pool/xen
SHA256
2
0
Fork 1
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
898ade9d0e
xen/CVE-2012-5515-xsa31.patch
Charles Arnold 5c0f7d38a6 - NetWare will not boot or install on Xen 4.2 
reverse-24757-use-grant-references.patch 

- fate#313222 - xenstore-chmod should support 256 permissions
  26189-xenstore-chmod.patch

- bnc#789945 - VUL-0: CVE-2012-5510: xen: Grant table version
  switch list corruption vulnerability (XSA-26)
  CVE-2012-5510-xsa26.patch
- bnc#789944 - VUL-0: CVE-2012-5511: xen: Several HVM operations do
  not validate the range of their inputs (XSA-27)
  CVE-2012-5511-xsa27.patch
- bnc#789951 - VUL-0: CVE-2012-5513: xen: XENMEM_exchange may
  overwrite hypervisor memory (XSA-29)
  CVE-2012-5513-xsa29.patch
- bnc#789948 - VUL-0: CVE-2012-5514: xen: Missing unlock in
  guest_physmap_mark_populate_on_demand() (XSA-30)
  CVE-2012-5514-xsa30.patch
- bnc#789950 - VUL-0: CVE-2012-5515: xen: Several memory hypercall
  operations allow invalid extent order values (XSA-31)
  CVE-2012-5515-xsa31.patch
- bnc#789952 - VUL-0: CVE-2012-5525: xen: Several hypercalls do not
  validate input GFNs (XSA-32)
  CVE-2012-5525-xsa32.patch
- Upstream patches from Jan
  26129-ACPI-BGRT-invalidate.patch
  26132-tmem-save-NULL-check.patch
  26134-x86-shadow-invlpg-check.patch
  26139-cpumap-masking.patch
  26148-vcpu-timer-overflow.patch (Replaces CVE-2012-4535-xsa20.patch)

OBS-URL: https://build.opensuse.org/package/show/Virtualization/xen?expand=0&rev=219
2012-12-07 18:04:08 +00:00

51 lines
2.0 KiB
Diff
Raw Blame History

References: CVE-2012-5515 XSA-31 bnc#789950
memop: limit guest specified extent order
Allowing unbounded order values here causes almost unbounded loops
and/or partially incomplete requests, particularly in PoD code.
The added range checks in populate_physmap(), decrease_reservation(),
and the "in" one in memory_exchange() architecturally all could use
PADDR_BITS - PAGE_SHIFT, and are being artificially constrained to
MAX_ORDER.
This is XSA-31 / CVE-2012-5515.
Signed-off-by: Jan Beulich <jbeulich@suse.com>
Acked-by: Tim Deegan <tim@xen.org>
Acked-by: Ian Jackson <ian.jackson@eu.citrix.com>
--- a/xen/common/memory.c
+++ b/xen/common/memory.c
@@ -115,7 +115,8 @@ static void populate_physmap(struct memo
if ( a->memflags & MEMF_populate_on_demand )
{
- if ( guest_physmap_mark_populate_on_demand(d, gpfn,
+ if ( a->extent_order > MAX_ORDER ||
+ guest_physmap_mark_populate_on_demand(d, gpfn,
a->extent_order) < 0 )
goto out;
}
@@ -235,7 +236,8 @@ static void decrease_reservation(struct
xen_pfn_t gmfn;
if ( !guest_handle_subrange_okay(a->extent_list, a->nr_done,
- a->nr_extents-1) )
+ a->nr_extents-1) ||
+ a->extent_order > MAX_ORDER )
return;
for ( i = a->nr_done; i < a->nr_extents; i++ )
@@ -297,6 +299,9 @@ static long memory_exchange(XEN_GUEST_HA
if ( (exch.nr_exchanged > exch.in.nr_extents) ||
/* Input and output domain identifiers match? */
(exch.in.domid != exch.out.domid) ||
+ /* Extent orders are sensible? */
+ (exch.in.extent_order > MAX_ORDER) ||
+ (exch.out.extent_order > MAX_ORDER) ||
/* Sizes of input and output lists do not overflow a long? */
((~0UL >> exch.in.extent_order) < exch.in.nr_extents) ||
((~0UL >> exch.out.extent_order) < exch.out.nr_extents) ||
Reference in New Issue View Git Blame Copy Permalink