Re: [SECURITY] [DSA 1378-1] New Linux 2.6.18 packages fix severalvulnerabilities

To: debian-security@lists.debian.org
Subject: Re: [SECURITY] [DSA 1378-1] New Linux 2.6.18 packages fix severalvulnerabilities
From: Ralf Hemmenstädt <ralf.h@debian.hostserver.de>
Date: Mon, 1 Oct 2007 19:54:09 +0200
Message-id: <[🔎] 200710011954.09243.ralf.h@debian.hostserver.de>

As Tim Wickberg already mentioned last week the local root exploit 
due to CVE-2007-4573 still works for the updated Xen kernel 
packages.

This is because of the fact xen does not use ia32entry.S but 
ia32entry-xen.S which is located in linux-2.6-xen-sparse.

I have attached the patch to fix CVE-2007-4573 for Xen-x86_64


- Ralf

--- ./linux-2.6-xen-sparse/arch/x86_64/ia32/ia32entry-xen.S.orig	2007-09-29 17:23:32.564813967 +0200
+++ ./linux-2.6-xen-sparse/arch/x86_64/ia32/ia32entry-xen.S	2007-09-29 17:27:48.261866088 +0200
@@ -37,6 +37,19 @@
 	movq	%rax,R8(%rsp)
 	.endm
 
+        .macro LOAD_ARGS32 offset
+        movl \offset(%rsp),%r11d
+        movl \offset+8(%rsp),%r10d
+        movl \offset+16(%rsp),%r9d
+        movl \offset+24(%rsp),%r8d
+        movl \offset+40(%rsp),%ecx
+        movl \offset+48(%rsp),%edx
+        movl \offset+56(%rsp),%esi
+        movl \offset+64(%rsp),%edi
+        movl \offset+72(%rsp),%eax
+        .endm
+ 
+
 #if defined (__XEN_X86_64)
 #include "../kernel/xen_entry.S"
 		
@@ -162,7 +175,7 @@
 	movq	$-ENOSYS,RAX(%rsp)	/* really needed? */
 	movq	%rsp,%rdi        /* &pt_regs -> arg1 */
 	call	syscall_trace_enter
-	LOAD_ARGS ARGOFFSET  /* reload args from stack in case ptrace changed it */
+	LOAD_ARGS32 ARGOFFSET  /* reload args from stack in case ptrace changed it */
 	RESTORE_REST
 	movl	%ebp, %ebp
 	/* no need to do an access_ok check here because rbp has been
@@ -259,7 +272,7 @@
 	movq $-ENOSYS,RAX(%rsp)	/* really needed? */
 	movq %rsp,%rdi        /* &pt_regs -> arg1 */
 	call syscall_trace_enter
-	LOAD_ARGS ARGOFFSET  /* reload args from stack in case ptrace changed it */
+	LOAD_ARGS32 ARGOFFSET  /* reload args from stack in case ptrace changed it */
 	RESTORE_REST
 	movl RSP-ARGOFFSET(%rsp), %r8d
 	/* no need to do an access_ok check here because r8 has been
@@ -336,7 +349,7 @@
 	movq $-ENOSYS,RAX(%rsp)	/* really needed? */
 	movq %rsp,%rdi        /* &pt_regs -> arg1 */
 	call syscall_trace_enter
-	LOAD_ARGS ARGOFFSET  /* reload args from stack in case ptrace changed it */
+	LOAD_ARGS32 ARGOFFSET  /* reload args from stack in case ptrace changed it */
 	RESTORE_REST
 	jmp ia32_do_syscall

Reply to:

Follow-Ups:
- Re: [SECURITY] [DSA 1378-1] New Linux 2.6.18 packages fix severalvulnerabilities
  - From: dann frazier <dannf@dannf.org>

Next by Date: Re: [SECURITY] [DSA 1378-1] New Linux 2.6.18 packages fix severalvulnerabilities
Next by thread: Re: [SECURITY] [DSA 1378-1] New Linux 2.6.18 packages fix severalvulnerabilities
Index(es):
- Date
- Thread