xen/57d1569a-x86-shadow-Avoid-overflowing-sh_ctxt-seg_reg.patch

References: bsc#995792 CVE-2016-7094 XSA-187

# Commit a9f3b3bad17d91e2067fc00d51b0302349570d08
# Date 2016-09-08 14:16:26 +0200
# Author Andrew Cooper <andrew.cooper3@citrix.com>
# Committer Jan Beulich <jbeulich@suse.com>
x86/shadow: Avoid overflowing sh_ctxt->seg_reg[]

hvm_get_seg_reg() does not perform a range check on its input segment, calls
hvm_get_segment_register() and writes straight into sh_ctxt->seg_reg[].

x86_seg_none is outside the bounds of sh_ctxt->seg_reg[], and will hit a BUG()
in {vmx,svm}_get_segment_register().

HVM guests running with shadow paging can end up performing a virtual to
linear translation with x86_seg_none.  This is used for addresses which are
already linear.  However, none of this is a legitimate pagetable update, so
fail the emulation in such a case.

This is XSA-187 / CVE-2016-7094.

Reported-by: Andrew Cooper <andrew.cooper3@citrix.com>
Signed-off-by: Andrew Cooper <andrew.cooper3@citrix.com>
Reviewed-by: Tim Deegan <tim@xen.org>

--- a/xen/arch/x86/mm/shadow/common.c
+++ b/xen/arch/x86/mm/shadow/common.c
@@ -140,9 +140,18 @@ static int hvm_translate_linear_addr(
     struct sh_emulate_ctxt *sh_ctxt,
     unsigned long *paddr)
 {
-    struct segment_register *reg = hvm_get_seg_reg(seg, sh_ctxt);
+    struct segment_register *reg;
     int okay;
 
+    /*
+     * Can arrive here with non-user segments.  However, no such cirucmstance
+     * is part of a legitimate pagetable update, so fail the emulation.
+     */
+    if ( !is_x86_user_segment(seg) )
+        return X86EMUL_UNHANDLEABLE;
+
+    reg = hvm_get_seg_reg(seg, sh_ctxt);
+
     okay = hvm_virtual_to_linear_addr(
         seg, reg, offset, bytes, access_type, sh_ctxt->ctxt.addr_size, paddr);
- bsc#995785 - VUL-0: CVE-2016-7092: xen: x86: Disallow L3 recursive pagetable for 32-bit PV guests (XSA-185) 57d1563d-x86-32on64-don-t-allow-recursive-page-tables-from-L3.patch - bsc#995789 - VUL-0: CVE-2016-7093: xen: x86: Mishandling of instruction pointer truncation during emulation (XSA-186) 57d15679-x86-emulate-Correct-boundary-interactions-of-emulated-insns.patch 57d18642-hvm-fep-Allow-test-insns-crossing-1-0-boundary.patch - bsc#995792 - VUL-0: CVE-2016-7094: xen: x86 HVM: Overflow of sh_ctxt->seg_reg[] (XSA-187) 57d1569a-x86-shadow-Avoid-overflowing-sh_ctxt-seg_reg.patch 57d18642-x86-segment-Bounds-check-accesses-to-emulation-ctxt-seg_reg.patch - bsc#991934 - xen hypervisor crash in csched_acct 57c96df3-credit1-fix-a-race-when-picking-initial-pCPU.patch - Upstream patches from Jan 57c4412b-x86-HVM-add-guarding-logic-for-VMX-specific-code.patch 57c57f73-libxc-correct-max_pfn-calculation-for-saving-domain.patch 57c805bf-x86-levelling-restrict-non-architectural-OSXSAVE-handling.patch 57c805c1-x86-levelling-pass-vcpu-to-ctxt_switch_levelling.patch 57c805c3-x86-levelling-provide-architectural-OSXSAVE-handling.patch 57c82be2-x86-32on64-adjust-call-gate-emulation.patch 57c96e2c-x86-correct-PT_NOTE-file-position.patch 57cfed43-VMX-correct-feature-checks-for-MPX-and-XSAVES.patch - bsc#989679 - [pvusb feature] USB device not found when 'virsh detach-device guest usb.xml' 57c93e52-fix-error-in-libxl_device_usbdev_list.patch OBS-URL: https://build.opensuse.org/package/show/Virtualization/xen?expand=0&rev=450 2016-09-12 20:08:38 +02:00			`References: bsc#995792 CVE-2016-7094 XSA-187`

			`# Commit a9f3b3bad17d91e2067fc00d51b0302349570d08`
			`# Date 2016-09-08 14:16:26 +0200`
			`# Author Andrew Cooper <andrew.cooper3@citrix.com>`
			`# Committer Jan Beulich <jbeulich@suse.com>`
			`x86/shadow: Avoid overflowing sh_ctxt->seg_reg[]`

			`hvm_get_seg_reg() does not perform a range check on its input segment, calls`
			`hvm_get_segment_register() and writes straight into sh_ctxt->seg_reg[].`

			`x86_seg_none is outside the bounds of sh_ctxt->seg_reg[], and will hit a BUG()`
			`in {vmx,svm}_get_segment_register().`

			`HVM guests running with shadow paging can end up performing a virtual to`
			`linear translation with x86_seg_none. This is used for addresses which are`
			`already linear. However, none of this is a legitimate pagetable update, so`
			`fail the emulation in such a case.`

			`This is XSA-187 / CVE-2016-7094.`

			`Reported-by: Andrew Cooper <andrew.cooper3@citrix.com>`
			`Signed-off-by: Andrew Cooper <andrew.cooper3@citrix.com>`
			`Reviewed-by: Tim Deegan <tim@xen.org>`

			`--- a/xen/arch/x86/mm/shadow/common.c`
			`+++ b/xen/arch/x86/mm/shadow/common.c`
			`@@ -140,9 +140,18 @@ static int hvm_translate_linear_addr(`
			`struct sh_emulate_ctxt *sh_ctxt,`
			`unsigned long *paddr)`
			`{`
			`- struct segment_register *reg = hvm_get_seg_reg(seg, sh_ctxt);`
			`+ struct segment_register *reg;`
			`int okay;`

			`+ /*`
			`+ * Can arrive here with non-user segments. However, no such cirucmstance`
			`+ * is part of a legitimate pagetable update, so fail the emulation.`
			`+ */`
			`+ if ( !is_x86_user_segment(seg) )`
			`+ return X86EMUL_UNHANDLEABLE;`
			`+`
			`+ reg = hvm_get_seg_reg(seg, sh_ctxt);`
			`+`
			`okay = hvm_virtual_to_linear_addr(`
			`seg, reg, offset, bytes, access_type, sh_ctxt->ctxt.addr_size, paddr);`