diff --git a/xen.changes b/xen.changes
index c23fc60..0455625 100644
--- a/xen.changes
+++ b/xen.changes
@@ -1,3 +1,10 @@
+-------------------------------------------------------------------
+Tue Sep 10 09:54:34 MDT 2024 - carnold@suse.com
+
+- bsc#1230366 - VUL-0: CVE-2024-45817: xen: x86: Deadlock in
+ vlapic_error() (XSA-462)
+ xsa462.patch
+
 -------------------------------------------------------------------
 Wed Aug 14 11:33:39 MDT 2024 - carnold@suse.com
diff --git a/xen.spec b/xen.spec
index 1fa2ea5..5b8ae1f 100644
--- a/xen.spec
+++ b/xen.spec
@@ -119,7 +119,7 @@ BuildRequires: pesign-obs-integration
 %endif
 Provides: installhint(reboot-needed)
-Version: 4.18.3_02
+Version: 4.18.3_04
 Release: 0
 Summary: Xen Virtualization: Hypervisor (aka VMM aka Microkernel)
 License: GPL-2.0-only
@@ -156,6 +156,7 @@ Source99: baselibs.conf
 # Upstream patches
 Patch1: 6617d62c-x86-hvm-Misra-Rule-19-1-regression.patch
 # EMBARGOED security fixes
+Patch100: xsa462.patch
 # libxc
 Patch301: libxc-bitmap-long.patch
 Patch302: libxc-sr-xl-migration-debug.patch
diff --git a/xsa462.patch b/xsa462.patch
new file mode 100644
index 0000000..99f6618
--- /dev/null
+++ b/xsa462.patch
@@ -0,0 +1,45 @@
+From: Jan Beulich
+Subject: x86/vLAPIC: prevent undue recursion of vlapic_error()
+
+With the error vector set to an illegal value, the function invoking
+vlapic_set_irq() would bring execution back here, with the non-recursive
+lock already held. Avoid the call in this case, merely further updating
+ESR (if necessary).
+
+This is XSA-462.
+
+Fixes: 5f32d186a8b1 ("x86/vlapic: don't silently accept bad vectors")
+Reported-by: Federico Serafini
+Reported-by: Andrew Cooper
+Signed-off-by: Jan Beulich
+Signed-off-by: Andrew Cooper
+Reviewed-by: Andrew Cooper
+
+--- a/xen/arch/x86/hvm/vlapic.c
++++ b/xen/arch/x86/hvm/vlapic.c
+@@ -113,9 +113,24 @@ static void vlapic_error(struct vlapic *
+ if ( (esr & errmask) != errmask )
+ {
+ uint32_t lvterr = vlapic_get_reg(vlapic, APIC_LVTERR);
++ bool inj = false;
+ 
+- vlapic_set_reg(vlapic, APIC_ESR, esr | errmask);
+ if ( !(lvterr & APIC_LVT_MASKED) )
++ {
++ /*
++ * If LVTERR is unmasked and has an illegal vector, vlapic_set_irq()
++ * will end up back here. Break the cycle by only injecting LVTERR
++ * if it will succeed, and folding in RECVILL otherwise.
++ */
++ if ( (lvterr & APIC_VECTOR_MASK) >= 16 )
++ inj = true;
++ else
++ errmask |= APIC_ESR_RECVILL;
++ }
++
++ vlapic_set_reg(vlapic, APIC_ESR, esr | errmask);
++
++ if ( inj )
+ vlapic_set_irq(vlapic, lvterr & APIC_VECTOR_MASK, 0);
+ }
+ spin_unlock_irqrestore(&vlapic->esr_lock, flags);
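Review bot: The literal `16` in the new `if ( (lvterr & APIC_VECTOR_MASK) >= 16 )` line re-encodes the vector-validity rule that vlapic_set_irq() applies on its own side (the commit message says an illegal vector makes that call come back into vlapic_error(), which is the recursion being fixed), so the two checks are now coupled by convention only; if the rejection criterion in vlapic_set_irq() is ever changed, this guard silently stops matching and the re-entry on the non-recursive esr_lock returns. I would at least name the constant and tie it to the other site with a comment such as `/* Must match the vector check in vlapic_set_irq(): vectors 0-15 are reserved. */` above the test, or better, have both sites call one shared predicate so they cannot drift apart. The deadlock claim is consistent with the `spin_unlock_irqrestore(&vlapic->esr_lock, flags)` at the end of the hunk, but the matching lock acquisition and the function signature sit above the hunk, outside what is shown, so I cannot confirm from here that no other path reaches vlapic_set_irq() with the lock held. vlapic_error() begins outside the hunk.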