pool/xen
SHA256
4
0
Fork 1
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
xen/CVE-2012-4538-xsa23.patch
Charles Arnold 646cd8897b - bnc#777628 - guest "disappears" after live migration 
Updated block-dmmd script

- fate#310510 - fix xenpaging
  restore changes to integrate paging into xm/xend
  xenpaging.autostart.patch
  xenpaging.doc.patch

- bnc#787163 - VUL-0: CVE-2012-4544: xen: Domain builder Out-of-
  memory due to malicious kernel/ramdisk (XSA 25)
  CVE-2012-4544-xsa25.patch
- bnc#779212 - VUL-0: CVE-2012-4411: XEN / qemu: guest
  administrator can access qemu monitor console (XSA-19)
  CVE-2012-4411-xsa19.patch

- bnc#786516 - VUL-0: CVE-2012-4535: xen: Timer overflow DoS
  vulnerability
  CVE-2012-4535-xsa20.patch
- bnc#786518 - VUL-0: CVE-2012-4536: xen: pirq range check DoS
  vulnerability
  CVE-2012-4536-xsa21.patch
- bnc#786517 - VUL-0: CVE-2012-4537: xen: Memory mapping failure
  DoS vulnerability
  CVE-2012-4537-xsa22.patch
- bnc#786519 - VUL-0: CVE-2012-4538: xen: Unhooking empty PAE
  entries DoS vulnerability
  CVE-2012-4538-xsa23.patch
- bnc#786520 - VUL-0: CVE-2012-4539: xen: Grant table hypercall
  infinite loop DoS vulnerability
  CVE-2012-4539-xsa24.patch

OBS-URL: https://build.opensuse.org/package/show/Virtualization/xen?expand=0&rev=212
2012-11-19 13:58:33 +00:00

36 lines
1.3 KiB
Diff
Raw Blame History

References: CVE-2012-4538 XSA-23 bnc#786519
xen/mm/shadow: check toplevel pagetables are present before unhooking them.
If the guest has not fully populated its top-level PAE entries when it calls
HVMOP_pagetable_dying, the shadow code could try to unhook entries from
MFN 0. Add a check to avoid that case.
This issue was introduced by c/s 21239:b9d2db109cf5.
This is a security problem, XSA-23 / CVE-2012-4538.
Signed-off-by: Tim Deegan <tim@xen.org>
Tested-by: Andrew Cooper <andrew.cooper3@citrix.com>
Acked-by: Ian Campbell <ian.campbell@citrix.com>
Index: xen-4.2.0-testing/xen/arch/x86/mm/shadow/multi.c
===================================================================
--- xen-4.2.0-testing.orig/xen/arch/x86/mm/shadow/multi.c
+++ xen-4.2.0-testing/xen/arch/x86/mm/shadow/multi.c
@@ -4734,8 +4734,12 @@ static void sh_pagetable_dying(struct vc
unsigned long gfn;
mfn_t smfn, gmfn;
- if ( fast_path )
- smfn = _mfn(pagetable_get_pfn(v->arch.shadow_table[i]));
+ if ( fast_path ) {
+ if ( pagetable_is_null(v->arch.shadow_table[i]) )
+ smfn = _mfn(INVALID_MFN);
+ else
+ smfn = _mfn(pagetable_get_pfn(v->arch.shadow_table[i]));
+ }
else
{
/* retrieving the l2s */
Reference in New Issue View Git Blame Copy Permalink