Gentoo's Bugzilla – Attachment 248243 Details for
Bug 337645
Kernel: IA32 Syscall Entry Point Privilege Escalation (CVE-2010-3301)
[patch]
Fix CVE-2010-3301 on the current stable kernel
linux-2.6.32-hardened-r9-cve-2010-3301.patch (text/plain), 3.03 KB, created by
Israel G. Lugo
on 2010-09-21 03:16:15 UTC
Description:
Fix CVE-2010-3301 on the current stable kernel
Filename:
MIME Type:
Creator:
Israel G. Lugo
Created:
2010-09-21 03:16:15 UTC
Size:
3.03 KB
patch
obsolete
>Fix CVE-2010-3301 on Gentoo Hardened.
>
>Adapted from the fix in vanilla kernel for 2.6.32-hardened-r9
>by Israel G. Lugo <israel.lugo@lugosys.com>
>
>--- a/arch/x86/ia32/ia32entry.S 2010-07-25 05:11:36.000000000 +0100
>+++ b/arch/x86/ia32/ia32entry.S 2010-09-20 19:31:24.000000000 +0100
>@@ -51,7 +51,12 @@
> /*
> * Reload arg registers from stack in case ptrace changed them.
> * We don't reload %eax because syscall_trace_enter() returned
>- * the value it wants us to use in the table lookup.
>+ * the %rax value we should see. Instead, we just truncate that
>+ * value to 32 bits again as we did on entry from user mode.
>+ * If it's a new value set by user_regset during entry tracing,
>+ * this matches the normal truncation of the user-mode value.
>+ * If it's -1 to make us punt the syscall, then (u32)-1 is still
>+ * an appropriately invalid value.
> */
> .macro LOAD_ARGS32 offset, _r9=0
> .if \_r9
>@@ -61,6 +66,7 @@
> movl \offset+48(%rsp),%edx
> movl \offset+56(%rsp),%esi
> movl \offset+64(%rsp),%edi
>+ movl %eax,%eax /* zero extension */
> .endm
>
> .macro CFI_STARTPROC32 simple
>@@ -165,7 +171,7 @@
> testl $_TIF_WORK_SYSCALL_ENTRY,TI_flags(%r10)
> CFI_REMEMBER_STATE
> jnz sysenter_tracesys
>- cmpl $(IA32_NR_syscalls-1),%eax
>+ cmpq $(IA32_NR_syscalls-1),%rax
> ja ia32_badsys
> sysenter_do_call:
> IA32_ARG_FIXUP
>@@ -212,7 +218,7 @@
> movl $AUDIT_ARCH_I386,%edi /* 1st arg: audit arch */
> call audit_syscall_entry
> movl RAX-ARGOFFSET(%rsp),%eax /* reload syscall number */
>- cmpl $(IA32_NR_syscalls-1),%eax
>+ cmpq $(IA32_NR_syscalls-1),%rax
> ja ia32_badsys
> movl %ebx,%edi /* reload 1st syscall arg */
> movl RCX-ARGOFFSET(%rsp),%esi /* reload 2nd syscall arg */
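Review bot: The `/* zero extension */` comment on the added `movl %eax,%eax` is terse for a line that carries the whole fix; a reader has to know that a 32-bit register write clears bits 63:32 of %rax on x86-64, and that the argument reloads just above it deliberately leave %eax alone. Suggest `movl %eax,%eax /* 32-bit write zero-extends %rax: drop bits 63:32 that ptrace may have set via user_regset */`. Because the instruction sits at the tail of the LOAD_ARGS32 macro, every expansion gets it, including the `_r9=1` form used by the cstar tracing path; the macro header and its `.if \_r9` branch are in the preceding hunk and not fully visible here. Worth confirming on the hardened tree that nothing between a LOAD_ARGS32 expansion and the table-indexed call reloads %rax with a 64-bit move.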
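Review bot: In the audit path the `movl RAX-ARGOFFSET(%rsp),%eax` reload two lines above the changed compare already zero-extends into %rax, so switching to `cmpq` here is defense in depth rather than the fix itself, and a future reader may "simplify" it back to `cmpl` without seeing the problem. Suggest `cmpq $(IA32_NR_syscalls-1),%rax /* compare the full register: the table index must be bounded in all 64 bits */`. The enclosing audit block starts and ends outside the hunk, and the indexed call this guards is not visible here.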
>@@ -265,7 +271,7 @@
> call syscall_trace_enter
> LOAD_ARGS32 ARGOFFSET /* reload args from stack in case ptrace changed it */
> RESTORE_REST
>- cmpl $(IA32_NR_syscalls-1),%eax
>+ cmpq $(IA32_NR_syscalls-1),%rax
> ja int_ret_from_sys_call /* sysenter_tracesys has set RAX(%rsp) */
> jmp sysenter_do_call
> CFI_ENDPROC
>@@ -342,7 +348,7 @@
> testl $_TIF_WORK_SYSCALL_ENTRY,TI_flags(%r10)
> CFI_REMEMBER_STATE
> jnz cstar_tracesys
>- cmpl $IA32_NR_syscalls-1,%eax
>+ cmpq $IA32_NR_syscalls-1,%rax
> ja ia32_badsys
> cstar_do_call:
> IA32_ARG_FIXUP 1
>@@ -400,7 +406,7 @@
> LOAD_ARGS32 ARGOFFSET, 1 /* reload args from stack in case ptrace changed it */
> RESTORE_REST
> xchgl %ebp,%r9d
>- cmpl $(IA32_NR_syscalls-1),%eax
>+ cmpq $(IA32_NR_syscalls-1),%rax
> ja int_ret_from_sys_call /* cstar_tracesys has set RAX(%rsp) */
> jmp cstar_do_call
> END(ia32_cstar_target)
>@@ -463,7 +469,7 @@
> orl $TS_COMPAT,TI_status(%r10)
> testl $_TIF_WORK_SYSCALL_ENTRY,TI_flags(%r10)
> jnz ia32_tracesys
>- cmpl $(IA32_NR_syscalls-1),%eax
>+ cmpq $(IA32_NR_syscalls-1),%rax
> ja ia32_badsys
> ia32_do_call:
> IA32_ARG_FIXUP
>@@ -482,7 +488,7 @@
> call syscall_trace_enter
> LOAD_ARGS32 ARGOFFSET /* reload args from stack in case ptrace changed it */
> RESTORE_REST
>- cmpl $(IA32_NR_syscalls-1),%eax
>+ cmpq $(IA32_NR_syscalls-1),%rax
> ja int_ret_from_sys_call /* ia32_tracesys has set RAX(%rsp) */
> jmp ia32_do_call
> END(ia32_syscall)
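Review bot: The new compare in the cstar entry path is written `cmpq $IA32_NR_syscalls-1,%rax` while every other site in this patch uses `cmpq $(IA32_NR_syscalls-1),%rax`; gas should evaluate both to the same immediate, but the unparenthesised form is the odd one out and invites a mistake if the bound ever becomes a longer expression. Suggest `cmpq $(IA32_NR_syscalls-1),%rax` for consistency. The `ja ia32_badsys` that follows is an unsigned branch, which is what a bounds check on a register that may hold garbage in its upper half needs. The ia32_cstar_target body continues outside the hunk.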
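Review bot: In ia32_tracesys the `cmpq` runs after `LOAD_ARGS32 ARGOFFSET` has already zero-extended %eax, so the 64-bit compare only adds value if something between the macro and this line can widen %rax again; `RESTORE_REST` sits in between and the hunk does not show whether it touches %rax on the hardened tree, which is worth confirming. A short comment tying the two checks together would keep either from being dropped independently, e.g. `/* %rax was zero-extended in LOAD_ARGS32; compare the full register anyway so this guard does not depend on the macro */`. The `(u32)-1` punt value described in the first hunk's comment correctly takes the `ja int_ret_from_sys_call` branch here since it exceeds IA32_NR_syscalls-1. The ia32_tracesys entry label is outside the hunk.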