xen/CVE-2013-4375-xsa71.patch

References: bnc#842515 CVE-2013-4375 XSA-71 

xen_disk: mark ioreq as mapped before unmapping in error case

Commit c6961b7d ("xen_disk: use bdrv_aio_flush instead of bdrv_flush")
modified the semantics of ioreq_{un,}map so that they are idempotent if
called when they're not needed (ie., twice in a row). However, it neglected
to handle the case where batch mapping is not being used (the default), and
one of the grants fails to map. In this case, ioreq_unmap will be called to
unwind and unmap any mappings already performed, but ioreq_unmap simply
returns due to the aforementioned change (the ioreq has not already been
marked as mapped).

The frontend user can therefore force xen_disk to leak grant mappings, a
per-backend-domain limited resource.

Fix by marking the ioreq as mapped before calling ioreq_unmap in this
situation.

This is XSA-71 / CVE-2013-4375

Signed-off-by: Matthew Daley <mattjd@gmail.com>

--- a/tools/qemu-xen-dir-remote/hw/xen_disk.c
+++ b/tools/qemu-xen-dir-remote/hw/xen_disk.c
@@ -406,6 +406,7 @@ static int ioreq_map(struct ioreq *ioreq
                 xen_be_printf(&ioreq->blkdev->xendev, 0,
                               "can't map grant ref %d (%s, %d maps)\n",
                               refs[i], strerror(errno), ioreq->blkdev->cnt_map);
+                ioreq->mapped = 1;
                 ioreq_unmap(ioreq);
                 return -1;
             }
- domUloader can no longer be used with the xl toolstack to boot sles10. Patch pygrub to get the kernel and initrd from the image. pygrub-boot-legacy-sles.patch - bnc#842515 - VUL-0: CVE-2013-4375: XSA-71: xen: qemu disk backend (qdisk) resource leak CVE-2013-4375-xsa71.patch - Upstream patches from Jan 52496bea-x86-properly-handle-hvm_copy_from_guest_-phys-virt-errors.patch (Replaces CVE-2013-4355-xsa63.patch) 52496c11-x86-mm-shadow-Fix-initialization-of-PV-shadow-L4-tables.patch (Replaces CVE-2013-4356-xsa64.patch) 52496c32-x86-properly-set-up-fbld-emulation-operand-address.patch (Replaces CVE-2013-4361-xsa66.patch) 52497c6c-x86-don-t-blindly-create-L3-tables-for-the-direct-map.patch 524e971b-x86-idle-Fix-get_cpu_idle_time-s-interaction-with-offline-pcpus.patch 524e9762-x86-percpu-Force-INVALID_PERCPU_AREA-to-non-canonical.patch 524e983e-Nested-VMX-check-VMX-capability-before-read-VMX-related-MSRs.patch 524e98b1-Nested-VMX-fix-IA32_VMX_CR4_FIXED1-msr-emulation.patch 524e9dc0-xsm-forbid-PV-guest-console-reads.patch 5256a979-x86-check-segment-descriptor-read-result-in-64-bit-OUTS-emulation.patch 5256be57-libxl-fix-vif-rate-parsing.patch 5256be84-tools-ocaml-fix-erroneous-free-of-cpumap-in-stub_xc_vcpu_getaffinity.patch 5256be92-libxl-fix-out-of-memory-error-handling-in-libxl_list_cpupool.patch 5257a89a-x86-correct-LDT-checks.patch 5257a8e7-x86-add-address-validity-check-to-guest_map_l1e.patch 5257a944-x86-check-for-canonical-address-before-doing-page-walks.patch 525b95f4-scheduler-adjust-internal-locking-interface.patch 525b9617-sched-fix-race-between-sched_move_domain-and-vcpu_wake.patch 525e69e8-credit-unpause-parked-vcpu-before-destroying-it.patch 525faf5e-x86-print-relevant-tail-part-of-filename-for-warnings-and-crashes.patch - bnc#840196 - L3: MTU size on Dom0 gets reset when booting DomU OBS-URL: https://build.opensuse.org/package/show/Virtualization/xen?expand=0&rev=276 2013-10-24 21:00:35 +00:00			`References: bnc#842515 CVE-2013-4375 XSA-71`

			`xen_disk: mark ioreq as mapped before unmapping in error case`

			`Commit c6961b7d ("xen_disk: use bdrv_aio_flush instead of bdrv_flush")`
			`modified the semantics of ioreq_{un,}map so that they are idempotent if`
			`called when they're not needed (ie., twice in a row). However, it neglected`
			`to handle the case where batch mapping is not being used (the default), and`
			`one of the grants fails to map. In this case, ioreq_unmap will be called to`
			`unwind and unmap any mappings already performed, but ioreq_unmap simply`
			`returns due to the aforementioned change (the ioreq has not already been`
			`marked as mapped).`

			`The frontend user can therefore force xen_disk to leak grant mappings, a`
			`per-backend-domain limited resource.`

			`Fix by marking the ioreq as mapped before calling ioreq_unmap in this`
			`situation.`

			`This is XSA-71 / CVE-2013-4375`

			`Signed-off-by: Matthew Daley <mattjd@gmail.com>`

			`--- a/tools/qemu-xen-dir-remote/hw/xen_disk.c`
			`+++ b/tools/qemu-xen-dir-remote/hw/xen_disk.c`
			`@@ -406,6 +406,7 @@ static int ioreq_map(struct ioreq *ioreq`
			`xen_be_printf(&ioreq->blkdev->xendev, 0,`
			`"can't map grant ref %d (%s, %d maps)\n",`
			`refs[i], strerror(errno), ioreq->blkdev->cnt_map);`
			`+ ioreq->mapped = 1;`
			`ioreq_unmap(ioreq);`
			`return -1;`
			`}`