31905d81fa
xen-4.6.1-testing-src.tar.bz2 - Dropped patches now contained in tarball or unnecessary xen-4.6.0-testing-src.tar.bz2 5604f239-x86-PV-properly-populate-descriptor-tables.patch 561bbc8b-VT-d-don-t-suppress-invalidation-address-write-when-it-is-zero.patch 561d2046-VT-d-use-proper-error-codes-in-iommu_enable_x2apic_IR.patch 561d20a0-x86-hide-MWAITX-from-PV-domains.patch 561e3283-x86-NUMA-fix-SRAT-table-processor-entry-parsing-and-consumption.patch 5632118e-arm-Support-hypercall_create_continuation-for-multicall.patch 56321222-arm-rate-limit-logging-from-unimplemented-PHYSDEVOP-and-HVMOP.patch 56321249-arm-handle-races-between-relinquish_memory-and-free_domheap_pages.patch 5632127b-x86-guard-against-undue-super-page-PTE-creation.patch 5632129c-free-domain-s-vcpu-array.patch 563212c9-x86-PoD-Eager-sweep-for-zeroed-pages.patch 563212e4-xenoprof-free-domain-s-vcpu-array.patch 563212ff-x86-rate-limit-logging-in-do_xen-oprof-pmu-_op.patch 56323737-libxl-adjust-PoD-target-by-memory-fudge-too.patch 56377442-x86-PoD-Make-p2m_pod_empty_cache-restartable.patch 5641ceec-x86-HVM-always-intercept-AC-and-DB.patch 56549f24-x86-vPMU-document-as-unsupported.patch 5677f350-x86-make-debug-output-consistent-in-hvm_set_callback_via.patch xen-4.6.0-testing-src.tar.bz2 xsa155-qemut-qdisk-double-access.patch xsa155-qemut-xenfb.patch xsa155-qemuu-qdisk-double-access.patch xsa155-qemuu-xenfb.patch xsa159.patch xsa160.patch xsa162-qemut.patch OBS-URL: https://build.opensuse.org/package/show/Virtualization/xen?expand=0&rev=399
References: bsc#958007 XSA-164
MSI-X: avoid array overrun upon MSI-X table writes
pt_msix_init() allocates msix->msix_entry[] to just cover
msix->total_entries entries. While pci_msix_readl() resorts to reading
physical memory for out of bounds reads, pci_msix_writel() so far
simply accessed/corrupted unrelated memory.
pt_iomem_map()'s call to cpu_register_physical_memory() registers a
page granular region, which is necessary as the Pending Bit Array may
share space with the MSI-X table (but nothing else is allowed to). This
also explains why pci_msix_readl() actually honors out of bounds reads,
but pci_msix_writel() doesn't need to.
This is XSA-164.
Signed-off-by: Jan Beulich <jbeulich@suse.com>
Index: xen-4.6.1-testing/tools/qemu-xen-traditional-dir-remote/hw/pt-msi.c
===================================================================
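--- a/tools/qemu-xen-traditional-dir-remote/hw/pt-msi.c
+++ b/tools/qemu-xen-traditional-dir-remote/hw/pt-msi.c
@@ -447,6 +447,13 @@ static void pci_msix_writel(void *opaque
 return;
 }
 
+ if ( addr - msix->mmio_base_addr >= msix->total_entries * 16 )
+ {
+ PT_LOG("Error: Out of bounds write to MSI-X table,"
+ " addr %016"PRIx64"\n", addr);
+ return;
+ }
+
 entry_nr = (addr - msix->mmio_base_addr) / 16;
 entry = &msix->msix_entry[entry_nr];
 offset = ((addr - msix->mmio_base_addr) % 16) / 4;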
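Review bot: The new guard in pci_msix_writel() is only correct if `addr - msix->mmio_base_addr` is evaluated in an unsigned type, so that an address below the table base wraps to a large value and is rejected; the declarations are outside the hunk, so this should be confirmed and stated in a comment such as `/* unsigned subtraction: an addr below the table base also fails this check */`. The entry size 16 now appears three times as a bare literal (the guard, `entry_nr`, `offset`), and a named constant would keep the bound and the index arithmetic from drifting apart. The message is emitted on a path the guest can trigger at will, so if PT_LOG is active in production builds it may need rate limiting. The function's body starts and ends outside the hunk.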