xen/CVE-2012-5514-xsa30.patch
Charles Arnold 5c0f7d38a6 - NetWare will not boot or install on Xen 4.2
reverse-24757-use-grant-references.patch 

- fate#313222 - xenstore-chmod should support 256 permissions
  26189-xenstore-chmod.patch

- bnc#789945 - VUL-0: CVE-2012-5510: xen: Grant table version
  switch list corruption vulnerability (XSA-26)
  CVE-2012-5510-xsa26.patch
- bnc#789944 - VUL-0: CVE-2012-5511: xen: Several HVM operations do
  not validate the range of their inputs (XSA-27)
  CVE-2012-5511-xsa27.patch
- bnc#789951 - VUL-0: CVE-2012-5513: xen: XENMEM_exchange may
  overwrite hypervisor memory (XSA-29)
  CVE-2012-5513-xsa29.patch
- bnc#789948 - VUL-0: CVE-2012-5514: xen: Missing unlock in
  guest_physmap_mark_populate_on_demand() (XSA-30)
  CVE-2012-5514-xsa30.patch
- bnc#789950 - VUL-0: CVE-2012-5515: xen: Several memory hypercall
  operations allow invalid extent order values (XSA-31)
  CVE-2012-5515-xsa31.patch
- bnc#789952 - VUL-0: CVE-2012-5525: xen: Several hypercalls do not
  validate input GFNs (XSA-32)
  CVE-2012-5525-xsa32.patch
- Upstream patches from Jan
  26129-ACPI-BGRT-invalidate.patch
  26132-tmem-save-NULL-check.patch
  26134-x86-shadow-invlpg-check.patch
  26139-cpumap-masking.patch
  26148-vcpu-timer-overflow.patch (Replaces CVE-2012-4535-xsa20.patch)

OBS-URL: https://build.opensuse.org/package/show/Virtualization/xen?expand=0&rev=219
2012-12-07 18:04:08 +00:00


References: CVE-2012-5514 XSA-30 bnc#789948

fix error handling of guest_physmap_mark_populate_on_demand()

The only user of the "out" label bypasses a necessary unlock, thus
enabling the caller to lock up Xen.

Also, the function was never meant to be called by a guest for itself,
so rather than inspecting the code paths in depth for potential other
problems this might cause, and adjusting e.g. the non-guest printk()
in the above error path, just disallow the guest access to it.

Finally, the printk() (considering its potential of spamming the log,
the more that it's not using XENLOG_GUEST), is being converted to
P2M_DEBUG(), as debugging is what it apparently was added for in the
first place.

This is XSA-30 / CVE-2012-5514.

Signed-off-by: Jan Beulich <jbeulich@suse.com>
Acked-by: Ian Campbell <ian.campbell@citrix.com>
Acked-by: George Dunlap <george.dunlap@eu.citrix.com>
Acked-by: Ian Jackson <ian.jackson@eu.citrix.com>

--- a/xen/arch/x86/mm/p2m-pod.c
+++ b/xen/arch/x86/mm/p2m-pod.c
@@ -1117,6 +1117,9 @@ guest_physmap_mark_populate_on_demand(st
mfn_t omfn;
int rc = 0;
+ if ( !IS_PRIV_FOR(current->domain, d) )
+ return -EPERM;
+
if ( !paging_mode_translate(d) )
return -EINVAL;
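Review bot: The IS_PRIV_FOR(current->domain, d) check added at the top of guest_physmap_mark_populate_on_demand() carries no comment, so the reason a domain is refused for itself lives only in the commit message. A one-line comment above it saying the function is not meant to be invoked by a guest on itself would keep a later cleanup from dropping the check. Placing it ahead of paging_mode_translate() is right: both early exits use a plain return, so neither depends on the out label that the last hunk moves in front of gfn_unlock().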
@@ -1135,8 +1138,7 @@ guest_physmap_mark_populate_on_demand(st
omfn = p2m->get_entry(p2m, gfn + i, &ot, &a, 0, NULL);
if ( p2m_is_ram(ot) )
{
- printk("%s: gfn_to_mfn returned type %d!\n",
- __func__, ot);
+ P2M_DEBUG("gfn_to_mfn returned type %d!\n", ot);
rc = -EBUSY;
goto out;
}
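Review bot: The converted P2M_DEBUG() message still says gfn_to_mfn, while the lookup on the context line above it is p2m->get_entry(p2m, gfn + i, ...), and it reports only the type, not which gfn was found populated. Rewording it to name get_entry and to include gfn + i would make the trace usable. Please also confirm that P2M_DEBUG() identifies the calling function, since the __func__ argument is dropped here.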
@@ -1160,9 +1162,9 @@ guest_physmap_mark_populate_on_demand(st
pod_unlock(p2m);
}
+out:
gfn_unlock(p2m, gfn, order);
-out:
return rc;
}
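Review bot: With out: now placed before gfn_unlock(p2m, gfn, order), every goto out has to be reached with the gfn lock held, and the matching lock call is outside the visible context of this hunk. Please confirm that no goto out exists ahead of that lock, and consider a short comment at the label stating that it releases the gfn lock so the invariant is explicit for later changes. The -EBUSY path from the previous hunk also jumps past the pod_unlock(p2m) block, which is correct only if the pod lock is not yet taken at that point.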