From: Jarod Wilson <jwilson@redhat.com>
Date: Mon, 31 Mar 2008 13:37:36 -0400
Subject: [x86_64] fix unprivileged crash on %cs corruption
Message-id: 200803311337.37034.jwilson@redhat.com
O-Subject: [RHEL5.2 PATCH] fix unprivileged crash on x86_64 %cs corruption
Bugzilla: 439788

Bugzilla #439788
https://bugzilla.redhat.com/show_bug.cgi?id=439788
(bug 431430 is the master bug w/more details)

Description
-----------
Specially crafted code can crash a machine from a non-root account.

Steps to Reproduce:
1. wget http://sources.redhat.com/cgi-bin/cvsweb.cgi/~checkout~/tests/ptrace-tests/tests/x86_64-cs.c?cvsroot=systemtap
2. gcc -o x86_64-cs x86_64-cs.c -Wall -ggdb2 -D_GNU_SOURCE
3. ./x86_64-cs

Test status
-----------
Without patch, machine crashes (stack trace in bug 431430). With patch, machine doesn't crash.

Upstream status
---------------
Backport credit goes to Roland McGrath, who also authored the upstream fix for the same issue:
http://git.kernel.org/?p=linux/kernel/git/torvalds/linux-2.6.git;a=commitdiff;h=a57dae3aa4d00a000b5bac4238025438204c78b2

At least, I believe that's it... Due to the addition of paravirt-ops code upstream, the upstream fix looks considerably different, but this patch does the trick for RHEL5 (and should for RHEL4 as well, another posting coming soon...).

diff --git a/arch/x86_64/kernel/entry.S b/arch/x86_64/kernel/entry.S
index e7860d1..a49bb32 100644
--- a/arch/x86_64/kernel/entry.S
+++ b/arch/x86_64/kernel/entry.S
@@ -778,7 +778,7 @@ paranoid_swapgs\trace:
 	swapgs
 paranoid_restore\trace:
 	RESTORE_ALL 8
-	iretq
+	jmp iret_label
 paranoid_userspace\trace:
 	GET_THREAD_INFO(%rcx)
 	movl threadinfo_flags(%rcx),%ebx
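Review bot: The description does not explain why replacing the bare `iretq` on the paranoid_restore path with `jmp iret_label` stops the crash; the hunk only makes sense if `iret_label` is the shared iret site whose fault is caught by an exception-table fixup, so that a user-corrupted %cs faults into the recovery path instead of taking the kernel down. Please state that in the commit message, and confirm two things the hunk alone cannot show: that the stack layout after `RESTORE_ALL 8` at this point matches what the code at `iret_label` expects, and that the fixup reached from `iret_label` is valid when entered after the `swapgs` in `paranoid_swapgs\trace` (i.e. that the recovery path does not assume the kernel GS base is still loaded). A one-line reference to the `iret_label` fixup entry in entry.S would make this backport reviewable without the upstream commit.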