pool/xen
SHA256
2
0
Fork 1
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
296b5421e5
xen/xsa104.patch
Charles Arnold 4cdbb395f2 - bnc#897614 - Virtualization/xen: Bug xen-tools uninstallable; 
grub2-x86_64-xen dependency not available
  xen.spec

- More cleanup of README.SUSE

- Update xen patch with upstream patch so that latest libvirt
  patch can work. (bnc#896044)
  + 53fcebab-xen-pass-kernel-initrd-to-qemu.patch
  - xen-pass-kernel-initrd-to-qemu.patch

- bnc#895804 - VUL-0: CVE-2014-6268: xen: XSA-107: Mishandling of
  uninitialised FIFO-based event channel control blocks
  xsa107.patch
- bnc#895802 - VUL-0: xen: XSA-106: Missing privilege level checks
  in x86 emulation of software interrupts
  xsa106.patch
- bnc#895799 - VUL-0: xen: XSA-105: Missing privilege level checks
  in x86 HLT, LGDT, LIDT, and LMSW emulation
  xsa105.patch
- bnc#895798 - VUL-0: xen: XSA-104: Race condition in
  HVMOP_track_dirty_vram
  xsa104.patch

OBS-URL: https://build.opensuse.org/package/show/Virtualization/xen?expand=0&rev=331
2014-09-23 17:00:56 +00:00

49 lines
1.9 KiB
Diff
Raw Blame History

x86/shadow: fix race condition sampling the dirty vram state
d->arch.hvm_domain.dirty_vram must be read with the domain's paging lock held.
If not, two concurrent hypercalls could both end up attempting to free
dirty_vram (the second of which will free a wild pointer), or both end up
allocating a new dirty_vram structure (the first of which will be leaked).
This is XSA-104.
Signed-off-by: Andrew Cooper <andrew.cooper3@citrix.com>
Reviewed-by: Tim Deegan <tim@xen.org>
Index: xen-4.4.1-testing/xen/arch/x86/mm/shadow/common.c
===================================================================
--- xen-4.4.1-testing.orig/xen/arch/x86/mm/shadow/common.c
+++ xen-4.4.1-testing/xen/arch/x86/mm/shadow/common.c
@@ -3486,7 +3486,7 @@ int shadow_track_dirty_vram(struct domai
int flush_tlb = 0;
unsigned long i;
p2m_type_t t;
- struct sh_dirty_vram *dirty_vram = d->arch.hvm_domain.dirty_vram;
+ struct sh_dirty_vram *dirty_vram;
struct p2m_domain *p2m = p2m_get_hostp2m(d);
if ( end_pfn < begin_pfn || end_pfn > p2m->max_mapped_pfn + 1 )
@@ -3496,6 +3496,8 @@ int shadow_track_dirty_vram(struct domai
p2m_lock(p2m_get_hostp2m(d));
paging_lock(d);
+ dirty_vram = d->arch.hvm_domain.dirty_vram;
+
if ( dirty_vram && (!nr ||
( begin_pfn != dirty_vram->begin_pfn
|| end_pfn != dirty_vram->end_pfn )) )
Index: xen-4.4.1-testing/xen/include/asm-x86/hvm/domain.h
===================================================================
--- xen-4.4.1-testing.orig/xen/include/asm-x86/hvm/domain.h
+++ xen-4.4.1-testing/xen/include/asm-x86/hvm/domain.h
@@ -67,7 +67,7 @@ struct hvm_domain {
/* Memory ranges with pinned cache attributes. */
struct list_head pinned_cacheattr_ranges;
- /* VRAM dirty support. */
+ /* VRAM dirty support. Protect with the domain paging lock. */
struct sh_dirty_vram *dirty_vram;
/* If one of vcpus of this domain is in no_fill_mode or
Reference in New Issue View Git Blame Copy Permalink