xen/52809208-nested-VMX-VMLANUCH-VMRESUME-emulation-must-check-permission-1st.patch

References: bnc#849665 CVE-2013-4551 XSA-75

# Commit 4e87bc5b03e05123ba5c888f77969140c8ebd1bf
# Date 2013-11-11 09:15:04 +0100
# Author Jan Beulich <jbeulich@suse.com>
# Committer Jan Beulich <jbeulich@suse.com>
nested VMX: VMLANUCH/VMRESUME emulation must check permission first thing

Otherwise uninitialized data may be used, leading to crashes.

This is CVE-2013-4551 / XSA-75.

Reported-and-tested-by: Jeff Zimmerman <Jeff_Zimmerman@McAfee.com>
Signed-off-by: Jan Beulich <jbeulich@suse.com>
Reviewed-and-tested-by: Andrew Cooper <andrew.cooper3@citrix.com>
Acked-by: Ian Campbell <ian.campbell@citrix.com>

--- a/xen/arch/x86/hvm/vmx/vvmx.c
+++ b/xen/arch/x86/hvm/vmx/vvmx.c
@@ -1508,15 +1508,10 @@ static void clear_vvmcs_launched(struct 
     }
 }
 
-int nvmx_vmresume(struct vcpu *v, struct cpu_user_regs *regs)
+static int nvmx_vmresume(struct vcpu *v, struct cpu_user_regs *regs)
 {
     struct nestedvmx *nvmx = &vcpu_2_nvmx(v);
     struct nestedvcpu *nvcpu = &vcpu_nestedhvm(v);
-    int rc;
-
-    rc = vmx_inst_check_privilege(regs, 0);
-    if ( rc != X86EMUL_OKAY )
-        return rc;
 
     /* check VMCS is valid and IO BITMAP is set */
     if ( (nvcpu->nv_vvmcxaddr != VMCX_EADDR) &&
@@ -1535,6 +1530,10 @@ int nvmx_handle_vmresume(struct cpu_user
     struct vcpu *v = current;
     struct nestedvcpu *nvcpu = &vcpu_nestedhvm(v);
     struct nestedvmx *nvmx = &vcpu_2_nvmx(v);
+    int rc = vmx_inst_check_privilege(regs, 0);
+
+    if ( rc != X86EMUL_OKAY )
+        return rc;
 
     if ( vcpu_nestedhvm(v).nv_vvmcxaddr == VMCX_EADDR )
     {
@@ -1554,10 +1553,13 @@ int nvmx_handle_vmresume(struct cpu_user
 int nvmx_handle_vmlaunch(struct cpu_user_regs *regs)
 {
     bool_t launched;
-    int rc;
     struct vcpu *v = current;
     struct nestedvcpu *nvcpu = &vcpu_nestedhvm(v);
     struct nestedvmx *nvmx = &vcpu_2_nvmx(v);
+    int rc = vmx_inst_check_privilege(regs, 0);
+
+    if ( rc != X86EMUL_OKAY )
+        return rc;
 
     if ( vcpu_nestedhvm(v).nv_vvmcxaddr == VMCX_EADDR )
     {
- Upstream patches from Jan 5281fad4-numa-sched-leave-node-affinity-alone-if-not-in-auto-mode.patch 52820823-nested-SVM-adjust-guest-handling-of-structure-mappings.patch 52820863-VMX-don-t-crash-processing-d-debug-key.patch 5282492f-x86-eliminate-has_arch_mmios.patch 52864df2-credit-Update-other-parameters-when-setting-tslice_ms.patch 52864f30-fix-leaking-of-v-cpu_affinity_saved-on-domain-destruction.patch 5289d225-nested-VMX-don-t-ignore-mapping-errors.patch 528a0eb0-x86-consider-modules-when-cutting-off-memory.patch 528f606c-x86-hvm-reset-TSC-to-0-after-domain-resume-from-S3.patch 528f609c-x86-crash-disable-the-watchdog-NMIs-on-the-crashing-cpu.patch 52932418-x86-xsave-fix-nonlazy-state-handling.patch - Add missing requires to pciutils package for xend-tools - bnc#851749 - Xen service file does not call xend properly xend.service - bnc#851386 - VUL-0: xen: XSA-78: Insufficient TLB flushing in VT-d (iommu) code 528a0e5b-TLB-flushing-in-dma_pte_clear_one.patch - bnc#849667 - VUL-0: xen: XSA-74: Lock order reversal between page_alloc_lock and mm_rwlock CVE-2013-4553-xsa74.patch - bnc#849665 - VUL-0: CVE-2013-4551: xen: XSA-75: Host crash due to guest VMX instruction execution 52809208-nested-VMX-VMLANUCH-VMRESUME-emulation-must-check-permission-1st.patch - bnc#849668 - VUL-0: xen: XSA-76: Hypercalls exposed to privilege rings 1 and 2 of HVM guests OBS-URL: https://build.opensuse.org/package/show/Virtualization/xen?expand=0&rev=279 2013-11-26 20:18:36 +00:00			`References: bnc#849665 CVE-2013-4551 XSA-75`

			`# Commit 4e87bc5b03e05123ba5c888f77969140c8ebd1bf`
			`# Date 2013-11-11 09:15:04 +0100`
			`# Author Jan Beulich <jbeulich@suse.com>`
			`# Committer Jan Beulich <jbeulich@suse.com>`
			`nested VMX: VMLANUCH/VMRESUME emulation must check permission first thing`

			`Otherwise uninitialized data may be used, leading to crashes.`

			`This is CVE-2013-4551 / XSA-75.`

			`Reported-and-tested-by: Jeff Zimmerman <Jeff_Zimmerman@McAfee.com>`
			`Signed-off-by: Jan Beulich <jbeulich@suse.com>`
			`Reviewed-and-tested-by: Andrew Cooper <andrew.cooper3@citrix.com>`
			`Acked-by: Ian Campbell <ian.campbell@citrix.com>`

			`--- a/xen/arch/x86/hvm/vmx/vvmx.c`
			`+++ b/xen/arch/x86/hvm/vmx/vvmx.c`
			`@@ -1508,15 +1508,10 @@ static void clear_vvmcs_launched(struct`
			`}`
			`}`

			`-int nvmx_vmresume(struct vcpu v, struct cpu_user_regs regs)`
			`+static int nvmx_vmresume(struct vcpu v, struct cpu_user_regs regs)`
			`{`
			`struct nestedvmx *nvmx = &vcpu_2_nvmx(v);`
			`struct nestedvcpu *nvcpu = &vcpu_nestedhvm(v);`
			`- int rc;`
			`-`
			`- rc = vmx_inst_check_privilege(regs, 0);`
			`- if ( rc != X86EMUL_OKAY )`
			`- return rc;`

			`/* check VMCS is valid and IO BITMAP is set */`
			`if ( (nvcpu->nv_vvmcxaddr != VMCX_EADDR) &&`
			`@@ -1535,6 +1530,10 @@ int nvmx_handle_vmresume(struct cpu_user`
			`struct vcpu *v = current;`
			`struct nestedvcpu *nvcpu = &vcpu_nestedhvm(v);`
			`struct nestedvmx *nvmx = &vcpu_2_nvmx(v);`
			`+ int rc = vmx_inst_check_privilege(regs, 0);`
			`+`
			`+ if ( rc != X86EMUL_OKAY )`
			`+ return rc;`

			`if ( vcpu_nestedhvm(v).nv_vvmcxaddr == VMCX_EADDR )`
			`{`
			`@@ -1554,10 +1553,13 @@ int nvmx_handle_vmresume(struct cpu_user`
			`int nvmx_handle_vmlaunch(struct cpu_user_regs *regs)`
			`{`
			`bool_t launched;`
			`- int rc;`
			`struct vcpu *v = current;`
			`struct nestedvcpu *nvcpu = &vcpu_nestedhvm(v);`
			`struct nestedvmx *nvmx = &vcpu_2_nvmx(v);`
			`+ int rc = vmx_inst_check_privilege(regs, 0);`
			`+`
			`+ if ( rc != X86EMUL_OKAY )`
			`+ return rc;`

			`if ( vcpu_nestedhvm(v).nv_vvmcxaddr == VMCX_EADDR )`
			`{`