author | Alexandre Oliva <lxoliva@fsfla.org> | 2013-01-21 13:34:37 +0000 |
---|---|---|
committer | Alexandre Oliva <lxoliva@fsfla.org> | 2013-01-21 13:34:37 +0000 |
commit | 65a5eabff5b893c8e112ee31e6af0b1a92d4237c (patch) | |
tree | e3d1917aaece2b9dabe45423b2a63fc634bb8b0e /freed-ora/current/f18 | |
parent | b2879d1944ed5f76faa9275164a4e19ae961d590 (diff) | |
download | linux-libre-raptor-65a5eabff5b893c8e112ee31e6af0b1a92d4237c.tar.gz linux-libre-raptor-65a5eabff5b893c8e112ee31e6af0b1a92d4237c.zip |
3.7.2-204.fc18.gnu
Diffstat (limited to 'freed-ora/current/f18')
3 files changed, 185 insertions, 1 deletions
diff --git a/freed-ora/current/f18/iwlegacy-fix-IBSS-cleanup.patch b/freed-ora/current/f18/iwlegacy-fix-IBSS-cleanup.patch
new file mode 100644
index 000000000..5533aed75
--- /dev/null
+++ b/freed-ora/current/f18/iwlegacy-fix-IBSS-cleanup.patch
@@ -0,0 +1,104 @@
+From 658f1bd2dd632209df00ec66349e15941ffdd83b Mon Sep 17 00:00:00 2001
+From: Stanislaw Gruszka <sgruszka@redhat.com>
+Date: Wed, 16 Jan 2013 10:28:09 +0000
+Subject: [PATCH 3.8] iwlegacy: fix IBSS cleanup
+
+We do not correctly change interface type when switching from
+IBSS mode to STA mode, that results in microcode errors.
+
+Resolves:
+https://bugzilla.redhat.com/show_bug.cgi?id=886946
+
+Reported-by: Jaroslav Skarvada <jskarvad@redhat.com>
+Cc: stable@vger.kernel.org
+Signed-off-by: Stanislaw Gruszka <sgruszka@redhat.com>
+---
+ drivers/net/wireless/iwlegacy/common.c | 35 ++++++++++++++--------------------
+ 1 file changed, 14 insertions(+), 21 deletions(-)
+
+diff --git a/drivers/net/wireless/iwlegacy/common.c b/drivers/net/wireless/iwlegacy/common.c
+index 7e16d10..90b8970 100644
+--- a/drivers/net/wireless/iwlegacy/common.c
++++ b/drivers/net/wireless/iwlegacy/common.c
+@@ -3958,17 +3958,21 @@ il_connection_init_rx_config(struct il_priv *il)
+ 
+ memset(&il->staging, 0, sizeof(il->staging));
+ 
+- if (!il->vif) {
++ switch (il->iw_mode) {
++ case NL80211_IFTYPE_UNSPECIFIED:
+ il->staging.dev_type = RXON_DEV_TYPE_ESS;
+- } else if (il->vif->type == NL80211_IFTYPE_STATION) {
++ break;
++ case NL80211_IFTYPE_STATION:
+ il->staging.dev_type = RXON_DEV_TYPE_ESS;
+ il->staging.filter_flags = RXON_FILTER_ACCEPT_GRP_MSK;
+- } else if (il->vif->type == NL80211_IFTYPE_ADHOC) {
++ break;
++ case NL80211_IFTYPE_ADHOC:
+ il->staging.dev_type = RXON_DEV_TYPE_IBSS;
+ il->staging.flags = RXON_FLG_SHORT_PREAMBLE_MSK;
+ il->staging.filter_flags =
+ RXON_FILTER_BCON_AWARE_MSK | RXON_FILTER_ACCEPT_GRP_MSK;
+- } else {
++ break;
++ default:
+ IL_ERR("Unsupported interface type %d\n", il->vif->type);
+ return;
+ }
+@@ -4550,8 +4554,7 @@ out:
+ EXPORT_SYMBOL(il_mac_add_interface);
+ 
+ static void
+-il_teardown_interface(struct il_priv *il, struct ieee80211_vif *vif,
+- bool mode_change)
++il_teardown_interface(struct il_priv *il, struct ieee80211_vif *vif)
+ {
+ lockdep_assert_held(&il->mutex);
+ 
+@@ -4560,9 +4563,7 @@ il_teardown_interface(struct il_priv *il, struct ieee80211_vif *vif,
+ il_force_scan_end(il);
+ }
+ 
+- if (!mode_change)
+- il_set_mode(il);
+-
++ il_set_mode(il);
+ }
+ 
+ void
+@@ -4575,8 +4576,8 @@ il_mac_remove_interface(struct ieee80211_hw *hw, struct ieee80211_vif *vif)
+ 
+ WARN_ON(il->vif != vif);
+ il->vif = NULL;
+-
++ il->iw_mode = NL80211_IFTYPE_UNSPECIFIED;
+- il_teardown_interface(il, vif, false);
++ il_teardown_interface(il, vif);
+ memset(il->bssid, 0, ETH_ALEN);
+ 
+ D_MAC80211("leave\n");
+@@ -4685,18 +4686,10 @@ il_mac_change_interface(struct ieee80211_hw *hw, struct ieee80211_vif *vif,
+ }
+ 
+ /* success */
+- il_teardown_interface(il, vif, true);
+ vif->type = newtype;
+ vif->p2p = false;
+- err = il_set_mode(il);
+- WARN_ON(err);
+- /*
+- * We've switched internally, but submitting to the
+- * device may have failed for some reason. Mask this
+- * error, because otherwise mac80211 will not switch
+- * (and set the interface type back) and we'll be
+- * out of sync with it.
+- */
++ il->iw_mode = newtype;
++ il_teardown_interface(il, vif);
+ err = 0;
+ 
+ out:
+-- 
+1.8.0.2
+
diff --git a/freed-ora/current/f18/kernel.spec b/freed-ora/current/f18/kernel.spec
index 9e86dcec8..61960debc 100644
--- a/freed-ora/current/f18/kernel.spec
+++ b/freed-ora/current/f18/kernel.spec
@@ -62,7 +62,7 @@ Summary: The Linux kernel
 # For non-released -rc kernels, this will be appended after the rcX and
 # gitX tags, so a 3 here would become part of release "0.rcX.gitX.3"
 #
-%global baserelease 203
+%global baserelease 204
 %global fedora_build %{baserelease}
 
 # base_sublevel is the kernel version we're starting with and patching
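Review bot: The `default:` branch of the new `switch (il->iw_mode)` still reports `il->vif->type` in `IL_ERR("Unsupported interface type %d\n", il->vif->type);`, so the logged value is not the one the switch actually dispatched on, and if `il->vif` is NULL while `iw_mode` holds an unexpected value this dereferences NULL on a path the old `!il->vif` test used to guard. Log the value that was switched on instead: `IL_ERR("Unsupported interface type %d\n", il->iw_mode);`. Separately, `il_teardown_interface` is void and now calls `il_set_mode(il)` unconditionally, so the error that `il_mac_change_interface` used to capture and `WARN_ON` is dropped silently, together with the comment explaining why mac80211 must still see `err = 0`; a `WARN_ON` on the result inside the teardown, or that comment restored above `err = 0;`, would keep the signal without changing behaviour. `il_connection_init_rx_config` and `il_mac_change_interface` both continue outside the hunk.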
@@ -841,6 +841,12 @@ Patch21233: 8139cp-re-enable-interrupts-after-tx-timeout.patch
 #3.7.3 stable queue
 Patch2150: 3.7.3-stable-queue.patch
 
+#rhbz 886946
+Patch21234: iwlegacy-fix-IBSS-cleanup.patch
+
+#rhbz 896051 896038 CVE-2013-0190
+Patch21250: xen-fix-stack-corruption-in-xen_failsafe_callback.patch
+
 # END OF PATCH DEFINITIONS
 
 %endif
@@ -1627,6 +1633,12 @@ ApplyPatch 8139cp-re-enable-interrupts-after-tx-timeout.patch
 #3.7.3 stable qeueu
 ApplyPatch 3.7.3-stable-queue.patch
 
+#rhbz 886948
+ApplyPatch iwlegacy-fix-IBSS-cleanup.patch
+
+#rhbz 896051 896038 CVE-2013-0190
+ApplyPatch xen-fix-stack-corruption-in-xen_failsafe_callback.patch
+
 # END OF PATCH APPLICATIONS
 
 %endif
@@ -2510,6 +2522,12 @@ fi
 # ||----w |
 # || ||
 %changelog
+* Wed Jan 16 2013 Justin M. Forbes <jforbes@redhat.com> 3.7.2-204
+- Fix for CVE-2013-0190 xen corruption with 32bit pvops (rhbz 896051 896038)
+
+* Wed Jan 16 2013 Josh Boyer <jwboyer@redhat.com>
+- Add patch from Stanislaw Gruszka to fix iwlegacy IBSS cleanup (rhbz 886946)
+
 * Tue Jan 15 2013 Justin M. Forbes <jforbes@redhat.com> 3.7.2-203
 - Turn off Intel IOMMU by default
 - Stable queue from 3.7.3 with many relevant fixes
diff --git a/freed-ora/current/f18/xen-fix-stack-corruption-in-xen_failsafe_callback.patch b/freed-ora/current/f18/xen-fix-stack-corruption-in-xen_failsafe_callback.patch
new file mode 100644
index 000000000..9d83ea0c9
--- /dev/null
+++ b/freed-ora/current/f18/xen-fix-stack-corruption-in-xen_failsafe_callback.patch
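Review bot: The ApplyPatch comment for the iwlegacy patch in the second hunk reads `#rhbz 886948`, while the `Patch21234` definition in the first hunk, the changelog entry and the patch's own Resolves line all reference 886946, so the two places that describe the same patch point at different bugs. Change the application-section comment to `#rhbz 886946` so bug-to-patch traceability stays consistent. The CVE-2013-0190 references for Patch21250 are consistent across definition, application and changelog. The patch-definition and patch-application sections of the spec continue outside these hunks.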
@@ -0,0 +1,62 @@
+From 38174c8c07ad638cd18285ba402b59076849dc21 Mon Sep 17 00:00:00 2001
+From: Andrew Cooper <andrew.cooper3@citrix.com>
+Date: Thu, 10 Jan 2013 17:16:30 +0000
+Subject: [PATCH] xen: Fix stack corruption in xen_failsafe_callback for 32bit PVOPS guests.
+
+There has been an error on the xen_failsafe_callback path for failed
+iret, which causes the stack pointer to be wrong when entering the
+iret_exc error path. This can result in the kernel crashing.
+
+In the classic kernel case, the relevant code looked a little like:
+
+ popl %eax # Error code from hypervisor
+ jz 5f
+ addl $16,%esp
+ jmp iret_exc # Hypervisor said iret fault
+5: addl $16,%esp
+ # Hypervisor said segment selector fault
+
+Here, there are two identical addls on either option of a branch which
+appears to have been optimised by hoisting it above the jz, and
+converting it to an lea, which leaves the flags register unaffected.
+
+In the PVOPS case, the code looks like:
+
+ popl_cfi %eax # Error from the hypervisor
+ lea 16(%esp),%esp # Add $16 before choosing fault path
+ CFI_ADJUST_CFA_OFFSET -16
+ jz 5f
+ addl $16,%esp # Incorrectly adjust %esp again
+ jmp iret_exc
+
+It is possible unprivileged userspace applications to cause this
+behaviour, for example by loading an LDT code selector, then changing
+the code selector to be not-present. At this point, there is a race
+condition where it is possible for the hypervisor to return back to
+userspace from an interrupt, fault on its own iret, and inject a
+failsafe_callback into the kernel.
+
+This bug has been present since the introduction of Xen PVOPS support
+in commit 5ead97c84 (xen: Core Xen implementation), in 2.6.23.
+
+Signed-off-by: Frediano Ziglio <frediano.ziglio@citrix.com>
+Signed-off-by: Andrew Cooper <andrew.cooper3@citrix.com>
+---
+ arch/x86/kernel/entry_32.S | 1 -
+ 1 files changed, 0 insertions(+), 1 deletions(-)
+
+diff --git a/arch/x86/kernel/entry_32.S b/arch/x86/kernel/entry_32.S
+index ff84d54..6ed91d9 100644
+--- a/arch/x86/kernel/entry_32.S
++++ b/arch/x86/kernel/entry_32.S
+@@ -1065,7 +1065,6 @@ ENTRY(xen_failsafe_callback)
+ lea 16(%esp),%esp
+ CFI_ADJUST_CFA_OFFSET -16
+ jz 5f
+- addl $16,%esp
+ jmp iret_exc
+ 5: pushl_cfi $-1 /* orig_ax = -1 => not a system call */
+ SAVE_ALL
+-- 
+1.7.2.5
+
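Review bot: After this hunk the `jmp iret_exc` path relies on `lea 16(%esp),%esp` two lines above `jz 5f` being the only stack adjustment on both branches, and on `lea` not touching the flags that `jz` tests, but nothing in the surviving code says so, which is how the duplicate `addl $16,%esp` went unnoticed since 2.6.23 per the description. Since this file is a verbatim backport of an upstream commit I would not alter the patch itself, but a follow-up adding `/* lea, not addl: keeps the flags for the jz below and is the sole %esp adjustment for both the iret_exc and label-5 paths */` above the `lea` would guard against reintroduction. As described in the message the trigger is an unprivileged LDT selector change racing an iret, so this is a locally reachable crash for 32-bit PV guests only, and entry_32.S is not built for x86_64, so no companion change is needed for 64-bit kernels from this spec. `xen_failsafe_callback` begins and ends outside the hunk.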