5c0f7d38a6
reverse-24757-use-grant-references.patch - fate#313222 - xenstore-chmod should support 256 permissions 26189-xenstore-chmod.patch - bnc#789945 - VUL-0: CVE-2012-5510: xen: Grant table version switch list corruption vulnerability (XSA-26) CVE-2012-5510-xsa26.patch - bnc#789944 - VUL-0: CVE-2012-5511: xen: Several HVM operations do not validate the range of their inputs (XSA-27) CVE-2012-5511-xsa27.patch - bnc#789951 - VUL-0: CVE-2012-5513: xen: XENMEM_exchange may overwrite hypervisor memory (XSA-29) CVE-2012-5513-xsa29.patch - bnc#789948 - VUL-0: CVE-2012-5514: xen: Missing unlock in guest_physmap_mark_populate_on_demand() (XSA-30) CVE-2012-5514-xsa30.patch - bnc#789950 - VUL-0: CVE-2012-5515: xen: Several memory hypercall operations allow invalid extent order values (XSA-31) CVE-2012-5515-xsa31.patch - bnc#789952 - VUL-0: CVE-2012-5525: xen: Several hypercalls do not validate input GFNs (XSA-32) CVE-2012-5525-xsa32.patch - Upstream patches from Jan 26129-ACPI-BGRT-invalidate.patch 26132-tmem-save-NULL-check.patch 26134-x86-shadow-invlpg-check.patch 26139-cpumap-masking.patch 26148-vcpu-timer-overflow.patch (Replaces CVE-2012-4535-xsa20.patch) OBS-URL: https://build.opensuse.org/package/show/Virtualization/xen?expand=0&rev=219
References: CVE-2012-4537 XSA-22 bnc#786517
# HG changeset patch
# User Ian Jackson <Ian.Jackson@eu.citrix.com>
# Date 1352892962 0
# Node ID 6b6a4007a6091610a29b71cc32908c74113b852b
# Parent bf58b94b3cef4db8d9ad9c8686bf10910ccc0644
x86/physmap: Prevent incorrect updates of m2p mappings
In certain conditions, such as low memory, set_p2m_entry() can fail.
Currently, the p2m and m2p tables will get out of sync because we still
update the m2p table after the p2m update has failed.
If that happens, subsequent guest-invoked memory operations can cause
BUG()s and ASSERT()s to kill Xen.
This is fixed by only updating the m2p table iff the p2m was
successfully updated.
This is a security problem, XSA-22 / CVE-2012-4537.
Signed-off-by: Andrew Cooper <andrew.cooper3@citrix.com>
Acked-by: Ian Campbell <ian.campbell@citrix.com>
Acked-by: Ian Jackson <ian.jackson@eu.citrix.com>
Committed-by: Ian Jackson <ian.jackson@eu.citrix.com>
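--- a/xen/arch/x86/mm/p2m.c
+++ b/xen/arch/x86/mm/p2m.c
@@ -654,7 +654,10 @@ guest_physmap_add_entry(struct domain *d
 if ( mfn_valid(_mfn(mfn)) )
 {
 if ( !set_p2m_entry(p2m, gfn, _mfn(mfn), page_order, t, p2m->default_access) )
+ {
 rc = -EINVAL;
+ goto out; /* Failed to update p2m, bail without updating m2p. */
+ }
 if ( !p2m_is_grant(t) )
 {
 for ( i = 0; i < (1UL << page_order); i++ )
@@ -677,6 +680,7 @@ guest_physmap_add_entry(struct domain *d
 }
 }
 
+out:
 p2m_unlock(p2m);
 
 return rc;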
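Review bot: The new `goto out` in guest_physmap_add_entry() skips only the m2p update that follows the failed set_p2m_entry(); whatever the function did before line 654 is outside this hunk, so it cannot be seen here whether earlier steps are left half-applied on this path. That should be confirmed and the resulting state recorded at the label, for example `out: /* Reached on success and on set_p2m_entry() failure; rc tells them apart. */`. The `-EINVAL` that is returned also hides the low-memory cause named in the description, so a caller cannot tell a transient failure from a bad argument. If set_p2m_entry() really reports only success or failure, as it appears to here, a short comment next to `rc = -EINVAL;` saying so would save the next reader from guessing. The function body starts and ends outside the hunks shown.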