a11c33863f
5281fad4-numa-sched-leave-node-affinity-alone-if-not-in-auto-mode.patch 52820823-nested-SVM-adjust-guest-handling-of-structure-mappings.patch 52820863-VMX-don-t-crash-processing-d-debug-key.patch 5282492f-x86-eliminate-has_arch_mmios.patch 52864df2-credit-Update-other-parameters-when-setting-tslice_ms.patch 52864f30-fix-leaking-of-v-cpu_affinity_saved-on-domain-destruction.patch 5289d225-nested-VMX-don-t-ignore-mapping-errors.patch 528a0eb0-x86-consider-modules-when-cutting-off-memory.patch 528f606c-x86-hvm-reset-TSC-to-0-after-domain-resume-from-S3.patch 528f609c-x86-crash-disable-the-watchdog-NMIs-on-the-crashing-cpu.patch 52932418-x86-xsave-fix-nonlazy-state-handling.patch - Add missing requires to pciutils package for xend-tools - bnc#851749 - Xen service file does not call xend properly xend.service - bnc#851386 - VUL-0: xen: XSA-78: Insufficient TLB flushing in VT-d (iommu) code 528a0e5b-TLB-flushing-in-dma_pte_clear_one.patch - bnc#849667 - VUL-0: xen: XSA-74: Lock order reversal between page_alloc_lock and mm_rwlock CVE-2013-4553-xsa74.patch - bnc#849665 - VUL-0: CVE-2013-4551: xen: XSA-75: Host crash due to guest VMX instruction execution 52809208-nested-VMX-VMLANUCH-VMRESUME-emulation-must-check-permission-1st.patch - bnc#849668 - VUL-0: xen: XSA-76: Hypercalls exposed to privilege rings 1 and 2 of HVM guests OBS-URL: https://build.opensuse.org/package/show/Virtualization/xen?expand=0&rev=279
63 lines
2.3 KiB
Diff
63 lines
2.3 KiB
Diff
# Commit 343cad8c70585c4dba8afc75e1ec1b7610605ab2
|
|
# Date 2013-10-28 12:00:36 +0100
|
|
# Author Jan Beulich <jbeulich@suse.com>
|
|
# Committer Jan Beulich <jbeulich@suse.com>
|
|
x86: refine address validity checks before accessing page tables
|
|
|
|
In commit 40d66baa ("x86: correct LDT checks") and d06a0d71 ("x86: add
|
|
address validity check to guest_map_l1e()") I didn't really pay
|
|
attention to the fact that these checks would better be done before the
|
|
paging_mode_translate() ones, as there's also no equivalent check down
|
|
the shadow code paths involved here (at least not up to the first use
|
|
of the address), and such generic checks shouldn't really be done by
|
|
particular backend functions anyway.
|
|
|
|
Signed-off-by: Jan Beulich <jbeulich@suse.com>
|
|
Acked-by: Tim Deegan <tim@xen.org>
|
|
|
|
--- a/xen/include/asm-x86/paging.h
|
|
+++ b/xen/include/asm-x86/paging.h
|
|
@@ -356,12 +356,14 @@ guest_map_l1e(struct vcpu *v, unsigned l
|
|
{
|
|
l2_pgentry_t l2e;
|
|
|
|
+ if ( unlikely(!__addr_ok(addr)) )
|
|
+ return NULL;
|
|
+
|
|
if ( unlikely(paging_mode_translate(v->domain)) )
|
|
return paging_get_hostmode(v)->guest_map_l1e(v, addr, gl1mfn);
|
|
|
|
/* Find this l1e and its enclosing l1mfn in the linear map */
|
|
- if ( !__addr_ok(addr) ||
|
|
- __copy_from_user(&l2e,
|
|
+ if ( __copy_from_user(&l2e,
|
|
&__linear_l2_table[l2_linear_offset(addr)],
|
|
sizeof(l2_pgentry_t)) != 0 )
|
|
return NULL;
|
|
@@ -382,16 +384,21 @@ guest_unmap_l1e(struct vcpu *v, void *p)
|
|
|
|
/* Read the guest's l1e that maps this address. */
|
|
static inline void
|
|
-guest_get_eff_l1e(struct vcpu *v, unsigned long addr, void *eff_l1e)
|
|
+guest_get_eff_l1e(struct vcpu *v, unsigned long addr, l1_pgentry_t *eff_l1e)
|
|
{
|
|
+ if ( unlikely(!__addr_ok(addr)) )
|
|
+ {
|
|
+ *eff_l1e = l1e_empty();
|
|
+ return;
|
|
+ }
|
|
+
|
|
if ( likely(!paging_mode_translate(v->domain)) )
|
|
{
|
|
ASSERT(!paging_mode_external(v->domain));
|
|
- if ( !__addr_ok(addr) ||
|
|
- __copy_from_user(eff_l1e,
|
|
+ if ( __copy_from_user(eff_l1e,
|
|
&__linear_l1_table[l1_linear_offset(addr)],
|
|
sizeof(l1_pgentry_t)) != 0 )
|
|
- *(l1_pgentry_t *)eff_l1e = l1e_empty();
|
|
+ *eff_l1e = l1e_empty();
|
|
return;
|
|
}
|
|
|