aboutsummaryrefslogtreecommitdiffstats
path: root/emulators
diff options
context:
space:
mode:
authorroyger <royger@FreeBSD.org>2016-12-20 00:34:04 +0800
committerroyger <royger@FreeBSD.org>2016-12-20 00:34:04 +0800
commit0ba552b9dbf34db50fe69440958c24174e54587a (patch)
tree2ee539d5b6b84ac94f6ab30faeaed1e13722071a /emulators
parent474eb4b0e81162db33d47072487adda8e65d5f55 (diff)
downloadfreebsd-ports-gnome-0ba552b9dbf34db50fe69440958c24174e54587a.tar.gz
freebsd-ports-gnome-0ba552b9dbf34db50fe69440958c24174e54587a.tar.zst
freebsd-ports-gnome-0ba552b9dbf34db50fe69440958c24174e54587a.zip
xen-kernel: add fix for XSA-204
Approved by: bapt MFH: 2016Q4 Sponsored by: Citrix Systems R&D
Diffstat (limited to 'emulators')
-rw-r--r--emulators/xen-kernel/Makefile5
-rw-r--r--emulators/xen-kernel/files/xsa204-4.7.patch69
2 files changed, 72 insertions, 2 deletions
diff --git a/emulators/xen-kernel/Makefile b/emulators/xen-kernel/Makefile
index 196b66bf224a..68b92ac07625 100644
--- a/emulators/xen-kernel/Makefile
+++ b/emulators/xen-kernel/Makefile
@@ -3,7 +3,7 @@
PORTNAME= xen
PKGNAMESUFFIX= -kernel
PORTVERSION= 4.7.1
-PORTREVISION= 1
+PORTREVISION= 2
CATEGORIES= emulators
MASTER_SITES= http://downloads.xenproject.org/release/xen/${PORTVERSION}/
@@ -45,7 +45,8 @@ EXTRA_PATCHES= ${FILESDIR}/0001-xen-logdirty-prevent-preemption-if-finished.patc
${FILESDIR}/xsa193-4.7.patch \
${FILESDIR}/xsa194.patch \
${FILESDIR}/xsa195.patch \
- ${FILESDIR}/xsa200-4.7.patch
+ ${FILESDIR}/xsa200-4.7.patch \
+ ${FILESDIR}/xsa204-4.7.patch
.include <bsd.port.options.mk>
diff --git a/emulators/xen-kernel/files/xsa204-4.7.patch b/emulators/xen-kernel/files/xsa204-4.7.patch
new file mode 100644
index 000000000000..ea41789a4b88
--- /dev/null
+++ b/emulators/xen-kernel/files/xsa204-4.7.patch
@@ -0,0 +1,69 @@
+From: Andrew Cooper <andrew.cooper3@citrix.com>
+Date: Sun, 18 Dec 2016 15:42:59 +0000
+Subject: [PATCH] x86/emul: Correct the handling of eflags with SYSCALL
+
+A singlestep #DB is determined by the resulting eflags value from the
+execution of SYSCALL, not the original eflags value.
+
+By using the original eflags value, we negate the guest kernels attempt to
+protect itself from a privilege escalation by masking TF.
+
+Introduce a tf boolean and have the SYSCALL emulation recalculate it
+after the instruction is complete.
+
+This is XSA-204
+
+Signed-off-by: Andrew Cooper <andrew.cooper3@citrix.com>
+Reviewed-by: Jan Beulich <jbeulich@suse.com>
+---
+ xen/arch/x86/x86_emulate/x86_emulate.c | 23 ++++++++++++++++++++---
+ 1 file changed, 20 insertions(+), 3 deletions(-)
+
+diff --git a/xen/arch/x86/x86_emulate/x86_emulate.c b/xen/arch/x86/x86_emulate/x86_emulate.c
+index bca7045..abe442e 100644
+--- a/xen/arch/x86/x86_emulate/x86_emulate.c
++++ b/xen/arch/x86/x86_emulate/x86_emulate.c
+@@ -1582,6 +1582,7 @@ x86_emulate(
+ union vex vex = {};
+ unsigned int op_bytes, def_op_bytes, ad_bytes, def_ad_bytes;
+ bool_t lock_prefix = 0;
++ bool_t tf = !!(ctxt->regs->eflags & EFLG_TF);
+ int override_seg = -1, rc = X86EMUL_OKAY;
+ struct operand src = { .reg = REG_POISON };
+ struct operand dst = { .reg = REG_POISON };
+@@ -3910,9 +3911,8 @@ x86_emulate(
+ }
+
+ no_writeback:
+- /* Inject #DB if single-step tracing was enabled at instruction start. */
+- if ( (ctxt->regs->eflags & EFLG_TF) && (rc == X86EMUL_OKAY) &&
+- (ops->inject_hw_exception != NULL) )
++ /* Should a singlestep #DB be raised? */
++ if ( tf && (rc == X86EMUL_OKAY) && (ops->inject_hw_exception != NULL) )
+ rc = ops->inject_hw_exception(EXC_DB, -1, ctxt) ? : X86EMUL_EXCEPTION;
+
+ /* Commit shadow register state. */
+@@ -4143,6 +4143,23 @@ x86_emulate(
+ (rc = ops->write_segment(x86_seg_ss, &ss, ctxt)) )
+ goto done;
+
++ /*
++ * SYSCALL (unlike most instructions) evaluates its singlestep action
++ * based on the resulting EFLG_TF, not the starting EFLG_TF.
++ *
++ * As the #DB is raised after the CPL change and before the OS can
++ * switch stack, it is a large risk for privilege escalation.
++ *
++ * 64bit kernels should mask EFLG_TF in MSR_FMASK to avoid any
++ * vulnerability. Running the #DB handler on an IST stack is also a
++ * mitigation.
++ *
++ * 32bit kernels have no ability to mask EFLG_TF at all. Their only
++ * mitigation is to use a task gate for handling #DB (or to not use
++ * enable EFER.SCE to start with).
++ */
++ tf = !!(_regs.eflags & EFLG_TF);
++
+ break;
+ }
+