1. 14 Feb, 2013 3 commits
  2. 04 Feb, 2013 11 commits
  3. 21 Jan, 2013 1 commit
  4. 17 Jan, 2013 1 commit
    • xen: Fix stack corruption in xen_failsafe_callback for 32bit PVOPS guests. · 9174adbe
      Andrew Cooper committed
      This fixes CVE-2013-0190 / XSA-40
      
      There has been an error on the xen_failsafe_callback path for failed
      iret, which causes the stack pointer to be wrong when entering the
      iret_exc error path.  This can result in the kernel crashing.
      
      In the classic kernel case, the relevant code looked a little like:
      
              popl %eax      # Error code from hypervisor
              jz 5f
              addl $16,%esp
              jmp iret_exc   # Hypervisor said iret fault
      5:      addl $16,%esp
                             # Hypervisor said segment selector fault
      
      Here, there are two identical addls on either option of a branch which
      appears to have been optimised by hoisting it above the jz, and
      converting it to an lea, which leaves the flags register unaffected.
      
      In the PVOPS case, the code looks like:
      
              popl_cfi %eax         # Error from the hypervisor
              lea 16(%esp),%esp     # Add $16 before choosing fault path
              CFI_ADJUST_CFA_OFFSET -16
              jz 5f
              addl $16,%esp         # Incorrectly adjust %esp again
              jmp iret_exc
      
      It is possible for unprivileged userspace applications to cause this
      behaviour, for example by loading an LDT code selector, then changing
      the code selector to be not-present.  At this point, there is a race
      condition where it is possible for the hypervisor to return back to
      userspace from an interrupt, fault on its own iret, and inject a
      failsafe_callback into the kernel.
      
      This bug has been present since the introduction of Xen PVOPS support
      in commit 5ead97c8 (xen: Core Xen implementation), in 2.6.23.
      Signed-off-by: Frediano Ziglio <frediano.ziglio@citrix.com>
      Signed-off-by: Andrew Cooper <andrew.cooper3@citrix.com>
      Cc: stable@vger.kernel.org
      Signed-off-by: Konrad Rzeszutek Wilk <konrad.wilk@oracle.com>
  5. 16 Jan, 2013 4 commits
  6. 14 Jan, 2013 6 commits
  7. 13 Jan, 2013 3 commits
  8. 12 Jan, 2013 3 commits
  9. 11 Jan, 2013 3 commits
  10. 10 Jan, 2013 3 commits
  11. 08 Jan, 2013 2 commits
    • KVM: x86: use dynamic percpu allocations for shared msrs area · 013f6a5d
      Marcelo Tosatti committed
      Use dynamic percpu allocations for the shared msrs structure,
      to avoid using the limited reserved percpu space.
      Reviewed-by: Gleb Natapov <gleb@redhat.com>
      Signed-off-by: Marcelo Tosatti <mtosatti@redhat.com>
    • ALSA: pxa27x: fix ac97 warm reset · 3b4bc7bc
      Mike Dunn committed
      This patch fixes some code that implements a work-around to a hardware bug in
      the ac97 controller on the pxa27x.  A bug in the controller's warm reset
      functionality requires that the mfp used by the controller as the AC97_nRESET
      line be temporarily reconfigured as a generic output gpio (AF0) and manually
      held high for the duration of the warm reset cycle.  This is what was done in
      the original code, but it was broken long ago by commit fb1bf8cd
          ([ARM] pxa: introduce processor specific pxa27x_assert_ac97reset())
      which changed the mfp to a GPIO input instead of a high output.
      
      The fix requires the ac97 controller to obtain the gpio via gpio_request_one(),
      with arguments that configure the gpio as an output initially driven high.
      
      Tested on a palm treo 680 machine.  Reportedly, this broken code only prevents a
      warm reset on hardware that lacks a pull-up on the line, which appears to be the
      case for me.
      Signed-off-by: Mike Dunn <mikedunn@newsguy.com>
      Signed-off-by: Igor Grinberg <grinberg@compulab.co.il>
      Signed-off-by: Mark Brown <broonie@opensource.wolfsonmicro.com>
      Cc: stable@vger.kernel.org