xen/26444-x86-nHVM-no-self-enable.patch

References: CVE-2013-0152 XSA-35 bnc#797287

# HG changeset patch
# User Ian Campbell <ian.campbell@citrix.com>
# Date 1358938044 -3600
# Node ID 621b1a889e9b120236698731e0b5ecc5b0cb1d82
# Parent  9efe4c0bf9c8d3ecf03868c69c24dad3218523a4
xen: Do not allow guests to enable nested HVM on themselves

There is no reason for this and doing so exposes a memory leak to
guests. Only toolstacks need write access to this HVM param.

This is XSA-35 / CVE-2013-0152.

Signed-off-by: Ian Campbell <ian.campbell@citrix.com>
Acked-by: Jan Beulich <JBeulich@suse.com>
Committed-by: Jan Beulich <jbeulich@suse.com>

--- a/xen/arch/x86/hvm/hvm.c
+++ b/xen/arch/x86/hvm/hvm.c
@@ -3930,6 +3930,11 @@ long do_hvm_op(unsigned long op, XEN_GUE
                     rc = -EINVAL;
                 break;
             case HVM_PARAM_NESTEDHVM:
+                if ( !IS_PRIV(current->domain) )
+                {
+                    rc = -EPERM;
+                    break;
+                }
 #ifdef __i386__
                 if ( a.value )
                     rc = -EINVAL;
- bnc#797285 - VUL-0: Xen: XSA-34 (CVE-2013-0151) - nested virtualization on 32-bit exposes host crash CVE-2013-0151-xsa34.patch - bnc#797287 - VUL-0: Xen: XSA-35 (CVE-2013-0152) - Nested HVM exposes host to being driven out of memory by guest CVE-2013-0152-xsa35.patch - bnc#793717 - NetWare will not boot on Xen 4.2 xnloader.py domUloader.py pygrub-netware-xnloader.patch Removed reverse-24757-use-grant-references.patch - bnc#797523 - VUL-1: CVE-2012-6075: qemu / kvm-qemu: e1000 overflows under some conditions CVE-2012-6075-xsa41.patch - Mask the floating point exceptions for guests like NetWare on machines that support XSAVE. x86-fpu-context-conditional.patch - fate##313584: pass bios information to XEN HVM guest 26341-hvm-firmware-passthrough.patch 26342-hvm-firmware-passthrough.patch 26343-hvm-firmware-passthrough.patch 26344-hvm-firmware-passthrough.patch OBS-URL: https://build.opensuse.org/package/show/Virtualization/xen?expand=0&rev=223 2013-01-22 15:40:06 +00:00			`References: CVE-2013-0152 XSA-35 bnc#797287`

- Add upstream patch to fix vfb/vkb initialization in libxl 26369-libxl-devid.patch - fate##313584: pass bios information to XEN HVM guest 26554-hvm-firmware-passthrough.patch 26555-hvm-firmware-passthrough.patch 26556-hvm-firmware-passthrough.patch - Upstream patches from Jan 26516-ACPI-parse-table-retval.patch (Replaces CVE-2013-0153-xsa36.patch) 26517-AMD-IOMMU-clear-irtes.patch (Replaces CVE-2013-0153-xsa36.patch) 26518-AMD-IOMMU-disable-if-SATA-combined-mode.patch (Replaces CVE-2013-0153-xsa36.patch) 26519-AMD-IOMMU-perdev-intremap-default.patch (Replaces CVE-2013-0153-xsa36.patch) 26526-pvdrv-no-devinit.patch 26529-gcc48-build-fix.patch 26531-AMD-IOMMU-IVHD-special-missing.patch (Replaces CVE-2013-0153-xsa36.patch) 26532-AMD-IOMMU-phantom-MSI.patch 26536-xenoprof-div-by-0.patch 26576-x86-APICV-migration.patch 26577-x86-APICV-x2APIC.patch 26578-AMD-IOMMU-replace-BUG_ON.patch - bnc#797014 - no way to control live migrations 26547-tools-xc_fix_logic_error_in_stdiostream_progress.patch 26548-tools-xc_handle_tty_output_differently_in_stdiostream_progress.patch 26549-tools-xc_turn_XCFLAGS_*_into_shifts.patch 26550-tools-xc_restore_logging_in_xc_save.patch 26551-tools-xc_log_pid_in_xc_save-xc_restore_output.patch - PVonHVM: __devinit was removed in linux-3.8 OBS-URL: https://build.opensuse.org/package/show/Virtualization/xen?expand=0&rev=229 2013-02-22 21:42:01 +00:00			`# HG changeset patch`
			`# User Ian Campbell <ian.campbell@citrix.com>`
			`# Date 1358938044 -3600`
			`# Node ID 621b1a889e9b120236698731e0b5ecc5b0cb1d82`
			`# Parent 9efe4c0bf9c8d3ecf03868c69c24dad3218523a4`
- bnc#797285 - VUL-0: Xen: XSA-34 (CVE-2013-0151) - nested virtualization on 32-bit exposes host crash CVE-2013-0151-xsa34.patch - bnc#797287 - VUL-0: Xen: XSA-35 (CVE-2013-0152) - Nested HVM exposes host to being driven out of memory by guest CVE-2013-0152-xsa35.patch - bnc#793717 - NetWare will not boot on Xen 4.2 xnloader.py domUloader.py pygrub-netware-xnloader.patch Removed reverse-24757-use-grant-references.patch - bnc#797523 - VUL-1: CVE-2012-6075: qemu / kvm-qemu: e1000 overflows under some conditions CVE-2012-6075-xsa41.patch - Mask the floating point exceptions for guests like NetWare on machines that support XSAVE. x86-fpu-context-conditional.patch - fate##313584: pass bios information to XEN HVM guest 26341-hvm-firmware-passthrough.patch 26342-hvm-firmware-passthrough.patch 26343-hvm-firmware-passthrough.patch 26344-hvm-firmware-passthrough.patch OBS-URL: https://build.opensuse.org/package/show/Virtualization/xen?expand=0&rev=223 2013-01-22 15:40:06 +00:00			`xen: Do not allow guests to enable nested HVM on themselves`

			`There is no reason for this and doing so exposes a memory leak to`
			`guests. Only toolstacks need write access to this HVM param.`

			`This is XSA-35 / CVE-2013-0152.`

			`Signed-off-by: Ian Campbell <ian.campbell@citrix.com>`
			`Acked-by: Jan Beulich <JBeulich@suse.com>`
- Add upstream patch to fix vfb/vkb initialization in libxl 26369-libxl-devid.patch - fate##313584: pass bios information to XEN HVM guest 26554-hvm-firmware-passthrough.patch 26555-hvm-firmware-passthrough.patch 26556-hvm-firmware-passthrough.patch - Upstream patches from Jan 26516-ACPI-parse-table-retval.patch (Replaces CVE-2013-0153-xsa36.patch) 26517-AMD-IOMMU-clear-irtes.patch (Replaces CVE-2013-0153-xsa36.patch) 26518-AMD-IOMMU-disable-if-SATA-combined-mode.patch (Replaces CVE-2013-0153-xsa36.patch) 26519-AMD-IOMMU-perdev-intremap-default.patch (Replaces CVE-2013-0153-xsa36.patch) 26526-pvdrv-no-devinit.patch 26529-gcc48-build-fix.patch 26531-AMD-IOMMU-IVHD-special-missing.patch (Replaces CVE-2013-0153-xsa36.patch) 26532-AMD-IOMMU-phantom-MSI.patch 26536-xenoprof-div-by-0.patch 26576-x86-APICV-migration.patch 26577-x86-APICV-x2APIC.patch 26578-AMD-IOMMU-replace-BUG_ON.patch - bnc#797014 - no way to control live migrations 26547-tools-xc_fix_logic_error_in_stdiostream_progress.patch 26548-tools-xc_handle_tty_output_differently_in_stdiostream_progress.patch 26549-tools-xc_turn_XCFLAGS_*_into_shifts.patch 26550-tools-xc_restore_logging_in_xc_save.patch 26551-tools-xc_log_pid_in_xc_save-xc_restore_output.patch - PVonHVM: __devinit was removed in linux-3.8 OBS-URL: https://build.opensuse.org/package/show/Virtualization/xen?expand=0&rev=229 2013-02-22 21:42:01 +00:00			`Committed-by: Jan Beulich <jbeulich@suse.com>`
- bnc#797285 - VUL-0: Xen: XSA-34 (CVE-2013-0151) - nested virtualization on 32-bit exposes host crash CVE-2013-0151-xsa34.patch - bnc#797287 - VUL-0: Xen: XSA-35 (CVE-2013-0152) - Nested HVM exposes host to being driven out of memory by guest CVE-2013-0152-xsa35.patch - bnc#793717 - NetWare will not boot on Xen 4.2 xnloader.py domUloader.py pygrub-netware-xnloader.patch Removed reverse-24757-use-grant-references.patch - bnc#797523 - VUL-1: CVE-2012-6075: qemu / kvm-qemu: e1000 overflows under some conditions CVE-2012-6075-xsa41.patch - Mask the floating point exceptions for guests like NetWare on machines that support XSAVE. x86-fpu-context-conditional.patch - fate##313584: pass bios information to XEN HVM guest 26341-hvm-firmware-passthrough.patch 26342-hvm-firmware-passthrough.patch 26343-hvm-firmware-passthrough.patch 26344-hvm-firmware-passthrough.patch OBS-URL: https://build.opensuse.org/package/show/Virtualization/xen?expand=0&rev=223 2013-01-22 15:40:06 +00:00
			`--- a/xen/arch/x86/hvm/hvm.c`
			`+++ b/xen/arch/x86/hvm/hvm.c`
			`@@ -3930,6 +3930,11 @@ long do_hvm_op(unsigned long op, XEN_GUE`
			`rc = -EINVAL;`
			`break;`
			`case HVM_PARAM_NESTEDHVM:`
			`+ if ( !IS_PRIV(current->domain) )`
			`+ {`
			`+ rc = -EPERM;`
			`+ break;`
			`+ }`
			`#ifdef __i386__`
			`if ( a.value )`
			`rc = -EINVAL;`