{
  "commit": "13d2b4d11d69a92574a55bfd985cfb0ca77aebdc",
  "tree": "dd76ca17a3c81373ebe8a90429ff8efb1ae0b7e8",
  "parents": [
    "68ba45ff389295ddccbb976b8881de7c46140e00"
  ],
  "author": {
    "name": "Jan Beulich",
    "email": "JBeulich@suse.com",
    "time": "Thu Jan 24 13:11:10 2013 +0000"
  },
  "committer": {
    "name": "Konrad Rzeszutek Wilk",
    "email": "konrad.wilk@oracle.com",
    "time": "Wed Feb 13 15:40:30 2013 -0500"
  },
  "message": "x86/xen: don\u0027t assume %ds is usable in xen_iret for 32-bit PVOPS.\n\nThis fixes CVE-2013-0228 / XSA-42\n\nDrew Jones, while working on CVE-2013-0190, found that an unprivileged guest user\nin a 32-bit PV guest can crash the guest with a panic like this:\n\n-------------\ngeneral protection fault: 0000 [#1] SMP\nlast sysfs file: /sys/devices/vbd-51712/block/xvda/dev\nModules linked in: sunrpc ipt_REJECT nf_conntrack_ipv4 nf_defrag_ipv4\niptable_filter ip_tables ip6t_REJECT nf_conntrack_ipv6 nf_defrag_ipv6\nxt_state nf_conntrack ip6table_filter ip6_tables ipv6 xen_netfront ext4\nmbcache jbd2 xen_blkfront dm_mirror dm_region_hash dm_log dm_mod [last\nunloaded: scsi_wait_scan]\n\nPid: 1250, comm: r Not tainted 2.6.32-356.el6.i686 #1\nEIP: 0061:[\u003cc0407462\u003e] EFLAGS: 00010086 CPU: 0\nEIP is at xen_iret+0x12/0x2b\nEAX: eb8d0000 EBX: 00000001 ECX: 08049860 EDX: 00000010\nESI: 00000000 EDI: 003d0f00 EBP: b77f8388 ESP: eb8d1fe0\n DS: 0000 ES: 007b FS: 0000 GS: 00e0 SS: 0069\nProcess r (pid: 1250, ti\u003deb8d0000 task\u003dc2953550 task.ti\u003deb8d0000)\nStack:\n 00000000 0027f416 00000073 00000206 b77f8364 0000007b 00000000 00000000\nCall Trace:\nCode: c3 8b 44 24 18 81 4c 24 38 00 02 00 00 8d 64 24 30 e9 03 00 00 00\n8d 76 00 f7 44 24 08 00 00 02 80 75 33 50 b8 00 e0 ff ff 21 e0 \u003c8b\u003e 40\n10 8b 04 85 a0 f6 ab c0 8b 80 0c b0 b3 c0 f6 44 24 0d 02\nEIP: [\u003cc0407462\u003e] xen_iret+0x12/0x2b SS:ESP 0069:eb8d1fe0\ngeneral protection fault: 0000 [#2]\n---[ end trace ab0d29a492dcd330 ]---\nKernel panic - not syncing: Fatal exception\nPid: 1250, comm: r Tainted: G      D    ---------------\n2.6.32-356.el6.i686 #1\nCall Trace:\n [\u003cc08476df\u003e] ? panic+0x6e/0x122\n [\u003cc084b63c\u003e] ? oops_end+0xbc/0xd0\n [\u003cc084b260\u003e] ? do_general_protection+0x0/0x210\n [\u003cc084a9b7\u003e] ? error_code+0x73/\n-------------\n\nPetr says: \"\n I\u0027ve analysed the bug and I think that xen_iret() cannot cope with\n mangled DS, in this case zeroed out (null selector/descriptor) by either\n xen_failsafe_callback() or RESTORE_REGS because the corresponding LDT\n entry was invalidated by the reproducer. \"\n\nJan took a look at the preliminary patch and came up with a fix that solves\nthis problem:\n\n\"This code gets called after all registers other than those handled by\nIRET got already restored, hence a null selector in %ds or a non-null\none that got loaded from a code or read-only data descriptor would\ncause a kernel mode fault (with the potential of crashing the kernel\nas a whole, if panic_on_oops is set).\"\n\nThe way to fix this is to realize that we can only rely on the\nregisters that IRET restores. The two that are guaranteed are\n%cs and %ss, as they are always fixed GDT selectors. Also they are\ninaccessible from user mode - so they cannot be altered. This is\nthe approach taken in this patch.\n\nAnother alternative option suggested by Jan would be to rely on\nthe subtle realization that using %ebp or %esp relative references uses\nthe %ss segment.  In which case we could switch from using %eax to %ebp and\nwould not need the %ss over-rides. That would also require one extra\ninstruction to compensate for the one place where the register is used\nas a scaled index. However Andrew pointed out that this is too subtle and if\nfurther work were to be done in this code-path it could escape folks\u0027 attention\nand lead to accidents.\n\nReviewed-by: Petr Matousek \u003cpmatouse@redhat.com\u003e\nReported-by: Petr Matousek \u003cpmatouse@redhat.com\u003e\nReviewed-by: Andrew Cooper \u003candrew.cooper3@citrix.com\u003e\nSigned-off-by: Jan Beulich \u003cjbeulich@suse.com\u003e\nSigned-off-by: Konrad Rzeszutek Wilk \u003ckonrad.wilk@oracle.com\u003e\n",
  "tree_diff": [
    {
      "type": "modify",
      "old_id": "f9643fc50de571636347a1e0510d45f916728967",
      "old_mode": 33188,
      "old_path": "arch/x86/xen/xen-asm_32.S",
      "new_id": "33ca6e42a4caabb412350563a1f8349fd77b7789",
      "new_mode": 33188,
      "new_path": "arch/x86/xen/xen-asm_32.S"
    }
  ]
}
