xen/538dcada-x86-HVM-eliminate-vulnerabilities-from-hvm_inject_msi.patch

References: bnc#878841 CVE-2014-3967 CVE-2014-3968 XSA-96

# Commit 6f4cc0ac41625a054861b417ea1fc3ab88e2e40a
# Date 2014-06-03 15:17:14 +0200
# Author Jan Beulich <jbeulich@suse.com>
# Committer Jan Beulich <jbeulich@suse.com>
x86/HVM: eliminate vulnerabilities from hvm_inject_msi()

- pirq_info() returns NULL for a non-allocated pIRQ, and hence we
  mustn't unconditionally de-reference it, and we need to invoke it
  another time after having called map_domain_emuirq_pirq()
- don't use printk(), namely without XENLOG_GUEST, for error reporting

This is XSA-96.

Signed-off-by: Jan Beulich <jbeulich@suse.com>

--- a/xen/arch/x86/hvm/irq.c
+++ b/xen/arch/x86/hvm/irq.c
@@ -289,20 +289,18 @@ void hvm_inject_msi(struct domain *d, ui
             struct pirq *info = pirq_info(d, pirq);
 
             /* if it is the first time, allocate the pirq */
-            if (info->arch.hvm.emuirq == IRQ_UNBOUND)
+            if ( !info || info->arch.hvm.emuirq == IRQ_UNBOUND )
             {
                 spin_lock(&d->event_lock);
                 map_domain_emuirq_pirq(d, pirq, IRQ_MSI_EMU);
                 spin_unlock(&d->event_lock);
+                info = pirq_info(d, pirq);
+                if ( !info )
+                    return;
             } else if (info->arch.hvm.emuirq != IRQ_MSI_EMU)
-            {
-                printk("%s: pirq %d does not correspond to an emulated MSI\n", __func__, pirq);
                 return;
-            }
             send_guest_pirq(d, info);
             return;
-        } else {
-            printk("%s: error getting pirq from MSI: pirq = %d\n", __func__, pirq);
         }
     }
- Modify how we check for libvirt managed domains xl-check-for-libvirt-managed-domain.patch - bnc#878841 - VUL-0: XSA-96: Xen: Vulnerabilities in HVM MSI injection 538dcada-x86-HVM-eliminate-vulnerabilities-from-hvm_inject_msi.patch - Upstream patches from Jan 537cd0b0-hvmloader-also-cover-PCI-MMIO-ranges-above-4G-with-UC-MTRR-ranges.patch 537cd0cc-hvmloader-PA-range-0xfc000000-0xffffffff-should-be-UC.patch 5383167d-ACPI-ERST-fix-table-mapping.patch 5383175e-VT-d-fix-mask-applied-to-DMIBAR-in-desktop-chipset-XSA-59-workaround.patch 53859549-AMD-IOMMU-don-t-free-page-table-prematurely.patch 5385956b-x86-don-t-use-VA-for-cache-flush-when-also-flushing-TLB.patch 53859956-timers-set-the-deadline-more-accurately.patch OBS-URL: https://build.opensuse.org/package/show/Virtualization/xen?expand=0&rev=318 2014-06-12 05:11:30 +00:00			`References: bnc#878841 CVE-2014-3967 CVE-2014-3968 XSA-96`

			`# Commit 6f4cc0ac41625a054861b417ea1fc3ab88e2e40a`
			`# Date 2014-06-03 15:17:14 +0200`
			`# Author Jan Beulich <jbeulich@suse.com>`
			`# Committer Jan Beulich <jbeulich@suse.com>`
			`x86/HVM: eliminate vulnerabilities from hvm_inject_msi()`

			`- pirq_info() returns NULL for a non-allocated pIRQ, and hence we`
			`mustn't unconditionally de-reference it, and we need to invoke it`
			`another time after having called map_domain_emuirq_pirq()`
			`- don't use printk(), namely without XENLOG_GUEST, for error reporting`

			`This is XSA-96.`

			`Signed-off-by: Jan Beulich <jbeulich@suse.com>`

			`--- a/xen/arch/x86/hvm/irq.c`
			`+++ b/xen/arch/x86/hvm/irq.c`
			`@@ -289,20 +289,18 @@ void hvm_inject_msi(struct domain *d, ui`
			`struct pirq *info = pirq_info(d, pirq);`

			`/* if it is the first time, allocate the pirq */`
			`- if (info->arch.hvm.emuirq == IRQ_UNBOUND)`
			`+ if ( !info \|\| info->arch.hvm.emuirq == IRQ_UNBOUND )`
			`{`
			`spin_lock(&d->event_lock);`
			`map_domain_emuirq_pirq(d, pirq, IRQ_MSI_EMU);`
			`spin_unlock(&d->event_lock);`
			`+ info = pirq_info(d, pirq);`
			`+ if ( !info )`
			`+ return;`
			`} else if (info->arch.hvm.emuirq != IRQ_MSI_EMU)`
			`- {`
			`- printk("%s: pirq %d does not correspond to an emulated MSI\n", __func__, pirq);`
			`return;`
			`- }`
			`send_guest_pirq(d, info);`
			`return;`
			`- } else {`
			`- printk("%s: error getting pirq from MSI: pirq = %d\n", __func__, pirq);`
			`}`
			`}`