xen/CVE-2013-4356-xsa64.patch

References: bnc#840593 CVE-2013-4356 XSA-64

x86/mm/shadow: Fix initialization of PV shadow L4 tables.
    
Shadowed PV L4 tables must have the same Xen mappings as their
unshadowed equivalent.  This is done by copying the Xen entries
verbatim from the idle pagetable, and then using guest_l4_slot()
in the SHADOW_FOREACH_L4E() iterator to avoid touching those entries.
    
adc5afbf1c70ef55c260fb93e4b8ce5ccb918706 (x86: support up to 16Tb)
changed the definition of ROOT_PAGETABLE_XEN_SLOTS to extend right to
the top of the address space, which causes the shadow code to
copy Xen mappings into guest-kernel-address slots too.
    
In the common case, all those slots are zero in the idle pagetable,
and no harm is done.  But if any slot above #271 is non-zero, Xen will
crash when that slot is later cleared (it attempts to drop
shadow-pagetable refcounts on its own L4 pagetables).
    
Fix by using the new ROOT_PAGETABLE_PV_XEN_SLOTS when appropriate.
Monitor pagetables need the full Xen mappings, so they keep using the
old name (with its new semantics).

This is CVE-2013-4356 / XSA-64.
    
Reported-by: Andrew Cooper <andrew.cooper3@citrix.com>
Signed-off-by: Tim Deegan <tim@xen.org>
Tested-by: Andrew Cooper <andrew.cooper3@citrix.com>
Reviewed-by: Jan Beulich <jbeulich@suse.com>

--- a/xen/arch/x86/mm/shadow/multi.c
+++ b/xen/arch/x86/mm/shadow/multi.c
@@ -1433,15 +1433,19 @@ void sh_install_xen_entries_in_l4(struct
 {
     struct domain *d = v->domain;
     shadow_l4e_t *sl4e;
+    unsigned int slots;
 
     sl4e = sh_map_domain_page(sl4mfn);
     ASSERT(sl4e != NULL);
     ASSERT(sizeof (l4_pgentry_t) == sizeof (shadow_l4e_t));
-    
+
     /* Copy the common Xen mappings from the idle domain */
+    slots = (shadow_mode_external(d)
+             ? ROOT_PAGETABLE_XEN_SLOTS
+             : ROOT_PAGETABLE_PV_XEN_SLOTS);
     memcpy(&sl4e[ROOT_PAGETABLE_FIRST_XEN_SLOT],
            &idle_pg_table[ROOT_PAGETABLE_FIRST_XEN_SLOT],
-           ROOT_PAGETABLE_XEN_SLOTS * sizeof(l4_pgentry_t));
+           slots * sizeof(l4_pgentry_t));
 
     /* Install the per-domain mappings for this domain */
     sl4e[shadow_l4_table_offset(PERDOMAIN_VIRT_START)] =
- Improvements to block-dmmd script bnc#828623 - bnc#839596 - VUL-0: CVE-2013-1442: XSA-62: xen: Information leak on AVX and/or LWP capable CPUs 5242a1b5-x86-xsave-initialize-extended-register-state-when-guests-enable-it.patch - bnc#840592 - VUL-0: CVE-2013-4355: XSA-63: xen: Information leaks through I/O instruction emulation CVE-2013-4355-xsa63.patch - bnc#840593 - VUL-0: CVE-2013-4356: XSA-64: xen: Memory accessible by 64-bit PV guests under live migration CVE-2013-4356-xsa64.patch - bnc#841766 - VUL-1: CVE-2013-4361: XSA-66: xen: Information leak through fbld instruction emulation CVE-2013-4361-xsa66.patch - bnc#833796 - L3: Xen: migration broken from xsave-capable to xsave-incapable host 52205e27-x86-xsave-initialization-improvements.patch 522dc0e6-x86-xsave-fix-migration-from-xsave-capable-to-xsave-incapable-host.patch - bnc#839600 - [HP BCS SLES11 Bug]: In HP’s UEFI x86_64 platform and sles11sp3 with xen environment, xen hypervisor will panic on multiple blades nPar. 523172d5-x86-fix-memory-cut-off-when-using-PFN-compression.patch - bnc#833251 - [HP BCS SLES11 Bug]: In HP’s UEFI x86_64 platform and with xen environment, in booting stage ,xen hypervisor will panic. 522d896b-x86-EFI-properly-handle-run-time-memory-regions-outside-the-1-1-map.patch - bnc#834751 - [HP BCS SLES11 Bug]: In xen, “shutdown –y 0 –h” cannot power off system 522d896b-x86-EFI-properly-handle-run-time-memory-regions-outside-the-1-1-map.patch OBS-URL: https://build.opensuse.org/package/show/Virtualization/xen?expand=0&rev=274 2013-10-02 22:41:46 +00:00			`References: bnc#840593 CVE-2013-4356 XSA-64`

			`x86/mm/shadow: Fix initialization of PV shadow L4 tables.`

			`Shadowed PV L4 tables must have the same Xen mappings as their`
			`unshadowed equivalent. This is done by copying the Xen entries`
			`verbatim from the idle pagetable, and then using guest_l4_slot()`
			`in the SHADOW_FOREACH_L4E() iterator to avoid touching those entries.`

			`adc5afbf1c70ef55c260fb93e4b8ce5ccb918706 (x86: support up to 16Tb)`
			`changed the definition of ROOT_PAGETABLE_XEN_SLOTS to extend right to`
			`the top of the address space, which causes the shadow code to`
			`copy Xen mappings into guest-kernel-address slots too.`

			`In the common case, all those slots are zero in the idle pagetable,`
			`and no harm is done. But if any slot above #271 is non-zero, Xen will`
			`crash when that slot is later cleared (it attempts to drop`
			`shadow-pagetable refcounts on its own L4 pagetables).`

			`Fix by using the new ROOT_PAGETABLE_PV_XEN_SLOTS when appropriate.`
			`Monitor pagetables need the full Xen mappings, so they keep using the`
			`old name (with its new semantics).`

			`This is CVE-2013-4356 / XSA-64.`

			`Reported-by: Andrew Cooper <andrew.cooper3@citrix.com>`
			`Signed-off-by: Tim Deegan <tim@xen.org>`
			`Tested-by: Andrew Cooper <andrew.cooper3@citrix.com>`
			`Reviewed-by: Jan Beulich <jbeulich@suse.com>`

			`--- a/xen/arch/x86/mm/shadow/multi.c`
			`+++ b/xen/arch/x86/mm/shadow/multi.c`
			`@@ -1433,15 +1433,19 @@ void sh_install_xen_entries_in_l4(struct`
			`{`
			`struct domain *d = v->domain;`
			`shadow_l4e_t *sl4e;`
			`+ unsigned int slots;`

			`sl4e = sh_map_domain_page(sl4mfn);`
			`ASSERT(sl4e != NULL);`
			`ASSERT(sizeof (l4_pgentry_t) == sizeof (shadow_l4e_t));`
			`-`
			`+`
			`/* Copy the common Xen mappings from the idle domain */`
			`+ slots = (shadow_mode_external(d)`
			`+ ? ROOT_PAGETABLE_XEN_SLOTS`
			`+ : ROOT_PAGETABLE_PV_XEN_SLOTS);`
			`memcpy(&sl4e[ROOT_PAGETABLE_FIRST_XEN_SLOT],`
			`&idle_pg_table[ROOT_PAGETABLE_FIRST_XEN_SLOT],`
			`- ROOT_PAGETABLE_XEN_SLOTS * sizeof(l4_pgentry_t));`
			`+ slots * sizeof(l4_pgentry_t));`

			`/* Install the per-domain mappings for this domain */`
			`sl4e[shadow_l4_table_offset(PERDOMAIN_VIRT_START)] =`