,10 @@
# Contributor: Sergei Lukin <sergej.lukin@gmail.com>
# Contributor: William Pitcock <nenolod@dereferenced.org>
# Contributor: Roger Pau Monne <roger.pau@entel.upc.edu>
# Maintainer: William Pitcock <nenolod@dereferenced.org>
pkgname=xen
pkgver=4.6.3
pkgrel=6
pkgrel=7
pkgdesc="Xen hypervisor"
url="http://www.xen.org/"
arch="x86_64"
@@ -34,6 +35,10 @@ subpackages="$pkgname-doc $pkgname-dev $pkgname-libs $pkgname-hypervisor"
#     - CVE-2016-9816 XSA-201
#     - CVE-2016-9817 XSA-201
#     - CVE-2016-9818 XSA-201
#   4.6.3-r7:
#     - CVE-2016-10024 XSA-202
#     - CVE-2016-10025 XSA-203
#     - CVE-2016-10013 XSA-204

# grep _VERSION= stubdom/configure
_ZLIB_VERSION="1.2.3"
@@ -84,6 +89,9 @@ source="http://bits.xensource.com/oss-xen/release/$pkgver/$pkgname-$pkgver.tar.g
	xsa201-2.patch
	xsa201-3-4.7.patch
	xsa201-4.patch
	xsa202-4.6.patch
	xsa203-4.7.patch
	xsa204-4.7.patch

	xenstore_client_transaction_fix.patch
	qemu-coroutine-gthread.patch
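Review bot: two of the three new files carry a `-4.7` suffix while `pkgver=4.6.3`; the hunk headers inside them (`@@ -1643,6 +1643,8 @@` in `hvm/emulate.c`, `@@ -1582,6 +1582,7 @@` in `x86_emulate.c`) are 4.7-tree offsets, so please confirm against advisory-203 and advisory-204 that the 4.7 patch is the one xenbits designates for 4.6.x and that `abuild` applies both without fuzz. Keeping the upstream file names is fine as long as the content is the published file.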
@@ -304,6 +312,9 @@ add3ad7828d582fc272073e906ce17a1  xsa200-4.6.patch
76394482eaf0caeb3e0611ba70e8923c  xsa201-2.patch
136b9ad8b2bcc57d5a7ed3bf13bebe3c  xsa201-3-4.7.patch
9cb1516d783fc9c765e9a37574bb3cbd  xsa201-4.patch
1e5a74b572d1a127d27931e8b08a400c  xsa202-4.6.patch
332134bd4d53cc640b8af674cddefadd  xsa203-4.7.patch
807eba520309001a90a6fd8d9e971dd8  xsa204-4.7.patch
b05500e9fdcec5a076ab8817fc313ac3  xenstore_client_transaction_fix.patch
de1a3db370b87cfb0bddb51796b50315  qemu-coroutine-gthread.patch
08bfdf8caff5d631f53660bf3fd4edaf  qemu-xen_paths.patch
@@ -360,6 +371,9 @@ d3af265879196c05b3fdd2cdeb5e95446f454dd3c1151452fe4f3389eccc39e4  xsa197-qemut-C
0ba570ed7df172475bc745e02b89670608251634895e5279edcf534619d6d81b  xsa201-2.patch
a9cf56564d020675c0f2f1ea15009a712f172be3d53ea8ddf2f48adaac392e76  xsa201-3-4.7.patch
388d548cd4e30883ae100863d33e792869e7dbd86054299a91b64db6d6599919  xsa201-4.patch
3a0584363eee2fc014469df50d4cba99b3e9a6f01b92e3c4abe9b5bac6140004  xsa202-4.6.patch
07e033cc11aca365ebebe7708d965f559fdc61d570033ec327f75641303536c4  xsa203-4.7.patch
162ff128d2b63c2f46234b64e730210e1002b884d1114f49f3709a9573e81f98  xsa204-4.7.patch
c9691bd43a87a939d9a883279813c405eb5ac428a4f4f89e8eef01fbb4d2d6d1  xenstore_client_transaction_fix.patch
3941f99b49c7e8dafc9fae8aad2136a14c6d84533cd542cc5f1040a41ef7c6fe  qemu-coroutine-gthread.patch
e4e5e838e259a3116978aabbcebc1865a895179a7fcbf4bad195c83e9b4c0f98  qemu-xen_paths.patch
@@ -416,6 +430,9 @@ b61429fbf4d1677a8dab2710ab21335f18b3f998f2e5e19e45a4727f71b9671b3d1bd709bef3594c
afed1ed3c5b4dd3a1d2c1c0fe824cdeb58efdc40fdaf5ce439deb2feef63141168114ea362fc5c683eb0494bb6bd3c76773b099495af21550ae3a1e5cb4e924d  xsa201-2.patch
ad0f4217ef8218dac6997385690981e7a88d05b735e04779f582ad4a0307d8e7804c015971403133fe1d3334c628da784c696161768b275ed3ab64d6140293dc  xsa201-3-4.7.patch
1761ca422fe9e3caee3442b43b84da49721a01ed8417f653c568695b08718c40be1493cc7a0a6145c7ce195c7fb0c753b190fe2f1782d5242e1e304c18005610  xsa201-4.patch
c748e24be7ac676726f1c45cebe878a2240f274d412886c1f63101bb8ec64a2a0392ff7450883405dd9ebadc351cfd1f940ed5632d4ba6d466cf4498b29cc2a7  xsa202-4.6.patch
ccd071bcf245014d641cbe1c36eee956adbec2e19e2b111248d04e4ce7072bbf1a935b00e95676a1d6d378bd1c5380f8fb002ce631f5b5edf47307b727d27a5b  xsa203-4.7.patch
4dc25b5206fb80651390bedc7ae8eb30f44174fe59aef09c7ca58930091e30bd1dec80e15f307f5b5d7ae417d6be4b2d509a5e762e8d6563619133bec846790b  xsa204-4.7.patch
69dfa60628ca838678862383528654ecbdf4269cbb5c9cfb6b84d976202a8dea85d711aa65a52fa1b477fb0b30604ca70cf1337192d6fb9388a08bbe7fe56077  xenstore_client_transaction_fix.patch
c3c46f232f0bd9f767b232af7e8ce910a6166b126bd5427bb8dc325aeb2c634b956de3fc225cab5af72649070c8205cc8e1cab7689fc266c204f525086f1a562  qemu-coroutine-gthread.patch
1936ab39a1867957fa640eb81c4070214ca4856a2743ba7e49c0cd017917071a9680d015f002c57fa7b9600dbadd29dcea5887f50e6c133305df2669a7a933f3  qemu-xen_paths.patch
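Review bot: none of the nine new digests can be checked from this diff, and a locally edited backport with a regenerated checksum passes `abuild checksum` silently; before merging, re-download xsa202-4.6.patch, xsa203-4.7.patch and xsa204-4.7.patch from the advisory pages linked in the commit message and compare their sha512 to the values above.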
diff --git a/main/xen/xsa202-4.6.patch b/main/xen/xsa202-4.6.patch
new file mode 100644
index 0000000..df83614
--- /dev/null
+++ b/main/xen/xsa202-4.6.patch
@@ -0,0 +1,73 @@
From: Jan Beulich <jbeulich@suse.com>
Subject: x86: force EFLAGS.IF on when exiting to PV guests

Guest kernels modifying instructions in the process of being emulated
for another of their vCPU-s may effect EFLAGS.IF to be cleared upon
next exiting to guest context, by converting the being emulated
instruction to CLI (at the right point in time). Prevent any such bad
effects by always forcing EFLAGS.IF on. And to cover hypothetical other
similar issues, also force EFLAGS.{IOPL,NT,VM} to zero.

This is XSA-202.

Signed-off-by: Jan Beulich <jbeulich@suse.com>

--- a/xen/arch/x86/x86_64/compat/entry.S
+++ b/xen/arch/x86/x86_64/compat/entry.S
@@ -174,6 +174,8 @@ compat_bad_hypercall:
 /* %rbx: struct vcpu, interrupts disabled */
 ENTRY(compat_restore_all_guest)
         ASSERT_INTERRUPTS_DISABLED
+        mov   $~(X86_EFLAGS_IOPL|X86_EFLAGS_NT|X86_EFLAGS_VM),%r11d
+        and   UREGS_eflags(%rsp),%r11d
 .Lcr4_orig:
         .skip .Lcr4_alt_end - .Lcr4_alt, 0x90
 .Lcr4_orig_end:
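Review bot: `%r11d` is loaded from `UREGS_eflags(%rsp)` at the top of `compat_restore_all_guest` but not consumed until after the `.Lcr4_orig`/alternatives block, which is only correct while nothing patched into that block touches `%r11`. A one-line comment on the `mov` saying the register is live across the cr4 alternative would stop a later change to that alternative from silently undoing the IF forcing.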
@@ -209,6 +211,8 @@ ENTRY(compat_restore_all_guest)
                              (.Lcr4_orig_end - .Lcr4_orig), \
                              (.Lcr4_alt_end - .Lcr4_alt)
         .popsection
+        or    $X86_EFLAGS_IF,%r11
+        mov   %r11d,UREGS_eflags(%rsp)
         RESTORE_ALL adj=8 compat=1
 .Lft0:  iretq
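Review bot: `or $X86_EFLAGS_IF,%r11` operates on the full 64-bit register while the load and the store use `%r11d`; it is harmless because the 32-bit `mov` zero-extended, but using `%r11d` in all three instructions reads cleaner. Writing the result back to `UREGS_eflags(%rsp)` before `RESTORE_ALL` means the compat `iretq` frame itself is sanitised, so there is no separate SYSRET path to cover here.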

--- a/xen/arch/x86/x86_64/entry.S
+++ b/xen/arch/x86/x86_64/entry.S
@@ -40,28 +40,29 @@ restore_all_guest:
         testw $TRAP_syscall,4(%rsp)
         jz    iret_exit_to_guest

+        movq  24(%rsp),%r11           # RFLAGS
+        andq  $~(X86_EFLAGS_IOPL|X86_EFLAGS_NT|X86_EFLAGS_VM),%r11
+        orq   $X86_EFLAGS_IF,%r11
+
         /* Don't use SYSRET path if the return address is not canonical. */
         movq  8(%rsp),%rcx
         sarq  $47,%rcx
         incl  %ecx
         cmpl  $1,%ecx
-        ja    .Lforce_iret
+        movq  8(%rsp),%rcx            # RIP
+        ja    iret_exit_to_guest

         cmpw  $FLAT_USER_CS32,16(%rsp)# CS
-        movq  8(%rsp),%rcx            # RIP
-        movq  24(%rsp),%r11           # RFLAGS
         movq  32(%rsp),%rsp           # RSP
         je    1f
         sysretq
 1:      sysretl

-.Lforce_iret:
-        /* Mimic SYSRET behavior. */
-        movq  8(%rsp),%rcx            # RIP
-        movq  24(%rsp),%r11           # RFLAGS
         ALIGN
 /* No special register assumptions. */
 iret_exit_to_guest:
+        andl  $~(X86_EFLAGS_IOPL|X86_EFLAGS_NT|X86_EFLAGS_VM),24(%rsp)
+        orl   $X86_EFLAGS_IF,24(%rsp)
         addq  $8,%rsp
 .Lft0:  iretq
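Review bot: the SYSRET path sanitises only the copy in `%r11` and leaves `24(%rsp)` as the guest wrote it, which is fine because `sysretq`/`sysretl` take RFLAGS from `%r11` and the frame is discarded; the IRET path re-applies the mask on `24(%rsp)` at `iret_exit_to_guest`, which also covers returns that take the `jz` before the `TRAP_syscall` handling. Moving `movq 8(%rsp),%rcx` to after the canonical check keeps the SYSRET-mimicking `%rcx`/`%r11` clobber on the non-canonical path, but a comment at `iret_exit_to_guest` noting that non-SYSCALL returns land here with the stack slot as the only RFLAGS copy would help the next reader.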

diff --git a/main/xen/xsa203-4.7.patch b/main/xen/xsa203-4.7.patch
new file mode 100644
index 0000000..e51285f
--- /dev/null
+++ b/main/xen/xsa203-4.7.patch
@@ -0,0 +1,19 @@
From: Jan Beulich <jbeulich@suse.com>
Subject: x86/HVM: add missing NULL check before using VMFUNC hook

This is XSA-203.

Signed-off-by: Jan Beulich <jbeulich@suse.com>
Reviewed-by: Andrew Cooper <andrew.cooper3@citrix.com>

--- a/xen/arch/x86/hvm/emulate.c
+++ b/xen/arch/x86/hvm/emulate.c
@@ -1643,6 +1643,8 @@ static int hvmemul_vmfunc(
 {
     int rc;

+    if ( !hvm_funcs.altp2m_vcpu_emulate_vmfunc )
+        return X86EMUL_UNHANDLEABLE;
     rc = hvm_funcs.altp2m_vcpu_emulate_vmfunc(ctxt->regs);
     if ( rc != X86EMUL_OKAY )
         hvmemul_inject_hw_exception(TRAP_invalid_op, 0, ctxt);
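Review bot: returning `X86EMUL_UNHANDLEABLE` when `hvm_funcs.altp2m_vcpu_emulate_vmfunc` is NULL takes a different path from the line just below it, which injects `#UD` whenever the hook returns anything other than `X86EMUL_OKAY`. The commit message should say why a guest executing VMFUNC on a platform without the hook should see an unhandleable emulation (which callers may turn into a domain crash) rather than the `#UD` it would get from hardware lacking the feature.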
diff --git a/main/xen/xsa204-4.7.patch b/main/xen/xsa204-4.7.patch
new file mode 100644
index 0000000..ceab7a1
--- /dev/null
+++ b/main/xen/xsa204-4.7.patch
@@ -0,0 +1,69 @@
From: Andrew Cooper <andrew.cooper3@citrix.com>
Date: Sun, 18 Dec 2016 15:42:59 +0000
Subject: [PATCH] x86/emul: Correct the handling of eflags with SYSCALL

A singlestep #DB is determined by the resulting eflags value from the
execution of SYSCALL, not the original eflags value.

By using the original eflags value, we negate the guest kernels attempt to
protect itself from a privilege escalation by masking TF.

Introduce a tf boolean and have the SYSCALL emulation recalculate it
after the instruction is complete.

This is XSA-204

Signed-off-by: Andrew Cooper <andrew.cooper3@citrix.com>
Reviewed-by: Jan Beulich <jbeulich@suse.com>
---
 xen/arch/x86/x86_emulate/x86_emulate.c | 23 ++++++++++++++++++++---
 1 file changed, 20 insertions(+), 3 deletions(-)

diff --git a/xen/arch/x86/x86_emulate/x86_emulate.c b/xen/arch/x86/x86_emulate/x86_emulate.c
index bca7045..abe442e 100644
--- a/xen/arch/x86/x86_emulate/x86_emulate.c
+++ b/xen/arch/x86/x86_emulate/x86_emulate.c
@@ -1582,6 +1582,7 @@ x86_emulate(
     union vex vex = {};
     unsigned int op_bytes, def_op_bytes, ad_bytes, def_ad_bytes;
     bool_t lock_prefix = 0;
+    bool_t tf = !!(ctxt->regs->eflags & EFLG_TF);
     int override_seg = -1, rc = X86EMUL_OKAY;
     struct operand src = { .reg = REG_POISON };
     struct operand dst = { .reg = REG_POISON };
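Review bot: `tf` snapshots `EFLG_TF` once at entry, which preserves the old start-of-instruction semantics for every instruction except the one that overrides it; a short comment on the declaration saying that SYSCALL recomputes it would help a reader who meets `tf` at `no_writeback` first.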
@@ -3910,9 +3911,8 @@ x86_emulate(
     }

  no_writeback:
-    /* Inject #DB if single-step tracing was enabled at instruction start. */
-    if ( (ctxt->regs->eflags & EFLG_TF) && (rc == X86EMUL_OKAY) &&
-         (ops->inject_hw_exception != NULL) )
+    /* Should a singlestep #DB be raised? */
+    if ( tf && (rc == X86EMUL_OKAY) && (ops->inject_hw_exception != NULL) )
         rc = ops->inject_hw_exception(EXC_DB, -1, ctxt) ? : X86EMUL_EXCEPTION;

     /* Commit shadow register state. */
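Review bot: because this check still runs before `/* Commit shadow register state. */`, an instruction that wants post-execution semantics must refresh `tf` from `_regs.eflags` (the shadow copy), not from `ctxt->regs->eflags`; that ordering dependency is invisible from the rewritten condition alone, so a comment here saying where `tf` may be updated from would help.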
@@ -4143,6 +4143,23 @@ x86_emulate(
              (rc = ops->write_segment(x86_seg_ss, &ss, ctxt)) )
             goto done;

+        /*
+         * SYSCALL (unlike most instructions) evaluates its singlestep action
+         * based on the resulting EFLG_TF, not the starting EFLG_TF.
+         *
+         * As the #DB is raised after the CPL change and before the OS can
+         * switch stack, it is a large risk for privilege escalation.
+         *
+         * 64bit kernels should mask EFLG_TF in MSR_FMASK to avoid any
+         * vulnerability.  Running the #DB handler on an IST stack is also a
+         * mitigation.
+         *
+         * 32bit kernels have no ability to mask EFLG_TF at all.  Their only
+         * mitigation is to use a task gate for handling #DB (or to not use
+         * enable EFER.SCE to start with).
+         */
+        tf = !!(_regs.eflags & EFLG_TF);
+
         break;
     }
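Review bot: the comment has a typo: `(or to not use enable EFER.SCE to start with)` should read `(or not to enable EFER.SCE to start with)`. The recomputation `tf = !!(_regs.eflags & EFLG_TF)` correctly reads the shadow register set that the SYSCALL emulation has just masked with MSR_FMASK, ahead of the commit at `no_writeback`; the comment's advice to mask `EFLG_TF` in `MSR_FMASK` is the guest-side mitigation, while this hunk makes the emulator match what hardware does regardless of whether the guest took it.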

-- 
2.8.3
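As an added illustration (not code from this patch, from Alpine or from Xen), the following stand-alone C program models the two EFLAGS decisions the XSA-202 and XSA-204 patches change: the mask-and-force applied to a PV guest's RFLAGS image before SYSRET/IRET, and the singlestep #DB rule for an emulated SYSCALL before and after the fix. The EFLAGS bit positions are the architectural ones; the MSR_FMASK values and the guest EFLAGS image are constructed for the example, and `pv_exit_eflags`, `syscall_result_eflags`, `db_after_syscall_old` and `db_after_syscall_new` are names chosen here, not Xen functions.

```c
/*
 * Added example, not part of the Alpine patch or of Xen: a model of the
 * EFLAGS handling changed by XSA-202 and XSA-204.  Bit values are the
 * architectural x86 EFLAGS positions; the MSR_FMASK and guest EFLAGS values
 * in main() are constructed for illustration.
 */
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

#define X86_EFLAGS_TF   0x00000100ull
#define X86_EFLAGS_IF   0x00000200ull
#define X86_EFLAGS_IOPL 0x00003000ull
#define X86_EFLAGS_NT   0x00004000ull
#define X86_EFLAGS_VM   0x00020000ull

/*
 * XSA-202: the RFLAGS image handed back to a PV guest (SYSRET's %r11 or the
 * IRET frame) gets IOPL/NT/VM cleared and IF forced on, so a guest that turns
 * an instruction under emulation into CLI cannot leave IF clear on exit.
 */
uint64_t pv_exit_eflags(uint64_t eflags)
{
    eflags &= ~(X86_EFLAGS_IOPL | X86_EFLAGS_NT | X86_EFLAGS_VM);
    eflags |= X86_EFLAGS_IF;
    return eflags;
}

/*
 * Architectural SYSCALL: the resulting RFLAGS is the old value with every bit
 * set in MSR_FMASK cleared (the RF clear is omitted; it does not affect TF).
 */
uint64_t syscall_result_eflags(uint64_t eflags, uint64_t fmask)
{
    return eflags & ~fmask;
}

/* Pre-XSA-204 emulator rule: #DB keyed off TF as it was at instruction start. */
bool db_after_syscall_old(uint64_t eflags_before, uint64_t fmask)
{
    (void)fmask;   /* the old code never looked at the post-SYSCALL flags */
    return (eflags_before & X86_EFLAGS_TF) != 0;
}

/* Post-XSA-204 rule: #DB keyed off TF in the RFLAGS that SYSCALL produced. */
bool db_after_syscall_new(uint64_t eflags_before, uint64_t fmask)
{
    return (syscall_result_eflags(eflags_before, fmask) & X86_EFLAGS_TF) != 0;
}

int main(void)
{
    /* Constructed guest state: user mode single-stepping into SYSCALL. */
    const uint64_t user_eflags = 0x202ull | X86_EFLAGS_TF;  /* IF|TF|reserved bit 1 */
    /* A kernel that masks TF and IF in MSR_FMASK, as the patch comment advises. */
    const uint64_t fmask_masks_tf = X86_EFLAGS_TF | X86_EFLAGS_IF;
    /* A kernel that left TF out of MSR_FMASK; hardware single-steps into CPL0 too. */
    const uint64_t fmask_no_tf = X86_EFLAGS_IF;

    printf("kernel masks TF:  old emulator #DB=%d  fixed emulator #DB=%d\n",
           (int)db_after_syscall_old(user_eflags, fmask_masks_tf),
           (int)db_after_syscall_new(user_eflags, fmask_masks_tf));
    printf("kernel keeps TF:  old emulator #DB=%d  fixed emulator #DB=%d\n",
           (int)db_after_syscall_old(user_eflags, fmask_no_tf),
           (int)db_after_syscall_new(user_eflags, fmask_no_tf));

    /* XSA-202: a frame carrying IOPL=3, NT, VM and IF clear comes back sane. */
    printf("pv exit eflags: %#llx -> %#llx\n",
           (unsigned long long)0x27046ull,
           (unsigned long long)pv_exit_eflags(0x27046ull));
    return 0;
}
```

The first printed line is the XSA-204 case: a guest kernel that masks TF in MSR_FMASK is protected on hardware, but the old emulator rule still raised #DB at CPL0 before the kernel could switch stacks; the fixed rule agrees with hardware. The second line shows that a kernel which does not mask TF gets the #DB under both rules, which is why the patch comment calls masking TF in MSR_FMASK the guest-side mitigation.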


