
[alpine-devel] [PATCH 0/2] XSA-40 and XSA-42 patches for 2.4 stable

Roger Pau Monne
Message ID
<1358357408-73850-1-git-send-email-roger.pau@citrix.com>
Sender timestamp
1358357406
DKIM signature
missing
To be applied against the 2.4 stable branch.



[alpine-devel] [PATCH 1/2] xen: XSA-41

Roger Pau Monne
Message ID
<1358357408-73850-2-git-send-email-roger.pau@citrix.com>
In-Reply-To
<1358357408-73850-1-git-send-email-roger.pau@citrix.com> (view parent)
Sender timestamp
1358357407
DKIM signature
missing
Patch: +46 -1
---
 main/xen/APKBUILD    |    4 +++-
 main/xen/xsa41.patch |   43 +++++++++++++++++++++++++++++++++++++++++++
 2 files changed, 46 insertions(+), 1 deletions(-)
 create mode 100644 main/xen/xsa41.patch

diff --git a/main/xen/APKBUILD b/main/xen/APKBUILD
index 3903347..dbeee60 100644
--- a/main/xen/APKBUILD
+++ b/main/xen/APKBUILD
@@ -3,7 +3,7 @@
 # Maintainer: William Pitcock <nenolod@dereferenced.org>
 pkgname=xen
 pkgver=4.1.4
-pkgrel=1
+pkgrel=2
 pkgdesc="Xen hypervisor"
 url="http://www.xen.org/"
 arch="x86 x86_64"
@@ -23,6 +23,7 @@ source="http://bits.xensource.com/oss-xen/release/$pkgver/$pkgname-$pkgver.tar.g
 	librt.patch
 	busybox-sed.patch
 	xsa33-4.1.patch
+	xsa41.patch
 
 	xenstored.initd
 	xenstored.confd
@@ -123,6 +124,7 @@ b973dc1ffcc6872e222b36f3b7b4836b  fix_bswap_blktap2.patch
 fa06495a175571f4aa3b6cb88937953e  librt.patch
 1bea3543ddc712330527b62fd9ff6520  busybox-sed.patch
 25ba4efc5eee29daa12855fbadce84f8  xsa33-4.1.patch
+ce56f00762139cd611dfc3332b7571cf  xsa41.patch
 6e5739dad7e2bd1b625e55ddc6c782b7  xenstored.initd
 b017ccdd5e1c27bbf1513e3569d4ff07  xenstored.confd
 ed262f15fb880badb53575539468646c  xenconsoled.initd
diff --git a/main/xen/xsa41.patch b/main/xen/xsa41.patch
new file mode 100644
index 0000000..2c5b542
--- /dev/null
+++ b/main/xen/xsa41.patch
@@ -0,0 +1,43 @@
+From b0d9ffcd0251161c7c92f94804dcf599dfa3edeb Mon Sep 17 00:00:00 2001
+From: Michael Contreras <michael@inetric.com>
+Date: Sun, 2 Dec 2012 20:11:22 -0800
+Subject: [PATCH] e1000: Discard packets that are too long if !SBP and !LPE
+
+The e1000_receive function for the e1000 needs to discard packets longer than
+1522 bytes if the SBP and LPE flags are disabled. The linux driver assumes
+this behavior and allocates memory based on this assumption.
+
+Signed-off-by: Michael Contreras <michael@inetric.com>
+Signed-off-by: Anthony Liguori <aliguori@us.ibm.com>
+---
+diff --git a/tools/ioemu-qemu-xen/hw/e1000.c b/tools/ioemu-qemu-xen/hw/e1000.c
+index cb7e7e8..5537ad2 100644
+--- a/tools/ioemu-qemu-xen/hw/e1000.c
+@@ -59,6 +59,9 @@ static int debugflags = DBGBIT(TXERR) | DBGBIT(GENERAL);
+ #define PNPMMIO_SIZE      0x20000
+ #define MIN_BUF_SIZE      60 /* Min. octets in an ethernet frame sans FCS */
+ 
++/* this is the size past which hardware will drop packets when setting LPE=0 */
++#define MAXIMUM_ETHERNET_VLAN_SIZE 1522
++
+ /*
+  * HW models:
+  *  E1000_DEV_ID_82540EM works with Windows and Linux
+@@ -805,6 +808,13 @@ e1000_receive(NetClientState *nc, const uint8_t *buf, size_t size)
+         size = sizeof(min_buf);
+     }
+ 
++    /* Discard oversized packets if !LPE and !SBP. */
++    if (size > MAXIMUM_ETHERNET_VLAN_SIZE
++        && !(s->mac_reg[RCTL] & E1000_RCTL_LPE)
++        && !(s->mac_reg[RCTL] & E1000_RCTL_SBP)) {
++        return size;
++    }
++
+     if (!receive_filter(s, buf, size))
+         return size;
+ 
+-- 
+1.7.0.4
+
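Review bot: The new guard `if (size > MAXIMUM_ETHERNET_VLAN_SIZE && !(s->mac_reg[RCTL] & E1000_RCTL_LPE) && !(s->mac_reg[RCTL] & E1000_RCTL_SBP))` bounds the frame only while the guest leaves LPE and SBP clear, so a guest that sets E1000_RCTL_LPE makes the length check disappear entirely and an arbitrarily long frame still continues into the rest of e1000_receive. Upstream QEMU later tightened this to a two-tier limit (the 1522-byte limit without LPE, a separate larger ceiling when LPE is set); it is worth checking whether that follow-up should ride along in xsa41.patch for the 2.4 branch, since it closes the same class of bug XSA-41 addresses. Separately, the embedded patch shows 42 lines against a `@@ -0,0 +1,43 @@` header and has no `+++ b/tools/ioemu-qemu-xen/hw/e1000.c` line after `--- a/tools/ioemu-qemu-xen/hw/e1000.c`, presumably the list renderer dropping a line beginning with `++++`; confirm the committed file is complete and that ce56f00762139cd611dfc3332b7571cf is the checksum of that complete file. The cover letter subject names XSA-42 while this patch is XSA-41, which is worth correcting for anyone tracking advisories by number. e1000_receive continues outside the hunk.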
-- 
1.7.7.5 (Apple Git-26)




[alpine-devel] [PATCH 2/2] linux-grsec: XSA-40

Roger Pau Monne
Message ID
<1358357408-73850-3-git-send-email-roger.pau@citrix.com>
In-Reply-To
<1358357408-73850-1-git-send-email-roger.pau@citrix.com> (view parent)
Sender timestamp
1358357408
DKIM signature
missing
Patch: +59 -1
---
 main/linux-grsec/APKBUILD    |    4 ++-
 main/linux-grsec/xsa40.patch |   56 ++++++++++++++++++++++++++++++++++++++++++
 2 files changed, 59 insertions(+), 1 deletions(-)
 create mode 100644 main/linux-grsec/xsa40.patch

diff --git a/main/linux-grsec/APKBUILD b/main/linux-grsec/APKBUILD
index 68db9fb..f796f5f 100644
--- a/main/linux-grsec/APKBUILD
+++ b/main/linux-grsec/APKBUILD
@@ -4,7 +4,7 @@ _flavor=grsec
 pkgname=linux-${_flavor}
 pkgver=3.4.24
 _kernver=3.4
-pkgrel=2
+pkgrel=3
 pkgdesc="Linux kernel with grsecurity"
 url=http://grsecurity.net
 depends="mkinitfs linux-firmware"
@@ -22,6 +22,7 @@ source="http://ftp.kernel.org/pub/linux/kernel/v3.x/linux-$_kernver.tar.xz
 
 	0001-r8169-avoid-NAPI-scheduling-delay.patch
 	r8169-num-rx-desc.patch
+	xsa40.patch
 
 	kernelconfig.x86
 	kernelconfig.x86_64
@@ -151,5 +152,6 @@ cb6fcd6e966e73c87a839c4c0183f81f  0001-Revert-ipv4-Don-t-use-the-cached-pmtu-inf
 d2f7ba780ff7567c21381428264d7fdd  intel_idle.patch
 8e5611c6bf3dfb0008d4e58051a8b0ff  0001-r8169-avoid-NAPI-scheduling-delay.patch
 daf2cbb558588c49c138fe9ca2482b64  r8169-num-rx-desc.patch
+d9de28f8a74fe0347866705b4bd6db85  xsa40.patch
 50a13359236dbd676fa355f0b4fd27ff  kernelconfig.x86
 c402f52babc729d1280c1677075aa0d7  kernelconfig.x86_64"
diff --git a/main/linux-grsec/xsa40.patch b/main/linux-grsec/xsa40.patch
new file mode 100644
index 0000000..29db917
--- /dev/null
+++ b/main/linux-grsec/xsa40.patch
@@ -0,0 +1,56 @@
+Xen: Fix stack corruption in xen_failsafe_callback for 32bit PVOPS guests.
+
+This fixes CVE-2013-0190 / XSA-40
+
+There has been an error on the xen_failsafe_callback path for failed
+iret, which causes the stack pointer to be wrong when entering the
+iret_exc error path.  This can result in the kernel crashing.
+
+In the classic kernel case, the relevant code looked a little like:
+
+        popl %eax      # Error code from hypervisor
+        jz 5f
+        addl $16,%esp
+        jmp iret_exc   # Hypervisor said iret fault
+5:      addl $16,%esp
+                       # Hypervisor said segment selector fault
+
+Here, there are two identical addls on either option of a branch which
+appears to have been optimised by hoisting it above the jz, and
+converting it to an lea, which leaves the flags register unaffected.
+
+In the PVOPS case, the code looks like:
+
+        popl_cfi %eax         # Error from the hypervisor
+        lea 16(%esp),%esp     # Add $16 before choosing fault path
+        CFI_ADJUST_CFA_OFFSET -16
+        jz 5f
+        addl $16,%esp         # Incorrectly adjust %esp again
+        jmp iret_exc
+
+It is possible unprivileged userspace applications to cause this
+behaviour, for example by loading an LDT code selector, then changing
+the code selector to be not-present.  At this point, there is a race
+condition where it is possible for the hypervisor to return back to
+userspace from an interrupt, fault on its own iret, and inject a
+failsafe_callback into the kernel.
+
+This bug has been present since the introduction of Xen PVOPS support
+in commit 5ead97c84 (xen: Core Xen implementation), in 2.6.23.
+
+Signed-off-by: Frediano Ziglio <frediano.ziglio@citrix.com>
+Signed-off-by: Andrew Cooper <andrew.cooper3@citrix.com>
+
+diff --git a/arch/x86/kernel/entry_32.S b/arch/x86/kernel/entry_32.S
+index ff84d54..6ed91d9 100644
+--- a/arch/x86/kernel/entry_32.S
+@@ -1065,7 +1065,6 @@ ENTRY(xen_failsafe_callback)
+ 	lea 16(%esp),%esp
+ 	CFI_ADJUST_CFA_OFFSET -16
+ 	jz 5f
+-	addl $16,%esp
+ 	jmp iret_exc
+ 5:	pushl_cfi $-1 /* orig_ax = -1 => not a system call */
+ 	SAVE_ALL
+
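Review bot: The embedded patch is one line short of its `@@ -0,0 +1,56 @@` header (55 lines shown) and has no `+++ b/arch/x86/kernel/entry_32.S` line after `--- a/arch/x86/kernel/entry_32.S`, presumably the list renderer dropping a line that begins with `++++`; verify that the committed xsa40.patch applies cleanly to 3.4.24 and that d9de28f8a74fe0347866705b4bd6db85 is the checksum of the complete file, since a truncated file header can make the patch fail to apply. The code change itself, removing the second `addl $16,%esp` that followed `lea 16(%esp),%esp`, matches the description and leaves the single `CFI_ADJUST_CFA_OFFSET -16` consistent with the one remaining stack adjustment. If any other kernel flavour in the tree builds 32-bit from the same 3.4 source with Xen PVOPS enabled, it needs the same patch; the APKBUILD hunk here touches only linux-grsec. ENTRY(xen_failsafe_callback) continues outside the hunk.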
-- 
1.7.7.5 (Apple Git-26)



Natanael Copa
Message ID
<20130117193951.5733d2eb@ncopa-laptop.res.nor.wtbts.net>
In-Reply-To
<1358357408-73850-1-git-send-email-roger.pau@citrix.com> (view parent)
Sender timestamp
1358447991
DKIM signature
missing
On Wed, 16 Jan 2013 18:30:06 +0100
Roger Pau Monne <roger.pau@citrix.com> wrote:

> To be applied against the 2.4 stable branch.
 applied. thanks!

-nc

