projects / pve-kernel.git / blame
| Commit | Line | Data |
|---|---|---|
| 321d628a FG |
1 | From 2b0794bbebac81a539dfd405273d61a8a16531d2 Mon Sep 17 00:00:00 2001 |
| 2 | From: Andy Lutomirski <luto@kernel.org> | |
| 3 | Date: Mon, 14 Aug 2017 22:36:19 -0700 | |
| e4cdf2a5 | 4 | Subject: [PATCH 024/241] x86/xen/64: Fix the reported SS and CS in SYSCALL |
| 321d628a FG |
5 | MIME-Version: 1.0 |
| 6 | Content-Type: text/plain; charset=UTF-8 | |
| 7 | Content-Transfer-Encoding: 8bit | |
| 8 | ||
| 9 | CVE-2017-5754 | |
| 10 | ||
| 11 | When I cleaned up the Xen SYSCALL entries, I inadvertently changed | |
| 12 | the reported segment registers. Before my patch, regs->ss was | |
| 13 | __USER(32)_DS and regs->cs was __USER(32)_CS. After the patch, they | |
| 14 | are FLAT_USER_CS/DS(32). | |
| 15 | ||
| 16 | This had a couple unfortunate effects. It confused the | |
| 17 | opportunistic fast return logic. It also significantly increased | |
| 18 | the risk of triggering a nasty glibc bug: | |
| 19 | ||
| 20 | https://sourceware.org/bugzilla/show_bug.cgi?id=21269 | |
| 21 | ||
| 22 | Update the Xen entry code to change it back. | |
| 23 | ||
| 24 | Reported-by: Brian Gerst <brgerst@gmail.com> | |
| 25 | Signed-off-by: Andy Lutomirski <luto@kernel.org> | |
| 26 | Cc: Andrew Cooper <andrew.cooper3@citrix.com> | |
| 27 | Cc: Boris Ostrovsky <boris.ostrovsky@oracle.com> | |
| 28 | Cc: Borislav Petkov <bp@alien8.de> | |
| 29 | Cc: Juergen Gross <jgross@suse.com> | |
| 30 | Cc: Linus Torvalds <torvalds@linux-foundation.org> | |
| 31 | Cc: Peter Zijlstra <peterz@infradead.org> | |
| 32 | Cc: Thomas Gleixner <tglx@linutronix.de> | |
| 33 | Cc: xen-devel@lists.xenproject.org | |
| 34 | Fixes: 8a9949bc71a7 ("x86/xen/64: Rearrange the SYSCALL entries") | |
| 35 | Link: http://lkml.kernel.org/r/daba8351ea2764bb30272296ab9ce08a81bd8264.1502775273.git.luto@kernel.org | |
| 36 | Signed-off-by: Ingo Molnar <mingo@kernel.org> | |
| 37 | (cherry picked from commit fa2016a8e7d846b306e431646d250500e1da0c33) | |
| 38 | Signed-off-by: Andy Whitcroft <apw@canonical.com> | |
| 39 | Signed-off-by: Kleber Sacilotto de Souza <kleber.souza@canonical.com> | |
| 40 | (cherry picked from commit 69a6ef3aeb274efe86fd74771830354f303ccc2f) | |
| 41 | Signed-off-by: Fabian Grünbichler <f.gruenbichler@proxmox.com> | |
| 42 | --- | |
| 43 | arch/x86/xen/xen-asm_64.S | 18 ++++++++++++++++++ | |
| 44 | 1 file changed, 18 insertions(+) | |
| 45 | ||
| 46 | diff --git a/arch/x86/xen/xen-asm_64.S b/arch/x86/xen/xen-asm_64.S | |
| 47 | index a8a4f4c460a6..c5fee2680abc 100644 | |
| 48 | --- a/arch/x86/xen/xen-asm_64.S | |
| 49 | +++ b/arch/x86/xen/xen-asm_64.S | |
| 50 | @@ -88,6 +88,15 @@ RELOC(xen_sysret64, 1b+1) | |
| 51 | ENTRY(xen_syscall_target) | |
| 52 | popq %rcx | |
| 53 | popq %r11 | |
| 54 | + | |
| 55 | + /* | |
| 56 | + * Neither Xen nor the kernel really knows what the old SS and | |
| 57 | + * CS were. The kernel expects __USER_DS and __USER_CS, so | |
| 58 | + * report those values even though Xen will guess its own values. | |
| 59 | + */ | |
| 60 | + movq $__USER_DS, 4*8(%rsp) | |
| 61 | + movq $__USER_CS, 1*8(%rsp) | |
| 62 | + | |
| 63 | jmp entry_SYSCALL_64_after_hwframe | |
| 64 | ENDPROC(xen_syscall_target) | |
| 65 | ||
| 66 | @@ -97,6 +106,15 @@ ENDPROC(xen_syscall_target) | |
| 67 | ENTRY(xen_syscall32_target) | |
| 68 | popq %rcx | |
| 69 | popq %r11 | |
| 70 | + | |
| 71 | + /* | |
| 72 | + * Neither Xen nor the kernel really knows what the old SS and | |
| 73 | + * CS were. The kernel expects __USER32_DS and __USER32_CS, so | |
| 74 | + * report those values even though Xen will guess its own values. | |
| 75 | + */ | |
| 76 | + movq $__USER32_DS, 4*8(%rsp) | |
| 77 | + movq $__USER32_CS, 1*8(%rsp) | |
| 78 | + | |
| 79 | jmp entry_SYSCALL_compat_after_hwframe | |
| 80 | ENDPROC(xen_syscall32_target) | |
| 81 | ||
| 82 | -- | |
| 83 | 2.14.2 | |
| 84 |