diff options
| author | Mario Preksavec <mario@slackware.hr> | 2017-01-08 17:51:53 +0100 |
|---|---|---|
| committer | David Spencer <idlemoor@slackbuilds.org> | 2017-01-09 20:17:34 +0000 |
| commit | fc59ea21bafe53eb7e633d6468bfa2a75bd54976 (patch) | |
| tree | e1ce20c267d0afc939ace862d4996190b9e1fab1 /system/xen/xsa/xsa204-4.8.patch | |
| parent | 9b2ee6f34d5c6b4a0e47f309defb29177de28771 (diff) | |
| download | slackbuilds-fc59ea21bafe53eb7e633d6468bfa2a75bd54976.tar.gz | |
system/xen: Updated for version 4.8.0.
Signed-off-by: Mario Preksavec <mario@slackware.hr>
Diffstat (limited to 'system/xen/xsa/xsa204-4.8.patch')
| -rw-r--r-- | system/xen/xsa/xsa204-4.8.patch | 57 |
1 files changed, 57 insertions, 0 deletions
diff --git a/system/xen/xsa/xsa204-4.8.patch b/system/xen/xsa/xsa204-4.8.patch new file mode 100644 index 0000000000..360296b2bc --- /dev/null +++ b/system/xen/xsa/xsa204-4.8.patch @@ -0,0 +1,57 @@ +From: Andrew Cooper <andrew.cooper3@citrix.com> +Date: Sun, 18 Dec 2016 15:42:59 +0000 +Subject: [PATCH] x86/emul: Correct the handling of eflags with SYSCALL + +A singlestep #DB is determined by the resulting eflags value from the +execution of SYSCALL, not the original eflags value. + +By using the original eflags value, we negate the guest kernels attempt to +protect itself from a privilege escalation by masking TF. + +Have the SYSCALL emulation recalculate tf after the instruction is complete. + +This is XSA-204 + +Signed-off-by: Andrew Cooper <andrew.cooper3@citrix.com> +Reviewed-by: Jan Beulich <jbeulich@suse.com> +--- + xen/arch/x86/x86_emulate/x86_emulate.c | 19 ++++++++++++++++++- + 1 file changed, 18 insertions(+), 1 deletion(-) + +diff --git a/xen/arch/x86/x86_emulate/x86_emulate.c b/xen/arch/x86/x86_emulate/x86_emulate.c +index d82e85d..ff952a9 100644 +--- a/xen/arch/x86/x86_emulate/x86_emulate.c ++++ b/xen/arch/x86/x86_emulate/x86_emulate.c +@@ -4561,6 +4561,23 @@ x86_emulate( + (rc = ops->write_segment(x86_seg_ss, &sreg, ctxt)) ) + goto done; + ++ /* ++ * SYSCALL (unlike most instructions) evaluates its singlestep action ++ * based on the resulting EFLG_TF, not the starting EFLG_TF. ++ * ++ * As the #DB is raised after the CPL change and before the OS can ++ * switch stack, it is a large risk for privilege escalation. ++ * ++ * 64bit kernels should mask EFLG_TF in MSR_FMASK to avoid any ++ * vulnerability. Running the #DB handler on an IST stack is also a ++ * mitigation. ++ * ++ * 32bit kernels have no ability to mask EFLG_TF at all. Their only ++ * mitigation is to use a task gate for handling #DB (or to not use ++ * enable EFER.SCE to start with). ++ */ ++ tf = _regs.eflags & EFLG_TF; ++ + break; + } + +@@ -5412,7 +5429,7 @@ x86_emulate( + + *ctxt->regs = _regs; + +- /* Inject #DB if single-step tracing was enabled at instruction start. */ ++ /* Should a singlestep #DB be raised? */ + if ( tf && (rc == X86EMUL_OKAY) && ops->inject_hw_exception ) + rc = ops->inject_hw_exception(EXC_DB, -1, ctxt) ? : X86EMUL_EXCEPTION; + |