From bd5d1b44eb9e9875152861cfe49983910acf3938 Mon Sep 17 00:00:00 2001
From: Josh Boyer
Date: Jan 21 2013 20:22:27 +0000
Subject: Linux v3.7.4
---
diff --git a/kernel.spec b/kernel.spec
index 07f96cf..d8d3bf0 100644
--- a/kernel.spec
+++ b/kernel.spec
@@ -74,7 +74,7 @@ Summary: The Linux kernel
 %if 0%{?released_kernel}
 # Do we have a -stable update to apply?
-%define stable_update 3
+%define stable_update 4
 # Is it a -stable RC?
 %define stable_rc 0
 # Set rpm version accordingly
@@ -777,9 +777,6 @@ Patch21233: 8139cp-re-enable-interrupts-after-tx-timeout.patch
 #rhbz 886946
 Patch21234: iwlegacy-fix-IBSS-cleanup.patch
-#rhbz 896051 896038 CVE-2013-0190
-Patch21250: xen-fix-stack-corruption-in-xen_failsafe_callback.patch
-
 # END OF PATCH DEFINITIONS
 %endif
@@ -1488,9 +1485,6 @@ ApplyPatch 8139cp-re-enable-interrupts-after-tx-timeout.patch
 #rhbz 886948
 ApplyPatch iwlegacy-fix-IBSS-cleanup.patch
-#rhbz 896051 896038 CVE-2013-0190
-ApplyPatch xen-fix-stack-corruption-in-xen_failsafe_callback.patch
-
 # END OF PATCH APPLICATIONS
 %endif
@@ -2347,6 +2341,9 @@ fi
 # ||----w |
 # || ||
 %changelog
+* Mon Jan 21 2013 Josh Boyer - 3.7.4-201
+- Linux v3.7.4
+
 * Fri Jan 18 2013 Justin M. Forbes 3.7.3-201
 - Linux v3.7.3
diff --git a/sources b/sources
index df992bd..373e02c 100644
--- a/sources
+++ b/sources
@@ -1,2 +1,2 @@
 21223369d682bcf44bcdfe1521095983 linux-3.7.tar.xz
-d4aa39ec9610e9fbd7bb4f5aff2c5db8 patch-3.7.3.xz
+87640faf7264639e1300829d1b292076 patch-3.7.4.xz
diff --git a/xen-fix-stack-corruption-in-xen_failsafe_callback.patch b/xen-fix-stack-corruption-in-xen_failsafe_callback.patch
deleted file mode 100644
index 9d83ea0..0000000
--- a/xen-fix-stack-corruption-in-xen_failsafe_callback.patch
+++ /dev/null
@@ -1,62 +0,0 @@
-From 38174c8c07ad638cd18285ba402b59076849dc21 Mon Sep 17 00:00:00 2001
-From: Andrew Cooper
-Date: Thu, 10 Jan 2013 17:16:30 +0000
-Subject: [PATCH] xen: Fix stack corruption in xen_failsafe_callback for 32bit PVOPS guests.
-
-There has been an error on the xen_failsafe_callback path for failed
-iret, which causes the stack pointer to be wrong when entering the
-iret_exc error path. This can result in the kernel crashing.
-
-In the classic kernel case, the relevant code looked a little like:
-
- popl %eax # Error code from hypervisor
- jz 5f
- addl $16,%esp
- jmp iret_exc # Hypervisor said iret fault
-5: addl $16,%esp
- # Hypervisor said segment selector fault
-
-Here, there are two identical addls on either option of a branch which
-appears to have been optimised by hoisting it above the jz, and
-converting it to an lea, which leaves the flags register unaffected.
-
-In the PVOPS case, the code looks like:
-
- popl_cfi %eax # Error from the hypervisor
- lea 16(%esp),%esp # Add $16 before choosing fault path
- CFI_ADJUST_CFA_OFFSET -16
- jz 5f
- addl $16,%esp # Incorrectly adjust %esp again
- jmp iret_exc
-
-It is possible unprivileged userspace applications to cause this
-behaviour, for example by loading an LDT code selector, then changing
-the code selector to be not-present. At this point, there is a race
-condition where it is possible for the hypervisor to return back to
-userspace from an interrupt, fault on its own iret, and inject a
-failsafe_callback into the kernel.
-
-This bug has been present since the introduction of Xen PVOPS support
-in commit 5ead97c84 (xen: Core Xen implementation), in 2.6.23.
-
-Signed-off-by: Frediano Ziglio
-Signed-off-by: Andrew Cooper
----
- arch/x86/kernel/entry_32.S | 1 -
- 1 files changed, 0 insertions(+), 1 deletions(-)
-
-diff --git a/arch/x86/kernel/entry_32.S b/arch/x86/kernel/entry_32.S
-index ff84d54..6ed91d9 100644
---- a/arch/x86/kernel/entry_32.S
-+++ b/arch/x86/kernel/entry_32.S
-@@ -1065,7 +1065,6 @@ ENTRY(xen_failsafe_callback)
- lea 16(%esp),%esp
- CFI_ADJUST_CFA_OFFSET -16
- jz 5f
-- addl $16,%esp
- jmp iret_exc
- 5: pushl_cfi $-1 /* orig_ax = -1 => not a system call */
- SAVE_ALL
---
-1.7.2.5
-