8292994238
logging upon guest changing callback method (XSA-169) 5677f350-x86-make-debug-output-consistent-in-hvm_set_callback_via.patch - bsc#959387 - VUL-0: CVE-2015-8568 CVE-2015-8567: xen: qemu: net: vmxnet3: host memory leakage CVE-2015-8568-qemuu-net-vmxnet3-avoid-memory-leakage-in-activate_device.patch - bsc#957988 - VUL-0: CVE-2015-8550: xen: paravirtualized drivers incautious about shared memory contents (XSA-155) xsa155-xen-0001-xen-Add-RING_COPY_REQUEST.patch xsa155-xen-0002-blktap2-Use-RING_COPY_REQUEST.patch xsa155-xen-0003-libvchan-Read-prod-cons-only-once.patch xsa155-qemuu-qdisk-double-access.patch xsa155-qemut-qdisk-double-access.patch xsa155-qemuu-xenfb.patch xsa155-qemut-xenfb.patch - bsc#959006 - VUL-0: CVE-2015-8558: xen: qemu: usb: infinite loop in ehci_advance_state results in DoS CVE-2015-8558-qemuu-usb-infinite-loop-in-ehci_advance_state-results-in-DoS.patch - bsc#958918 - VUL-0: CVE-2015-7549: xen: qemu pci: null pointer dereference issue CVE-2015-7549-qemuu-pci-null-pointer-dereference-issue.patch - bsc#958493 - VUL-0: CVE-2015-8504: xen: qemu: ui: vnc: avoid floating point exception CVE-2015-8504-qemuu-vnc-avoid-floating-point-exception.patch CVE-2015-8504-qemut-vnc-avoid-floating-point-exception.patch - bsc#958007 - VUL-0: CVE-2015-8554: xen: qemu-dm buffer overrun in MSI-X handling (XSA-164) xsa164.patch OBS-URL: https://build.opensuse.org/package/show/Virtualization/xen?expand=0&rev=393
38 lines
1.4 KiB
Diff
38 lines
1.4 KiB
Diff
References: bsc#958007 XSA-164
|
|
|
|
MSI-X: avoid array overrun upon MSI-X table writes
|
|
|
|
pt_msix_init() allocates msix->msix_entry[] to just cover
|
|
msix->total_entries entries. While pci_msix_readl() resorts to reading
|
|
physical memory for out of bounds reads, pci_msix_writel() so far
|
|
simply accessed/corrupted unrelated memory.
|
|
|
|
pt_iomem_map()'s call to cpu_register_physical_memory() registers a
|
|
page granular region, which is necessary as the Pending Bit Array may
|
|
share space with the MSI-X table (but nothing else is allowed to). This
|
|
also explains why pci_msix_readl() actually honors out of bounds reads,
|
|
but pci_msi_writel() doesn't need to.
|
|
|
|
This is XSA-164.
|
|
|
|
Signed-off-by: Jan Beulich <jbeulich@suse.com>
|
|
|
|
Index: xen-4.6.0-testing/tools/qemu-xen-traditional-dir-remote/hw/pt-msi.c
|
|
===================================================================
|
|
--- xen-4.6.0-testing.orig/tools/qemu-xen-traditional-dir-remote/hw/pt-msi.c
|
|
+++ xen-4.6.0-testing/tools/qemu-xen-traditional-dir-remote/hw/pt-msi.c
|
|
@@ -440,6 +440,13 @@ static void pci_msix_writel(void *opaque
|
|
return;
|
|
}
|
|
|
|
+ if ( addr - msix->mmio_base_addr >= msix->total_entries * 16 )
|
|
+ {
|
|
+ PT_LOG("Error: Out of bounds write to MSI-X table,"
|
|
+ " addr %016"PRIx64"\n", addr);
|
|
+ return;
|
|
+ }
|
|
+
|
|
entry_nr = (addr - msix->mmio_base_addr) / 16;
|
|
entry = &msix->msix_entry[entry_nr];
|
|
offset = ((addr - msix->mmio_base_addr) % 16) / 4;
|