Bastian Blank
2012-Jun-13 08:46 UTC
[Pkg-xen-changes] r1025 - in branches/squeeze-security/xen/debian: . patches
Author: waldi
Date: Wed Jun 13 08:46:46 2012
New Revision: 1025
Log:
* debian/changelog: Update.
* debian/patches: Add patches for CVE-2012-0217, 2012-0218 and 2012-2934.
* debian/rules.real: Install NEWS file into hypervisor package.
* debian/xen-hypervisor.NEWS: Add warning about disabled CPU.
Added:
branches/squeeze-security/xen/debian/patches/CVE-2012-0217+2012-0218
branches/squeeze-security/xen/debian/patches/CVE-2012-2934
branches/squeeze-security/xen/debian/xen-hypervisor.NEWS
Modified:
branches/squeeze-security/xen/debian/changelog
branches/squeeze-security/xen/debian/patches/series
branches/squeeze-security/xen/debian/rules.real
Modified: branches/squeeze-security/xen/debian/changelog
=============================================================================---
branches/squeeze-security/xen/debian/changelog Tue May 22 08:45:29 2012 (r1024)
+++ branches/squeeze-security/xen/debian/changelog Wed Jun 13 08:46:46 2012
(r1025)
@@ -1,3 +1,15 @@
+xen (4.0.1-5) stable-security; urgency=low
+
+ * Fix privilege escalation and syscall/sysenter DoS while using
+ non-canonical addresses by untrusted PV guests.
+ CVE-2012-0217
+ CVE-2012-0218
+ * Disable Xen on CPUs affected by AMD Erratum #121. PV guests can
+ cause a DoS of the host.
+ CVE-2012-2934
+
+ -- Bastian Blank <waldi at debian.org> Mon, 11 Jun 2012 18:12:37 +0000
+
xen (4.0.1-4) stable-security; urgency=low
* Fix overflows and missing error checks in PV kernel loader.
Added: branches/squeeze-security/xen/debian/patches/CVE-2012-0217+2012-0218
=============================================================================---
/dev/null 00:00:00 1970 (empty, because file is newly added)
+++ branches/squeeze-security/xen/debian/patches/CVE-2012-0217+2012-0218 Wed Jun
13 08:46:46 2012 (r1025)
@@ -0,0 +1,96 @@
+diff -r d8fd425b60d3 xen/arch/x86/x86_64/asm-offsets.c
+--- a/xen/arch/x86/x86_64/asm-offsets.c Tue May 01 14:18:46 2012 +0100
++++ b/xen/arch/x86/x86_64/asm-offsets.c Thu May 24 11:18:47 2012 +0100
+@@ -89,6 +89,8 @@ void __dummy__(void)
+ arch.guest_context.trap_ctxt[TRAP_gp_fault].address);
+ OFFSET(VCPU_gp_fault_sel, struct vcpu,
+ arch.guest_context.trap_ctxt[TRAP_gp_fault].cs);
++ OFFSET(VCPU_gp_fault_flags, struct vcpu,
++ arch.guest_context.trap_ctxt[TRAP_gp_fault].flags);
+ OFFSET(VCPU_kernel_sp, struct vcpu, arch.guest_context.kernel_sp);
+ OFFSET(VCPU_kernel_ss, struct vcpu, arch.guest_context.kernel_ss);
+ OFFSET(VCPU_guest_context_flags, struct vcpu, arch.guest_context.flags);
+diff -r d8fd425b60d3 xen/arch/x86/x86_64/compat/entry.S
+--- a/xen/arch/x86/x86_64/compat/entry.S Tue May 01 14:18:46 2012 +0100
++++ b/xen/arch/x86/x86_64/compat/entry.S Thu May 24 11:18:47 2012 +0100
+@@ -227,6 +227,7 @@ 1: call compat_create_bounce_frame
+ ENTRY(compat_post_handle_exception)
+ testb $TBF_EXCEPTION,TRAPBOUNCE_flags(%rdx)
+ jz compat_test_all_events
++.Lcompat_bounce_exception:
+ call compat_create_bounce_frame
+ movb $0,TRAPBOUNCE_flags(%rdx)
+ jmp compat_test_all_events
+@@ -243,14 +244,15 @@ ENTRY(compat_syscall)
+ 1: movq %rax,TRAPBOUNCE_eip(%rdx)
+ movw %si,TRAPBOUNCE_cs(%rdx)
+ movb %cl,TRAPBOUNCE_flags(%rdx)
+- call compat_create_bounce_frame
+- jmp compat_test_all_events
++ jmp .Lcompat_bounce_exception
+ 2: movl $TRAP_gp_fault,UREGS_entry_vector(%rsp)
+ subl $2,UREGS_rip(%rsp)
+ movq VCPU_gp_fault_addr(%rbx),%rax
+ movzwl VCPU_gp_fault_sel(%rbx),%esi
+- movb $(TBF_EXCEPTION|TBF_EXCEPTION_ERRCODE|TBF_INTERRUPT),%cl
+ movl $0,TRAPBOUNCE_error_code(%rdx)
++ testb $4,VCPU_gp_fault_flags(%rbx)
++ setnz %cl
++ leal TBF_EXCEPTION|TBF_EXCEPTION_ERRCODE(,%rcx,TBF_INTERRUPT),%ecx
+ jmp 1b
+
+ ENTRY(compat_sysenter)
+diff -r d8fd425b60d3 xen/arch/x86/x86_64/entry.S
+--- a/xen/arch/x86/x86_64/entry.S Tue May 01 14:18:46 2012 +0100
++++ b/xen/arch/x86/x86_64/entry.S Thu May 24 11:18:47 2012 +0100
+@@ -51,6 +51,13 @@ restore_all_guest:
+ testw $TRAP_syscall,4(%rsp)
+ jz iret_exit_to_guest
+
++ /* Don''t use SYSRET path if the return address is not
canonical. */
++ movq 8(%rsp),%rcx
++ sarq $47,%rcx
++ incl %ecx
++ cmpl $1,%ecx
++ ja .Lforce_iret
++
+ addq $8,%rsp
+ popq %rcx # RIP
+ popq %r11 # CS
+@@ -61,6 +68,10 @@ restore_all_guest:
+ sysretq
+ 1: sysretl
+
++.Lforce_iret:
++ /* Mimic SYSRET behavior. */
++ movq 8(%rsp),%rcx # RIP
++ movq 24(%rsp),%r11 # RFLAGS
+ ALIGN
+ /* No special register assumptions. */
+ iret_exit_to_guest:
+@@ -298,12 +309,14 @@ 1: movq VCPU_domain(%rbx),%rdi
+ movb %cl,TRAPBOUNCE_flags(%rdx)
+ testb $1,DOMAIN_is_32bit_pv(%rdi)
+ jnz compat_sysenter
+- call create_bounce_frame
+- jmp test_all_events
++ jmp .Lbounce_exception
+ 2: movl %eax,TRAPBOUNCE_error_code(%rdx)
+ movq VCPU_gp_fault_addr(%rbx),%rax
+- movb $(TBF_EXCEPTION|TBF_EXCEPTION_ERRCODE|TBF_INTERRUPT),%cl
+ movl $TRAP_gp_fault,UREGS_entry_vector(%rsp)
++ subq $2,UREGS_rip(%rsp)
++ testb $4,VCPU_gp_fault_flags(%rbx)
++ setnz %cl
++ leal TBF_EXCEPTION|TBF_EXCEPTION_ERRCODE(,%rcx,TBF_INTERRUPT),%ecx
+ jmp 1b
+
+ ENTRY(int80_direct_trap)
+@@ -490,6 +503,7 @@ 1: movq %rsp,%rdi
+ jnz compat_post_handle_exception
+ testb $TBF_EXCEPTION,TRAPBOUNCE_flags(%rdx)
+ jz test_all_events
++.Lbounce_exception:
+ call create_bounce_frame
+ movb $0,TRAPBOUNCE_flags(%rdx)
+ jmp test_all_events
Added: branches/squeeze-security/xen/debian/patches/CVE-2012-2934
=============================================================================---
/dev/null 00:00:00 1970 (empty, because file is newly added)
+++ branches/squeeze-security/xen/debian/patches/CVE-2012-2934 Wed Jun 13
08:46:46 2012 (r1025)
@@ -0,0 +1,46 @@
+x86-64: detect processors subject to AMD erratum #121 and refuse to boot
+
+Processors with this erratum are subject to a DoS attack by unprivileged
+guest users.
+
+This is XSA-9 / CVE-2006-0744.
+
+Signed-off-by: Jan Beulich <JBeulich at suse.com>
+Signed-off-by: Ian Campbell <ian.campbell at citrix.com>
+
+--- a/xen/arch/x86/cpu/amd.c
++++ b/xen/arch/x86/cpu/amd.c
+@@ -41,6 +41,9 @@ void start_svm(struct cpuinfo_x86 *c);
+ integer_param("cpuid_mask_ext_ecx", opt_cpuid_mask_ext_ecx);
+ integer_param("cpuid_mask_ext_edx", opt_cpuid_mask_ext_edx);
+
++static int opt_allow_unsafe;
++boolean_param("allow_unsafe", opt_allow_unsafe);
++
+ static inline void wrmsr_amd(unsigned int index, unsigned int lo,
+ unsigned int hi)
+ {
+@@ -640,6 +643,11 @@ static void __devinit init_amd(struct cp
+ clear_bit(X86_FEATURE_MCE, c->x86_capability);
+
+ #ifdef __x86_64__
++ if (cpu_has_amd_erratum(c, AMD_ERRATUM_121) && !opt_allow_unsafe)
++ panic("Xen will not boot on this CPU for security reasons.\n"
++ "Pass \"allow_unsafe\" if you''re trusting all
your"
++ " (PV) guest kernels.\n");
++
+ /* AMD CPUs do not support SYSENTER outside of legacy mode. */
+ clear_bit(X86_FEATURE_SEP, c->x86_capability);
+ #endif
+--- a/xen/include/asm-x86/amd.h
++++ b/xen/include/asm-x86/amd.h
+@@ -127,6 +127,9 @@
+ #define AMD_MODEL_RANGE_START(range) (((range) >> 12) & 0xfff)
+ #define AMD_MODEL_RANGE_END(range) ((range) & 0xfff)
+
++#define AMD_ERRATUM_121 \
++ AMD_LEGACY_ERRATUM(AMD_MODEL_RANGE(0x0f, 0x0, 0x0, 0x3f, 0xf))
++
+ #define AMD_ERRATUM_170 \
+ AMD_LEGACY_ERRATUM(AMD_MODEL_RANGE(0x0f, 0x0, 0x0, 0x67, 0xf))
+
Modified: branches/squeeze-security/xen/debian/patches/series
=============================================================================---
branches/squeeze-security/xen/debian/patches/series Tue May 22 08:45:29 2012
(r1024)
+++ branches/squeeze-security/xen/debian/patches/series Wed Jun 13 08:46:46 2012
(r1025)
@@ -71,3 +71,5 @@
upstream-21461:ee088a0b5cb8-CVE-2011-1166
upstream-21482:c2adc059e931-CVE-2011-1583
upstream-21485:b85a9e58ec3a-CVE-2011-1898
+CVE-2012-0217+2012-0218
+CVE-2012-2934
Modified: branches/squeeze-security/xen/debian/rules.real
=============================================================================---
branches/squeeze-security/xen/debian/rules.real Tue May 22 08:45:29 2012 (r1024)
+++ branches/squeeze-security/xen/debian/rules.real Wed Jun 13 08:46:46 2012
(r1025)
@@ -112,6 +112,7 @@
install-hypervisor_$(ARCH)_$(FLAVOUR):
DIR=$(BUILD_DIR)/build-hypervisor_$(ARCH)_$(FLAVOUR)
install-hypervisor_$(ARCH)_$(FLAVOUR): PACKAGE_NAME =
xen-hypervisor-$(VERSION)-$(FLAVOUR)
+install-hypervisor_$(ARCH)_$(FLAVOUR): PACKAGE_DIR = debian/$(PACKAGE_NAME)
install-hypervisor_$(ARCH)_$(FLAVOUR): DH_OPTIONS = -p$(PACKAGE_NAME)
install-hypervisor_$(ARCH)_$(FLAVOUR):
$(STAMPS_DIR)/build-hypervisor_$(ARCH)_$(FLAVOUR)
dh_testdir
@@ -119,6 +120,7 @@
dh_prep
dh_installdirs boot
cp $(DIR)/xen/xen.gz debian/$(PACKAGE_NAME)/boot/xen-$(VERSION)-$(FLAVOUR).gz
+ install -D -m644 debian/xen-hypervisor.NEWS
$(PACKAGE_DIR)/usr/share/doc/$(PACKAGE_NAME)/NEWS
+$(MAKE_SELF) install-base
install-lib-dev_$(ARCH): DIR = $(BUILD_DIR)/install-utils_$(ARCH)
Added: branches/squeeze-security/xen/debian/xen-hypervisor.NEWS
=============================================================================---
/dev/null 00:00:00 1970 (empty, because file is newly added)
+++ branches/squeeze-security/xen/debian/xen-hypervisor.NEWS Wed Jun 13 08:46:46
2012 (r1025)
@@ -0,0 +1,15 @@
+xen-3.0 (4.0.1-5) stable-security; urgency=low
+
+ A security issue has been discovered that affects some older AMD
+ processors. Untrusted 64-bit Xen guests can cause a processor hang.
+ Affected processors all predate the AMD SVM extensions for hardware
+ virtualization.
+
+ After this update has been applied, Xen will refuse to boot by default
+ if it determines it is running on a vulnerable system. You may override
+ this default by adding the "allow_unsafe" keyword to your
hypervisor
+ command line. On systems using the GRUB bootloader, you can do this by
+ editing the /etc/default/grub file and adding the keyword to the
+ "export GRUB_CMDLINE_XEN=" line.
+
+ -- Bastian Blank <waldi at debian.org> Mon, 11 Jun 2012 18:10:55 +0000