Red Hat Bugzilla – Bug 248353
CVE-2007-3732 kernel: Reset %fs early in iret_exc
Last modified: 2010-04-15 22:07:24 EDT
The iret_exc fixup path, run when iret generates an exception due to bogus
%cs:%eip or %ss:%esp on the way back to user mode, has been broken since the
%fs-percpu-current changes. The kernel's %fs needs to be restored before the
call in TRACE_IRQS_ON and before enabling interrupts, so that "current"
references work. Without this, "current" used in the window between iret_exc
and the middle of error_code where %fs is reset would crash (or get bogus
values, perhaps exploitable in fancy ways).
Commit a10d9a71 is the fix for CVE-2007-3732. When this patch was backported to the -stable kernel, it was wrongly listed as CVE-2007-3731. And when we were dealing with CVE-2007-3731, our developer backported this patch too even though we have filed a separate bug for CVE-2007-3732, so this was fixed. What a mess, but I'm glad we cleared this up after all.