Commit 7b8a1582 authored Jan 23, 2013 by Natanael Copa
main/linux-grsec: merge in stable fixes
parent 46eeabf3
Showing 4 changed files with 99539 additions and 61 deletions
main/linux-grsec/APKBUILD +5 -5
main/linux-grsec/grsecurity-2.9.1-3.6.11-al1-unofficial-0.patch +91005 -0
main/linux-grsec/patch-3.6.11-al1.patch +8529 -0
main/linux-grsec/xsa40.patch +0 -56
main/linux-grsec/APKBUILD
...
...
@@ -4,7 +4,7 @@ _flavor=grsec
pkgname
=
linux-
${
_flavor
}
pkgver
=
3.6.11
_kernver
=
3.6
pkgrel
=
5
pkgrel
=
6
pkgdesc
=
"Linux kernel with grsecurity"
url
=
http://grsecurity.net
depends
=
"mkinitfs linux-firmware"
...
...
@@ -14,11 +14,11 @@ _config=${config:-kernelconfig.${CARCH}}
install
=
source
=
"http://ftp.kernel.org/pub/linux/kernel/v3.x/linux-
$_kernver
.tar.xz
http://ftp.kernel.org/pub/linux/kernel/v3.x/patch-
$pkgver
.xz
grsecurity-2.9.1-3.6.11-unofficial-1.patch
patch-3.6.11-al1.patch
grsecurity-2.9.1-3.6.11-al1-unofficial-0.patch
0004-arp-flush-arp-cache-on-device-change.patch
r8169-num-rx-desc.patch
xsa40.patch
ipv4-remove-output-route-check-in-ipv4_mtu.patch
0001-r8169-remove-the-obsolete-and-incorrect-AMD-workarou.patch
...
...
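Review bot: In source=, the two entries added here, patch-3.6.11-al1.patch and grsecurity-2.9.1-3.6.11-al1-unofficial-0.patch, are local files with no upstream URL, and the commit message says only "merge in stable fixes". Together they add more than 99,000 lines in place of grsecurity-2.9.1-3.6.11-unofficial-1.patch, so please record in the commit message or in a comment above source= which stable fixes were merged and how the -al1 grsecurity patch differs from the one it replaces, so the result can be reproduced and audited.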
@@ -144,10 +144,10 @@ dev() {
md5sums
=
"1a1760420eac802c541a20ab51a093d1 linux-3.6.tar.xz
bd4bba74093405887d521309a74c19e9 patch-3.6.11.xz
dce5c43ac3b5d8e35e245b35e90e1837 grsecurity-2.9.1-3.6.11-unofficial-1.patch
90efc91d59e9cfde50de2031a798e62b patch-3.6.11-al1.patch
3838e6334ed957fd73e793e1816fe66c grsecurity-2.9.1-3.6.11-al1-unofficial-0.patch
776adeeb5272093574f8836c5037dd7d 0004-arp-flush-arp-cache-on-device-change.patch
daf2cbb558588c49c138fe9ca2482b64 r8169-num-rx-desc.patch
d9de28f8a74fe0347866705b4bd6db85 xsa40.patch
d9b4a528e722d10ba53034ebd440c31b ipv4-remove-output-route-check-in-ipv4_mtu.patch
63468b44e34fa19237e0a2a1f6737b14 0001-r8169-remove-the-obsolete-and-incorrect-AMD-workarou.patch
373db5888708938c6b1baed6da781fcb kernelconfig.x86
...
...
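Review bot: The md5sums entries for patch-3.6.11-al1.patch and grsecurity-2.9.1-3.6.11-al1-unofficial-0.patch are the only integrity pin on the new files, and the kernel tarball and patch-$pkgver.xz listed in source= are fetched over plain http://, so MD5 is also the only check on those downloads. MD5 does not resist deliberate collisions; consider pinning these files with a stronger digest in addition to, or instead of, md5sums.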
main/linux-grsec/grsecurity-2.9.1-3.6.11-al1-unofficial-0.patch
New file (0 → 100644). This diff is collapsed.
main/linux-grsec/patch-3.6.11-al1.patch
New file (0 → 100644). This diff is collapsed.
main/linux-grsec/xsa40.patch
deleted (100644 → 0)
Xen: Fix stack corruption in xen_failsafe_callback for 32bit PVOPS guests.
This fixes CVE-2013-0190 / XSA-40
There has been an error on the xen_failsafe_callback path for failed
iret, which causes the stack pointer to be wrong when entering the
iret_exc error path. This can result in the kernel crashing.
In the classic kernel case, the relevant code looked a little like:
popl %eax # Error code from hypervisor
jz 5f
addl $16,%esp
jmp iret_exc # Hypervisor said iret fault
5: addl $16,%esp
# Hypervisor said segment selector fault
Here, there are two identical addls on either option of a branch which
appears to have been optimised by hoisting it above the jz, and
converting it to an lea, which leaves the flags register unaffected.
In the PVOPS case, the code looks like:
popl_cfi %eax # Error from the hypervisor
lea 16(%esp),%esp # Add $16 before choosing fault path
CFI_ADJUST_CFA_OFFSET -16
jz 5f
addl $16,%esp # Incorrectly adjust %esp again
jmp iret_exc
It is possible unprivileged userspace applications to cause this
behaviour, for example by loading an LDT code selector, then changing
the code selector to be not-present. At this point, there is a race
condition where it is possible for the hypervisor to return back to
userspace from an interrupt, fault on its own iret, and inject a
failsafe_callback into the kernel.
This bug has been present since the introduction of Xen PVOPS support
in commit 5ead97c84 (xen: Core Xen implementation), in 2.6.23.
Signed-off-by: Frediano Ziglio <frediano.ziglio@citrix.com>
Signed-off-by: Andrew Cooper <andrew.cooper3@citrix.com>
diff --git a/arch/x86/kernel/entry_32.S b/arch/x86/kernel/entry_32.S
index ff84d54..6ed91d9 100644
--- a/arch/x86/kernel/entry_32.S
+++ b/arch/x86/kernel/entry_32.S
@@ -1065,7 +1065,6 @@
ENTRY(xen_failsafe_callback)
lea 16(%esp),%esp
CFI_ADJUST_CFA_OFFSET -16
jz 5f
- addl $16,%esp
jmp iret_exc
5: pushl_cfi $-1 /* orig_ax = -1 => not a system call */
SAVE_ALL
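Review bot: Deleting xsa40.patch removes the package's only visible fix for CVE-2013-0190 / XSA-40, and the two patches that replace it are collapsed in this view, so nothing here shows that the extra `addl $16,%esp` after `jz 5f` in xen_failsafe_callback is still removed after the merge. Please confirm that patch-3.6.11-al1.patch carries the same change to arch/x86/kernel/entry_32.S and say so in the commit message, so the CVE stays traceable in the package history.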