Attachment 248243 Details for Bug 337645 – Fix CVE-2010-3301 on the current stable kernel

[patch] Fix CVE-2010-3301 on the current stable kernel

linux-2.6.32-hardened-r9-cve-2010-3301.patch (text/plain), 3.03 KB, created by Israel G. Lugo on 2010-09-21 03:16:15 UTC

(hide)

Description:

Filename:

MIME Type:

Creator: Israel G. Lugo

Created: 2010-09-21 03:16:15 UTC

Size: 3.03 KB

patch

obsolete

>Fix CVE-2010-3301 on Gentoo Hardened.
>
>Adapted from the fix in vanilla kernel for 2.6.32-hardened-r9
>by Israel G. Lugo <israel.lugo@lugosys.com>
>
>--- a/arch/x86/ia32/ia32entry.S	2010-07-25 05:11:36.000000000 +0100
>+++ b/arch/x86/ia32/ia32entry.S	2010-09-20 19:31:24.000000000 +0100
>@@ -51,7 +51,12 @@
> 	/*
> 	 * Reload arg registers from stack in case ptrace changed them.
> 	 * We don't reload %eax because syscall_trace_enter() returned
>-	 * the value it wants us to use in the table lookup.
>+	 * the %rax value we should see.  Instead, we just truncate that
>+	 * value to 32 bits again as we did on entry from user mode.
>+	 * If it's a new value set by user_regset during entry tracing,
>+	 * this matches the normal truncation of the user-mode value.
>+	 * If it's -1 to make us punt the syscall, then (u32)-1 is still
>+	 * an appropriately invalid value.
> 	 */
> 	.macro LOAD_ARGS32 offset, _r9=0
> 	.if \_r9
>@@ -61,6 +66,7 @@
> 	movl \offset+48(%rsp),%edx
> 	movl \offset+56(%rsp),%esi
> 	movl \offset+64(%rsp),%edi
>+	movl %eax,%eax			/* zero extension */
> 	.endm
> 	
> 	.macro CFI_STARTPROC32 simple
>@@ -165,7 +171,7 @@
> 	testl  $_TIF_WORK_SYSCALL_ENTRY,TI_flags(%r10)
> 	CFI_REMEMBER_STATE
> 	jnz  sysenter_tracesys
>-	cmpl	$(IA32_NR_syscalls-1),%eax
>+	cmpq	$(IA32_NR_syscalls-1),%rax
> 	ja	ia32_badsys
> sysenter_do_call:
> 	IA32_ARG_FIXUP
>@@ -212,7 +218,7 @@
> 	movl $AUDIT_ARCH_I386,%edi	/* 1st arg: audit arch */
> 	call audit_syscall_entry
> 	movl RAX-ARGOFFSET(%rsp),%eax	/* reload syscall number */
>-	cmpl $(IA32_NR_syscalls-1),%eax
>+	cmpq $(IA32_NR_syscalls-1),%rax
> 	ja ia32_badsys
> 	movl %ebx,%edi			/* reload 1st syscall arg */
> 	movl RCX-ARGOFFSET(%rsp),%esi	/* reload 2nd syscall arg */
>@@ -265,7 +271,7 @@
> 	call	syscall_trace_enter
> 	LOAD_ARGS32 ARGOFFSET  /* reload args from stack in case ptrace changed it */
> 	RESTORE_REST
>-	cmpl	$(IA32_NR_syscalls-1),%eax
>+	cmpq	$(IA32_NR_syscalls-1),%rax
> 	ja	int_ret_from_sys_call /* sysenter_tracesys has set RAX(%rsp) */
> 	jmp	sysenter_do_call
> 	CFI_ENDPROC
>@@ -342,7 +348,7 @@
> 	testl $_TIF_WORK_SYSCALL_ENTRY,TI_flags(%r10)
> 	CFI_REMEMBER_STATE
> 	jnz   cstar_tracesys
>-	cmpl $IA32_NR_syscalls-1,%eax
>+	cmpq $IA32_NR_syscalls-1,%rax
> 	ja  ia32_badsys
> cstar_do_call:
> 	IA32_ARG_FIXUP 1
>@@ -400,7 +406,7 @@
> 	LOAD_ARGS32 ARGOFFSET, 1  /* reload args from stack in case ptrace changed it */
> 	RESTORE_REST
> 	xchgl %ebp,%r9d
>-	cmpl $(IA32_NR_syscalls-1),%eax
>+	cmpq $(IA32_NR_syscalls-1),%rax
> 	ja int_ret_from_sys_call /* cstar_tracesys has set RAX(%rsp) */
> 	jmp cstar_do_call
> END(ia32_cstar_target)
>@@ -463,7 +469,7 @@
> 	orl   $TS_COMPAT,TI_status(%r10)
> 	testl $_TIF_WORK_SYSCALL_ENTRY,TI_flags(%r10)
> 	jnz ia32_tracesys
>-	cmpl $(IA32_NR_syscalls-1),%eax
>+	cmpq $(IA32_NR_syscalls-1),%rax
> 	ja ia32_badsys
> ia32_do_call:
> 	IA32_ARG_FIXUP
>@@ -482,7 +488,7 @@
> 	call syscall_trace_enter
> 	LOAD_ARGS32 ARGOFFSET  /* reload args from stack in case ptrace changed it */
> 	RESTORE_REST
>-	cmpl $(IA32_NR_syscalls-1),%eax
>+	cmpq $(IA32_NR_syscalls-1),%rax
> 	ja  int_ret_from_sys_call	/* ia32_tracesys has set RAX(%rsp) */
> 	jmp ia32_do_call
> END(ia32_syscall)

Actions: View | Diff

Attachments on bug 337645: 248243