da53445dea
recursive pagetable for 32-bit PV guests (XSA-185) 57d1563d-x86-32on64-don-t-allow-recursive-page-tables-from-L3.patch - bsc#995789 - VUL-0: CVE-2016-7093: xen: x86: Mishandling of instruction pointer truncation during emulation (XSA-186) 57d15679-x86-emulate-Correct-boundary-interactions-of-emulated-insns.patch 57d18642-hvm-fep-Allow-test-insns-crossing-1-0-boundary.patch - bsc#995792 - VUL-0: CVE-2016-7094: xen: x86 HVM: Overflow of sh_ctxt->seg_reg[] (XSA-187) 57d1569a-x86-shadow-Avoid-overflowing-sh_ctxt-seg_reg.patch 57d18642-x86-segment-Bounds-check-accesses-to-emulation-ctxt-seg_reg.patch - bsc#991934 - xen hypervisor crash in csched_acct 57c96df3-credit1-fix-a-race-when-picking-initial-pCPU.patch - Upstream patches from Jan 57c4412b-x86-HVM-add-guarding-logic-for-VMX-specific-code.patch 57c57f73-libxc-correct-max_pfn-calculation-for-saving-domain.patch 57c805bf-x86-levelling-restrict-non-architectural-OSXSAVE-handling.patch 57c805c1-x86-levelling-pass-vcpu-to-ctxt_switch_levelling.patch 57c805c3-x86-levelling-provide-architectural-OSXSAVE-handling.patch 57c82be2-x86-32on64-adjust-call-gate-emulation.patch 57c96e2c-x86-correct-PT_NOTE-file-position.patch 57cfed43-VMX-correct-feature-checks-for-MPX-and-XSAVES.patch - bsc#989679 - [pvusb feature] USB device not found when 'virsh detach-device guest usb.xml' 57c93e52-fix-error-in-libxl_device_usbdev_list.patch OBS-URL: https://build.opensuse.org/package/show/Virtualization/xen?expand=0&rev=450
48 lines
1.7 KiB
Diff
48 lines
1.7 KiB
Diff
References: bsc#995792 CVE-2016-7094 XSA-187
|
|
|
|
# Commit a9f3b3bad17d91e2067fc00d51b0302349570d08
|
|
# Date 2016-09-08 14:16:26 +0200
|
|
# Author Andrew Cooper <andrew.cooper3@citrix.com>
|
|
# Committer Jan Beulich <jbeulich@suse.com>
|
|
x86/shadow: Avoid overflowing sh_ctxt->seg_reg[]
|
|
|
|
hvm_get_seg_reg() does not perform a range check on its input segment, calls
|
|
hvm_get_segment_register() and writes straight into sh_ctxt->seg_reg[].
|
|
|
|
x86_seg_none is outside the bounds of sh_ctxt->seg_reg[], and will hit a BUG()
|
|
in {vmx,svm}_get_segment_register().
|
|
|
|
HVM guests running with shadow paging can end up performing a virtual to
|
|
linear translation with x86_seg_none. This is used for addresses which are
|
|
already linear. However, none of this is a legitimate pagetable update, so
|
|
fail the emulation in such a case.
|
|
|
|
This is XSA-187 / CVE-2016-7094.
|
|
|
|
Reported-by: Andrew Cooper <andrew.cooper3@citrix.com>
|
|
Signed-off-by: Andrew Cooper <andrew.cooper3@citrix.com>
|
|
Reviewed-by: Tim Deegan <tim@xen.org>
|
|
|
|
--- a/xen/arch/x86/mm/shadow/common.c
|
|
+++ b/xen/arch/x86/mm/shadow/common.c
|
|
@@ -140,9 +140,18 @@ static int hvm_translate_linear_addr(
|
|
struct sh_emulate_ctxt *sh_ctxt,
|
|
unsigned long *paddr)
|
|
{
|
|
- struct segment_register *reg = hvm_get_seg_reg(seg, sh_ctxt);
|
|
+ struct segment_register *reg;
|
|
int okay;
|
|
|
|
+ /*
|
|
+ * Can arrive here with non-user segments. However, no such cirucmstance
|
|
+ * is part of a legitimate pagetable update, so fail the emulation.
|
|
+ */
|
|
+ if ( !is_x86_user_segment(seg) )
|
|
+ return X86EMUL_UNHANDLEABLE;
|
|
+
|
|
+ reg = hvm_get_seg_reg(seg, sh_ctxt);
|
|
+
|
|
okay = hvm_virtual_to_linear_addr(
|
|
seg, reg, offset, bytes, access_type, sh_ctxt->ctxt.addr_size, paddr);
|
|
|