xen/xsa160.patch

From adcbd15b1aec8367f790774c998db199c9b577bf Mon Sep 17 00:00:00 2001
From: Ian Jackson <ian.jackson@eu.citrix.com>
Date: Wed, 18 Nov 2015 15:34:54 +0000
Subject: [PATCH] libxl: Fix bootloader-related virtual memory leak on pv
 build failure

The bootloader may call libxl__file_reference_map(), which mmap's the
pv_kernel and pv_ramdisk into process memory.  This was only unmapped,
however, on the success path of libxl__build_pv().  If there were a
failure anywhere between libxl_bootloader.c:parse_bootloader_result()
and the end of libxl__build_pv(), the calls to
libxl__file_reference_unmap() would be skipped, leaking the mapped
virtual memory.

Ideally this would be fixed by adding the unmap calls to the
destruction path for libxl__domain_build_state.  Unfortunately the
lifetime of the libxl__domain_build_state is opaque, and it doesn't
have a proper destruction path.  But, the only thing in it that isn't
from the gc are these bootloader references, and they are only ever
set for one libxl__domain_build_state, the one which is
libxl__domain_create_state.build_state.

So we can clean up in the exit path from libxl__domain_create_*, which
always comes through domcreate_complete.

Remove the now-redundant unmaps in libxl__build_pv's success path.

This is XSA-160.

Acked-by: Ian Campbell <ian.campbell@citrix.com>
---
 tools/libxl/libxl_create.c |    3 +++
 tools/libxl/libxl_dom.c    |    3 ---
 2 files changed, 3 insertions(+), 3 deletions(-)

Index: xen-4.6.0-testing/tools/libxl/libxl_create.c
===================================================================
--- xen-4.6.0-testing.orig/tools/libxl/libxl_create.c
+++ xen-4.6.0-testing/tools/libxl/libxl_create.c
@@ -1484,6 +1484,9 @@ static void domcreate_complete(libxl__eg
     libxl_domain_config *const d_config = dcs->guest_config;
     libxl_domain_config *d_config_saved = &dcs->guest_config_saved;
 
+    libxl__file_reference_unmap(&dcs->build_state.pv_kernel);
+    libxl__file_reference_unmap(&dcs->build_state.pv_ramdisk);
+
     if (!rc && d_config->b_info.exec_ssidref)
         rc = xc_flask_relabel_domain(CTX->xch, dcs->guest_domid, d_config->b_info.exec_ssidref);
 
Index: xen-4.6.0-testing/tools/libxl/libxl_dom.c
===================================================================
--- xen-4.6.0-testing.orig/tools/libxl/libxl_dom.c
+++ xen-4.6.0-testing/tools/libxl/libxl_dom.c
@@ -750,9 +750,6 @@ int libxl__build_pv(libxl__gc *gc, uint3
         state->store_mfn = xc_dom_p2m_host(dom, dom->xenstore_pfn);
     }
 
-    libxl__file_reference_unmap(&state->pv_kernel);
-    libxl__file_reference_unmap(&state->pv_ramdisk);
-
     ret = 0;
 out:
     xc_dom_release(dom);
- bsc#960093 - VUL-0: CVE-2015-8615: xen: x86: unintentional logging upon guest changing callback method (XSA-169) 5677f350-x86-make-debug-output-consistent-in-hvm_set_callback_via.patch - bsc#959387 - VUL-0: CVE-2015-8568 CVE-2015-8567: xen: qemu: net: vmxnet3: host memory leakage CVE-2015-8568-qemuu-net-vmxnet3-avoid-memory-leakage-in-activate_device.patch - bsc#957988 - VUL-0: CVE-2015-8550: xen: paravirtualized drivers incautious about shared memory contents (XSA-155) xsa155-xen-0001-xen-Add-RING_COPY_REQUEST.patch xsa155-xen-0002-blktap2-Use-RING_COPY_REQUEST.patch xsa155-xen-0003-libvchan-Read-prod-cons-only-once.patch xsa155-qemuu-qdisk-double-access.patch xsa155-qemut-qdisk-double-access.patch xsa155-qemuu-xenfb.patch xsa155-qemut-xenfb.patch - bsc#959006 - VUL-0: CVE-2015-8558: xen: qemu: usb: infinite loop in ehci_advance_state results in DoS CVE-2015-8558-qemuu-usb-infinite-loop-in-ehci_advance_state-results-in-DoS.patch - bsc#958918 - VUL-0: CVE-2015-7549: xen: qemu pci: null pointer dereference issue CVE-2015-7549-qemuu-pci-null-pointer-dereference-issue.patch - bsc#958493 - VUL-0: CVE-2015-8504: xen: qemu: ui: vnc: avoid floating point exception CVE-2015-8504-qemuu-vnc-avoid-floating-point-exception.patch CVE-2015-8504-qemut-vnc-avoid-floating-point-exception.patch - bsc#958007 - VUL-0: CVE-2015-8554: xen: qemu-dm buffer overrun in MSI-X handling (XSA-164) xsa164.patch OBS-URL: https://build.opensuse.org/package/show/Virtualization/xen?expand=0&rev=393 2016-01-04 23:25:00 +01:00			`From adcbd15b1aec8367f790774c998db199c9b577bf Mon Sep 17 00:00:00 2001`
			`From: Ian Jackson <ian.jackson@eu.citrix.com>`
			`Date: Wed, 18 Nov 2015 15:34:54 +0000`
			`Subject: [PATCH] libxl: Fix bootloader-related virtual memory leak on pv`
			`build failure`

			`The bootloader may call libxl__file_reference_map(), which mmap's the`
			`pv_kernel and pv_ramdisk into process memory. This was only unmapped,`
			`however, on the success path of libxl__build_pv(). If there were a`
			`failure anywhere between libxl_bootloader.c:parse_bootloader_result()`
			`and the end of libxl__build_pv(), the calls to`
			`libxl__file_reference_unmap() would be skipped, leaking the mapped`
			`virtual memory.`

			`Ideally this would be fixed by adding the unmap calls to the`
			`destruction path for libxl__domain_build_state. Unfortunately the`
			`lifetime of the libxl__domain_build_state is opaque, and it doesn't`
			`have a proper destruction path. But, the only thing in it that isn't`
			`from the gc are these bootloader references, and they are only ever`
			`set for one libxl__domain_build_state, the one which is`
			`libxl__domain_create_state.build_state.`

			`So we can clean up in the exit path from libxl__domain_create_*, which`
			`always comes through domcreate_complete.`

			`Remove the now-redundant unmaps in libxl__build_pv's success path.`

			`This is XSA-160.`

			`Acked-by: Ian Campbell <ian.campbell@citrix.com>`
			`---`
			`tools/libxl/libxl_create.c \| 3 +++`
			`tools/libxl/libxl_dom.c \| 3 ---`
			`2 files changed, 3 insertions(+), 3 deletions(-)`

			`Index: xen-4.6.0-testing/tools/libxl/libxl_create.c`
			`===================================================================`
			`--- xen-4.6.0-testing.orig/tools/libxl/libxl_create.c`
			`+++ xen-4.6.0-testing/tools/libxl/libxl_create.c`
			`@@ -1484,6 +1484,9 @@ static void domcreate_complete(libxl__eg`
			`libxl_domain_config *const d_config = dcs->guest_config;`
			`libxl_domain_config *d_config_saved = &dcs->guest_config_saved;`

			`+ libxl__file_reference_unmap(&dcs->build_state.pv_kernel);`
			`+ libxl__file_reference_unmap(&dcs->build_state.pv_ramdisk);`
			`+`
			`if (!rc && d_config->b_info.exec_ssidref)`
			`rc = xc_flask_relabel_domain(CTX->xch, dcs->guest_domid, d_config->b_info.exec_ssidref);`

			`Index: xen-4.6.0-testing/tools/libxl/libxl_dom.c`
			`===================================================================`
			`--- xen-4.6.0-testing.orig/tools/libxl/libxl_dom.c`
			`+++ xen-4.6.0-testing/tools/libxl/libxl_dom.c`
			`@@ -750,9 +750,6 @@ int libxl__build_pv(libxl__gc *gc, uint3`
			`state->store_mfn = xc_dom_p2m_host(dom, dom->xenstore_pfn);`
			`}`

			`- libxl__file_reference_unmap(&state->pv_kernel);`
			`- libxl__file_reference_unmap(&state->pv_ramdisk);`
			`-`
			`ret = 0;`
			`out:`
			`xc_dom_release(dom);`