X-Original-To: alpine-devel@lists.alpinelinux.org
Delivered-To: alpine-devel@mail.alpinelinux.org
Received: from SMTP.EU.CITRIX.COM (smtp.eu.citrix.com [46.33.159.39])
	(using TLSv1 with cipher RC4-SHA (128/128 bits))
	(No client certificate requested)
	by mail.alpinelinux.org (Postfix) with ESMTPS id 763AADC0227
	for <alpine-devel@lists.alpinelinux.org>; Wed, 16 Jan 2013 17:02:51 +0000 (UTC)
X-IronPort-AV: E=Sophos;i="4.84,480,1355097600"; 
   d="scan'208";a="699275"
Received: from lonpmailmx01.citrite.net ([10.30.203.162])
  by LONPIPO01.EU.CITRIX.COM with ESMTP/TLS/RC4-MD5; 16 Jan 2013 17:02:47 +0000
Received: from localhost.localdomain (10.30.249.242) by
 LONPMAILMX01.citrite.net (10.30.203.162) with Microsoft SMTP Server id
 8.3.279.5; Wed, 16 Jan 2013 17:02:47 +0000
From: Roger Pau Monne <roger.pau@citrix.com>
To: <alpine-devel@lists.alpinelinux.org>
CC: Roger Pau Monne <roger.pau@citrix.com>
Subject: [alpine-devel] [PATCH 2/2] linux-grsec: XSA-40
Date: Wed, 16 Jan 2013 18:01:06 +0100
Message-ID: <1358355666-72279-2-git-send-email-roger.pau@citrix.com>
X-Mailer: git-send-email 1.7.7.5 (Apple Git-26)
In-Reply-To: <1358355666-72279-1-git-send-email-roger.pau@citrix.com>
References: <1358355666-72279-1-git-send-email-roger.pau@citrix.com>
X-Mailinglist: alpine-devel
Precedence: list
List-Id: Alpine Development <alpine-devel.lists.alpinelinux.org>
List-Unsubscribe: 
	<mailto:alpine-devel+unsubscribe@lists.alpinelinux.org?subject=unsubscribe>
List-Post: <mailto:alpine-devel@lists.alpinelinux.org>
List-Help: <mailto:alpine-devel+help@lists.alpinelinux.org?subject=help>
List-Subscribe: 
	<mailto:alpine-devel+subscribe@lists.alpinelinux.org?subject=subscribe>
MIME-Version: 1.0
Content-Type: text/plain

---
I don't know the policy Alpine Linux follows regarding kernel patches,
if you prefer to consume them from upstream or they are allowed as
critical security fixes.
---
 main/linux-grsec/APKBUILD    |    4 ++-
 main/linux-grsec/xsa40.patch |   56 ++++++++++++++++++++++++++++++++++++++++++
 2 files changed, 59 insertions(+), 1 deletions(-)
 create mode 100644 main/linux-grsec/xsa40.patch

diff --git a/main/linux-grsec/APKBUILD b/main/linux-grsec/APKBUILD
index 6d100bd..b860ce4 100644
--- a/main/linux-grsec/APKBUILD
+++ b/main/linux-grsec/APKBUILD
@@ -4,7 +4,7 @@ _flavor=grsec
 pkgname=linux-${_flavor}
 pkgver=3.6.11
 _kernver=3.6
-pkgrel=2
+pkgrel=3
 pkgdesc="Linux kernel with grsecurity"
 url=http://grsecurity.net
 depends="mkinitfs linux-firmware"
@@ -18,6 +18,7 @@ source="http://ftp.kernel.org/pub/linux/kernel/v3.x/linux-$_kernver.tar.xz
 	
 	0004-arp-flush-arp-cache-on-device-change.patch
 	r8169-num-rx-desc.patch
+	xsa40.patch
 
 	kernelconfig.x86
 	kernelconfig.x86_64
@@ -144,5 +145,6 @@ bd4bba74093405887d521309a74c19e9  patch-3.6.11.xz
 dce5c43ac3b5d8e35e245b35e90e1837  grsecurity-2.9.1-3.6.11-unofficial-1.patch
 776adeeb5272093574f8836c5037dd7d  0004-arp-flush-arp-cache-on-device-change.patch
 daf2cbb558588c49c138fe9ca2482b64  r8169-num-rx-desc.patch
+d9de28f8a74fe0347866705b4bd6db85  xsa40.patch
 373db5888708938c6b1baed6da781fcb  kernelconfig.x86
 190788fb10e79abce9d570d5e87ec3b4  kernelconfig.x86_64"
diff --git a/main/linux-grsec/xsa40.patch b/main/linux-grsec/xsa40.patch
new file mode 100644
index 0000000..29db917
--- /dev/null
+++ b/main/linux-grsec/xsa40.patch
@@ -0,0 +1,56 @@
+Xen: Fix stack corruption in xen_failsafe_callback for 32bit PVOPS guests.
+
+This fixes CVE-2013-0190 / XSA-40
+
+There has been an error on the xen_failsafe_callback path for failed
+iret, which causes the stack pointer to be wrong when entering the
+iret_exc error path.  This can result in the kernel crashing.
+
+In the classic kernel case, the relevant code looked a little like:
+
+        popl %eax      # Error code from hypervisor
+        jz 5f
+        addl $16,%esp
+        jmp iret_exc   # Hypervisor said iret fault
+5:      addl $16,%esp
+                       # Hypervisor said segment selector fault
+
+Here, there are two identical addls on either option of a branch which
+appears to have been optimised by hoisting it above the jz, and
+converting it to an lea, which leaves the flags register unaffected.
+
+In the PVOPS case, the code looks like:
+
+        popl_cfi %eax         # Error from the hypervisor
+        lea 16(%esp),%esp     # Add $16 before choosing fault path
+        CFI_ADJUST_CFA_OFFSET -16
+        jz 5f
+        addl $16,%esp         # Incorrectly adjust %esp again
+        jmp iret_exc
+
+It is possible unprivileged userspace applications to cause this
+behaviour, for example by loading an LDT code selector, then changing
+the code selector to be not-present.  At this point, there is a race
+condition where it is possible for the hypervisor to return back to
+userspace from an interrupt, fault on its own iret, and inject a
+failsafe_callback into the kernel.
+
+This bug has been present since the introduction of Xen PVOPS support
+in commit 5ead97c84 (xen: Core Xen implementation), in 2.6.23.
+
+Signed-off-by: Frediano Ziglio <frediano.ziglio@citrix.com>
+Signed-off-by: Andrew Cooper <andrew.cooper3@citrix.com>
+
+diff --git a/arch/x86/kernel/entry_32.S b/arch/x86/kernel/entry_32.S
+index ff84d54..6ed91d9 100644
+--- a/arch/x86/kernel/entry_32.S
++++ b/arch/x86/kernel/entry_32.S
+@@ -1065,7 +1065,6 @@ ENTRY(xen_failsafe_callback)
+ 	lea 16(%esp),%esp
+ 	CFI_ADJUST_CFA_OFFSET -16
+ 	jz 5f
+-	addl $16,%esp
+ 	jmp iret_exc
+ 5:	pushl_cfi $-1 /* orig_ax = -1 => not a system call */
+ 	SAVE_ALL
+
-- 
1.7.7.5 (Apple Git-26)



---
Unsubscribe:  alpine-devel+unsubscribe@lists.alpinelinux.org
Help:         alpine-devel+help@lists.alpinelinux.org
---