author | Michael Marineau <marineam@gentoo.org> | 2007-10-10 21:37:50 +0000 |
---|---|---|
committer | Michael Marineau <marineam@gentoo.org> | 2007-10-10 21:37:50 +0000 |
commit | 5b5e1c4b07d8d530caeada7391c8fab3796d07b9 (patch) | |
tree | d7fad826d3beb5ad6783c237966411ca66ef4843 | |
parent | Disable CONFIG_HIGHPTE when XEN support is enabled (diff) | |
Fix CVE-2007-4573 for xen 2.6.20
svn path=/patches/; revision=50
-rw-r--r-- | trunk/2.6.20/00000_README | 5 | ||||
-rw-r--r-- | trunk/2.6.20/30037_amd64-zero-extend-32bit-ptrace-xen.patch | 50 |
2 files changed, 55 insertions, 0 deletions
diff --git a/trunk/2.6.20/00000_README b/trunk/2.6.20/00000_README
index c54dae7..6838273 100644
--- a/trunk/2.6.20/00000_README
+++ b/trunk/2.6.20/00000_README
@@ -25,6 +25,11 @@ Patches
 20xxx-?
 Various bug-fix patches from Redhat.
 
+30037_amd64-zero-extend-32bit-ptrace-xen.patch
+ [SECURITY] Zero extend all registers after ptrace in 32-bit entry path
+ (Xen).
+ See CVE-2007-4573
+
 50001_make-install.patch
 Handle make install in a semi-sane way that plays nice with split domU/dom0 kernels.
diff --git a/trunk/2.6.20/30037_amd64-zero-extend-32bit-ptrace-xen.patch b/trunk/2.6.20/30037_amd64-zero-extend-32bit-ptrace-xen.patch
new file mode 100644
index 0000000..25e56d3
--- /dev/null
+++ b/trunk/2.6.20/30037_amd64-zero-extend-32bit-ptrace-xen.patch
@@ -0,0 +1,50 @@
+Adjusted to apply to Debian's 2.6.18 Xen
+
+--- linux-source-2.6.18.orig/arch/x86_64/ia32/ia32entry-xen.S 2006-09-19 21:42:06.000000000 -0600
++++ linux-source-2.6.18/arch/x86_64/ia32/ia32entry-xen.S 2007-09-25 00:10:16.089100799 -0600
+@@ -38,6 +38,18 @@
+ #define __sti sti
+ #endif
+ 
++ .macro LOAD_ARGS32 offset
++ movl \offset(%rsp),%r11d
++ movl \offset+8(%rsp),%r10d
++ movl \offset+16(%rsp),%r9d
++ movl \offset+24(%rsp),%r8d
++ movl \offset+40(%rsp),%ecx
++ movl \offset+48(%rsp),%edx
++ movl \offset+56(%rsp),%esi
++ movl \offset+64(%rsp),%edi
++ movl \offset+72(%rsp),%eax
++ .endm
++
+ .macro CFI_STARTPROC32 simple
+ CFI_STARTPROC \simple
+ CFI_UNDEFINED r8
+@@ -151,7 +163,7 @@ sysenter_tracesys:
+ movq $-ENOSYS,RAX(%rsp) /* really needed? */
+ movq %rsp,%rdi /* &pt_regs -> arg1 */
+ call syscall_trace_enter
+- LOAD_ARGS ARGOFFSET /* reload args from stack in case ptrace changed it */
++ LOAD_ARGS32 ARGOFFSET /* reload args from stack in case ptrace changed it */
+ RESTORE_REST
+ movl %ebp, %ebp
+ /* no need to do an access_ok check here because rbp has been
+@@ -253,7 +265,7 @@ cstar_tracesys:
+ movq $-ENOSYS,RAX(%rsp) /* really needed? */
+ movq %rsp,%rdi /* &pt_regs -> arg1 */
+ call syscall_trace_enter
+- LOAD_ARGS ARGOFFSET /* reload args from stack in case ptrace changed it */
++ LOAD_ARGS32 ARGOFFSET /* reload args from stack in case ptrace changed it */
+ RESTORE_REST
+ movl RSP-ARGOFFSET(%rsp), %r8d
+ /* no need to do an access_ok check here because r8 has been
+@@ -330,7 +342,7 @@ ia32_tracesys:
+ movq $-ENOSYS,RAX(%rsp) /* really needed? */
+ movq %rsp,%rdi /* &pt_regs -> arg1 */
+ call syscall_trace_enter
+- LOAD_ARGS ARGOFFSET /* reload args from stack in case ptrace changed it */
++ LOAD_ARGS32 ARGOFFSET /* reload args from stack in case ptrace changed it */
+ RESTORE_REST
+ jmp ia32_do_syscall
+ END(ia32_syscall)
|
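Review bot: The new file's only header, `Adjusted to apply to Debian's 2.6.18 Xen`, no longer describes where it lives (trunk/2.6.20) or what it backports, so a later maintainer cannot tell which upstream change to compare against when rebasing; replace it with a header along the lines of `Backport of upstream "x86_64: Zero extend all registers after ptrace in 32bit entry path" (CVE-2007-4573) for the Xen ia32 entry path of the 2.6.20 tree; originally adjusted against Debian's 2.6.18 Xen.` The LOAD_ARGS32 macro also needs a one-line comment explaining why it exists, because it reads as a copy of LOAD_ARGS with `movl` swapped for `movq`, and that 32-bit write is the entire fix: a tracer can store full 64-bit values into the saved pt_regs via ptrace, and `movl` zero-extends them on reload, e.g. `/* like LOAD_ARGS, but movl zero-extends: 64-bit values a tracer stored in pt_regs must not survive the reload (CVE-2007-4573) */`. The `\offset+72` slot loaded into %eax is presumably ORIG_RAX, the syscall number the 32-bit dispatch later uses as a table index, which is worth naming in that comment since it is the register the CVE actually turns on. This patch touches only ia32entry-xen.S; the non-Xen ia32entry.S in the same 2.6.20 tree is not covered here, so confirm it gets the equivalent upstream change from another patch in the set. The sysenter_tracesys, cstar_tracesys and ia32_tracesys bodies start and end outside these hunks.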