~alpine/devel

XSA-40 and XSA-42 patches for 2.4 stable v1 PROPOSED

Roger Pau Monne <roger.pau@citrix.com>
12 years ago 
To be applied against the 2.4 stable branch.


---
Unsubscribe:  alpine-devel+unsubscribe@lists.alpinelinux.org
Help:         alpine-devel+help@lists.alpinelinux.org
---
Export patchset (mbox)
How do I use this?

Copy & paste the following snippet into your terminal to import this patchset into git: 

curl -s https://lists.alpinelinux.org/~alpine/devel/patches/388/mbox | git am -3
Learn more about email & git
Reply to thread View this thread in the archives

[alpine-devel] [PATCH 1/2] xen: XSA-41 Export this patch

Roger Pau Monne <roger.pau@citrix.com>
12 years ago 
---
 main/xen/APKBUILD    |    4 +++-
 main/xen/xsa41.patch |   43 +++++++++++++++++++++++++++++++++++++++++++
 2 files changed, 46 insertions(+), 1 deletions(-)
 create mode 100644 main/xen/xsa41.patch

diff --git a/main/xen/APKBUILD b/main/xen/APKBUILD
index 3903347..dbeee60 100644
--- a/main/xen/APKBUILD
+++ b/main/xen/APKBUILD
@@ -3,7 +3,7 @@
# Maintainer: William Pitcock <nenolod@dereferenced.org>
pkgname=xen
pkgver=4.1.4
pkgrel=1
pkgrel=2
pkgdesc="Xen hypervisor"
url="http://www.xen.org/"
arch="x86 x86_64"
@@ -23,6 +23,7 @@ source="http://bits.xensource.com/oss-xen/release/$pkgver/$pkgname-$pkgver.tar.g
	librt.patch
	busybox-sed.patch
	xsa33-4.1.patch
	xsa41.patch

	xenstored.initd
	xenstored.confd
@@ -123,6 +124,7 @@ b973dc1ffcc6872e222b36f3b7b4836b  fix_bswap_blktap2.patch
fa06495a175571f4aa3b6cb88937953e  librt.patch
1bea3543ddc712330527b62fd9ff6520  busybox-sed.patch
25ba4efc5eee29daa12855fbadce84f8  xsa33-4.1.patch
ce56f00762139cd611dfc3332b7571cf  xsa41.patch
6e5739dad7e2bd1b625e55ddc6c782b7  xenstored.initd
b017ccdd5e1c27bbf1513e3569d4ff07  xenstored.confd
ed262f15fb880badb53575539468646c  xenconsoled.initd
diff --git a/main/xen/xsa41.patch b/main/xen/xsa41.patch
new file mode 100644
index 0000000..2c5b542
--- /dev/null
+++ b/main/xen/xsa41.patch
@@ -0,0 +1,43 @@
From b0d9ffcd0251161c7c92f94804dcf599dfa3edeb Mon Sep 17 00:00:00 2001
From: Michael Contreras <michael@inetric.com>
Date: Sun, 2 Dec 2012 20:11:22 -0800
Subject: [PATCH] e1000: Discard packets that are too long if !SBP and !LPE

The e1000_receive function for the e1000 needs to discard packets longer than
1522 bytes if the SBP and LPE flags are disabled. The linux driver assumes
this behavior and allocates memory based on this assumption.

Signed-off-by: Michael Contreras <michael@inetric.com>
Signed-off-by: Anthony Liguori <aliguori@us.ibm.com>
---
diff --git a/tools/ioemu-qemu-xen/hw/e1000.c b/tools/ioemu-qemu-xen/hw/e1000.c
index cb7e7e8..5537ad2 100644
--- a/tools/ioemu-qemu-xen/hw/e1000.c
+++ b/tools/ioemu-qemu-xen/hw/e1000.c
@@ -59,6 +59,9 @@ static int debugflags = DBGBIT(TXERR) | DBGBIT(GENERAL);
 #define PNPMMIO_SIZE      0x20000
 #define MIN_BUF_SIZE      60 /* Min. octets in an ethernet frame sans FCS */
 
+/* this is the size past which hardware will drop packets when setting LPE=0 */
+#define MAXIMUM_ETHERNET_VLAN_SIZE 1522
+
 /*
  * HW models:
  *  E1000_DEV_ID_82540EM works with Windows and Linux
@@ -805,6 +808,13 @@ e1000_receive(NetClientState *nc, const uint8_t *buf, size_t size)
         size = sizeof(min_buf);
     }
 
+    /* Discard oversized packets if !LPE and !SBP. */
+    if (size > MAXIMUM_ETHERNET_VLAN_SIZE
+        && !(s->mac_reg[RCTL] & E1000_RCTL_LPE)
+        && !(s->mac_reg[RCTL] & E1000_RCTL_SBP)) {
+        return size;
+    }
+
     if (!receive_filter(s, buf, size))
         return size;
 
-- 
1.7.0.4

-- 
1.7.7.5 (Apple Git-26)



---
Unsubscribe:  alpine-devel+unsubscribe@lists.alpinelinux.org
Help:         alpine-devel+help@lists.alpinelinux.org
---

[alpine-devel] [PATCH 2/2] linux-grsec: XSA-40 Export this patch

Roger Pau Monne <roger.pau@citrix.com>
12 years ago 
---
 main/linux-grsec/APKBUILD    |    4 ++-
 main/linux-grsec/xsa40.patch |   56 ++++++++++++++++++++++++++++++++++++++++++
 2 files changed, 59 insertions(+), 1 deletions(-)
 create mode 100644 main/linux-grsec/xsa40.patch

diff --git a/main/linux-grsec/APKBUILD b/main/linux-grsec/APKBUILD
index 68db9fb..f796f5f 100644
--- a/main/linux-grsec/APKBUILD
+++ b/main/linux-grsec/APKBUILD
@@ -4,7 +4,7 @@ _flavor=grsec
pkgname=linux-${_flavor}
pkgver=3.4.24
_kernver=3.4
pkgrel=2
pkgrel=3
pkgdesc="Linux kernel with grsecurity"
url=http://grsecurity.net
depends="mkinitfs linux-firmware"
@@ -22,6 +22,7 @@ source="http://ftp.kernel.org/pub/linux/kernel/v3.x/linux-$_kernver.tar.xz

	0001-r8169-avoid-NAPI-scheduling-delay.patch
	r8169-num-rx-desc.patch
	xsa40.patch

	kernelconfig.x86
	kernelconfig.x86_64
@@ -151,5 +152,6 @@ cb6fcd6e966e73c87a839c4c0183f81f  0001-Revert-ipv4-Don-t-use-the-cached-pmtu-inf
d2f7ba780ff7567c21381428264d7fdd  intel_idle.patch
8e5611c6bf3dfb0008d4e58051a8b0ff  0001-r8169-avoid-NAPI-scheduling-delay.patch
daf2cbb558588c49c138fe9ca2482b64  r8169-num-rx-desc.patch
d9de28f8a74fe0347866705b4bd6db85  xsa40.patch
50a13359236dbd676fa355f0b4fd27ff  kernelconfig.x86
c402f52babc729d1280c1677075aa0d7  kernelconfig.x86_64"
diff --git a/main/linux-grsec/xsa40.patch b/main/linux-grsec/xsa40.patch
new file mode 100644
index 0000000..29db917
--- /dev/null
+++ b/main/linux-grsec/xsa40.patch
@@ -0,0 +1,56 @@
Xen: Fix stack corruption in xen_failsafe_callback for 32bit PVOPS guests.

This fixes CVE-2013-0190 / XSA-40

There has been an error on the xen_failsafe_callback path for failed
iret, which causes the stack pointer to be wrong when entering the
iret_exc error path.  This can result in the kernel crashing.

In the classic kernel case, the relevant code looked a little like:

        popl %eax      # Error code from hypervisor
        jz 5f
        addl $16,%esp
        jmp iret_exc   # Hypervisor said iret fault
5:      addl $16,%esp
                       # Hypervisor said segment selector fault

Here, there are two identical addls on either option of a branch which
appears to have been optimised by hoisting it above the jz, and
converting it to an lea, which leaves the flags register unaffected.

In the PVOPS case, the code looks like:

        popl_cfi %eax         # Error from the hypervisor
        lea 16(%esp),%esp     # Add $16 before choosing fault path
        CFI_ADJUST_CFA_OFFSET -16
        jz 5f
        addl $16,%esp         # Incorrectly adjust %esp again
        jmp iret_exc

It is possible unprivileged userspace applications to cause this
behaviour, for example by loading an LDT code selector, then changing
the code selector to be not-present.  At this point, there is a race
condition where it is possible for the hypervisor to return back to
userspace from an interrupt, fault on its own iret, and inject a
failsafe_callback into the kernel.

This bug has been present since the introduction of Xen PVOPS support
in commit 5ead97c84 (xen: Core Xen implementation), in 2.6.23.

Signed-off-by: Frediano Ziglio <frediano.ziglio@citrix.com>
Signed-off-by: Andrew Cooper <andrew.cooper3@citrix.com>

diff --git a/arch/x86/kernel/entry_32.S b/arch/x86/kernel/entry_32.S
index ff84d54..6ed91d9 100644
--- a/arch/x86/kernel/entry_32.S
+++ b/arch/x86/kernel/entry_32.S
@@ -1065,7 +1065,6 @@ ENTRY(xen_failsafe_callback)
 	lea 16(%esp),%esp
 	CFI_ADJUST_CFA_OFFSET -16
 	jz 5f
-	addl $16,%esp
 	jmp iret_exc
 5:	pushl_cfi $-1 /* orig_ax = -1 => not a system call */
 	SAVE_ALL

-- 
1.7.7.5 (Apple Git-26)



---
Unsubscribe:  alpine-devel+unsubscribe@lists.alpinelinux.org
Help:         alpine-devel+help@lists.alpinelinux.org
---