xen/57d1563d-x86-32on64-don-t-allow-recursive-page-tables-from-L3.patch

References: bsc#995785 CVE-2016-7092 XSA-185

# Commit c844d637d92a75854ea5c8d4e5ca34302a9f623c
# Date 2016-09-08 14:14:53 +0200
# Author Jan Beulich <jbeulich@suse.com>
# Committer Jan Beulich <jbeulich@suse.com>
x86/32on64: don't allow recursive page tables from L3

L3 entries are special in PAE mode, and hence can't reasonably be used
for setting up recursive (and hence linear) page table mappings. Since
abuse is possible when the guest in fact gets run on 4-level page
tables, this needs to be excluded explicitly.

This is XSA-185 / CVE-2016-7092.

Reported-by: Jérémie Boutoille <jboutoille@ext.quarkslab.com>
Reported-by: "栾尚聪(好风)" <shangcong.lsc@alibaba-inc.com>
Signed-off-by: Jan Beulich <jbeulich@suse.com>
Reviewed-by: Andrew Cooper <andrew.cooper3@citrix.com>

--- a/xen/arch/x86/mm.c
+++ b/xen/arch/x86/mm.c
@@ -1123,7 +1123,9 @@ get_page_from_l3e(
 
     rc = get_page_and_type_from_pagenr(
         l3e_get_pfn(l3e), PGT_l2_page_table, d, partial, 1);
-    if ( unlikely(rc == -EINVAL) && get_l3_linear_pagetable(l3e, pfn, d) )
+    if ( unlikely(rc == -EINVAL) &&
+         !is_pv_32bit_domain(d) &&
+         get_l3_linear_pagetable(l3e, pfn, d) )
         rc = 0;
 
     return rc;
- bsc#995785 - VUL-0: CVE-2016-7092: xen: x86: Disallow L3 recursive pagetable for 32-bit PV guests (XSA-185) 57d1563d-x86-32on64-don-t-allow-recursive-page-tables-from-L3.patch - bsc#995789 - VUL-0: CVE-2016-7093: xen: x86: Mishandling of instruction pointer truncation during emulation (XSA-186) 57d15679-x86-emulate-Correct-boundary-interactions-of-emulated-insns.patch 57d18642-hvm-fep-Allow-test-insns-crossing-1-0-boundary.patch - bsc#995792 - VUL-0: CVE-2016-7094: xen: x86 HVM: Overflow of sh_ctxt->seg_reg[] (XSA-187) 57d1569a-x86-shadow-Avoid-overflowing-sh_ctxt-seg_reg.patch 57d18642-x86-segment-Bounds-check-accesses-to-emulation-ctxt-seg_reg.patch - bsc#991934 - xen hypervisor crash in csched_acct 57c96df3-credit1-fix-a-race-when-picking-initial-pCPU.patch - Upstream patches from Jan 57c4412b-x86-HVM-add-guarding-logic-for-VMX-specific-code.patch 57c57f73-libxc-correct-max_pfn-calculation-for-saving-domain.patch 57c805bf-x86-levelling-restrict-non-architectural-OSXSAVE-handling.patch 57c805c1-x86-levelling-pass-vcpu-to-ctxt_switch_levelling.patch 57c805c3-x86-levelling-provide-architectural-OSXSAVE-handling.patch 57c82be2-x86-32on64-adjust-call-gate-emulation.patch 57c96e2c-x86-correct-PT_NOTE-file-position.patch 57cfed43-VMX-correct-feature-checks-for-MPX-and-XSAVES.patch - bsc#989679 - [pvusb feature] USB device not found when 'virsh detach-device guest usb.xml' 57c93e52-fix-error-in-libxl_device_usbdev_list.patch OBS-URL: https://build.opensuse.org/package/show/Virtualization/xen?expand=0&rev=450 2016-09-12 20:08:38 +02:00			`References: bsc#995785 CVE-2016-7092 XSA-185`

			`# Commit c844d637d92a75854ea5c8d4e5ca34302a9f623c`
			`# Date 2016-09-08 14:14:53 +0200`
			`# Author Jan Beulich <jbeulich@suse.com>`
			`# Committer Jan Beulich <jbeulich@suse.com>`
			`x86/32on64: don't allow recursive page tables from L3`

			`L3 entries are special in PAE mode, and hence can't reasonably be used`
			`for setting up recursive (and hence linear) page table mappings. Since`
			`abuse is possible when the guest in fact gets run on 4-level page`
			`tables, this needs to be excluded explicitly.`

			`This is XSA-185 / CVE-2016-7092.`

			`Reported-by: Jérémie Boutoille <jboutoille@ext.quarkslab.com>`
			`Reported-by: "栾尚聪(好风)" <shangcong.lsc@alibaba-inc.com>`
			`Signed-off-by: Jan Beulich <jbeulich@suse.com>`
			`Reviewed-by: Andrew Cooper <andrew.cooper3@citrix.com>`

			`--- a/xen/arch/x86/mm.c`
			`+++ b/xen/arch/x86/mm.c`
			`@@ -1123,7 +1123,9 @@ get_page_from_l3e(`

			`rc = get_page_and_type_from_pagenr(`
			`l3e_get_pfn(l3e), PGT_l2_page_table, d, partial, 1);`
			`- if ( unlikely(rc == -EINVAL) && get_l3_linear_pagetable(l3e, pfn, d) )`
			`+ if ( unlikely(rc == -EINVAL) &&`
			`+ !is_pv_32bit_domain(d) &&`
			`+ get_l3_linear_pagetable(l3e, pfn, d) )`
			`rc = 0;`

			`return rc;`