authormaximilian attems <maks@stro.at>2006-04-13 09:13:44 +0000
committermaximilian attems <maks@stro.at>2006-04-13 09:13:44 +0000
commitad4507cd9c6882cabd701c7fcf2490f87078d7a6 (patch)
tree370aad3472feb3e20379ad108d3077dc51e151c6
parent99eb9931e9e2f1738c3a7a0c39440c716e593a1c (diff)
add 2.6.16.5
svn path=/dists/sid/linux-2.6/; revision=6406
-rw-r--r--debian/changelog7
-rw-r--r--debian/patches/2.6.16.563
-rw-r--r--debian/patches/series/72
3 files changed, 70 insertions, 2 deletions
diff --git a/debian/changelog b/debian/changelog
index e8a7626055ae..edf5b160f2b2 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -12,7 +12,12 @@ linux-2.6 (2.6.16-7) UNRELEASED; urgency=low
* [powerpc] Transitioned mkvmlinuz support patch to the 2.6.16 ARCH=powerpc
tree. PReP is broken in 2.6.16 though.
- -- Sven Luther <luther@debian.org> Wed, 12 Apr 2006 19:46:30 +0000
+ [ maximilian attems ]
+ * Add stable release 2.6.16.5:
+ - x86_64: Clean up execve
+ - x86_64: When user could have changed RIP always force IRET (CVE-2006-0744)
+
+ -- maximilian attems <maks@sternwelten.at> Thu, 13 Apr 2006 11:05:24 +0200
linux-2.6 (2.6.16-6) unstable; urgency=medium
diff --git a/debian/patches/2.6.16.5 b/debian/patches/2.6.16.5
new file mode 100644
index 000000000000..78d0633c0f07
--- /dev/null
+++ b/debian/patches/2.6.16.5
@@ -0,0 +1,63 @@
+diff --git a/arch/x86_64/kernel/entry.S b/arch/x86_64/kernel/entry.S
+index 7c10e90..ab6e44d 100644
+--- a/arch/x86_64/kernel/entry.S
++++ b/arch/x86_64/kernel/entry.S
+@@ -180,6 +180,10 @@ rff_trace:
+ *
+ * XXX if we had a free scratch register we could save the RSP into the stack frame
+ * and report it properly in ps. Unfortunately we haven't.
++ *
++ * When user can change the frames always force IRET. That is because
++ * it deals with uncanonical addresses better. SYSRET has trouble
++ * with them due to bugs in both AMD and Intel CPUs.
+ */
+
+ ENTRY(system_call)
+@@ -254,7 +258,10 @@ sysret_signal:
+ xorl %esi,%esi # oldset -> arg2
+ call ptregscall_common
+ 1: movl $_TIF_NEED_RESCHED,%edi
+- jmp sysret_check
++ /* Use IRET because user could have changed frame. This
++ works because ptregscall_common has called FIXUP_TOP_OF_STACK. */
++ cli
++ jmp int_with_check
+
+ badsys:
+ movq $-ENOSYS,RAX-ARGOFFSET(%rsp)
+@@ -280,7 +287,8 @@ tracesys:
+ call syscall_trace_leave
+ RESTORE_TOP_OF_STACK %rbx
+ RESTORE_REST
+- jmp ret_from_sys_call
++ /* Use IRET because user could have changed frame */
++ jmp int_ret_from_sys_call
+ CFI_ENDPROC
+
+ /*
+@@ -408,25 +416,9 @@ ENTRY(stub_execve)
+ CFI_ADJUST_CFA_OFFSET -8
+ CFI_REGISTER rip, r11
+ SAVE_REST
+- movq %r11, %r15
+- CFI_REGISTER rip, r15
+ FIXUP_TOP_OF_STACK %r11
+ call sys_execve
+- GET_THREAD_INFO(%rcx)
+- bt $TIF_IA32,threadinfo_flags(%rcx)
+- CFI_REMEMBER_STATE
+- jc exec_32bit
+ RESTORE_TOP_OF_STACK %r11
+- movq %r15, %r11
+- CFI_REGISTER rip, r11
+- RESTORE_REST
+- pushq %r11
+- CFI_ADJUST_CFA_OFFSET 8
+- CFI_REL_OFFSET rip, 0
+- ret
+-
+-exec_32bit:
+- CFI_RESTORE_STATE
+ movq %rax,RAX(%rsp)
+ RESTORE_REST
+ jmp int_ret_from_sys_call
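Review bot: The new file debian/patches/2.6.16.5 carries no descriptive header — it begins directly at `diff --git a/arch/x86_64/kernel/entry.S`, so the CVE-2006-0744 reference and the reason for the change exist only in debian/changelog. A few header lines above the first `diff --git` naming the stable release, the two upstream changes listed in the changelog entry and the CVE id would let security tracking tie this patch to its advisory without reading the changelog. In the sysret_signal hunk the added `cli` before `jmp int_with_check` is not covered by the preceding comment, which only justifies taking the IRET path; presumably int_with_check expects interrupts already disabled, as a path entered through int_ret_from_sys_call would be, and the comment could say so, e.g. `/* int_with_check expects interrupts disabled */` — verify against entry.S. int_with_check, int_ret_from_sys_call and the sysret_check path replaced here all lie outside the hunks shown, as does the rest of stub_execve after the final `jmp`.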
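--- a/debian/patches/series/7
+++ b/debian/patches/series/7
@@ -1,4 +1,4 @@
 + 2.6.16.3
 + 2.6.16.4
 + powerpc-mkvmlinuz-support-2.patch
-
++ 2.6.16.5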