| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Wed, 6 Feb 2013 10:18:54 +0000 From: Frediano Ziglio <frediano.ziglio@...rix.com> To: "herton.krzesinski@...onical.com" <herton.krzesinski@...onical.com> CC: Frediano Ziglio <frediano.ziglio@...rix.com>, Andrew Cooper <Andrew.Cooper3@...rix.com>, "linux-kernel@...r.kernel.org" <linux-kernel@...r.kernel.org>, "stable@...r.kernel.org" <stable@...r.kernel.org>, "kernel-team@...ts.ubuntu.com" <kernel-team@...ts.ubuntu.com>, "konrad.wilk@...cle.com" <konrad.wilk@...cle.com> Subject: Re: [PATCH 11/93] xen: Fix stack corruption in xen_failsafe_callback for 32bit PVOPS guests. At stated before I'm the author of this patch. Please change the From: to From: Frediano Ziglio <frediano.ziglio@...rix.com> Frediano On Tue, 2013-02-05 at 20:06 -0200, Herton Ronaldo Krzesinski wrote: > 3.5.7.5 -stable review patch. If anyone has any objections, please let me know. > > ------------------ > > From: Andrew Cooper <andrew.cooper3@...rix.com> > > commit 9174adbee4a9a49d0139f5d71969852b36720809 upstream. > > This fixes CVE-2013-0190 / XSA-40 > > There has been an error on the xen_failsafe_callback path for failed > iret, which causes the stack pointer to be wrong when entering the > iret_exc error path. This can result in the kernel crashing. > > In the classic kernel case, the relevant code looked a little like: > > popl %eax # Error code from hypervisor > jz 5f > addl $16,%esp > jmp iret_exc # Hypervisor said iret fault > 5: addl $16,%esp > # Hypervisor said segment selector fault > > Here, there are two identical addls on either option of a branch which > appears to have been optimised by hoisting it above the jz, and > converting it to an lea, which leaves the flags register unaffected. > > In the PVOPS case, the code looks like: > > popl_cfi %eax # Error from the hypervisor > lea 16(%esp),%esp # Add $16 before choosing fault path > CFI_ADJUST_CFA_OFFSET -16 > jz 5f > addl $16,%esp # Incorrectly adjust %esp again > jmp iret_exc > > It is possible unprivileged userspace applications to cause this > behaviour, for example by loading an LDT code selector, then changing > the code selector to be not-present. At this point, there is a race > condition where it is possible for the hypervisor to return back to > userspace from an interrupt, fault on its own iret, and inject a > failsafe_callback into the kernel. > > This bug has been present since the introduction of Xen PVOPS support > in commit 5ead97c84 (xen: Core Xen implementation), in 2.6.23. > > Signed-off-by: Frediano Ziglio <frediano.ziglio@...rix.com> > Signed-off-by: Andrew Cooper <andrew.cooper3@...rix.com> > Signed-off-by: Konrad Rzeszutek Wilk <konrad.wilk@...cle.com> > Signed-off-by: Herton Ronaldo Krzesinski <herton.krzesinski@...onical.com> > --- > arch/x86/kernel/entry_32.S | 1 - > 1 file changed, 1 deletion(-) > > diff --git a/arch/x86/kernel/entry_32.S b/arch/x86/kernel/entry_32.S > index 8f8e8ee..2a6919e 100644 > --- a/arch/x86/kernel/entry_32.S > +++ b/arch/x86/kernel/entry_32.S > @@ -1065,7 +1065,6 @@ ENTRY(xen_failsafe_callback) > lea 16(%esp),%esp > CFI_ADJUST_CFA_OFFSET -16 > jz 5f > - addl $16,%esp > jmp iret_exc > 5: pushl_cfi $-1 /* orig_ax = -1 => not a system call */ > SAVE_ALL
Powered by blists - more mailing lists