rpm/xen
SHA256
1
0
Fork 0
forked from pool/xen
Code Pull Requests Activity
Files
a11c33863f89e80dfe31afaad2a34ba4a4bda81bf497a5e1faef64766df701fc
xen/CVE-2013-4553-xsa74.patch

44 lines
1.4 KiB
Diff
Raw Normal View History

- Upstream patches from Jan 5281fad4-numa-sched-leave-node-affinity-alone-if-not-in-auto-mode.patch 52820823-nested-SVM-adjust-guest-handling-of-structure-mappings.patch 52820863-VMX-don-t-crash-processing-d-debug-key.patch 5282492f-x86-eliminate-has_arch_mmios.patch 52864df2-credit-Update-other-parameters-when-setting-tslice_ms.patch 52864f30-fix-leaking-of-v-cpu_affinity_saved-on-domain-destruction.patch 5289d225-nested-VMX-don-t-ignore-mapping-errors.patch 528a0eb0-x86-consider-modules-when-cutting-off-memory.patch 528f606c-x86-hvm-reset-TSC-to-0-after-domain-resume-from-S3.patch 528f609c-x86-crash-disable-the-watchdog-NMIs-on-the-crashing-cpu.patch 52932418-x86-xsave-fix-nonlazy-state-handling.patch - Add missing requires to pciutils package for xend-tools - bnc#851749 - Xen service file does not call xend properly xend.service - bnc#851386 - VUL-0: xen: XSA-78: Insufficient TLB flushing in VT-d (iommu) code 528a0e5b-TLB-flushing-in-dma_pte_clear_one.patch - bnc#849667 - VUL-0: xen: XSA-74: Lock order reversal between page_alloc_lock and mm_rwlock CVE-2013-4553-xsa74.patch - bnc#849665 - VUL-0: CVE-2013-4551: xen: XSA-75: Host crash due to guest VMX instruction execution 52809208-nested-VMX-VMLANUCH-VMRESUME-emulation-must-check-permission-1st.patch - bnc#849668 - VUL-0: xen: XSA-76: Hypercalls exposed to privilege rings 1 and 2 of HVM guests OBS-URL: https://build.opensuse.org/package/show/Virtualization/xen?expand=0&rev=279
2013-11-26 20:18:36 +00:00
References: bnc#849667 CVE-2013-4553 XSA-74
x86: restrict XEN_DOMCTL_getmemlist
Coverity ID 1055652
(See the code comment.)
This is CVE-2013-4553 / XSA-74.
Signed-off-by: Jan Beulich <jbeulich@suse.com>
Reviewed-by: Andrew Cooper <andrew.cooper3@citrix.com>
Reviewed-by: Tim Deegan <tim@xen.org>
--- a/xen/arch/x86/domctl.c
+++ b/xen/arch/x86/domctl.c
@@ -329,6 +329,26 @@ long arch_do_domctl(
break;
}
+ /*
+ * XSA-74: This sub-hypercall is broken in several ways:
+ * - lock order inversion (p2m locks inside page_alloc_lock)
+ * - no preemption on huge max_pfns input
+ * - not (re-)checking d->is_dying with page_alloc_lock held
+ * - not honoring start_pfn input (which libxc also doesn't set)
+ * Additionally it is rather useless, as the result is stale by the
+ * time the caller gets to look at it.
+ * As it only has a single, non-production consumer (xen-mceinj),
+ * rather than trying to fix it we restrict it for the time being.
+ */
+ if ( /* No nested locks inside copy_to_guest_offset(). */
+ paging_mode_external(current->domain) ||
+ /* Arbitrary limit capping processing time. */
+ max_pfns > GB(4) / PAGE_SIZE )
+ {
+ ret = -EOPNOTSUPP;
+ break;
+ }
+
spin_lock(&d->page_alloc_lock);
ret = i = 0;
Copy Permalink