xen/CVE-2012-5513-xsa29.patch

References: CVE-2012-5513 XSA-29 bnc#789951

xen: add missing guest address range checks to XENMEM_exchange handlers

Ever since its existence (3.0.3 iirc) the handler for this has been
using non address range checking guest memory accessors (i.e.
the ones prefixed with two underscores) without first range
checking the accessed space (via guest_handle_okay()), allowing
a guest to access and overwrite hypervisor memory.

This is XSA-29 / CVE-2012-5513.

Signed-off-by: Jan Beulich <jbeulich@suse.com>
Acked-by: Ian Campbell <ian.campbell@citrix.com>
Acked-by: Ian Jackson <ian.jackson@eu.citrix.com>

--- a/xen/common/compat/memory.c
+++ b/xen/common/compat/memory.c
@@ -115,6 +115,12 @@ int compat_memory_op(unsigned int cmd, X
                   (cmp.xchg.out.nr_extents << cmp.xchg.out.extent_order)) )
                 return -EINVAL;
 
+            if ( !compat_handle_okay(cmp.xchg.in.extent_start,
+                                     cmp.xchg.in.nr_extents) ||
+                 !compat_handle_okay(cmp.xchg.out.extent_start,
+                                     cmp.xchg.out.nr_extents) )
+                return -EFAULT;
+
             start_extent = cmp.xchg.nr_exchanged;
             end_extent = (COMPAT_ARG_XLAT_SIZE - sizeof(*nat.xchg)) /
                          (((1U << ABS(order_delta)) + 1) *
--- a/xen/common/memory.c
+++ b/xen/common/memory.c
@@ -308,6 +308,13 @@ static long memory_exchange(XEN_GUEST_HA
         goto fail_early;
     }
 
+    if ( !guest_handle_okay(exch.in.extent_start, exch.in.nr_extents) ||
+         !guest_handle_okay(exch.out.extent_start, exch.out.nr_extents) )
+    {
+        rc = -EFAULT;
+        goto fail_early;
+    }
+
     /* Only privileged guests can allocate multi-page contiguous extents. */
     if ( !multipage_allocation_permitted(current->domain,
                                          exch.in.extent_order) ||
- bnc#789945 - VUL-0: CVE-2012-5510: xen: Grant table version switch list corruption vulnerability (XSA-26) CVE-2012-5510-xsa26.patch - bnc#789944 - VUL-0: CVE-2012-5511: xen: Several HVM operations do not validate the range of their inputs (XSA-27) CVE-2012-5511-xsa27.patch - bnc#789951 - VUL-0: CVE-2012-5513: xen: XENMEM_exchange may overwrite hypervisor memory (XSA-29) CVE-2012-5513-xsa29.patch - bnc#789948 - VUL-0: CVE-2012-5514: xen: Missing unlock in guest_physmap_mark_populate_on_demand() (XSA-30) CVE-2012-5514-xsa30.patch - bnc#789950 - VUL-0: CVE-2012-5515: xen: Several memory hypercall operations allow invalid extent order values (XSA-31) CVE-2012-5515-xsa31.patch - bnc#789952 - VUL-0: CVE-2012-5525: xen: Several hypercalls do not validate input GFNs (XSA-32) CVE-2012-5525-xsa32.patch - Upstream patches from Jan 26129-ACPI-BGRT-invalidate.patch 26132-tmem-save-NULL-check.patch 26134-x86-shadow-invlpg-check.patch 26139-cpumap-masking.patch 26148-vcpu-timer-overflow.patch (Replaces CVE-2012-4535-xsa20.patch) 26149-x86-p2m-physmap-error-path.patch (Replaces CVE-2012-4537-xsa22.patch) 26150-x86-shadow-unhook-toplevel-check.patch (Replaces CVE-2012-4538-xsa23.patch) 26151-gnttab-compat-get-status-frames.patch (Replaces CVE-2012-4539-xsa24.patch) 26179-PCI-find-next-cap.patch 26183-x86-HPET-masking.patch 26188-x86-time-scale-asm.patch OBS-URL: https://build.opensuse.org/package/show/Virtualization/xen?expand=0&rev=216 2012-12-03 14:47:23 +00:00			`References: CVE-2012-5513 XSA-29 bnc#789951`

			`xen: add missing guest address range checks to XENMEM_exchange handlers`

			`Ever since its existence (3.0.3 iirc) the handler for this has been`
			`using non address range checking guest memory accessors (i.e.`
			`the ones prefixed with two underscores) without first range`
			`checking the accessed space (via guest_handle_okay()), allowing`
			`a guest to access and overwrite hypervisor memory.`

			`This is XSA-29 / CVE-2012-5513.`

			`Signed-off-by: Jan Beulich <jbeulich@suse.com>`
			`Acked-by: Ian Campbell <ian.campbell@citrix.com>`
			`Acked-by: Ian Jackson <ian.jackson@eu.citrix.com>`

			`--- a/xen/common/compat/memory.c`
			`+++ b/xen/common/compat/memory.c`
			`@@ -115,6 +115,12 @@ int compat_memory_op(unsigned int cmd, X`
			`(cmp.xchg.out.nr_extents << cmp.xchg.out.extent_order)) )`
			`return -EINVAL;`

			`+ if ( !compat_handle_okay(cmp.xchg.in.extent_start,`
			`+ cmp.xchg.in.nr_extents) \|\|`
			`+ !compat_handle_okay(cmp.xchg.out.extent_start,`
			`+ cmp.xchg.out.nr_extents) )`
			`+ return -EFAULT;`
			`+`
			`start_extent = cmp.xchg.nr_exchanged;`
			`end_extent = (COMPAT_ARG_XLAT_SIZE - sizeof(*nat.xchg)) /`
			`(((1U << ABS(order_delta)) + 1) *`
			`--- a/xen/common/memory.c`
			`+++ b/xen/common/memory.c`
			`@@ -308,6 +308,13 @@ static long memory_exchange(XEN_GUEST_HA`
			`goto fail_early;`
			`}`

			`+ if ( !guest_handle_okay(exch.in.extent_start, exch.in.nr_extents) \|\|`
			`+ !guest_handle_okay(exch.out.extent_start, exch.out.nr_extents) )`
			`+ {`
			`+ rc = -EFAULT;`
			`+ goto fail_early;`
			`+ }`
			`+`
			`/* Only privileged guests can allocate multi-page contiguous extents. */`
			`if ( !multipage_allocation_permitted(current->domain,`
			`exch.in.extent_order) \|\|`