81501c15a5
23686-pygrub-solaris.patch 23697-pygrub-grub2.patch 23944-pygrub-debug.patch 23998-pygrub-GPT.patch 23999-pygrub-grub2.patch 24064-pygrub-HybridISO.patch 24401-pygrub-scrolling.patch 24402-pygrub-edit-fix.patch 24460-pygrub-extlinux.patch 24706-pygrub-extlinux.patch - Revised version of security patch and an additional patch for bnc#764077 x86_64-AMD-erratum-121.patch x86_64-allow-unsafe-adjust.patch - bnc#764077 - VUL-0: EMBARGOED: xen: XSA-9: denial of service on older AMD systems x86_64-AMD-erratum-121.patch - Revised version of security patch for bnc#757537 x86_64-sysret-canonical.patch - bnc#757537 - VUL-0: xen: CVE-2012-0217 PV guest escalation x86_64-sysret-canonical.patch - bnc#757970 - VUL-1: xen: guest denial of service on syscall GPF generation x86_64-trap-bounce-flags.patch OBS-URL: https://build.opensuse.org/package/show/Virtualization/xen?expand=0&rev=190
References: CVE-2012-2934, bnc#764077
Product management demanded that customer systems must continue to boot
irrespective of the presence of XSA-9. Rather than having our and
perhaps other distros carry non-trivial patches, allow for more fine
grained control (panic on boot, deny guest creation, or merely warn) by
means of a single line change.
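--- a/xen/arch/x86/cpu/amd.c
+++ b/xen/arch/x86/cpu/amd.c
@@ -32,8 +32,11 @@
 static char opt_famrev[14];
 string_param("cpuid_mask_cpu", opt_famrev);
 
-static int opt_allow_unsafe;
+#ifdef __x86_64__
+/* 1 = allow, 0 = don't allow guest creation, -1 = don't allow boot */
+int __read_mostly opt_allow_unsafe;
 boolean_param("allow_unsafe", opt_allow_unsafe);
+#endif
 
 static inline void wrmsr_amd(unsigned int index, unsigned int lo,
 unsigned int hi)
@@ -623,10 +626,19 @@ static void __devinit init_amd(struct cp
 clear_bit(X86_FEATURE_MCE, c->x86_capability);
 
 #ifdef __x86_64__
- if (cpu_has_amd_erratum(c, AMD_ERRATUM_121) && !opt_allow_unsafe)
+ if (!cpu_has_amd_erratum(c, AMD_ERRATUM_121))
+ opt_allow_unsafe = 1;
+ else if (opt_allow_unsafe < 0)
 panic("Xen will not boot on this CPU for security reasons.\n"
 "Pass \"allow_unsafe\" if you're trusting all your"
 " (PV) guest kernels.\n");
+ else if (!opt_allow_unsafe && c == &boot_cpu_data)
+ printk(KERN_WARNING
+ "*** Xen will not allow creation of DomU-s on"
+ " this CPU for security reasons. ***\n"
+ KERN_WARNING
+ "*** Pass \"allow_unsafe\" if you're trusting"
+ " all your (PV) guest kernels. ***\n");
 
 /* AMD CPUs do not support SYSENTER outside of legacy mode. */
 clear_bit(X86_FEATURE_SEP, c->x86_capability);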
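Review bot: In the second hunk, `opt_allow_unsafe = 1;` is written from init_amd() for any CPU that lacks erratum 121, so the global now means both "administrator opted in" and "this CPU is unaffected", and a single unaffected CPU changes it for the whole host while the new check in domain.c looks only at boot_cpu_data. From the visible code the write looks unnecessary, because arch_domain_create() tests the erratum itself; leaving the option as the administrator set it and nesting the panic and warning branches under `if (cpu_has_amd_erratum(c, AMD_ERRATUM_121))` would keep the two meanings apart, assuming no other reader outside this patch depends on the forced value. The tri-state comment in the first hunk should also state that -1 appears to be reachable only by changing the initialiser, since the option is registered with boolean_param, for example `/* -1 is a build-time default only; "allow_unsafe" on the command line selects 0 or 1 */`. init_amd() starts and ends outside the hunk.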
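--- a/xen/arch/x86/domain.c
+++ b/xen/arch/x86/domain.c
@@ -52,6 +52,7 @@
 #include <asm/traps.h>
 #include <asm/nmi.h>
 #include <asm/mce.h>
+#include <asm/amd.h>
 #include <xen/numa.h>
 #include <xen/iommu.h>
 #ifdef CONFIG_COMPAT
@@ -474,6 +475,20 @@ int arch_domain_create(struct domain *d,
 
 #else /* __x86_64__ */
 
+ if ( d->domain_id && !is_idle_domain(d) &&
+ cpu_has_amd_erratum(&boot_cpu_data, AMD_ERRATUM_121) )
+ {
+ if ( !opt_allow_unsafe )
+ {
+ printk(XENLOG_G_ERR "Xen does not allow DomU creation on this CPU"
+ " for security reasons.\n");
+ return -EPERM;
+ }
+ printk(XENLOG_G_WARNING
+ "Dom%d may compromise security on this CPU.\n",
+ d->domain_id);
+ }
+
 BUILD_BUG_ON(PDPT_L2_ENTRIES * sizeof(*d->arch.mm_perdomain_pt_pages)
 != PAGE_SIZE);
 pg = alloc_domheap_page(NULL, MEMF_node(domain_to_node(d)));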
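Review bot: The new `return -EPERM;` in the second hunk leaves arch_domain_create() directly, which is only safe if nothing set up earlier in the function needs to be released; the function begins outside this hunk, so that should be confirmed, or the refusal routed through whatever failure path the function already has. The guard also exempts domain 0 through the bare `d->domain_id` test and refuses every other domain regardless of type, while the messages added in amd.c speak only of PV guest kernels. A comment stating the intent would make the policy reviewable, for example `/* Erratum 121: refuse all DomU creation unless allow_unsafe is set; dom0 is exempt */`.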
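--- a/xen/include/asm-x86/amd.h
+++ b/xen/include/asm-x86/amd.h
@@ -151,6 +151,8 @@ struct cpuinfo_x86;
 int cpu_has_amd_erratum(const struct cpuinfo_x86 *, int, ...);
 
 #ifdef __x86_64__
+extern int opt_allow_unsafe;
+
 void fam10h_check_enable_mmcfg(void);
 void check_enable_amd_mmconf_dmi(void);
 #endif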