Bug 144658
Summary: | CAN-2005-0091 4g4g PROT_NONE fix (CAN-2005-0092) | | |
---|---|---|---|
Product: | Red Hat Enterprise Linux 4 | Reporter: | Tim Burke <tburke> |
Component: | kernel | Assignee: | Ingo Molnar <mingo> |
Status: | CLOSED ERRATA | QA Contact: | Brian Brock <bbrock> |
Severity: | medium | Docs Contact: | |
Priority: | medium | | |
Version: | 4.0 | CC: | davej, jbaron, riel |
Target Milestone: | --- | | |
Target Release: | --- | | |
Hardware: | All | | |
OS: | Linux | | |
Whiteboard: | | | |
Fixed In Version: | | Doc Type: | Bug Fix |
Doc Text: | | Story Points: | --- |
Clone Of: | | Environment: | |
Last Closed: | 2005-02-18 17:21:06 UTC | Type: | --- |
Regression: | --- | Mount Type: | --- |
Documentation: | --- | CRM: | |
Verified Versions: | | Category: | --- |
oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
Cloudforms Team: | --- | Target Upstream Version: | |
Embargoed: | | | |
Bug Depends On: | | | |
Bug Blocks: | 144195 | | |
Description
Tim Burke
2005-01-10 13:58:42 UTC
This is another 4:4 fix against the latest rhel4 tree. It is a fix for a probably DoS-able x86 corner-case segmentation scenario that 4:4 doesn't take into account: when we return to userspace and fault on the way back (on weird segments), then the exception handler routine has to be within a special 'marked' region, or else we stay in kernel mode (and crash). In theory this could also be exploited. I've tested it on x86 (the only platform affected) on top of the latest rhel4 kernel, and it builds/boots fine and the syscall exploit doesn't work anymore. I have tested the 3:1 split too. Furthermore I have checked the disassembly of the kernel image pre-patch vs. post-patch, to make sure that the patch has no effect on 3:1. (It has no effect since the __RESTORE_ALL_USER macro is only used by the 4:4 code.)

Ingo

--- linux/arch/i386/kernel/entry.S.orig +++ linux/arch/i386/kernel/entry.S @@ -167,7 +167,7 @@ int80_ret_start_marker: \ movl %edx, %esp; \ movl %ecx, %cr3; \ \ - __RESTORE_ALL; \ + __RESTORE_ALL_USER; \ int80_ret_end_marker: \ 2: @@ -204,14 +204,19 @@ int80_ret_end_marker: \ #define __RESTORE_REGS \ __RESTORE_INT_REGS; \ + popl %ds; \ + popl %es; + +#define __RESTORE_REGS_USER \ + __RESTORE_INT_REGS; \ 111: popl %ds; \ 222: popl %es; \ -.section .fixup,"ax"; \ + jmp 666f; \ 444: movl $0,(%esp); \ jmp 111b; \ 555: movl $0,(%esp); \ jmp 222b; \ -.previous; \ +666: \ .section __ex_table,"a";\ .align 4; \ .long 111b,444b;\ 
@@ -220,6 +225,13 @@ int80_ret_end_marker: \ #define __RESTORE_ALL \ __RESTORE_REGS \ + __RESTORE_IRET + +#define __RESTORE_ALL_USER \ + __RESTORE_REGS_USER \ + __RESTORE_IRET + +#define __RESTORE_IRET \ addl $4, %esp; \ 333: iret; \ .section .fixup,"ax"; \

An advisory has been issued which should help the problem described in this bug report. This report is therefore being closed with a resolution of ERRATA. For more information on the solution and/or where to find the updated files, please follow the link below. You may reopen this bug report if the solution does not work for you. http://rhn.redhat.com/errata/RHSA-2005-092.html
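Review bot: in the @@ -167,7 +167,7 @@ hunk the switch to __RESTORE_ALL_USER is made only on the int80 return path, between int80_ret_start_marker and int80_ret_end_marker and after the "movl %ecx, %cr3" that has already loaded the user page tables. Any other 4:4 return-to-user path that pops %ds/%es after the %cr3 switch and before iret would have the same out-of-region fixup problem, so the description should either state that the int80 path is the only such path or the same substitution should be applied to the others in this patch.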
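Review bot: in the @@ -204,14 +204,19 @@ hunk the plain __RESTORE_REGS keeps "popl %ds; popl %es" but loses the 111:/222: labels, the 444:/555: stubs and the __ex_table section that follows them (the macro now ends at "popl %es;" with no continuation), so any remaining caller of __RESTORE_ALL that can pop a user-supplied selector takes an unhandled fault instead of the zero-selector fixup. That is only safe if every path that returns to user space uses __RESTORE_ALL_USER; the note that the 3:1 disassembly is unchanged suggests the old callers never relied on the fixup, but that should be spelled out in the description. Moving 444:/555: inline between "jmp 666f" and "666:" is what puts the fixup targets inside the marked region, so a one-line comment in __RESTORE_REGS_USER saying they must not go back into .section .fixup would stop a later cleanup from reverting this.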
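Review bot: in the @@ -220,6 +225,13 @@ hunk __RESTORE_IRET still emits its iret fault handler into '.section .fixup,"ax"' and is shared by __RESTORE_ALL_USER, so on the int80 path a fault at "333: iret" (bad %cs/%ss/%eflags in the user frame) would resolve to a fixup outside the marked region, the same situation this patch fixes for popl %ds/%es. Either the description should explain why an iret fault cannot occur or is handled there, or the iret fixup needs the same inline treatment as 444:/555:. Minor style point: __RESTORE_ALL and __RESTORE_ALL_USER expand __RESTORE_IRET before its #define; that is fine for cpp as long as expansion happens later, but defining __RESTORE_IRET first reads more naturally.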
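The rule in the description (a fixup reached from inside the 4:4 return trampoline must itself lie inside the marked region) can be checked mechanically. The program below is an added example, not code from the bug report or from the RHEL 4 kernel: it models the i386 __ex_table lookup in user space, classifies what happens when a trampoline instruction faults, and counts entries that fault inside the region but fix up outside it, which is exactly the difference between the pre-patch `.section .fixup` placement of `444:`/`555:` and the post-patch inline placement. The trampoline bounds, the addresses and the two sample tables are constructed values chosen for illustration, not real kernel symbols.

```c
/*
 * Added example, not part of the bug report or of the RHEL 4 kernel.
 * Models the i386 __ex_table lookup and checks the invariant the patch
 * restores: an exception-table entry whose faulting instruction lies inside
 * the 4:4 int80 return trampoline (int80_ret_start_marker ..
 * int80_ret_end_marker) must point to a fixup inside that same region.
 * All addresses below are constructed sample values, not real kernel symbols.
 */
#include <inttypes.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Same shape as the kernel's table: ".long insn, fixup" per entry. */
struct exception_table_entry {
    uint32_t insn;
    uint32_t fixup;
};

enum fault_outcome {
    FAULT_UNHANDLED,         /* no entry: the fault would oops the kernel */
    FAULT_FIXUP_OK,          /* fixup lies inside the marked region */
    FAULT_FIXUP_UNREACHABLE  /* fixup outside the region: the case the patch fixes */
};

/* Hypothetical trampoline bounds, assumed for the example. */
#define TRAMP_START 0xc0106200u
#define TRAMP_END   0xc0106240u
#define SAMPLE_N    2

/* Pre-patch layout (constructed): 444:/555: were emitted into .section .fixup,
 * far from the trampoline, so the table points out of the marked region. */
static const struct exception_table_entry sample_pre_tbl[SAMPLE_N] = {
    { 0xc0106210u, 0xc0118000u },  /* 111: popl %ds -> 444: in .fixup */
    { 0xc0106211u, 0xc0118007u },  /* 222: popl %es -> 555: in .fixup */
};

/* Post-patch layout (constructed): 444:/555: sit inline after "jmp 666f". */
static const struct exception_table_entry sample_post_tbl[SAMPLE_N] = {
    { 0xc0106210u, 0xc0106214u },
    { 0xc0106211u, 0xc010621bu },
};

static int in_region(uint32_t a, uint32_t start, uint32_t end)
{
    return a >= start && a < end;
}

/* Binary search over a table sorted by insn, like the kernel's search_extable(). */
const struct exception_table_entry *
search_extable(const struct exception_table_entry *tbl, size_t n, uint32_t ip)
{
    size_t lo = 0, hi = n;
    while (lo < hi) {
        size_t mid = lo + (hi - lo) / 2;
        if (tbl[mid].insn == ip)
            return &tbl[mid];
        if (tbl[mid].insn < ip)
            lo = mid + 1;
        else
            hi = mid;
    }
    return NULL;
}

/* Outcome of a fault at ip while executing inside the trampoline, according
 * to the rule stated in the bug description. */
enum fault_outcome
resolve_trampoline_fault(const struct exception_table_entry *tbl, size_t n,
                         uint32_t start, uint32_t end, uint32_t ip)
{
    const struct exception_table_entry *e = search_extable(tbl, n, ip);
    if (e == NULL)
        return FAULT_UNHANDLED;
    if (in_region(ip, start, end) && !in_region(e->fixup, start, end))
        return FAULT_FIXUP_UNREACHABLE;
    return FAULT_FIXUP_OK;
}

/* Static check over a whole table (for example one dumped with
 * "objdump -s -j __ex_table vmlinux"): count entries that fault inside the
 * region but fix up outside it. */
size_t
check_trampoline_fixups(const struct exception_table_entry *tbl, size_t n,
                        uint32_t start, uint32_t end)
{
    size_t bad = 0;
    for (size_t i = 0; i < n; i++) {
        if (in_region(tbl[i].insn, start, end) &&
            !in_region(tbl[i].fixup, start, end)) {
            printf("entry %zu: insn %#" PRIx32 " fixup %#" PRIx32
                   " lies outside [%#" PRIx32 ", %#" PRIx32 ")\n",
                   i, tbl[i].insn, tbl[i].fixup, start, end);
            bad++;
        }
    }
    return bad;
}

int main(void)
{
    printf("pre-patch violations:  %zu\n",
           check_trampoline_fixups(sample_pre_tbl, SAMPLE_N, TRAMP_START, TRAMP_END));
    printf("post-patch violations: %zu\n",
           check_trampoline_fixups(sample_post_tbl, SAMPLE_N, TRAMP_START, TRAMP_END));
    return 0;
}
```

On a real image the table would be read from the `__ex_table` section and the bounds taken from the `int80_ret_start_marker`/`int80_ret_end_marker` symbols in System.map; the check itself does not change.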