3f55414718
- Upstream or pending upstream patches from Jan 25587-fix-off-by-one-parsing-error.patch 25616-x86-MCi_CTL-default.patch 25617-vtd-qinval-addr.patch 25688-x86-nr_irqs_gsi.patch - bnc#773393 - VUL-0: CVE-2012-3433: xen: HVM guest destroy p2m teardown host DoS vulnerability CVE-2012-3433-xsa11.patch - bnc#773401 - VUL-1: CVE-2012-3432: xen: HVM guest user mode MMIO emulation DoS 25682-x86-inconsistent-io-state.patch - bnc#762484 - VUL-1: CVE-2012-2625: xen: pv bootloader doesn't check the size of the bzip2 or lzma compressed kernel, leading to denial of service 25589-pygrub-size-limits.patch - Make it build with latest TeXLive 2012 with new package layout OBS-URL: https://build.opensuse.org/package/show/Virtualization/xen?expand=0&rev=196
79 lines
2.9 KiB
Diff
79 lines
2.9 KiB
Diff
# HG changeset patch
|
|
# User Jan Beulich <jbeulich@suse.com>
|
|
# Date 1340031721 -7200
|
|
# Node ID 5b6a857411ba5212c71885a2fd39cae4c3d8231c
|
|
# Parent c272cfe25bea00375fb65c339926c83b6e830230
|
|
x86-64: don't allow non-canonical addresses to be set for any callback
|
|
|
|
Rather than deferring the detection of these to the point where they
|
|
get actually used (the fix for XSA-7, 25480:76eaf5966c05, causing a #GP
|
|
to be raised by IRET, which invokes the guest's [fragile] fail-safe
|
|
callback), don't even allow such to be set.
|
|
|
|
Signed-off-by: Jan Beulich <jbeulich@suse.com>
|
|
Acked-by: Keir Fraser <keir@xen.org>
|
|
|
|
--- a/xen/arch/x86/domain.c
|
|
+++ b/xen/arch/x86/domain.c
|
|
@@ -683,6 +683,14 @@ int arch_set_info_guest(
|
|
{
|
|
if ( !compat )
|
|
{
|
|
+#ifdef __x86_64__
|
|
+ if ( !is_canonical_address(c.nat->user_regs.eip) ||
|
|
+ !is_canonical_address(c.nat->event_callback_eip) ||
|
|
+ !is_canonical_address(c.nat->syscall_callback_eip) ||
|
|
+ !is_canonical_address(c.nat->failsafe_callback_eip) )
|
|
+ return -EINVAL;
|
|
+#endif
|
|
+
|
|
fixup_guest_stack_selector(d, c.nat->user_regs.ss);
|
|
fixup_guest_stack_selector(d, c.nat->kernel_ss);
|
|
fixup_guest_code_selector(d, c.nat->user_regs.cs);
|
|
@@ -692,7 +700,11 @@ int arch_set_info_guest(
|
|
#endif
|
|
|
|
for ( i = 0; i < 256; i++ )
|
|
+ {
|
|
+ if ( !is_canonical_address(c.nat->trap_ctxt[i].address) )
|
|
+ return -EINVAL;
|
|
fixup_guest_code_selector(d, c.nat->trap_ctxt[i].cs);
|
|
+ }
|
|
|
|
/* LDT safety checks. */
|
|
if ( ((c.nat->ldt_base & (PAGE_SIZE-1)) != 0) ||
|
|
--- a/xen/arch/x86/domctl.c
|
|
+++ b/xen/arch/x86/domctl.c
|
|
@@ -1148,6 +1148,9 @@ long arch_do_domctl(
|
|
if ( evc->size < offsetof(typeof(*evc), mcg_cap) )
|
|
goto ext_vcpucontext_out;
|
|
#ifdef __x86_64__
|
|
+ if ( !is_canonical_address(evc->sysenter_callback_eip) ||
|
|
+ !is_canonical_address(evc->syscall32_callback_eip) )
|
|
+ goto ext_vcpucontext_out;
|
|
fixup_guest_code_selector(d, evc->sysenter_callback_cs);
|
|
v->arch.sysenter_callback_cs = evc->sysenter_callback_cs;
|
|
v->arch.sysenter_callback_eip = evc->sysenter_callback_eip;
|
|
--- a/xen/arch/x86/traps.c
|
|
+++ b/xen/arch/x86/traps.c
|
|
@@ -3544,6 +3544,9 @@ long register_guest_nmi_callback(unsigne
|
|
struct domain *d = v->domain;
|
|
struct trap_info *t = &v->arch.guest_context.trap_ctxt[TRAP_nmi];
|
|
|
|
+ if ( !is_canonical_address(address) )
|
|
+ return -EINVAL;
|
|
+
|
|
t->vector = TRAP_nmi;
|
|
t->flags = 0;
|
|
t->cs = (is_pv_32on64_domain(d) ?
|
|
@@ -3671,6 +3674,9 @@ long do_set_trap_table(XEN_GUEST_HANDLE(
|
|
if ( cur.address == 0 )
|
|
break;
|
|
|
|
+ if ( !is_canonical_address(cur.address) )
|
|
+ return -EINVAL;
|
|
+
|
|
fixup_guest_code_selector(curr->domain, cur.cs);
|
|
|
|
memcpy(&dst[cur.vector], &cur, sizeof(cur));
|