x86/64: Fix security vulnerability CVE-2006-5755.
authorKeir Fraser <keir@xensource.com>
Wed, 3 Oct 2007 13:53:41 +0000 (14:53 +0100)
committerKeir Fraser <keir@xensource.com>
Wed, 3 Oct 2007 13:53:41 +0000 (14:53 +0100)
Properly save/restore EFLAGS on context switch, to avoid leakage of the NT
flag, which causes a crash on IRET.

This is a port of the upstream patch to Xen-specific source files.

Signed-off-by: Keir Fraser <keir@xensource.com>
arch/x86_64/kernel/entry-xen.S
arch/x86_64/kernel/setup64-xen.c
include/asm-x86_64/mach-xen/asm/system.h

index f9e16e3f7838f6be8d4b2048eb77769cd26c00f9..1df03c1c7b7a407b17ad1b834775034d1ec850ff 100644 (file)
@@ -180,6 +180,10 @@ NMI_MASK = 0x80000000
 /* rdi:        prev */ 
 ENTRY(ret_from_fork)
        CFI_DEFAULT_STACK
+       push kernel_eflags(%rip)
+       CFI_ADJUST_CFA_OFFSET 4
+       popf                            # reset kernel eflags
+       CFI_ADJUST_CFA_OFFSET -4
        call schedule_tail
        GET_THREAD_INFO(%rcx)
        testl $(_TIF_SYSCALL_TRACE|_TIF_SYSCALL_AUDIT|_TIF_SECCOMP),threadinfo_flags(%rcx)
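Review bot: The two added `CFI_ADJUST_CFA_OFFSET` lines do not match the stack movement they annotate: in 64-bit mode `push kernel_eflags(%rip)` and `popf` each move %rsp by 8 bytes (they assemble as pushq/popfq), so the annotations should read `CFI_ADJUST_CFA_OFFSET 8` and `CFI_ADJUST_CFA_OFFSET -8`. This only affects DWARF unwind information (backtraces through ret_from_fork in an oops or a debugger), not execution, because the net adjustment is zero either way. Spelling the mnemonics as `pushq`/`popfq` would make the 8-byte slot explicit to the next reader. The body of ret_from_fork continues past the end of the hunk.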
index a33588bff62808408ee7eea61639b8a83dc716e7..83041ab38bb800a7a1e4c612b8a3c5d59cfbc695 100644 (file)
@@ -234,6 +234,8 @@ void __cpuinit check_efer(void)
         }       
 }
 
+unsigned long kernel_eflags;
+
 /*
  * cpu_init() initializes state that is per-CPU. Some data is already
  * initialized (naturally) in the bootstrap process, such as the GDT
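Review bot: The new global `kernel_eflags` is defined without a comment and, as far as this page shows, without an `extern` declaration in a header, even though it is referenced from assembly (ret_from_fork in entry-xen.S pushes and popf's it) and written by cpu_init(). A one-line comment at the definition would tie the two sides together, e.g. `/* EFLAGS image every new kernel thread starts with: captured in cpu_init(), reloaded by ret_from_fork so a stale NT flag cannot reach IRET. */`. If no declaration exists elsewhere, adding one to a header would let the C and assembly references share a single documented symbol; I cannot tell from the hunk whether one already exists.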
@@ -358,4 +360,6 @@ void __cpuinit cpu_init (void)
        set_debugreg(0UL, 7);
 
        fpu_init(); 
+
+       raw_local_save_flags(kernel_eflags);
 }
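Review bot: `raw_local_save_flags(kernel_eflags)` runs in every CPU's cpu_init() and each one overwrites the same global, so the final value is whichever CPU initialised last; that is only harmless if the flags image is identical on every CPU, which deserves a comment such as `/* Snapshot the flags a fresh kernel thread starts with (assumed identical on all CPUs). */`. Under the Xen paravirt headers it is also worth confirming what raw_local_save_flags() captures here: if it yields the event-channel upcall mask rather than a hardware EFLAGS image, the stored value still has NT clear, which is what ret_from_fork relies on, but the name `kernel_eflags` would then be misleading; the macro's definition is not visible from this hunk. cpu_init() begins outside the hunk.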
index 0568010956a0bc144ac188be0f2f28133b081d93..ea5f13283d622e041c779de2ef7249aeb1f1c16a 100644 (file)
@@ -24,8 +24,8 @@
 #define __RESTORE(reg,offset) "movq (14-" #offset ")*8(%%rsp),%%" #reg "\n\t"
 
 /* frame pointer must be last for get_wchan */
-#define SAVE_CONTEXT    "pushq %%rbp ; movq %%rsi,%%rbp\n\t"
-#define RESTORE_CONTEXT "movq %%rbp,%%rsi ; popq %%rbp\n\t"
+#define SAVE_CONTEXT    "pushf ; pushq %%rbp ; movq %%rsi,%%rbp\n\t"
+#define RESTORE_CONTEXT "movq %%rbp,%%rsi ; popq %%rbp ; popf\n\t"
 
 #define __EXTRA_CLOBBER  \
        ,"rcx","rbx","rdx","r8","r9","r10","r11","r12","r13","r14","r15"