xen/xsa104.patch

x86/shadow: fix race condition sampling the dirty vram state

d->arch.hvm_domain.dirty_vram must be read with the domain's paging lock held.

If not, two concurrent hypercalls could both end up attempting to free
dirty_vram (the second of which will free a wild pointer), or both end up
allocating a new dirty_vram structure (the first of which will be leaked).

This is XSA-104.

Signed-off-by: Andrew Cooper <andrew.cooper3@citrix.com>
Reviewed-by: Tim Deegan <tim@xen.org>

Index: xen-4.4.1-testing/xen/arch/x86/mm/shadow/common.c
===================================================================
--- xen-4.4.1-testing.orig/xen/arch/x86/mm/shadow/common.c
+++ xen-4.4.1-testing/xen/arch/x86/mm/shadow/common.c
@@ -3486,7 +3486,7 @@ int shadow_track_dirty_vram(struct domai
     int flush_tlb = 0;
     unsigned long i;
     p2m_type_t t;
-    struct sh_dirty_vram *dirty_vram = d->arch.hvm_domain.dirty_vram;
+    struct sh_dirty_vram *dirty_vram;
     struct p2m_domain *p2m = p2m_get_hostp2m(d);
 
     if ( end_pfn < begin_pfn || end_pfn > p2m->max_mapped_pfn + 1 )
@@ -3496,6 +3496,8 @@ int shadow_track_dirty_vram(struct domai
     p2m_lock(p2m_get_hostp2m(d));
     paging_lock(d);
 
+    dirty_vram = d->arch.hvm_domain.dirty_vram;
+
     if ( dirty_vram && (!nr ||
              ( begin_pfn != dirty_vram->begin_pfn
             || end_pfn   != dirty_vram->end_pfn )) )
Index: xen-4.4.1-testing/xen/include/asm-x86/hvm/domain.h
===================================================================
--- xen-4.4.1-testing.orig/xen/include/asm-x86/hvm/domain.h
+++ xen-4.4.1-testing/xen/include/asm-x86/hvm/domain.h
@@ -67,7 +67,7 @@ struct hvm_domain {
     /* Memory ranges with pinned cache attributes. */
     struct list_head       pinned_cacheattr_ranges;
 
-    /* VRAM dirty support. */
+    /* VRAM dirty support.  Protect with the domain paging lock. */
     struct sh_dirty_vram *dirty_vram;
 
     /* If one of vcpus of this domain is in no_fill_mode or
- bnc#897614 - Virtualization/xen: Bug `xen-tools` uninstallable; grub2-x86_64-xen dependency not available xen.spec - More cleanup of README.SUSE - Update xen patch with upstream patch so that latest libvirt patch can work. (bnc#896044) + 53fcebab-xen-pass-kernel-initrd-to-qemu.patch - xen-pass-kernel-initrd-to-qemu.patch - bnc#895804 - VUL-0: CVE-2014-6268: xen: XSA-107: Mishandling of uninitialised FIFO-based event channel control blocks xsa107.patch - bnc#895802 - VUL-0: xen: XSA-106: Missing privilege level checks in x86 emulation of software interrupts xsa106.patch - bnc#895799 - VUL-0: xen: XSA-105: Missing privilege level checks in x86 HLT, LGDT, LIDT, and LMSW emulation xsa105.patch - bnc#895798 - VUL-0: xen: XSA-104: Race condition in HVMOP_track_dirty_vram xsa104.patch OBS-URL: https://build.opensuse.org/package/show/Virtualization/xen?expand=0&rev=331 2014-09-23 19:00:56 +02:00			`x86/shadow: fix race condition sampling the dirty vram state`

			`d->arch.hvm_domain.dirty_vram must be read with the domain's paging lock held.`

			`If not, two concurrent hypercalls could both end up attempting to free`
			`dirty_vram (the second of which will free a wild pointer), or both end up`
			`allocating a new dirty_vram structure (the first of which will be leaked).`

			`This is XSA-104.`

			`Signed-off-by: Andrew Cooper <andrew.cooper3@citrix.com>`
			`Reviewed-by: Tim Deegan <tim@xen.org>`

			`Index: xen-4.4.1-testing/xen/arch/x86/mm/shadow/common.c`
			`===================================================================`
			`--- xen-4.4.1-testing.orig/xen/arch/x86/mm/shadow/common.c`
			`+++ xen-4.4.1-testing/xen/arch/x86/mm/shadow/common.c`
			`@@ -3486,7 +3486,7 @@ int shadow_track_dirty_vram(struct domai`
			`int flush_tlb = 0;`
			`unsigned long i;`
			`p2m_type_t t;`
			`- struct sh_dirty_vram *dirty_vram = d->arch.hvm_domain.dirty_vram;`
			`+ struct sh_dirty_vram *dirty_vram;`
			`struct p2m_domain *p2m = p2m_get_hostp2m(d);`

			`if ( end_pfn < begin_pfn \|\| end_pfn > p2m->max_mapped_pfn + 1 )`
			`@@ -3496,6 +3496,8 @@ int shadow_track_dirty_vram(struct domai`
			`p2m_lock(p2m_get_hostp2m(d));`
			`paging_lock(d);`

			`+ dirty_vram = d->arch.hvm_domain.dirty_vram;`
			`+`
			`if ( dirty_vram && (!nr \|\|`
			`( begin_pfn != dirty_vram->begin_pfn`
			`\|\| end_pfn != dirty_vram->end_pfn )) )`
			`Index: xen-4.4.1-testing/xen/include/asm-x86/hvm/domain.h`
			`===================================================================`
			`--- xen-4.4.1-testing.orig/xen/include/asm-x86/hvm/domain.h`
			`+++ xen-4.4.1-testing/xen/include/asm-x86/hvm/domain.h`
			`@@ -67,7 +67,7 @@ struct hvm_domain {`
			`/* Memory ranges with pinned cache attributes. */`
			`struct list_head pinned_cacheattr_ranges;`

			`- /* VRAM dirty support. */`
			`+ /* VRAM dirty support. Protect with the domain paging lock. */`
			`struct sh_dirty_vram *dirty_vram;`

			`/* If one of vcpus of this domain is in no_fill_mode or`