Re: [SECURITY] [DSA 1378-1] New Linux 2.6.18 packages fix several vulnerabilities
As Tim Wickberg already mentioned last week, the local root exploit
due to CVE-2007-4573 still works for the updated Xen kernel
packages.
This is because Xen does not use ia32entry.S but
ia32entry-xen.S, which is located in linux-2.6-xen-sparse.
I have attached the patch to fix CVE-2007-4573 for Xen-x86_64.
- Ralf
--- ./linux-2.6-xen-sparse/arch/x86_64/ia32/ia32entry-xen.S.orig 2007-09-29 17:23:32.564813967 +0200
+++ ./linux-2.6-xen-sparse/arch/x86_64/ia32/ia32entry-xen.S 2007-09-29 17:27:48.261866088 +0200
@@ -37,6 +37,19 @@
movq %rax,R8(%rsp)
.endm
+ .macro LOAD_ARGS32 offset
+ movl \offset(%rsp),%r11d
+ movl \offset+8(%rsp),%r10d
+ movl \offset+16(%rsp),%r9d
+ movl \offset+24(%rsp),%r8d
+ movl \offset+40(%rsp),%ecx
+ movl \offset+48(%rsp),%edx
+ movl \offset+56(%rsp),%esi
+ movl \offset+64(%rsp),%edi
+ movl \offset+72(%rsp),%eax
+ .endm
+
+
#if defined (__XEN_X86_64)
#include "../kernel/xen_entry.S"
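Review bot: The nine offsets in the new LOAD_ARGS32 macro are bare numbers (0, 8, 16, 24, 40, 48, 56, 64, 72) with no comment naming the pt_regs slot each one is, and the gap at +32 reads as an omission to anyone who does not know the frame layout. The LOAD_ARGS macro just above uses named slots such as `R8(%rsp)`, so a header comment should at least state the intent and the skipped slot, e.g. `/* Reload ia32 syscall args with 32-bit moves so the upper halves are zero-extended; ptrace may have stored 64-bit values. +32 (RAX) is deliberately skipped; +72 is the syscall number slot (ORIG_RAX if ARGOFFSET == R11, as in mainline). */`. The old/new line counts in the @@ header do not match the visible lines, so blank context lines appear to have been dropped by the mail rendering; the macro itself is complete. The three call-site replacements are in the hunks at -162, -259 and -336.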
@@ -162,7 +175,7 @@
movq $-ENOSYS,RAX(%rsp) /* really needed? */
movq %rsp,%rdi /* &pt_regs -> arg1 */
call syscall_trace_enter
- LOAD_ARGS ARGOFFSET /* reload args from stack in case ptrace changed it */
+ LOAD_ARGS32 ARGOFFSET /* reload args from stack in case ptrace changed it */
RESTORE_REST
movl %ebp, %ebp
/* no need to do an access_ok check here because rbp has been
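Review bot: The comment on the replaced line still reads `reload args from stack in case ptrace changed it`, which described the old 64-bit LOAD_ARGS and says nothing about why the 32-bit variant is now required; the same unchanged comment is kept at the other two replacement sites (hunks at -259 and -336). Suggest `LOAD_ARGS32 ARGOFFSET /* reload args as 32-bit: zero-extend high halves ptrace may have set (CVE-2007-4573) */`. The enclosing entry-path block starts and ends outside the hunk; the following `movl %ebp, %ebp` zero-extends %rbp separately, since the macro does not load it.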
@@ -259,7 +272,7 @@
movq $-ENOSYS,RAX(%rsp) /* really needed? */
movq %rsp,%rdi /* &pt_regs -> arg1 */
call syscall_trace_enter
- LOAD_ARGS ARGOFFSET /* reload args from stack in case ptrace changed it */
+ LOAD_ARGS32 ARGOFFSET /* reload args from stack in case ptrace changed it */
RESTORE_REST
movl RSP-ARGOFFSET(%rsp), %r8d
/* no need to do an access_ok check here because r8 has been
@@ -336,7 +349,7 @@
movq $-ENOSYS,RAX(%rsp) /* really needed? */
movq %rsp,%rdi /* &pt_regs -> arg1 */
call syscall_trace_enter
- LOAD_ARGS ARGOFFSET /* reload args from stack in case ptrace changed it */
+ LOAD_ARGS32 ARGOFFSET /* reload args from stack in case ptrace changed it */
RESTORE_REST
jmp ia32_do_syscall