
[alpine-devel] [PATCH 1/2] xen: XSA-41

Roger Pau Monne <roger.pau@citrix.com>
Message ID
<1358355666-72279-1-git-send-email-roger.pau@citrix.com>
Sender timestamp
1358355665
DKIM signature
missing
Patch: +75 -1
---
 main/xen/APKBUILD    |    4 ++-
 main/xen/xsa41.patch |   72 ++++++++++++++++++++++++++++++++++++++++++++++++++
 2 files changed, 75 insertions(+), 1 deletions(-)
 create mode 100644 main/xen/xsa41.patch

diff --git a/main/xen/APKBUILD b/main/xen/APKBUILD
index 681a9d4..1aa0d1e 100644
--- a/main/xen/APKBUILD
+++ b/main/xen/APKBUILD
@@ -3,7 +3,7 @@
# Maintainer: William Pitcock <nenolod@dereferenced.org>
pkgname=xen
pkgver=4.2.1
pkgrel=2
pkgrel=3
pkgdesc="Xen hypervisor"
url="http://www.xen.org/"
arch="x86 x86_64"
@@ -19,6 +19,7 @@ source="http://bits.xensource.com/oss-xen/release/$pkgver/$pkgname-$pkgver.tar.g
	librt.patch
	qemu-xen_paths.patch
	xsa33-4.2-unstable.patch
	xsa41.patch

	xenstored.initd
	xenstored.confd
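Review bot: xsa41.patch is added to $source, but the hunk does not show the step that applies it; confirm the APKBUILD's prepare/build section applies every *.patch listed in $source rather than a hard-coded subset, otherwise this entry only adds a download and a checksum. A name carrying the Xen branch, in the style of the neighbouring xsa33-4.2-unstable.patch (e.g. xsa41-4.2.patch), would also record which variant of the advisory patch was taken.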
@@ -135,6 +136,7 @@ md5sums="0d48cbe1767b82aba12517898d4e0408  xen-4.2.1.tar.gz
2dc5ddf47c53ea168729975046c3c1f9  librt.patch
1ccde6b36a6f9542a16d998204dc9a22  qemu-xen_paths.patch
8aa341b27fac3f93a99113c72671c864  xsa33-4.2-unstable.patch
8ad8942000b8a4be4917599cad9209cf  xsa41.patch
95d8af17bf844d41a015ff32aae51ba1  xenstored.initd
b017ccdd5e1c27bbf1513e3569d4ff07  xenstored.confd
ed262f15fb880badb53575539468646c  xenconsoled.initd
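Review bot: the md5sums entry for xsa41.patch only guards against the file being corrupted between checkout and build; it says nothing about whether the file is the patch the advisory published. The embedded patch carries an upstream commit id (b0d9ffcd0251161c7c92f94804dcf599dfa3edeb), so checking the file against the signed XSA-41 advisory before recording the checksum is the step that gives this checksum its meaning.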
diff --git a/main/xen/xsa41.patch b/main/xen/xsa41.patch
new file mode 100644
index 0000000..7821839
--- /dev/null
+++ b/main/xen/xsa41.patch
@@ -0,0 +1,72 @@
From b0d9ffcd0251161c7c92f94804dcf599dfa3edeb Mon Sep 17 00:00:00 2001
From: Michael Contreras <michael@inetric.com>
Date: Sun, 2 Dec 2012 20:11:22 -0800
Subject: [PATCH] e1000: Discard packets that are too long if !SBP and !LPE

The e1000_receive function for the e1000 needs to discard packets longer than
1522 bytes if the SBP and LPE flags are disabled. The linux driver assumes
this behavior and allocates memory based on this assumption.

Signed-off-by: Michael Contreras <michael@inetric.com>
Signed-off-by: Anthony Liguori <aliguori@us.ibm.com>
---

diff --git a/tools/qemu-xen/hw/e1000.c b/tools/qemu-xen/hw/e1000.c
index cb7e7e8..5537ad2 100644
--- a/tools/qemu-xen/hw/e1000.c
+++ b/tools/qemu-xen/hw/e1000.c
@@ -59,6 +59,9 @@ static int debugflags = DBGBIT(TXERR) | DBGBIT(GENERAL);
 #define PNPMMIO_SIZE      0x20000
 #define MIN_BUF_SIZE      60 /* Min. octets in an ethernet frame sans FCS */
 
+/* this is the size past which hardware will drop packets when setting LPE=0 */
+#define MAXIMUM_ETHERNET_VLAN_SIZE 1522
+
 /*
  * HW models:
  *  E1000_DEV_ID_82540EM works with Windows and Linux
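Review bot: the comment on MAXIMUM_ETHERNET_VLAN_SIZE says hardware drops frames past this size when LPE=0, but the check that uses the constant also requires SBP to be clear; stating both conditions in the comment (LPE=0 and SBP=0) keeps the constant's documentation in step with the code that uses it.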
@@ -805,6 +808,13 @@ e1000_receive(NetClientState *nc, const uint8_t *buf, size_t size)
         size = sizeof(min_buf);
     }
 
+    /* Discard oversized packets if !LPE and !SBP. */
+    if (size > MAXIMUM_ETHERNET_VLAN_SIZE
+        && !(s->mac_reg[RCTL] & E1000_RCTL_LPE)
+        && !(s->mac_reg[RCTL] & E1000_RCTL_SBP)) {
+        return size;
+    }
+
     if (!receive_filter(s, buf, size))
         return size;
 
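Review bot: the new guard returns size before the frame reaches the descriptor ring, so an oversized frame is dropped silently with no trace in the model's debug output; since the file already has a debugflags/DBGBIT facility (visible in the hunk header), a debug message or a dropped-frame counter at this point would make the drop observable when diagnosing a guest that stops receiving large frames. Separately, the bound applies only while LPE and SBP are both clear: with LPE set, nothing in this hunk limits the frame length, so it is worth confirming against the XSA-41 advisory whether a second, LPE-sized bound is also expected as part of this fix.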
diff --git a/tools/qemu-xen-traditional/hw/e1000.c b/tools/qemu-xen-traditional/hw/e1000.c
index cb7e7e8..5537ad2 100644
--- a/tools/qemu-xen-traditional/hw/e1000.c
+++ b/tools/qemu-xen-traditional/hw/e1000.c
@@ -59,6 +59,9 @@ static int debugflags = DBGBIT(TXERR) | DBGBIT(GENERAL);
 #define PNPMMIO_SIZE      0x20000
 #define MIN_BUF_SIZE      60 /* Min. octets in an ethernet frame sans FCS */
 
+/* this is the size past which hardware will drop packets when setting LPE=0 */
+#define MAXIMUM_ETHERNET_VLAN_SIZE 1522
+
 /*
  * HW models:
  *  E1000_DEV_ID_82540EM works with Windows and Linux
@@ -805,6 +808,13 @@ e1000_receive(NetClientState *nc, const uint8_t *buf, size_t size)
         size = sizeof(min_buf);
     }
 
+    /* Discard oversized packets if !LPE and !SBP. */
+    if (size > MAXIMUM_ETHERNET_VLAN_SIZE
+        && !(s->mac_reg[RCTL] & E1000_RCTL_LPE)
+        && !(s->mac_reg[RCTL] & E1000_RCTL_SBP)) {
+        return size;
+    }
+
     if (!receive_filter(s, buf, size))
         return size;
 
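Review bot: the qemu-xen-traditional hunk is a byte-for-byte copy of the qemu-xen one, down to the index line cb7e7e8..5537ad2 and the NetClientState signature in the hunk header, yet qemu-xen-traditional is a separate, older fork and its e1000.c is unlikely to share blob ids with qemu-xen's. If the context does not match there, patch will reject the hunk and abuild will stop, so a test build settles it; if both trees really need the fix, one patch file per tree, each generated against that tree, is easier to audit than one file carrying both.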
-- 
1.7.0.4

-- 
1.7.7.5 (Apple Git-26)



---
Unsubscribe:  alpine-devel+unsubscribe@lists.alpinelinux.org
Help:         alpine-devel+help@lists.alpinelinux.org
---

[alpine-devel] [PATCH 2/2] linux-grsec: XSA-40

Roger Pau Monne <roger.pau@citrix.com>
Message ID
<1358355666-72279-2-git-send-email-roger.pau@citrix.com>
In-Reply-To
<1358355666-72279-1-git-send-email-roger.pau@citrix.com>
Sender timestamp
1358355666
DKIM signature
missing
Patch: +59 -1
---
I don't know the policy Alpine Linux follows regarding kernel patches,
if you prefer to consume them from upstream or they are allowed as
critical security fixes.
---
 main/linux-grsec/APKBUILD    |    4 ++-
 main/linux-grsec/xsa40.patch |   56 ++++++++++++++++++++++++++++++++++++++++++
 2 files changed, 59 insertions(+), 1 deletions(-)
 create mode 100644 main/linux-grsec/xsa40.patch

diff --git a/main/linux-grsec/APKBUILD b/main/linux-grsec/APKBUILD
index 6d100bd..b860ce4 100644
--- a/main/linux-grsec/APKBUILD
+++ b/main/linux-grsec/APKBUILD
@@ -4,7 +4,7 @@ _flavor=grsec
pkgname=linux-${_flavor}
pkgver=3.6.11
_kernver=3.6
pkgrel=2
pkgrel=3
pkgdesc="Linux kernel with grsecurity"
url=http://grsecurity.net
depends="mkinitfs linux-firmware"
@@ -18,6 +18,7 @@ source="http://ftp.kernel.org/pub/linux/kernel/v3.x/linux-$_kernver.tar.xz
	
	0004-arp-flush-arp-cache-on-device-change.patch
	r8169-num-rx-desc.patch
	xsa40.patch

	kernelconfig.x86
	kernelconfig.x86_64
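Review bot: as with the xen package, xsa40.patch joins $source here but nothing in the hunk shows where it is applied; confirm prepare() applies all patches in $source and in list order, so that xsa40.patch lands after grsecurity-2.9.1-3.6.11-unofficial-1.patch (listed in the checksum hunk) and its three lines of entry_32.S context are matched against the grsecurity-modified file rather than the vanilla one.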
@@ -144,5 +145,6 @@ bd4bba74093405887d521309a74c19e9  patch-3.6.11.xz
dce5c43ac3b5d8e35e245b35e90e1837  grsecurity-2.9.1-3.6.11-unofficial-1.patch
776adeeb5272093574f8836c5037dd7d  0004-arp-flush-arp-cache-on-device-change.patch
daf2cbb558588c49c138fe9ca2482b64  r8169-num-rx-desc.patch
d9de28f8a74fe0347866705b4bd6db85  xsa40.patch
373db5888708938c6b1baed6da781fcb  kernelconfig.x86
190788fb10e79abce9d570d5e87ec3b4  kernelconfig.x86_64"
diff --git a/main/linux-grsec/xsa40.patch b/main/linux-grsec/xsa40.patch
new file mode 100644
index 0000000..29db917
--- /dev/null
+++ b/main/linux-grsec/xsa40.patch
@@ -0,0 +1,56 @@
Xen: Fix stack corruption in xen_failsafe_callback for 32bit PVOPS guests.

This fixes CVE-2013-0190 / XSA-40

There has been an error on the xen_failsafe_callback path for failed
iret, which causes the stack pointer to be wrong when entering the
iret_exc error path.  This can result in the kernel crashing.

In the classic kernel case, the relevant code looked a little like:

        popl %eax      # Error code from hypervisor
        jz 5f
        addl $16,%esp
        jmp iret_exc   # Hypervisor said iret fault
5:      addl $16,%esp
                       # Hypervisor said segment selector fault

Here, there are two identical addls on either option of a branch which
appears to have been optimised by hoisting it above the jz, and
converting it to an lea, which leaves the flags register unaffected.

In the PVOPS case, the code looks like:

        popl_cfi %eax         # Error from the hypervisor
        lea 16(%esp),%esp     # Add $16 before choosing fault path
        CFI_ADJUST_CFA_OFFSET -16
        jz 5f
        addl $16,%esp         # Incorrectly adjust %esp again
        jmp iret_exc

It is possible unprivileged userspace applications to cause this
behaviour, for example by loading an LDT code selector, then changing
the code selector to be not-present.  At this point, there is a race
condition where it is possible for the hypervisor to return back to
userspace from an interrupt, fault on its own iret, and inject a
failsafe_callback into the kernel.

This bug has been present since the introduction of Xen PVOPS support
in commit 5ead97c84 (xen: Core Xen implementation), in 2.6.23.

Signed-off-by: Frediano Ziglio <frediano.ziglio@citrix.com>
Signed-off-by: Andrew Cooper <andrew.cooper3@citrix.com>

diff --git a/arch/x86/kernel/entry_32.S b/arch/x86/kernel/entry_32.S
index ff84d54..6ed91d9 100644
--- a/arch/x86/kernel/entry_32.S
+++ b/arch/x86/kernel/entry_32.S
@@ -1065,7 +1065,6 @@ ENTRY(xen_failsafe_callback)
 	lea 16(%esp),%esp
 	CFI_ADJUST_CFA_OFFSET -16
 	jz 5f
-	addl $16,%esp
 	jmp iret_exc
 5:	pushl_cfi $-1 /* orig_ax = -1 => not a system call */
 	SAVE_ALL

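Review bot: dropping the addl $16,%esp matches the analysis in the commit message: the preceding lea 16(%esp),%esp already performs the adjustment and carries the CFI_ADJUST_CFA_OFFSET -16, while the removed addl had no CFI annotation, so after this change the unwinder's view of the stack on the jmp iret_exc path agrees with the real %esp as well. Given the hunk has only three lines of context and the kernel is built with the grsecurity patch applied first, a boot test of the resulting kernel as a 32-bit PV guest is the check that confirms the hunk landed in the right place.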
-- 
1.7.7.5 (Apple Git-26)




Re: [alpine-devel] [PATCH 2/2] linux-grsec: XSA-40

Natanael Copa <ncopa@alpinelinux.org>
Message ID
<20130117170814.57147f3a@ncopa-desktop.alpinelinux.org>
In-Reply-To
<1358355666-72279-2-git-send-email-roger.pau@citrix.com>
Sender timestamp
1358438894
DKIM signature
missing
On Wed, 16 Jan 2013 18:01:06 +0100
Roger Pau Monne <roger.pau@citrix.com> wrote:

> ---
> I don't know the policy Alpine Linux follows regarding kernel patches,
> if you prefer to consume them from upstream or they are allowed as
> critical security fixes.

We prefer to follow upstream but we do allow critical security patches.

I applied them. Thanks!

-nc

