Bastian Blank
2012-Jun-13 08:46 UTC
[Pkg-xen-changes] r1025 - in branches/squeeze-security/xen/debian: . patches
Author: waldi Date: Wed Jun 13 08:46:46 2012 New Revision: 1025 Log: * debian/changelog: Update. * debian/patches: Add patches for CVE-2012-0217, 2012-0218 and 2012-2934. * debian/rules.real: Install NEWS file into hypervisor package. * debian/xen-hypervisor.NEWS: Add warning about disabled CPU. Added: branches/squeeze-security/xen/debian/patches/CVE-2012-0217+2012-0218 branches/squeeze-security/xen/debian/patches/CVE-2012-2934 branches/squeeze-security/xen/debian/xen-hypervisor.NEWS Modified: branches/squeeze-security/xen/debian/changelog branches/squeeze-security/xen/debian/patches/series branches/squeeze-security/xen/debian/rules.real
Modified: branches/squeeze-security/xen/debian/changelog
=============================================================================
--- branches/squeeze-security/xen/debian/changelog Tue May 22 08:45:29 2012 (r1024)
+++ branches/squeeze-security/xen/debian/changelog Wed Jun 13 08:46:46 2012 (r1025)
@@ -1,3 +1,15 @@
+xen (4.0.1-5) stable-security; urgency=low
+
+ * Fix privilege escalation and syscall/sysenter DoS while using
+ non-canonical addresses by untrusted PV guests.
+ CVE-2012-0217
+ CVE-2012-0218
+ * Disable Xen on CPUs affected by AMD Erratum #121. PV guests can
+ cause a DoS of the host.
+ CVE-2012-2934
+
+ -- Bastian Blank <waldi at debian.org> Mon, 11 Jun 2012 18:12:37 +0000
+
 xen (4.0.1-4) stable-security; urgency=low
 * Fix overflows and missing error checks in PV kernel loader.
Added: branches/squeeze-security/xen/debian/patches/CVE-2012-0217+2012-0218
=============================================================================
--- /dev/null 00:00:00 1970 (empty, because file is newly added)
+++ branches/squeeze-security/xen/debian/patches/CVE-2012-0217+2012-0218 Wed Jun 13 08:46:46 2012 (r1025)
@@ -0,0 +1,96 @@
+diff -r d8fd425b60d3 xen/arch/x86/x86_64/asm-offsets.c
+--- a/xen/arch/x86/x86_64/asm-offsets.c Tue May 01 14:18:46 2012 +0100
++++ b/xen/arch/x86/x86_64/asm-offsets.c Thu May 24 11:18:47 2012 +0100
+@@ -89,6 +89,8 @@ void __dummy__(void)
+ arch.guest_context.trap_ctxt[TRAP_gp_fault].address);
+ OFFSET(VCPU_gp_fault_sel, struct vcpu,
+ arch.guest_context.trap_ctxt[TRAP_gp_fault].cs);
++ OFFSET(VCPU_gp_fault_flags, struct vcpu,
++ arch.guest_context.trap_ctxt[TRAP_gp_fault].flags);
+ OFFSET(VCPU_kernel_sp, struct vcpu, arch.guest_context.kernel_sp);
+ OFFSET(VCPU_kernel_ss, struct vcpu, arch.guest_context.kernel_ss);
+ OFFSET(VCPU_guest_context_flags, struct vcpu, arch.guest_context.flags);
+diff -r d8fd425b60d3 xen/arch/x86/x86_64/compat/entry.S
+--- a/xen/arch/x86/x86_64/compat/entry.S Tue May 01 14:18:46 2012 +0100
++++ b/xen/arch/x86/x86_64/compat/entry.S Thu May 24 11:18:47 2012 +0100
+@@ -227,6 +227,7 @@ 1: call compat_create_bounce_frame
+ ENTRY(compat_post_handle_exception)
+ testb $TBF_EXCEPTION,TRAPBOUNCE_flags(%rdx)
+ jz compat_test_all_events
++.Lcompat_bounce_exception:
+ call compat_create_bounce_frame
+ movb $0,TRAPBOUNCE_flags(%rdx)
+ jmp compat_test_all_events
+@@ -243,14 +244,15 @@ ENTRY(compat_syscall)
+ 1: movq %rax,TRAPBOUNCE_eip(%rdx)
+ movw %si,TRAPBOUNCE_cs(%rdx)
+ movb %cl,TRAPBOUNCE_flags(%rdx)
+- call compat_create_bounce_frame
+- jmp compat_test_all_events
++ jmp .Lcompat_bounce_exception
+ 2: movl $TRAP_gp_fault,UREGS_entry_vector(%rsp)
+ subl $2,UREGS_rip(%rsp)
+ movq VCPU_gp_fault_addr(%rbx),%rax
+ movzwl VCPU_gp_fault_sel(%rbx),%esi
+- movb $(TBF_EXCEPTION|TBF_EXCEPTION_ERRCODE|TBF_INTERRUPT),%cl
+ movl $0,TRAPBOUNCE_error_code(%rdx)
++ testb $4,VCPU_gp_fault_flags(%rbx)
++ setnz %cl
++ leal TBF_EXCEPTION|TBF_EXCEPTION_ERRCODE(,%rcx,TBF_INTERRUPT),%ecx
+ jmp 1b
+ 
+ ENTRY(compat_sysenter)
+diff -r d8fd425b60d3 xen/arch/x86/x86_64/entry.S
+--- a/xen/arch/x86/x86_64/entry.S Tue May 01 14:18:46 2012 +0100
++++ b/xen/arch/x86/x86_64/entry.S Thu May 24 11:18:47 2012 +0100
+@@ -51,6 +51,13 @@ restore_all_guest:
+ testw $TRAP_syscall,4(%rsp)
+ jz iret_exit_to_guest
+ 
++ /* Don''t use SYSRET path if the return address is not canonical. */
++ movq 8(%rsp),%rcx
++ sarq $47,%rcx
++ incl %ecx
++ cmpl $1,%ecx
++ ja .Lforce_iret
++
+ addq $8,%rsp
+ popq %rcx # RIP
+ popq %r11 # CS
+@@ -61,6 +68,10 @@ restore_all_guest:
+ sysretq
+ 1: sysretl
+ 
++.Lforce_iret:
++ /* Mimic SYSRET behavior. */
++ movq 8(%rsp),%rcx # RIP
++ movq 24(%rsp),%r11 # RFLAGS
+ ALIGN
+ /* No special register assumptions. */
+ iret_exit_to_guest:
+@@ -298,12 +309,14 @@ 1: movq VCPU_domain(%rbx),%rdi
+ movb %cl,TRAPBOUNCE_flags(%rdx)
+ testb $1,DOMAIN_is_32bit_pv(%rdi)
+ jnz compat_sysenter
+- call create_bounce_frame
+- jmp test_all_events
++ jmp .Lbounce_exception
+ 2: movl %eax,TRAPBOUNCE_error_code(%rdx)
+ movq VCPU_gp_fault_addr(%rbx),%rax
+- movb $(TBF_EXCEPTION|TBF_EXCEPTION_ERRCODE|TBF_INTERRUPT),%cl
+ movl $TRAP_gp_fault,UREGS_entry_vector(%rsp)
++ subq $2,UREGS_rip(%rsp)
++ testb $4,VCPU_gp_fault_flags(%rbx)
++ setnz %cl
++ leal TBF_EXCEPTION|TBF_EXCEPTION_ERRCODE(,%rcx,TBF_INTERRUPT),%ecx
+ jmp 1b
+ 
+ ENTRY(int80_direct_trap)
+@@ -490,6 +503,7 @@ 1: movq %rsp,%rdi
+ jnz compat_post_handle_exception
+ testb $TBF_EXCEPTION,TRAPBOUNCE_flags(%rdx)
+ jz test_all_events
++.Lbounce_exception:
+ call create_bounce_frame
+ movb $0,TRAPBOUNCE_flags(%rdx)
+ jmp test_all_events
Added: branches/squeeze-security/xen/debian/patches/CVE-2012-2934
=============================================================================
--- /dev/null 00:00:00 1970 (empty, because file is newly added)
+++ branches/squeeze-security/xen/debian/patches/CVE-2012-2934 Wed Jun 13 08:46:46 2012 (r1025)
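Review bot: The new code in restore_all_guest and at the two `2:` labels relies on unexplained constants — `sarq $47,%rcx` encodes the 48-bit canonical-address boundary and `testb $4,VCPU_gp_fault_flags(%rbx)` tests a single trap_info flag bit — and the patch file carries no description header at all (the hunk opens directly with `+diff -r d8fd425b60d3`), so neither a reader of entry.S nor of debian/patches can tell why these values are right. I would extend the comment before `movq 8(%rsp),%rcx` to `/* Don't use SYSRET path if the return address is not canonical: after sarq $47 a canonical RIP leaves %rcx as 0 or -1, so %ecx+1 > 1 means non-canonical. */` and put `# trap_info flags bit 2: deliver with events disabled` next to each `testb $4`. The `setnz %cl` / `leal ...(,%rcx,TBF_INTERRUPT),%ecx` pairs additionally assume bits 63:8 of %rcx are already zero when `2:` is reached, which depends on how %rcx was last written before the hunk and deserves a one-line comment at each label. The doubled apostrophe in `Don''t` is presumably an archive rendering artifact and is harmless inside a `/* */` comment, but it is worth confirming that the on-disk patch reads `Don't`. All four modified functions begin outside this hunk.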
@@ -0,0 +1,46 @@
+x86-64: detect processors subject to AMD erratum #121 and refuse to boot
+
+Processors with this erratum are subject to a DoS attack by unprivileged
+guest users.
+
+This is XSA-9 / CVE-2006-0744.
+
+Signed-off-by: Jan Beulich <JBeulich at suse.com>
+Signed-off-by: Ian Campbell <ian.campbell at citrix.com>
+
+--- a/xen/arch/x86/cpu/amd.c
++++ b/xen/arch/x86/cpu/amd.c
+@@ -41,6 +41,9 @@ void start_svm(struct cpuinfo_x86 *c);
+ integer_param("cpuid_mask_ext_ecx", opt_cpuid_mask_ext_ecx);
+ integer_param("cpuid_mask_ext_edx", opt_cpuid_mask_ext_edx);
+ 
++static int opt_allow_unsafe;
++boolean_param("allow_unsafe", opt_allow_unsafe);
++
+ static inline void wrmsr_amd(unsigned int index, unsigned int lo,
+ unsigned int hi)
+ {
+@@ -640,6 +643,11 @@ static void __devinit init_amd(struct cp
+ clear_bit(X86_FEATURE_MCE, c->x86_capability);
+ 
+ #ifdef __x86_64__
++ if (cpu_has_amd_erratum(c, AMD_ERRATUM_121) && !opt_allow_unsafe)
++ panic("Xen will not boot on this CPU for security reasons.\n"
++ "Pass \"allow_unsafe\" if you''re trusting all your"
++ " (PV) guest kernels.\n");
++
+ /* AMD CPUs do not support SYSENTER outside of legacy mode. */
+ clear_bit(X86_FEATURE_SEP, c->x86_capability);
+ #endif
+--- a/xen/include/asm-x86/amd.h
++++ b/xen/include/asm-x86/amd.h
+@@ -127,6 +127,9 @@
+ #define AMD_MODEL_RANGE_START(range) (((range) >> 12) & 0xfff)
+ #define AMD_MODEL_RANGE_END(range) ((range) & 0xfff)
+ 
++#define AMD_ERRATUM_121 \
++ AMD_LEGACY_ERRATUM(AMD_MODEL_RANGE(0x0f, 0x0, 0x0, 0x3f, 0xf))
++
+ #define AMD_ERRATUM_170 \
+ AMD_LEGACY_ERRATUM(AMD_MODEL_RANGE(0x0f, 0x0, 0x0, 0x67, 0xf))
+ 
Modified: branches/squeeze-security/xen/debian/patches/series
=============================================================================
--- branches/squeeze-security/xen/debian/patches/series Tue May 22 08:45:29 2012 (r1024)
+++ branches/squeeze-security/xen/debian/patches/series Wed Jun 13 08:46:46 2012 (r1025)
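Review bot: The patch header states `This is XSA-9 / CVE-2006-0744.` while the file name, the series entry and the changelog in this same commit record the change as CVE-2012-2934, so anyone cross-referencing debian/patches against the advisory will find a mismatch; a header line such as `Debian: shipped as CVE-2012-2934` next to the XSA reference would tie the two identifiers together. The new panic() string in init_amd shows `you''re`; that is most likely how this archive renders an apostrophe, but if the on-disk patch really contains two quote characters they end up verbatim in the boot-time message, so the file is worth checking before upload. The model range encoded by `AMD_ERRATUM_121` (apparently family 0x0f, models 0x0–0x3f, all steppings, by analogy with the neighbouring `AMD_ERRATUM_170`) cannot be verified from this hunk because `AMD_MODEL_RANGE`, `AMD_LEGACY_ERRATUM` and `cpu_has_amd_erratum` are defined elsewhere. init_amd starts and ends outside the hunk.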
@@ -71,3 +71,5 @@
 upstream-21461:ee088a0b5cb8-CVE-2011-1166
 upstream-21482:c2adc059e931-CVE-2011-1583
 upstream-21485:b85a9e58ec3a-CVE-2011-1898
+CVE-2012-0217+2012-0218
+CVE-2012-2934
Modified: branches/squeeze-security/xen/debian/rules.real
=============================================================================
--- branches/squeeze-security/xen/debian/rules.real Tue May 22 08:45:29 2012 (r1024)
+++ branches/squeeze-security/xen/debian/rules.real Wed Jun 13 08:46:46 2012 (r1025)
@@ -112,6 +112,7 @@
 install-hypervisor_$(ARCH)_$(FLAVOUR): DIR=$(BUILD_DIR)/build-hypervisor_$(ARCH)_$(FLAVOUR)
 install-hypervisor_$(ARCH)_$(FLAVOUR): PACKAGE_NAME = xen-hypervisor-$(VERSION)-$(FLAVOUR)
+install-hypervisor_$(ARCH)_$(FLAVOUR): PACKAGE_DIR = debian/$(PACKAGE_NAME)
 install-hypervisor_$(ARCH)_$(FLAVOUR): DH_OPTIONS = -p$(PACKAGE_NAME)
 install-hypervisor_$(ARCH)_$(FLAVOUR): $(STAMPS_DIR)/build-hypervisor_$(ARCH)_$(FLAVOUR)
 dh_testdir
@@ -119,6 +120,7 @@
 dh_prep
 dh_installdirs boot
 cp $(DIR)/xen/xen.gz debian/$(PACKAGE_NAME)/boot/xen-$(VERSION)-$(FLAVOUR).gz
+ install -D -m644 debian/xen-hypervisor.NEWS $(PACKAGE_DIR)/usr/share/doc/$(PACKAGE_NAME)/NEWS
 +$(MAKE_SELF) install-base
 install-lib-dev_$(ARCH): DIR = $(BUILD_DIR)/install-utils_$(ARCH)
Added: branches/squeeze-security/xen/debian/xen-hypervisor.NEWS
=============================================================================
--- /dev/null 00:00:00 1970 (empty, because file is newly added)
+++ branches/squeeze-security/xen/debian/xen-hypervisor.NEWS Wed Jun 13 08:46:46 2012 (r1025)
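Review bot: The `cp` line directly above the new `install -D` still spells the package directory out as `debian/$(PACKAGE_NAME)` even though the first rules.real hunk introduces `PACKAGE_DIR` for exactly that path; for consistency it should read `cp $(DIR)/xen/xen.gz $(PACKAGE_DIR)/boot/xen-$(VERSION)-$(FLAVOUR).gz`. The note is installed as `usr/share/doc/$(PACKAGE_NAME)/NEWS`, whereas dh_installchangelogs installs upgrade notes as `NEWS.Debian`, which as far as I recall is the name apt-listchanges looks for when it shows notes during an upgrade — if the goal is that administrators see the `allow_unsafe` warning before their next reboot, the destination should presumably be `$(PACKAGE_DIR)/usr/share/doc/$(PACKAGE_NAME)/NEWS.Debian`. Separately, the file this line ships opens with `xen-3.0 (4.0.1-5)` while debian/changelog names the source package `xen`; the two headers are worth aligning. The install-hypervisor recipe continues outside both hunks.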
@@ -0,0 +1,15 @@
+xen-3.0 (4.0.1-5) stable-security; urgency=low
+
+ A security issue has been discovered that affects some older AMD
+ processors. Untrusted 64-bit Xen guests can cause a processor hang.
+ Affected processors all predate the AMD SVM extensions for hardware
+ virtualization.
+
+ After this update has been applied, Xen will refuse to boot by default
+ if it determines it is running on a vulnerable system. You may override
+ this default by adding the "allow_unsafe" keyword to your hypervisor
+ command line. On systems using the GRUB bootloader, you can do this by
+ editing the /etc/default/grub file and adding the keyword to the
+ "export GRUB_CMDLINE_XEN=" line.
+
+ -- Bastian Blank <waldi at debian.org> Mon, 11 Jun 2012 18:10:55 +0000