b244ce9e91
sles10. Patch pygrub to get the kernel and initrd from the image. pygrub-boot-legacy-sles.patch - bnc#842515 - VUL-0: CVE-2013-4375: XSA-71: xen: qemu disk backend (qdisk) resource leak CVE-2013-4375-xsa71.patch - Upstream patches from Jan 52496bea-x86-properly-handle-hvm_copy_from_guest_-phys-virt-errors.patch (Replaces CVE-2013-4355-xsa63.patch) 52496c11-x86-mm-shadow-Fix-initialization-of-PV-shadow-L4-tables.patch (Replaces CVE-2013-4356-xsa64.patch) 52496c32-x86-properly-set-up-fbld-emulation-operand-address.patch (Replaces CVE-2013-4361-xsa66.patch) 52497c6c-x86-don-t-blindly-create-L3-tables-for-the-direct-map.patch 524e971b-x86-idle-Fix-get_cpu_idle_time-s-interaction-with-offline-pcpus.patch 524e9762-x86-percpu-Force-INVALID_PERCPU_AREA-to-non-canonical.patch 524e983e-Nested-VMX-check-VMX-capability-before-read-VMX-related-MSRs.patch 524e98b1-Nested-VMX-fix-IA32_VMX_CR4_FIXED1-msr-emulation.patch 524e9dc0-xsm-forbid-PV-guest-console-reads.patch 5256a979-x86-check-segment-descriptor-read-result-in-64-bit-OUTS-emulation.patch 5256be57-libxl-fix-vif-rate-parsing.patch 5256be84-tools-ocaml-fix-erroneous-free-of-cpumap-in-stub_xc_vcpu_getaffinity.patch 5256be92-libxl-fix-out-of-memory-error-handling-in-libxl_list_cpupool.patch 5257a89a-x86-correct-LDT-checks.patch 5257a8e7-x86-add-address-validity-check-to-guest_map_l1e.patch 5257a944-x86-check-for-canonical-address-before-doing-page-walks.patch 525b95f4-scheduler-adjust-internal-locking-interface.patch 525b9617-sched-fix-race-between-sched_move_domain-and-vcpu_wake.patch 525e69e8-credit-unpause-parked-vcpu-before-destroying-it.patch 525faf5e-x86-print-relevant-tail-part-of-filename-for-warnings-and-crashes.patch - bnc#840196 - L3: MTU size on Dom0 gets reset when booting DomU OBS-URL: https://build.opensuse.org/package/show/Virtualization/xen?expand=0&rev=276
44 lines
1.5 KiB
Diff
44 lines
1.5 KiB
Diff
References: bnc#842511 CVE-2013-4368 XSA-67
|
|
|
|
# Commit 0771faba163769089c9f05f7f76b63e397677613
|
|
# Date 2013-10-10 15:19:53 +0200
|
|
# Author Matthew Daley <mattjd@gmail.com>
|
|
# Committer Jan Beulich <jbeulich@suse.com>
|
|
x86: check segment descriptor read result in 64-bit OUTS emulation
|
|
|
|
When emulating such an operation from a 64-bit context (CS has long
|
|
mode set), and the data segment is overridden to FS/GS, the result of
|
|
reading the overridden segment's descriptor (read_descriptor) is not
|
|
checked. If it fails, data_base is left uninitialized.
|
|
|
|
This can lead to 8 bytes of Xen's stack being leaked to the guest
|
|
(implicitly, i.e. via the address given in a #PF).
|
|
|
|
Coverity-ID: 1055116
|
|
|
|
This is CVE-2013-4368 / XSA-67.
|
|
|
|
Signed-off-by: Matthew Daley <mattjd@gmail.com>
|
|
|
|
Fix formatting.
|
|
|
|
Signed-off-by: Jan Beulich <jbeulich@suse.com>
|
|
|
|
--- a/xen/arch/x86/traps.c
|
|
+++ b/xen/arch/x86/traps.c
|
|
@@ -1990,10 +1990,10 @@ static int emulate_privileged_op(struct
|
|
break;
|
|
}
|
|
}
|
|
- else
|
|
- read_descriptor(data_sel, v, regs,
|
|
- &data_base, &data_limit, &ar,
|
|
- 0);
|
|
+ else if ( !read_descriptor(data_sel, v, regs,
|
|
+ &data_base, &data_limit, &ar, 0) ||
|
|
+ !(ar & _SEGMENT_S) || !(ar & _SEGMENT_P) )
|
|
+ goto fail;
|
|
data_limit = ~0UL;
|
|
ar = _SEGMENT_WR|_SEGMENT_S|_SEGMENT_DPL|_SEGMENT_P;
|
|
}
|