---
main/linux-grsec/APKBUILD | 4 ++-main/linux-grsec/xsa40.patch | 56 ++++++++++++++++++++++++++++++++++++++++++
2 files changed, 59 insertions(+), 1 deletions(-)
create mode 100644 main/linux-grsec/xsa40.patch
diff --git a/main/linux-grsec/APKBUILD b/main/linux-grsec/APKBUILD
index 68db9fb..f796f5f 100644
--- a/main/linux-grsec/APKBUILD+++ b/main/linux-grsec/APKBUILD
@@ -4,7 +4,7 @@ _flavor=grsec
pkgname=linux-${_flavor}
pkgver=3.4.24
_kernver=3.4
-pkgrel=2+pkgrel=3pkgdesc="Linux kernel with grsecurity"
url=http://grsecurity.net
depends="mkinitfs linux-firmware"
@@ -22,6 +22,7 @@ source="http://ftp.kernel.org/pub/linux/kernel/v3.x/linux-$_kernver.tar.xz
0001-r8169-avoid-NAPI-scheduling-delay.patch
r8169-num-rx-desc.patch
+ xsa40.patch kernelconfig.x86
kernelconfig.x86_64
@@ -151,5 +152,6 @@ cb6fcd6e966e73c87a839c4c0183f81f 0001-Revert-ipv4-Don-t-use-the-cached-pmtu-inf
d2f7ba780ff7567c21381428264d7fdd intel_idle.patch
8e5611c6bf3dfb0008d4e58051a8b0ff 0001-r8169-avoid-NAPI-scheduling-delay.patch
daf2cbb558588c49c138fe9ca2482b64 r8169-num-rx-desc.patch
+d9de28f8a74fe0347866705b4bd6db85 xsa40.patch50a13359236dbd676fa355f0b4fd27ff kernelconfig.x86
c402f52babc729d1280c1677075aa0d7 kernelconfig.x86_64"
diff --git a/main/linux-grsec/xsa40.patch b/main/linux-grsec/xsa40.patch
new file mode 100644
index 0000000..29db917
--- /dev/null+++ b/main/linux-grsec/xsa40.patch
@@ -0,0 +1,56 @@
+Xen: Fix stack corruption in xen_failsafe_callback for 32bit PVOPS guests.++This fixes CVE-2013-0190 / XSA-40++There has been an error on the xen_failsafe_callback path for failed+iret, which causes the stack pointer to be wrong when entering the+iret_exc error path. This can result in the kernel crashing.++In the classic kernel case, the relevant code looked a little like:++ popl %eax # Error code from hypervisor+ jz 5f+ addl $16,%esp+ jmp iret_exc # Hypervisor said iret fault+5: addl $16,%esp+ # Hypervisor said segment selector fault++Here, there are two identical addls on either option of a branch which+appears to have been optimised by hoisting it above the jz, and+converting it to an lea, which leaves the flags register unaffected.++In the PVOPS case, the code looks like:++ popl_cfi %eax # Error from the hypervisor+ lea 16(%esp),%esp # Add $16 before choosing fault path+ CFI_ADJUST_CFA_OFFSET -16+ jz 5f+ addl $16,%esp # Incorrectly adjust %esp again+ jmp iret_exc++It is possible unprivileged userspace applications to cause this+behaviour, for example by loading an LDT code selector, then changing+the code selector to be not-present. At this point, there is a race+condition where it is possible for the hypervisor to return back to+userspace from an interrupt, fault on its own iret, and inject a+failsafe_callback into the kernel.++This bug has been present since the introduction of Xen PVOPS support+in commit 5ead97c84 (xen: Core Xen implementation), in 2.6.23.++Signed-off-by: Frediano Ziglio <frediano.ziglio@citrix.com>+Signed-off-by: Andrew Cooper <andrew.cooper3@citrix.com>++diff --git a/arch/x86/kernel/entry_32.S b/arch/x86/kernel/entry_32.S+index ff84d54..6ed91d9 100644+--- a/arch/x86/kernel/entry_32.S++++ b/arch/x86/kernel/entry_32.S+@@ -1065,7 +1065,6 @@ ENTRY(xen_failsafe_callback)+ lea 16(%esp),%esp+ CFI_ADJUST_CFA_OFFSET -16+ jz 5f+- addl $16,%esp+ jmp iret_exc+ 5: pushl_cfi $-1 /* orig_ax = -1 => not a system call */+ SAVE_ALL+
--
1.7.7.5 (Apple Git-26)
---
Unsubscribe: alpine-devel+unsubscribe@lists.alpinelinux.org
Help: alpine-devel+help@lists.alpinelinux.org
---