)]}'
{
  "commit": "9174adbee4a9a49d0139f5d71969852b36720809",
  "tree": "a4d6e4d9d759394d3d9f81c03845134665b024ef",
  "parents": [
    "d55bf532d72b3cfdfe84e696ace995067324c96c"
  ],
  "author": {
    "name": "Andrew Cooper",
    "email": "andrew.cooper3@citrix.com",
    "time": "Wed Jan 16 12:00:55 2013 +0000"
  },
  "committer": {
    "name": "Konrad Rzeszutek Wilk",
    "email": "konrad.wilk@oracle.com",
    "time": "Wed Jan 16 16:17:42 2013 -0500"
  },
  "message": "xen: Fix stack corruption in xen_failsafe_callback for 32bit PVOPS guests.\n\nThis fixes CVE-2013-0190 / XSA-40\n\nThere has been an error on the xen_failsafe_callback path for failed\niret, which causes the stack pointer to be wrong when entering the\niret_exc error path.  This can result in the kernel crashing.\n\nIn the classic kernel case, the relevant code looked a little like:\n\n        popl %eax      # Error code from hypervisor\n        jz 5f\n        addl $16,%esp\n        jmp iret_exc   # Hypervisor said iret fault\n5:      addl $16,%esp\n                       # Hypervisor said segment selector fault\n\nHere, there are two identical addls on either option of a branch which\nappears to have been optimised by hoisting it above the jz, and\nconverting it to an lea, which leaves the flags register unaffected.\n\nIn the PVOPS case, the code looks like:\n\n        popl_cfi %eax         # Error from the hypervisor\n        lea 16(%esp),%esp     # Add $16 before choosing fault path\n        CFI_ADJUST_CFA_OFFSET -16\n        jz 5f\n        addl $16,%esp         # Incorrectly adjust %esp again\n        jmp iret_exc\n\nIt is possible for unprivileged userspace applications to cause this\nbehaviour, for example by loading an LDT code selector, then changing\nthe code selector to be not-present.  At this point, there is a race\ncondition where it is possible for the hypervisor to return back to\nuserspace from an interrupt, fault on its own iret, and inject a\nfailsafe_callback into the kernel.\n\nThis bug has been present since the introduction of Xen PVOPS support\nin commit 5ead97c84 (xen: Core Xen implementation), in 2.6.23.\n\nSigned-off-by: Frediano Ziglio \u003cfrediano.ziglio@citrix.com\u003e\nSigned-off-by: Andrew Cooper \u003candrew.cooper3@citrix.com\u003e\nCc: stable@vger.kernel.org\nSigned-off-by: Konrad Rzeszutek Wilk \u003ckonrad.wilk@oracle.com\u003e\n",
  "tree_diff": [
    {
      "type": "modify",
      "old_id": "88b725aa1d52463d7534882a187da4c392bf3947",
      "old_mode": 33188,
      "old_path": "arch/x86/kernel/entry_32.S",
      "new_id": "cf8639b4dcf3a731859fe4c1c9c3befff6004944",
      "new_mode": 33188,
      "new_path": "arch/x86/kernel/entry_32.S"
    }
  ]
}
