xen/CVE-2013-0151-xsa34.patch

References: CVE-2013-0151 XSA-34 bnc#797285

x86_32: don't allow use of nested HVM

There are (indirect) uses of map_domain_page() in the nested HVM code
that are unsafe when not just using the 1:1 mapping.

This is XSA-34 / CVE-2013-0151.

Signed-off-by: Jan Beulich <jbeulich@suse.com>

--- a/xen/arch/x86/hvm/hvm.c
+++ b/xen/arch/x86/hvm/hvm.c
@@ -3930,6 +3930,10 @@ long do_hvm_op(unsigned long op, XEN_GUE
                     rc = -EINVAL;
                 break;
             case HVM_PARAM_NESTEDHVM:
+#ifdef __i386__
+                if ( a.value )
+                    rc = -EINVAL;
+#else
                 if ( a.value > 1 )
                     rc = -EINVAL;
                 if ( !is_hvm_domain(d) )
@@ -3944,6 +3948,7 @@ long do_hvm_op(unsigned long op, XEN_GUE
                     for_each_vcpu(d, v)
                         if ( rc == 0 )
                             rc = nestedhvm_vcpu_initialise(v);
+#endif
                 break;
             case HVM_PARAM_BUFIOREQ_EVTCHN:
                 rc = -EINVAL;
- bnc#797285 - VUL-0: Xen: XSA-34 (CVE-2013-0151) - nested virtualization on 32-bit exposes host crash CVE-2013-0151-xsa34.patch - bnc#797287 - VUL-0: Xen: XSA-35 (CVE-2013-0152) - Nested HVM exposes host to being driven out of memory by guest CVE-2013-0152-xsa35.patch - bnc#793717 - NetWare will not boot on Xen 4.2 xnloader.py domUloader.py pygrub-netware-xnloader.patch Removed reverse-24757-use-grant-references.patch - bnc#797523 - VUL-1: CVE-2012-6075: qemu / kvm-qemu: e1000 overflows under some conditions CVE-2012-6075-xsa41.patch - Mask the floating point exceptions for guests like NetWare on machines that support XSAVE. x86-fpu-context-conditional.patch - fate##313584: pass bios information to XEN HVM guest 26341-hvm-firmware-passthrough.patch 26342-hvm-firmware-passthrough.patch 26343-hvm-firmware-passthrough.patch 26344-hvm-firmware-passthrough.patch OBS-URL: https://build.opensuse.org/package/show/Virtualization/xen?expand=0&rev=223 2013-01-22 16:40:06 +01:00			`References: CVE-2013-0151 XSA-34 bnc#797285`

			`x86_32: don't allow use of nested HVM`

			`There are (indirect) uses of map_domain_page() in the nested HVM code`
			`that are unsafe when not just using the 1:1 mapping.`

			`This is XSA-34 / CVE-2013-0151.`

			`Signed-off-by: Jan Beulich <jbeulich@suse.com>`

			`--- a/xen/arch/x86/hvm/hvm.c`
			`+++ b/xen/arch/x86/hvm/hvm.c`
			`@@ -3930,6 +3930,10 @@ long do_hvm_op(unsigned long op, XEN_GUE`
			`rc = -EINVAL;`
			`break;`
			`case HVM_PARAM_NESTEDHVM:`
			`+#ifdef __i386__`
			`+ if ( a.value )`
			`+ rc = -EINVAL;`
			`+#else`
			`if ( a.value > 1 )`
			`rc = -EINVAL;`
			`if ( !is_hvm_domain(d) )`
			`@@ -3944,6 +3948,7 @@ long do_hvm_op(unsigned long op, XEN_GUE`
			`for_each_vcpu(d, v)`
			`if ( rc == 0 )`
			`rc = nestedhvm_vcpu_initialise(v);`
			`+#endif`
			`break;`
			`case HVM_PARAM_BUFIOREQ_EVTCHN:`
			`rc = -EINVAL;`