xen/CVE-2012-5515-xsa31.patch

References: CVE-2012-5515 XSA-31 bnc#789950

memop: limit guest specified extent order

Allowing unbounded order values here causes almost unbounded loops
and/or partially incomplete requests, particularly in PoD code.

The added range checks in populate_physmap(), decrease_reservation(),
and the "in" one in memory_exchange() architecturally all could use
PADDR_BITS - PAGE_SHIFT, and are being artificially constrained to
MAX_ORDER.

This is XSA-31 / CVE-2012-5515.

Signed-off-by: Jan Beulich <jbeulich@suse.com>
Acked-by: Tim Deegan <tim@xen.org>
Acked-by: Ian Jackson <ian.jackson@eu.citrix.com>

--- a/xen/common/memory.c
+++ b/xen/common/memory.c
@@ -115,7 +115,8 @@ static void populate_physmap(struct memo
 
         if ( a->memflags & MEMF_populate_on_demand )
         {
-            if ( guest_physmap_mark_populate_on_demand(d, gpfn,
+            if ( a->extent_order > MAX_ORDER ||
+                 guest_physmap_mark_populate_on_demand(d, gpfn,
                                                        a->extent_order) < 0 )
                 goto out;
         }
@@ -235,7 +236,8 @@ static void decrease_reservation(struct 
     xen_pfn_t gmfn;
 
     if ( !guest_handle_subrange_okay(a->extent_list, a->nr_done,
-                                     a->nr_extents-1) )
+                                     a->nr_extents-1) ||
+         a->extent_order > MAX_ORDER )
         return;
 
     for ( i = a->nr_done; i < a->nr_extents; i++ )
@@ -297,6 +299,9 @@ static long memory_exchange(XEN_GUEST_HA
     if ( (exch.nr_exchanged > exch.in.nr_extents) ||
          /* Input and output domain identifiers match? */
          (exch.in.domid != exch.out.domid) ||
+         /* Extent orders are sensible? */
+         (exch.in.extent_order > MAX_ORDER) ||
+         (exch.out.extent_order > MAX_ORDER) ||
          /* Sizes of input and output lists do not overflow a long? */
          ((~0UL >> exch.in.extent_order) < exch.in.nr_extents) ||
          ((~0UL >> exch.out.extent_order) < exch.out.nr_extents) ||
- bnc#789945 - VUL-0: CVE-2012-5510: xen: Grant table version switch list corruption vulnerability (XSA-26) CVE-2012-5510-xsa26.patch - bnc#789944 - VUL-0: CVE-2012-5511: xen: Several HVM operations do not validate the range of their inputs (XSA-27) CVE-2012-5511-xsa27.patch - bnc#789951 - VUL-0: CVE-2012-5513: xen: XENMEM_exchange may overwrite hypervisor memory (XSA-29) CVE-2012-5513-xsa29.patch - bnc#789948 - VUL-0: CVE-2012-5514: xen: Missing unlock in guest_physmap_mark_populate_on_demand() (XSA-30) CVE-2012-5514-xsa30.patch - bnc#789950 - VUL-0: CVE-2012-5515: xen: Several memory hypercall operations allow invalid extent order values (XSA-31) CVE-2012-5515-xsa31.patch - bnc#789952 - VUL-0: CVE-2012-5525: xen: Several hypercalls do not validate input GFNs (XSA-32) CVE-2012-5525-xsa32.patch - Upstream patches from Jan 26129-ACPI-BGRT-invalidate.patch 26132-tmem-save-NULL-check.patch 26134-x86-shadow-invlpg-check.patch 26139-cpumap-masking.patch 26148-vcpu-timer-overflow.patch (Replaces CVE-2012-4535-xsa20.patch) 26149-x86-p2m-physmap-error-path.patch (Replaces CVE-2012-4537-xsa22.patch) 26150-x86-shadow-unhook-toplevel-check.patch (Replaces CVE-2012-4538-xsa23.patch) 26151-gnttab-compat-get-status-frames.patch (Replaces CVE-2012-4539-xsa24.patch) 26179-PCI-find-next-cap.patch 26183-x86-HPET-masking.patch 26188-x86-time-scale-asm.patch OBS-URL: https://build.opensuse.org/package/show/Virtualization/xen?expand=0&rev=216 2012-12-03 14:47:23 +00:00			`References: CVE-2012-5515 XSA-31 bnc#789950`

			`memop: limit guest specified extent order`

			`Allowing unbounded order values here causes almost unbounded loops`
			`and/or partially incomplete requests, particularly in PoD code.`

			`The added range checks in populate_physmap(), decrease_reservation(),`
			`and the "in" one in memory_exchange() architecturally all could use`
			`PADDR_BITS - PAGE_SHIFT, and are being artificially constrained to`
			`MAX_ORDER.`

			`This is XSA-31 / CVE-2012-5515.`

			`Signed-off-by: Jan Beulich <jbeulich@suse.com>`
			`Acked-by: Tim Deegan <tim@xen.org>`
			`Acked-by: Ian Jackson <ian.jackson@eu.citrix.com>`

			`--- a/xen/common/memory.c`
			`+++ b/xen/common/memory.c`
			`@@ -115,7 +115,8 @@ static void populate_physmap(struct memo`

			`if ( a->memflags & MEMF_populate_on_demand )`
			`{`
			`- if ( guest_physmap_mark_populate_on_demand(d, gpfn,`
			`+ if ( a->extent_order > MAX_ORDER \|\|`
			`+ guest_physmap_mark_populate_on_demand(d, gpfn,`
			`a->extent_order) < 0 )`
			`goto out;`
			`}`
			`@@ -235,7 +236,8 @@ static void decrease_reservation(struct`
			`xen_pfn_t gmfn;`

			`if ( !guest_handle_subrange_okay(a->extent_list, a->nr_done,`
			`- a->nr_extents-1) )`
			`+ a->nr_extents-1) \|\|`
			`+ a->extent_order > MAX_ORDER )`
			`return;`

			`for ( i = a->nr_done; i < a->nr_extents; i++ )`
			`@@ -297,6 +299,9 @@ static long memory_exchange(XEN_GUEST_HA`
			`if ( (exch.nr_exchanged > exch.in.nr_extents) \|\|`
			`/* Input and output domain identifiers match? */`
			`(exch.in.domid != exch.out.domid) \|\|`
			`+ /* Extent orders are sensible? */`
			`+ (exch.in.extent_order > MAX_ORDER) \|\|`
			`+ (exch.out.extent_order > MAX_ORDER) \|\|`
			`/* Sizes of input and output lists do not overflow a long? */`
			`((~0UL >> exch.in.extent_order) < exch.in.nr_extents) \|\|`
			`((~0UL >> exch.out.extent_order) < exch.out.nr_extents) \|\|`