xen/xsa108.patch

x86/HVM: properly bound x2APIC MSR range

While the write path change appears to be purely cosmetic (but still
gets done here for consistency), the read side mistake permitted
accesses beyond the virtual APIC page.

This is XSA-108.

Signed-off-by: Jan Beulich <jbeulich@suse.com>

--- a/xen/arch/x86/hvm/hvm.c
+++ b/xen/arch/x86/hvm/hvm.c
@@ -3101,7 +3101,7 @@ int hvm_msr_read_intercept(unsigned int 
         *msr_content = vcpu_vlapic(v)->hw.apic_base_msr;
         break;
 
-    case MSR_IA32_APICBASE_MSR ... MSR_IA32_APICBASE_MSR + 0x3ff:
+    case MSR_IA32_APICBASE_MSR ... MSR_IA32_APICBASE_MSR + 0xff:
         if ( hvm_x2apic_msr_read(v, msr, msr_content) )
             goto gp_fault;
         break;
@@ -3227,7 +3227,7 @@ int hvm_msr_write_intercept(unsigned int
         vlapic_tdt_msr_set(vcpu_vlapic(v), msr_content);
         break;
 
-    case MSR_IA32_APICBASE_MSR ... MSR_IA32_APICBASE_MSR + 0x3ff:
+    case MSR_IA32_APICBASE_MSR ... MSR_IA32_APICBASE_MSR + 0xff:
         if ( hvm_x2apic_msr_write(v, msr, msr_content) )
             goto gp_fault;
         break;
- bnc#897657 - VUL-0: CVE-2014-7188: xen: XSA-108 Improper MSR range used for x2APIC emulation xsa108.patch - bnc#895802 - VUL-0: CVE-2014-7156: xen: XSA-106: Missing privilege level checks in x86 emulation of software interrupts - bnc#895799 - VUL-0: CVE-2014-7155: xen: XSA-105: Missing privilege level checks in x86 HLT, LGDT, LIDT, and LMSW emulation - bnc#895798 - VUL-0: CVE-2014-7154: xen: XSA-104: Race condition in HVMOP_track_dirty_vram OBS-URL: https://build.opensuse.org/package/show/Virtualization/xen?expand=0&rev=333 2014-10-02 12:46:51 +00:00			`x86/HVM: properly bound x2APIC MSR range`

			`While the write path change appears to be purely cosmetic (but still`
			`gets done here for consistency), the read side mistake permitted`
			`accesses beyond the virtual APIC page.`

			`This is XSA-108.`

			`Signed-off-by: Jan Beulich <jbeulich@suse.com>`

			`--- a/xen/arch/x86/hvm/hvm.c`
			`+++ b/xen/arch/x86/hvm/hvm.c`
			`@@ -3101,7 +3101,7 @@ int hvm_msr_read_intercept(unsigned int`
			`*msr_content = vcpu_vlapic(v)->hw.apic_base_msr;`
			`break;`

			`- case MSR_IA32_APICBASE_MSR ... MSR_IA32_APICBASE_MSR + 0x3ff:`
			`+ case MSR_IA32_APICBASE_MSR ... MSR_IA32_APICBASE_MSR + 0xff:`
			`if ( hvm_x2apic_msr_read(v, msr, msr_content) )`
			`goto gp_fault;`
			`break;`
			`@@ -3227,7 +3227,7 @@ int hvm_msr_write_intercept(unsigned int`
			`vlapic_tdt_msr_set(vcpu_vlapic(v), msr_content);`
			`break;`

			`- case MSR_IA32_APICBASE_MSR ... MSR_IA32_APICBASE_MSR + 0x3ff:`
			`+ case MSR_IA32_APICBASE_MSR ... MSR_IA32_APICBASE_MSR + 0xff:`
			`if ( hvm_x2apic_msr_write(v, msr, msr_content) )`
			`goto gp_fault;`
			`break;`