From: Ben Hutchings <ben@decadent.org.uk>
To: linux-kernel@vger.kernel.org, stable@vger.kernel.org
Cc: akpm@linux-foundation.org,
Andrew Cooper <andrew.cooper3@citrix.com>,
Frediano Ziglio <frediano.ziglio@citrix.com>,
Konrad Rzeszutek Wilk <konrad.wilk@oracle.com>
Subject: [ 059/128] xen: Fix stack corruption in xen_failsafe_callback for 32bit PVOPS guests.
Date: Sun, 03 Feb 2013 15:47:43 +0100 [thread overview]
Message-ID: <20130203144649.281157905@decadent.org.uk> (raw)
In-Reply-To: <20130203144644.035172954@decadent.org.uk>
3.2-stable review patch. If anyone has any objections, please let me know.
------------------
From: Andrew Cooper <andrew.cooper3@citrix.com>
commit 9174adbee4a9a49d0139f5d71969852b36720809 upstream.
This fixes CVE-2013-0190 / XSA-40
There has been an error on the xen_failsafe_callback path for failed
iret, which causes the stack pointer to be wrong when entering the
iret_exc error path. This can result in the kernel crashing.
In the classic kernel case, the relevant code looked a little like:
popl %eax # Error code from hypervisor
jz 5f
addl $16,%esp
jmp iret_exc # Hypervisor said iret fault
5: addl $16,%esp
# Hypervisor said segment selector fault
Here, there are two identical addls on either option of a branch which
appears to have been optimised by hoisting it above the jz, and
converting it to an lea, which leaves the flags register unaffected.
In the PVOPS case, the code looks like:
popl_cfi %eax # Error from the hypervisor
lea 16(%esp),%esp # Add $16 before choosing fault path
CFI_ADJUST_CFA_OFFSET -16
jz 5f
addl $16,%esp # Incorrectly adjust %esp again
jmp iret_exc
It is possible unprivileged userspace applications to cause this
behaviour, for example by loading an LDT code selector, then changing
the code selector to be not-present. At this point, there is a race
condition where it is possible for the hypervisor to return back to
userspace from an interrupt, fault on its own iret, and inject a
failsafe_callback into the kernel.
This bug has been present since the introduction of Xen PVOPS support
in commit 5ead97c84 (xen: Core Xen implementation), in 2.6.23.
Signed-off-by: Frediano Ziglio <frediano.ziglio@citrix.com>
Signed-off-by: Andrew Cooper <andrew.cooper3@citrix.com>
Signed-off-by: Konrad Rzeszutek Wilk <konrad.wilk@oracle.com>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
arch/x86/kernel/entry_32.S | 1 -
1 file changed, 1 deletion(-)
diff --git a/arch/x86/kernel/entry_32.S b/arch/x86/kernel/entry_32.S
index 88b725a..cf8639b 100644
--- a/arch/x86/kernel/entry_32.S
+++ b/arch/x86/kernel/entry_32.S
@@ -1084,7 +1084,6 @@ ENTRY(xen_failsafe_callback)
lea 16(%esp),%esp
CFI_ADJUST_CFA_OFFSET -16
jz 5f
- addl $16,%esp
jmp iret_exc
5: pushl_cfi $-1 /* orig_ax = -1 => not a system call */
SAVE_ALL
next prev parent reply other threads:[~2013-02-03 15:13 UTC|newest]
Thread overview: 149+ messages / expand[flat|nested] mbox.gz Atom feed top
2013-02-03 14:46 [ 000/128] 3.2.38-stable review Ben Hutchings
2013-02-03 14:46 ` [ 001/128] usb: gadget: dummy: fix enumeration with g_multi Ben Hutchings
2013-02-03 14:46 ` [ 002/128] usb: musb: core: print new line in the driver banner again Ben Hutchings
2013-02-03 14:46 ` [ 003/128] virtio-blk: Dont free ida when disk is in use Ben Hutchings
2013-02-03 14:46 ` [ 004/128] mac80211: use del_timer_sync for final sta cleanup timer deletion Ben Hutchings
2013-02-03 14:46 ` [ 005/128] xhci: Handle HS bulk/ctrl endpoints that dont NAK Ben Hutchings
2013-02-03 14:46 ` [ 006/128] USB: Handle auto-transition from hot to warm reset Ben Hutchings
2013-02-03 14:46 ` [ 007/128] USB: Ignore xHCI Reset Device status Ben Hutchings
2013-02-03 14:46 ` [ 008/128] USB: Allow USB 3.0 ports to be disabled Ben Hutchings
2013-02-03 14:46 ` [ 009/128] USB: Increase reset timeout Ben Hutchings
2013-02-03 14:46 ` [ 010/128] USB: Ignore port state until reset completes Ben Hutchings
2013-02-03 14:46 ` [ 011/128] USB: Handle warm reset failure on empty port Ben Hutchings
2013-02-03 14:46 ` [ 012/128] xhci: Avoid "dead ports", add roothub port polling Ben Hutchings
2013-02-03 14:46 ` [ 013/128] ASoC: wm5100: Remove DSP B and left justified formats Ben Hutchings
2013-02-03 14:46 ` [ 014/128] mwifiex: wakeup and stop multiple tx queues in net_device Ben Hutchings
2013-02-04 19:43 ` Bing Zhao
2013-02-04 23:41 ` Ben Hutchings
2013-02-05 0:36 ` Bing Zhao
2013-02-06 4:21 ` Ben Hutchings
2013-02-05 18:44 ` Bing Zhao
2013-02-03 14:46 ` [ 015/128] mwifiex: handle association failure case correctly Ben Hutchings
2013-02-03 14:47 ` [ 016/128] mwifiex: check wait_event_interruptible return value Ben Hutchings
2013-02-03 14:47 ` [ 017/128] ASoC: wm2000: Fix sense of speech clarity enable Ben Hutchings
2013-02-03 14:47 ` [ 018/128] ioat: Fix DMA memory sync direction correct flag Ben Hutchings
2013-02-03 14:47 ` [ 019/128] drm/i915; Only increment the user-pin-count after successfully pinning the bo Ben Hutchings
2013-02-03 14:47 ` [ 020/128] staging: r8712u: Add new device ID Ben Hutchings
2013-02-03 14:47 ` [ 021/128] staging: speakup: avoid out-of-range access in synth_init() Ben Hutchings
2013-02-03 14:47 ` [ 022/128] staging: speakup: avoid out-of-range access in synth_add() Ben Hutchings
2013-02-03 14:47 ` [ 023/128] staging: comedi: fix minimum AO period for NI 625x and NI 628x Ben Hutchings
2013-02-03 14:47 ` [ 024/128] staging: comedi: comedi_test: fix race when cancelling command Ben Hutchings
2013-02-03 14:47 ` [ 025/128] regulator: max8997: Use uV in voltage_map_desc Ben Hutchings
2013-02-03 14:47 ` [ 026/128] ALSA: pxa27x: fix ac97 cold reset Ben Hutchings
2013-02-03 14:47 ` [ 027/128] ALSA: pxa27x: fix ac97 warm reset Ben Hutchings
2013-02-03 14:47 ` [ 028/128] SUNRPC: Ensure we release the socket write lock if the rpc_task exits early Ben Hutchings
2013-02-03 14:47 ` [ 029/128] target: use correct sense code for LUN communication failure Ben Hutchings
2013-02-03 14:47 ` [ 030/128] Revert "ALSA: hda - Shut up pins at power-saving mode with Conexnat codecs" Ben Hutchings
2013-02-03 14:47 ` [ 031/128] regulator: max8998: Ensure enough delay time for max8998_set_voltage_buck_time_sel Ben Hutchings
2013-02-03 14:47 ` [ 032/128] radeon/kms: force rn50 chip to always report connected on analog output Ben Hutchings
2013-02-03 14:47 ` [ 033/128] tcm_fc: Do not indicate retry capability to initiators Ben Hutchings
2013-02-03 14:47 ` [ 034/128] tcm_fc: Do not report target role when target is not defined Ben Hutchings
2013-02-03 14:47 ` [ 035/128] sh: Fix FDPIC binary loader Ben Hutchings
2013-02-03 14:47 ` [ 036/128] USB: option: Add new MEDIATEK PID support Ben Hutchings
2013-02-03 14:47 ` [ 037/128] USB: option: blacklist network interface on ZTE MF880 Ben Hutchings
2013-02-03 14:47 ` [ 038/128] USB: option: add Telekom Speedstick LTE II Ben Hutchings
2013-02-03 14:47 ` [ 039/128] USB: option: add Nexpring NP10T terminal id Ben Hutchings
2013-02-03 14:47 ` [ 040/128] USB: cdc-acm: Add support for "PSC Scanning, Magellan 800i" Ben Hutchings
2013-02-03 14:47 ` [ 041/128] USB: hub: handle claim of enabled remote wakeup after reset Ben Hutchings
2013-02-03 14:47 ` [ 042/128] mm: compaction: fix echo 1 > compact_memory return error issue Ben Hutchings
2013-02-03 14:47 ` [ 043/128] mm: use aligned zone start for pfn_to_bitidx calculation Ben Hutchings
2013-02-03 14:47 ` [ 044/128] USB: Add device quirk for Microsoft VX700 webcam Ben Hutchings
2013-02-03 14:47 ` [ 045/128] PCI: pciehp: Fix wrong workqueue cleanup Ben Hutchings
2013-02-03 14:47 ` [ 046/128] PCI: pciehp: Handle push button event asynchronously Ben Hutchings
2013-02-03 14:47 ` [ 047/128] PCI: pciehp: Use per-slot workqueues to avoid deadlock Ben Hutchings
2013-02-03 14:47 ` [ 048/128] usb: ftdi_sio: Crucible Technologies COMET Caller ID - pid added Ben Hutchings
2013-02-03 14:47 ` [ 049/128] PCI/AER: pci_get_domain_bus_and_slot() call missing required pci_dev_put() Ben Hutchings
2013-02-03 14:47 ` [ 050/128] PCI: shpchp: Handle push button event asynchronously Ben Hutchings
2013-02-03 14:47 ` [ 051/128] PCI: shpchp: Use per-slot workqueues to avoid deadlock Ben Hutchings
2013-02-03 14:47 ` [ 052/128] PCI: Allow pcie_aspm=force even when FADT indicates it is unsupported Ben Hutchings
2013-02-03 14:47 ` [ 053/128] serial:ifx6x60:Delete SPI timer when shut down port Ben Hutchings
2013-02-03 14:47 ` [ 054/128] tty: 8250_dw: Fix inverted arguments to serial_out in IRQ handler Ben Hutchings
2013-02-03 14:47 ` [ 055/128] drm/i915: Invalidate the relocation presumed_offsets along the slow path Ben Hutchings
2013-02-03 14:47 ` [ 056/128] s390/time: fix sched_clock() overflow Ben Hutchings
2013-02-03 14:47 ` [ 057/128] ARM: 7627/1: Predicate preempt logic on PREEMP_COUNT not PREEMPT alone Ben Hutchings
2013-02-03 14:47 ` [ 058/128] ARM: 7628/1: head.S: map one extra section for the ATAG/DTB area Ben Hutchings
2013-02-03 15:17 ` Ben Hutchings
2013-02-03 18:36 ` Nicolas Pitre
2013-02-03 14:47 ` Ben Hutchings [this message]
2013-02-03 14:47 ` [ 060/128] staging: vt6656: Fix inconsistent structure packing Ben Hutchings
2013-02-03 14:47 ` [ 061/128] 8250: blacklist Winbond CIR port Ben Hutchings
2013-02-03 17:26 ` Sean Young
2013-02-03 23:23 ` Ben Hutchings
2013-02-03 14:47 ` [ 062/128] 8250/16?50: Add support for Broadcom TruManage redirected serial port Ben Hutchings
2013-02-03 14:47 ` [ 063/128] KVM: PPC: Emulate dcbf Ben Hutchings
2013-02-03 14:47 ` [ 064/128] USB: option: blacklist network interface on ONDA MT8205 4G LTE Ben Hutchings
2013-02-03 14:47 ` [ 065/128] USB: option: add TP-LINK HSUPA Modem MA180 Ben Hutchings
2013-02-03 14:47 ` [ 066/128] USB: io_ti: Fix NULL dereference in chase_port() Ben Hutchings
2013-02-03 14:47 ` [ 067/128] usb: dwc3: gadget: fix ep->maxburst for ep0 Ben Hutchings
2013-02-03 14:47 ` [ 068/128] intel_idle: Dont register CPU notifier if we are not running Ben Hutchings
2013-02-03 14:47 ` [ 069/128] ACPI / cpuidle: Fix NULL pointer issues when cpuidle is disabled Ben Hutchings
2013-02-03 14:47 ` [ 070/128] ACPI / processor: Get power info before updating the C-states Ben Hutchings
2013-02-03 14:47 ` [ 071/128] ARM: DMA: Fix struct page iterator in dma_cache_maint() to work with sparsemem Ben Hutchings
2013-02-03 14:47 ` [ 072/128] evm: checking if removexattr is not a NULL Ben Hutchings
2013-02-03 14:47 ` [ 073/128] ALSA: hda - Add Conexant CX20751/2/3/4 codec support Ben Hutchings
2013-02-03 14:47 ` [ 074/128] ALSA: hda/conexant - Correct vendor IDs for new codecs Ben Hutchings
2013-02-03 14:47 ` [ 075/128] ALSA: hda - Add Conexant CX20755/20756/20757 codec IDs Ben Hutchings
2013-02-03 14:48 ` [ 076/128] ftrace: Be first to run code modification on modules Ben Hutchings
2013-02-03 14:48 ` [ 077/128] USB: UHCI: fix IRQ race during initialization Ben Hutchings
2013-02-03 14:48 ` [ 078/128] fs/cifs/cifs_dfs_ref.c: fix potential memory leakage Ben Hutchings
2013-02-03 14:48 ` [ 079/128] Bluetooth: Fix incorrect strncpy() in hidp_setup_hid() Ben Hutchings
2013-02-03 14:48 ` [ 080/128] ath9k_htc: Fix memory leak Ben Hutchings
2013-02-03 14:48 ` [ 081/128] ath9k: do not link receive buffers during flush Ben Hutchings
2013-02-03 14:48 ` [ 082/128] ath9k: fix double-free bug on beacon generate failure Ben Hutchings
2013-02-03 14:48 ` [ 083/128] brcmsmac: increase timer reference count for new timers only Ben Hutchings
2013-02-03 14:48 ` [ 084/128] efi, x86: Pass a proper identity mapping in efi_call_phys_prelog Ben Hutchings
2013-02-03 14:48 ` [ 085/128] ath9k_hw: fix calibration issues on chainmask that dont include chain 0 Ben Hutchings
2013-02-03 14:48 ` [ 086/128] ath9k_hw: fix chain swap setting when setting rx chainmask to 5 Ben Hutchings
2013-02-03 14:48 ` [ 087/128] mwifiex: fix typo in PCIe adapter NULL check Ben Hutchings
2013-02-03 14:48 ` [ 088/128] drm/i915: Remove the MI_FLUSH_ENABLE setting Ben Hutchings
2013-02-03 14:48 ` [ 089/128] drm/i915: Correct the bit number for the MI_FLUSH_ENABLE Ben Hutchings
2013-02-03 14:48 ` [ 090/128] drm/i915: Disable AsyncFlip performance optimisations Ben Hutchings
2013-02-03 14:48 ` [ 091/128] drm/i915: GFX_MODE Flush TLB Invalidate Mode must be 1 for scanline waits Ben Hutchings
2013-02-03 14:48 ` [ 092/128] iommu/intel: disable DMAR for g4x integrated gfx Ben Hutchings
2013-02-03 16:24 ` Mihai Moldovan
2013-02-03 20:14 ` Greg KH
2013-02-03 14:48 ` [ 093/128] drm/i915: dump UTS_RELEASE into the error_state Ben Hutchings
2013-02-03 14:48 ` [ 094/128] drm/radeon: fix a rare case of double kfree Ben Hutchings
2013-02-03 14:48 ` [ 095/128] x86/msr: Add capabilities check Ben Hutchings
2013-02-03 14:48 ` [ 096/128] can: c_can: fix invalid error codes Ben Hutchings
2013-02-03 14:48 ` [ 097/128] can: ti_hecc: " Ben Hutchings
2013-02-03 14:48 ` [ 098/128] can: pch_can: " Ben Hutchings
2013-02-03 14:48 ` [ 099/128] ALSA: usb-audio: fix invalid length check for RME and other UAC 2 devices Ben Hutchings
2013-02-03 14:48 ` [ 100/128] smp: Fix SMP function call empty cpu mask race Ben Hutchings
2013-02-03 14:48 ` [ 101/128] IOMMU, AMD Family15h Model10-1Fh erratum 746 Workaround Ben Hutchings
2013-02-03 14:48 ` [ 102/128] xfs: Fix possible use-after-free with AIO Ben Hutchings
2013-02-03 14:48 ` [ 103/128] ALSA: hda - Fix non-snoop page handling Ben Hutchings
2013-02-03 14:48 ` [ 104/128] EDAC: Test correct variable in ->store function Ben Hutchings
2013-02-03 14:48 ` [ 105/128] efi: Make efi_enabled a function to query EFI facilities Ben Hutchings
2013-02-03 15:15 ` Ben Hutchings
2013-02-04 16:44 ` Matt Fleming
2013-02-04 18:20 ` Greg KH
2013-02-06 4:45 ` Ben Hutchings
2013-02-05 3:46 ` Ben Hutchings
2013-02-05 15:40 ` Peter Jones
2013-02-03 14:48 ` [ 106/128] samsung-laptop: Disable on EFI hardware Ben Hutchings
2013-02-03 14:48 ` [ 107/128] NFS: Dont silently fail setattr() requests on mountpoints Ben Hutchings
2013-02-03 14:48 ` [ 108/128] NFSv4.1: Handle NFS4ERR_DELAY when resetting the NFSv4.1 session Ben Hutchings
2013-02-03 14:48 ` [ 109/128] x86/Sandy Bridge: reserve pages when integrated graphics is present Ben Hutchings
2013-02-03 14:48 ` [ 110/128] x86/Sandy Bridge: mark arrays in __init functions as __initconst Ben Hutchings
2013-02-03 14:48 ` [ 111/128] x86/Sandy Bridge: Sandy Bridge workaround depends on CONFIG_PCI Ben Hutchings
2013-02-03 14:48 ` [ 112/128] ahci: Add identifiers for ASM106x devices Ben Hutchings
2013-02-03 14:48 ` [ 113/128] [SCSI] sd: Reshuffle init_sd to avoid crash Ben Hutchings
2013-02-03 14:48 ` [ 114/128] drivers/firmware/dmi_scan.c: check dmi version when get system uuid Ben Hutchings
2013-02-03 14:48 ` [ 115/128] drivers/firmware/dmi_scan.c: fetch dmi version from SMBIOS if it exists Ben Hutchings
2013-02-03 14:48 ` [ 116/128] drm/i915: Implement WaDisableHiZPlanesWhenMSAAEnabled Ben Hutchings
2013-02-03 14:48 ` [ 117/128] x86: Use enum instead of literals for trap values Ben Hutchings
2013-02-03 14:48 ` [ 118/128] staging: comedi: Kconfig: COMEDI_NI_AT_A2150 should select COMEDI_FC Ben Hutchings
2013-02-03 14:48 ` [ 119/128] Revert "drm/i915: no lvds quirk for Zotac ZDBOX SD ID12/ID13" Ben Hutchings
2013-02-03 14:48 ` [ 120/128] staging: comedi: dont hijack hardware device private data Ben Hutchings
2013-02-03 14:48 ` [ 121/128] intel-iommu: Prevent devices with RMRRs from being placed into SI Domain Ben Hutchings
2013-02-03 14:48 ` [ 122/128] ALSA: usb - fix race in creation of M-Audio Fast track pro driver Ben Hutchings
2013-02-03 14:48 ` [ 123/128] igb: release already assigned MSI-X interrupts if setup fails Ben Hutchings
2013-02-03 14:48 ` [ 124/128] drbd: add missing part_round_stats to _drbd_start_io_acct Ben Hutchings
2013-02-03 14:48 ` [ 125/128] ALSA: usb-audio: Fix regression by disconnection-race-fix patch Ben Hutchings
2013-02-03 14:48 ` [ 126/128] staging: usbip: changed function return type to void Ben Hutchings
2013-02-03 14:48 ` [ 127/128] x86, efi: Set runtime_version to the EFI spec revision Ben Hutchings
2013-02-03 14:48 ` [ 128/128] printk: fix buffer overflow when calling log_prefix function from call_console_drivers Ben Hutchings
2013-02-03 15:20 ` [ 000/128] 3.2.38-stable review Ben Hutchings
2013-02-04 14:39 ` Satoru Takeuchi
2013-02-06 4:17 ` Ben Hutchings
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20130203144649.281157905@decadent.org.uk \
--to=ben@decadent.org.uk \
--cc=akpm@linux-foundation.org \
--cc=andrew.cooper3@citrix.com \
--cc=frediano.ziglio@citrix.com \
--cc=konrad.wilk@oracle.com \
--cc=linux-kernel@vger.kernel.org \
--cc=stable@vger.kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).