a11c33863f
5281fad4-numa-sched-leave-node-affinity-alone-if-not-in-auto-mode.patch 52820823-nested-SVM-adjust-guest-handling-of-structure-mappings.patch 52820863-VMX-don-t-crash-processing-d-debug-key.patch 5282492f-x86-eliminate-has_arch_mmios.patch 52864df2-credit-Update-other-parameters-when-setting-tslice_ms.patch 52864f30-fix-leaking-of-v-cpu_affinity_saved-on-domain-destruction.patch 5289d225-nested-VMX-don-t-ignore-mapping-errors.patch 528a0eb0-x86-consider-modules-when-cutting-off-memory.patch 528f606c-x86-hvm-reset-TSC-to-0-after-domain-resume-from-S3.patch 528f609c-x86-crash-disable-the-watchdog-NMIs-on-the-crashing-cpu.patch 52932418-x86-xsave-fix-nonlazy-state-handling.patch - Add missing requires to pciutils package for xend-tools - bnc#851749 - Xen service file does not call xend properly xend.service - bnc#851386 - VUL-0: xen: XSA-78: Insufficient TLB flushing in VT-d (iommu) code 528a0e5b-TLB-flushing-in-dma_pte_clear_one.patch - bnc#849667 - VUL-0: xen: XSA-74: Lock order reversal between page_alloc_lock and mm_rwlock CVE-2013-4553-xsa74.patch - bnc#849665 - VUL-0: CVE-2013-4551: xen: XSA-75: Host crash due to guest VMX instruction execution 52809208-nested-VMX-VMLANUCH-VMRESUME-emulation-must-check-permission-1st.patch - bnc#849668 - VUL-0: xen: XSA-76: Hypercalls exposed to privilege rings 1 and 2 of HVM guests OBS-URL: https://build.opensuse.org/package/show/Virtualization/xen?expand=0&rev=279
References: bnc#849665 CVE-2013-4551 XSA-75
# Commit 4e87bc5b03e05123ba5c888f77969140c8ebd1bf
# Date 2013-11-11 09:15:04 +0100
# Author Jan Beulich <jbeulich@suse.com>
# Committer Jan Beulich <jbeulich@suse.com>
nested VMX: VMLANUCH/VMRESUME emulation must check permission first thing
Otherwise uninitialized data may be used, leading to crashes.
This is CVE-2013-4551 / XSA-75.
Reported-and-tested-by: Jeff Zimmerman <Jeff_Zimmerman@McAfee.com>
Signed-off-by: Jan Beulich <jbeulich@suse.com>
Reviewed-and-tested-by: Andrew Cooper <andrew.cooper3@citrix.com>
Acked-by: Ian Campbell <ian.campbell@citrix.com>
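--- a/xen/arch/x86/hvm/vmx/vvmx.c
+++ b/xen/arch/x86/hvm/vmx/vvmx.c
@@ -1508,15 +1508,10 @@ static void clear_vvmcs_launched(struct
 }
 }
 
-int nvmx_vmresume(struct vcpu *v, struct cpu_user_regs *regs)
+static int nvmx_vmresume(struct vcpu *v, struct cpu_user_regs *regs)
 {
 struct nestedvmx *nvmx = &vcpu_2_nvmx(v);
 struct nestedvcpu *nvcpu = &vcpu_nestedhvm(v);
- int rc;
-
- rc = vmx_inst_check_privilege(regs, 0);
- if ( rc != X86EMUL_OKAY )
- return rc;
 
 /* check VMCS is valid and IO BITMAP is set */
 if ( (nvcpu->nv_vvmcxaddr != VMCX_EADDR) &&
@@ -1535,6 +1530,10 @@ int nvmx_handle_vmresume(struct cpu_user
 struct vcpu *v = current;
 struct nestedvcpu *nvcpu = &vcpu_nestedhvm(v);
 struct nestedvmx *nvmx = &vcpu_2_nvmx(v);
+ int rc = vmx_inst_check_privilege(regs, 0);
+
+ if ( rc != X86EMUL_OKAY )
+ return rc;
 
 if ( vcpu_nestedhvm(v).nv_vvmcxaddr == VMCX_EADDR )
 {
@@ -1554,10 +1553,13 @@ int nvmx_handle_vmresume(struct cpu_user
 int nvmx_handle_vmlaunch(struct cpu_user_regs *regs)
 {
 bool_t launched;
- int rc;
 struct vcpu *v = current;
 struct nestedvcpu *nvcpu = &vcpu_nestedhvm(v);
 struct nestedvmx *nvmx = &vcpu_2_nvmx(v);
+ int rc = vmx_inst_check_privilege(regs, 0);
+
+ if ( rc != X86EMUL_OKAY )
+ return rc;
 
 if ( vcpu_nestedhvm(v).nv_vvmcxaddr == VMCX_EADDR )
 {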
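Review bot: nvmx_vmresume() no longer checks privilege itself, so in the first hunk its safety now depends on every caller having run vmx_inst_check_privilege() first, and nothing at the definition records that. Making it static limits callers to this file, but a one-line comment above the definition, e.g. `/* Caller must already have passed vmx_inst_check_privilege(). */`, would keep a later caller from reintroducing the ordering problem fixed here for CVE-2013-4551. The same check-and-return is now repeated verbatim in nvmx_handle_vmresume and nvmx_handle_vmlaunch, so any future change to it has to be made in both places. The bodies of all three functions continue outside the hunks shown, so whether other paths read nested state before the check cannot be confirmed from this page.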