~alpine/aports

This thread contains a patchset. You're looking at the original emails, but you may wish to use the patch review UI. Review patch

[alpine-aports] [PATCH v3.3] main/xen: security fixes #6572

Sergey Lukin <sergej.lukin@gmail.com>
Details
Message ID
<1482832919-4267-1-git-send-email-sergej.lukin@gmail.com>
Sender timestamp
1482832919
DKIM signature
missing
Download raw message
7 years ago
Patch: +179 -1 
CVE-2016-10024, XSA-202: x86 PV guests may be able to mask interrupts
http://xenbits.xen.org/xsa/advisory-202.html

CVE-2016-10025, XSA-203: x86: missing NULL pointer check in VMFUNC emulation
http://xenbits.xen.org/xsa/advisory-203.html

CVE-2016-10013, XSA-204: x86: Mishandling of SYSCALL singlestep during emulation
http://xenbits.xen.org/xsa/advisory-204.html
---
 main/xen/APKBUILD         | 19 +++++++++++-
 main/xen/xsa202-4.6.patch | 73 +++++++++++++++++++++++++++++++++++++++++++++++
 main/xen/xsa203-4.7.patch | 19 ++++++++++++
 main/xen/xsa204-4.7.patch | 69 ++++++++++++++++++++++++++++++++++++++++++++
 4 files changed, 179 insertions(+), 1 deletion(-)
 create mode 100644 main/xen/xsa202-4.6.patch
 create mode 100644 main/xen/xsa203-4.7.patch
 create mode 100644 main/xen/xsa204-4.7.patch

diff --git a/main/xen/APKBUILD b/main/xen/APKBUILD
index 6cf681e..dfeec64 100644
--- a/main/xen/APKBUILD
+++ b/main/xen/APKBUILD
@@ -1,9 +1,10 @@
# Contributor: Sergei Lukin <sergej.lukin@gmail.com>
# Contributor: William Pitcock <nenolod@dereferenced.org>
# Contributor: Roger Pau Monne <roger.pau@entel.upc.edu>
# Maintainer: William Pitcock <nenolod@dereferenced.org>
pkgname=xen
pkgver=4.6.3
pkgrel=4
pkgrel=5
pkgdesc="Xen hypervisor"
url="http://www.xen.org/"
arch="x86_64"
@@ -24,6 +25,10 @@ subpackages="$pkgname-doc $pkgname-dev $pkgname-libs $pkgname-hypervisor"
#     - CVE-2016-9816 XSA-201
#     - CVE-2016-9817 XSA-201
#     - CVE-2016-9818 XSA-201
#   4.6.3-r5:
#     - CVE-2016-10024 XSA-202
#     - CVE-2016-10025 XSA-203
#     - CVE-2016-10013 XSA-204

# grep _VERSION= stubdom/configure
_ZLIB_VERSION="1.2.3"
@@ -74,6 +79,9 @@ source="http://bits.xensource.com/oss-xen/release/$pkgver/$pkgname-$pkgver.tar.g
	xsa201-2.patch
	xsa201-3-4.7.patch
	xsa201-4.patch
	xsa202-4.6.patch
	xsa203-4.7.patch
	xsa204-4.7.patch

	qemu-coroutine-gthread.patch
	qemu-xen_paths.patch
@@ -306,6 +314,9 @@ add3ad7828d582fc272073e906ce17a1  xsa200-4.6.patch
76394482eaf0caeb3e0611ba70e8923c  xsa201-2.patch
136b9ad8b2bcc57d5a7ed3bf13bebe3c  xsa201-3-4.7.patch
9cb1516d783fc9c765e9a37574bb3cbd  xsa201-4.patch
a5a39c6354c952095e1d78a582385933  xsa202-4.6.patch
da401ec1a25668a2dabc666f6687409b  xsa203-4.7.patch
dc4ad05682ce371e1755817b22229601  xsa204-4.7.patch
de1a3db370b87cfb0bddb51796b50315  qemu-coroutine-gthread.patch
08bfdf8caff5d631f53660bf3fd4edaf  qemu-xen_paths.patch
e449bb3359b490804ffc7b0ae08d62a0  hotplug-vif-vtrill.patch
@@ -361,6 +372,9 @@ d3af265879196c05b3fdd2cdeb5e95446f454dd3c1151452fe4f3389eccc39e4  xsa197-qemut-C
0ba570ed7df172475bc745e02b89670608251634895e5279edcf534619d6d81b  xsa201-2.patch
a9cf56564d020675c0f2f1ea15009a712f172be3d53ea8ddf2f48adaac392e76  xsa201-3-4.7.patch
388d548cd4e30883ae100863d33e792869e7dbd86054299a91b64db6d6599919  xsa201-4.patch
e007187639f5392a9256979504d50eff0ae38309a61524ea42c4150fab38b6f4  xsa202-4.6.patch
7cc04278778fe885e4c3ae3f846d099075a38bccfafe6dff018ba525499b4e46  xsa203-4.7.patch
d0359f26e9be783672896200e14d85a3111c29d7da580313b593fca04688fef2  xsa204-4.7.patch
3941f99b49c7e8dafc9fae8aad2136a14c6d84533cd542cc5f1040a41ef7c6fe  qemu-coroutine-gthread.patch
e4e5e838e259a3116978aabbcebc1865a895179a7fcbf4bad195c83e9b4c0f98  qemu-xen_paths.patch
dd1e784bc455eb62cb85b3fa24bfc34f575ceaab9597ef6a2f1ee7ff7b3cae0a  hotplug-vif-vtrill.patch
@@ -416,6 +430,9 @@ b61429fbf4d1677a8dab2710ab21335f18b3f998f2e5e19e45a4727f71b9671b3d1bd709bef3594c
afed1ed3c5b4dd3a1d2c1c0fe824cdeb58efdc40fdaf5ce439deb2feef63141168114ea362fc5c683eb0494bb6bd3c76773b099495af21550ae3a1e5cb4e924d  xsa201-2.patch
ad0f4217ef8218dac6997385690981e7a88d05b735e04779f582ad4a0307d8e7804c015971403133fe1d3334c628da784c696161768b275ed3ab64d6140293dc  xsa201-3-4.7.patch
1761ca422fe9e3caee3442b43b84da49721a01ed8417f653c568695b08718c40be1493cc7a0a6145c7ce195c7fb0c753b190fe2f1782d5242e1e304c18005610  xsa201-4.patch
dee7a595324ea5de3754c9aad2422fc2021bcb53999e344dbe6e4edfd4772a5ed20e8ebfb40750b81287a2a022037d49cbe4f0f7ba481ae0ac79a4249ef630bf  xsa202-4.6.patch
b86ef48db23dacb51fbbdd55041bf08fac8aa0db76a272bb2f9d9be7195cd9a359a30fbbb61e040c66f23358f12ae102a92a30296fb18e4feb1023b58ffad4ff  xsa203-4.7.patch
a2a091cd51ed54f5b5ba4131efc1c9cc0a69a647cea46415f73c29e5764efb00025e2e65bd5d24cf26f903263fce150b2b1c52ca5d61fd81dea7efe16abf57be  xsa204-4.7.patch
c3c46f232f0bd9f767b232af7e8ce910a6166b126bd5427bb8dc325aeb2c634b956de3fc225cab5af72649070c8205cc8e1cab7689fc266c204f525086f1a562  qemu-coroutine-gthread.patch
1936ab39a1867957fa640eb81c4070214ca4856a2743ba7e49c0cd017917071a9680d015f002c57fa7b9600dbadd29dcea5887f50e6c133305df2669a7a933f3  qemu-xen_paths.patch
f095ea373f36381491ad36f0662fb4f53665031973721256b23166e596318581da7cbb0146d0beb2446729adfdb321e01468e377793f6563a67d68b8b0f7ffe3  hotplug-vif-vtrill.patch
diff --git a/main/xen/xsa202-4.6.patch b/main/xen/xsa202-4.6.patch
new file mode 100644
index 0000000..0c7fff0
--- /dev/null
+++ b/main/xen/xsa202-4.6.patch
@@ -0,0 +1,73 @@
From: Jan Beulich <jbeulich@suse.com>
Subject: x86: force EFLAGS.IF on when exiting to PV guests

Guest kernels modifying instructions in the process of being emulated
for another of their vCPU-s may effect EFLAGS.IF to be cleared upon
next exiting to guest context, by converting the being emulated
instruction to CLI (at the right point in time). Prevent any such bad
effects by always forcing EFLAGS.IF on. And to cover hypothetical other
similar issues, also force EFLAGS.{IOPL,NT,VM} to zero.

This is XSA-202.

Signed-off-by: Jan Beulich <jbeulich@suse.com>

--- a/xen/arch/x86/x86_64/compat/entry.S
+++ b/xen/arch/x86/x86_64/compat/entry.S
@@ -174,6 +174,8 @@ compat_bad_hypercall:
 /* %rbx: struct vcpu, interrupts disabled */
 ENTRY(compat_restore_all_guest)
         ASSERT_INTERRUPTS_DISABLED
+        mov   $~(X86_EFLAGS_IOPL|X86_EFLAGS_NT|X86_EFLAGS_VM),%r11d
+        and   UREGS_eflags(%rsp),%r11d
 .Lcr4_orig:
         .skip .Lcr4_alt_end - .Lcr4_alt, 0x90
 .Lcr4_orig_end:
@@ -209,6 +211,8 @@ ENTRY(compat_restore_all_guest)
                              (.Lcr4_orig_end - .Lcr4_orig), \
                              (.Lcr4_alt_end - .Lcr4_alt)
         .popsection
+        or    $X86_EFLAGS_IF,%r11
+        mov   %r11d,UREGS_eflags(%rsp)
         RESTORE_ALL adj=8 compat=1
 .Lft0:  iretq
 
--- a/xen/arch/x86/x86_64/entry.S
+++ b/xen/arch/x86/x86_64/entry.S
@@ -40,28 +40,29 @@ restore_all_guest:
         testw $TRAP_syscall,4(%rsp)
         jz    iret_exit_to_guest
 
+        movq  24(%rsp),%r11           # RFLAGS
+        andq  $~(X86_EFLAGS_IOPL|X86_EFLAGS_NT|X86_EFLAGS_VM),%r11
+        orq   $X86_EFLAGS_IF,%r11
+
         /* Don't use SYSRET path if the return address is not canonical. */
         movq  8(%rsp),%rcx
         sarq  $47,%rcx
         incl  %ecx
         cmpl  $1,%ecx
-        ja    .Lforce_iret
+        movq  8(%rsp),%rcx            # RIP
+        ja    iret_exit_to_guest
 
         cmpw  $FLAT_USER_CS32,16(%rsp)# CS
-        movq  8(%rsp),%rcx            # RIP
-        movq  24(%rsp),%r11           # RFLAGS
         movq  32(%rsp),%rsp           # RSP
         je    1f
         sysretq
 1:      sysretl
 
-.Lforce_iret:
-        /* Mimic SYSRET behavior. */
-        movq  8(%rsp),%rcx            # RIP
-        movq  24(%rsp),%r11           # RFLAGS
         ALIGN
 /* No special register assumptions. */
 iret_exit_to_guest:
+        andl  $~(X86_EFLAGS_IOPL|X86_EFLAGS_NT|X86_EFLAGS_VM),24(%rsp)
+        orl   $X86_EFLAGS_IF,24(%rsp)
         addq  $8,%rsp
 .Lft0:  iretq
 
diff --git a/main/xen/xsa203-4.7.patch b/main/xen/xsa203-4.7.patch
new file mode 100644
index 0000000..d623d84
--- /dev/null
+++ b/main/xen/xsa203-4.7.patch
@@ -0,0 +1,19 @@
From: Jan Beulich <jbeulich@suse.com>
Subject: x86/HVM: add missing NULL check before using VMFUNC hook

This is XSA-203.

Signed-off-by: Jan Beulich <jbeulich@suse.com>
Reviewed-by: Andrew Cooper <andrew.cooper3@citrix.com>

--- a/xen/arch/x86/hvm/emulate.c
+++ b/xen/arch/x86/hvm/emulate.c
@@ -1643,6 +1643,8 @@ static int hvmemul_vmfunc(
 {
     int rc;
 
+    if ( !hvm_funcs.altp2m_vcpu_emulate_vmfunc )
+        return X86EMUL_UNHANDLEABLE;
     rc = hvm_funcs.altp2m_vcpu_emulate_vmfunc(ctxt->regs);
     if ( rc != X86EMUL_OKAY )
         hvmemul_inject_hw_exception(TRAP_invalid_op, 0, ctxt);
diff --git a/main/xen/xsa204-4.7.patch b/main/xen/xsa204-4.7.patch
new file mode 100644
index 0000000..ea41789
--- /dev/null
+++ b/main/xen/xsa204-4.7.patch
@@ -0,0 +1,69 @@
From: Andrew Cooper <andrew.cooper3@citrix.com>
Date: Sun, 18 Dec 2016 15:42:59 +0000
Subject: [PATCH] x86/emul: Correct the handling of eflags with SYSCALL

A singlestep #DB is determined by the resulting eflags value from the
execution of SYSCALL, not the original eflags value.

By using the original eflags value, we negate the guest kernels attempt to
protect itself from a privilege escalation by masking TF.

Introduce a tf boolean and have the SYSCALL emulation recalculate it
after the instruction is complete.

This is XSA-204

Signed-off-by: Andrew Cooper <andrew.cooper3@citrix.com>
Reviewed-by: Jan Beulich <jbeulich@suse.com>
---
 xen/arch/x86/x86_emulate/x86_emulate.c | 23 ++++++++++++++++++++---
 1 file changed, 20 insertions(+), 3 deletions(-)

diff --git a/xen/arch/x86/x86_emulate/x86_emulate.c b/xen/arch/x86/x86_emulate/x86_emulate.c
index bca7045..abe442e 100644
--- a/xen/arch/x86/x86_emulate/x86_emulate.c
+++ b/xen/arch/x86/x86_emulate/x86_emulate.c
@@ -1582,6 +1582,7 @@ x86_emulate(
     union vex vex = {};
     unsigned int op_bytes, def_op_bytes, ad_bytes, def_ad_bytes;
     bool_t lock_prefix = 0;
+    bool_t tf = !!(ctxt->regs->eflags & EFLG_TF);
     int override_seg = -1, rc = X86EMUL_OKAY;
     struct operand src = { .reg = REG_POISON };
     struct operand dst = { .reg = REG_POISON };
@@ -3910,9 +3911,8 @@ x86_emulate(
     }
 
  no_writeback:
-    /* Inject #DB if single-step tracing was enabled at instruction start. */
-    if ( (ctxt->regs->eflags & EFLG_TF) && (rc == X86EMUL_OKAY) &&
-         (ops->inject_hw_exception != NULL) )
+    /* Should a singlestep #DB be raised? */
+    if ( tf && (rc == X86EMUL_OKAY) && (ops->inject_hw_exception != NULL) )
         rc = ops->inject_hw_exception(EXC_DB, -1, ctxt) ? : X86EMUL_EXCEPTION;
 
     /* Commit shadow register state. */
@@ -4143,6 +4143,23 @@ x86_emulate(
              (rc = ops->write_segment(x86_seg_ss, &ss, ctxt)) )
             goto done;
 
+        /*
+         * SYSCALL (unlike most instructions) evaluates its singlestep action
+         * based on the resulting EFLG_TF, not the starting EFLG_TF.
+         *
+         * As the #DB is raised after the CPL change and before the OS can
+         * switch stack, it is a large risk for privilege escalation.
+         *
+         * 64bit kernels should mask EFLG_TF in MSR_FMASK to avoid any
+         * vulnerability.  Running the #DB handler on an IST stack is also a
+         * mitigation.
+         *
+         * 32bit kernels have no ability to mask EFLG_TF at all.  Their only
+         * mitigation is to use a task gate for handling #DB (or to not use
+         * enable EFER.SCE to start with).
+         */
+        tf = !!(_regs.eflags & EFLG_TF);
+
         break;
     }
 
-- 
2.6.6



---
Unsubscribe:  alpine-aports+unsubscribe@lists.alpinelinux.org
Help:         alpine-aports+help@lists.alpinelinux.org
---
Reply to thread Export thread (mbox)