author | maximilian attems <maks@stro.at> | 2006-04-13 09:13:44 +0000 |
---|---|---|
committer | maximilian attems <maks@stro.at> | 2006-04-13 09:13:44 +0000 |
commit | ad4507cd9c6882cabd701c7fcf2490f87078d7a6 (patch) | |
tree | 370aad3472feb3e20379ad108d3077dc51e151c6 | |
parent | 99eb9931e9e2f1738c3a7a0c39440c716e593a1c (diff) | |
add 2.6.16.5
svn path=/dists/sid/linux-2.6/; revision=6406
-rw-r--r-- | debian/changelog | 7 | ||||
-rw-r--r-- | debian/patches/2.6.16.5 | 63 | ||||
-rw-r--r-- | debian/patches/series/7 | 2 |
3 files changed, 70 insertions, 2 deletions
diff --git a/debian/changelog b/debian/changelog
index e8a7626055ae..edf5b160f2b2 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -12,7 +12,12 @@ linux-2.6 (2.6.16-7) UNRELEASED; urgency=low
 * [powerpc] Transitioned mkvmlinuz support patch to the 2.6.16 ARCH=powerpc tree. PReP is broken in 2.6.16 though.
- -- Sven Luther <luther@debian.org> Wed, 12 Apr 2006 19:46:30 +0000
+ [ maximilian attems ]
+ * Add stable release 2.6.16.5:
+ - x86_64: Clean up execve
+ - x86_64: When user could have changed RIP always force IRET (CVE-2006-0744)
+
+ -- maximilian attems <maks@sternwelten.at> Thu, 13 Apr 2006 11:05:24 +0200
 linux-2.6 (2.6.16-6) unstable; urgency=medium
diff --git a/debian/patches/2.6.16.5 b/debian/patches/2.6.16.5
new file mode 100644
index 000000000000..78d0633c0f07
--- /dev/null
+++ b/debian/patches/2.6.16.5
@@ -0,0 +1,63 @@
+diff --git a/arch/x86_64/kernel/entry.S b/arch/x86_64/kernel/entry.S
+index 7c10e90..ab6e44d 100644
+--- a/arch/x86_64/kernel/entry.S
++++ b/arch/x86_64/kernel/entry.S
+@@ -180,6 +180,10 @@ rff_trace:
+ *
+ * XXX if we had a free scratch register we could save the RSP into the stack frame
+ * and report it properly in ps. Unfortunately we haven't.
++ *
++ * When user can change the frames always force IRET. That is because
++ * it deals with uncanonical addresses better. SYSRET has trouble
++ * with them due to bugs in both AMD and Intel CPUs.
+ */
+
+ ENTRY(system_call)
+@@ -254,7 +258,10 @@ sysret_signal:
+ xorl %esi,%esi # oldset -> arg2
+ call ptregscall_common
+ 1: movl $_TIF_NEED_RESCHED,%edi
+- jmp sysret_check
++ /* Use IRET because user could have changed frame. This
++ works because ptregscall_common has called FIXUP_TOP_OF_STACK. */
++ cli
++ jmp int_with_check
+
+ badsys:
+ movq $-ENOSYS,RAX-ARGOFFSET(%rsp)
+@@ -280,7 +287,8 @@ tracesys:
+ call syscall_trace_leave
+ RESTORE_TOP_OF_STACK %rbx
+ RESTORE_REST
+- jmp ret_from_sys_call
++ /* Use IRET because user could have changed frame */
++ jmp int_ret_from_sys_call
+ CFI_ENDPROC
+
+ /*
+@@ -408,25 +416,9 @@ ENTRY(stub_execve)
+ CFI_ADJUST_CFA_OFFSET -8
+ CFI_REGISTER rip, r11
+ SAVE_REST
+- movq %r11, %r15
+- CFI_REGISTER rip, r15
+ FIXUP_TOP_OF_STACK %r11
+ call sys_execve
+- GET_THREAD_INFO(%rcx)
+- bt $TIF_IA32,threadinfo_flags(%rcx)
+- CFI_REMEMBER_STATE
+- jc exec_32bit
+ RESTORE_TOP_OF_STACK %r11
+- movq %r15, %r11
+- CFI_REGISTER rip, r11
+- RESTORE_REST
+- pushq %r11
+- CFI_ADJUST_CFA_OFFSET 8
+- CFI_REL_OFFSET rip, 0
+- ret
+-
+-exec_32bit:
+- CFI_RESTORE_STATE
+ movq %rax,RAX(%rsp)
+ RESTORE_REST
+ jmp int_ret_from_sys_call
diff --git a/debian/patches/series/7 b/debian/patches/series/7
index a0845a64a756..ee82a76a582e 100644
--- a/debian/patches/series/7
+++ b/debian/patches/series/7
@@ -1,4 +1,4 @@
 + 2.6.16.3
 + 2.6.16.4
 + powerpc-mkvmlinuz-support-2.patch
-
++ 2.6.16.5
|
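Review bot: debian/patches/2.6.16.5 begins directly with the `diff --git a/arch/x86_64/kernel/entry.S` line and carries no header, so the patch directory itself never records that this is the upstream 2.6.16.5 stable change or that it addresses CVE-2006-0744; that provenance appears only in the changelog hunk. Because patch tooling skips free text ahead of the first `diff`/`---` line, a leading header such as `Upstream stable 2.6.16.5: x86_64 force IRET when the user could have changed RIP (CVE-2006-0744), plus the stub_execve cleanup that routes execve returns through int_ret_from_sys_call.` would keep the security relevance visible to anyone auditing the series later. The entry.S hunks are excerpts: the sysret_signal, tracesys and stub_execve bodies they touch begin and end outside the hunk, so the added `cli` before `jmp int_with_check` can only be confirmed against the entry conditions of int_with_check in the full file, not from this patch alone.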