xen/26150-x86-shadow-unhook-toplevel-check.patch

References: CVE-2012-4538 XSA-23 bnc#786519

# HG changeset patch
# User Ian Jackson <Ian.Jackson@eu.citrix.com>
# Date 1352893341 0
# Node ID c7a01b6450e483ca839228bf1e1e44de692e3458
# Parent  6b6a4007a6091610a29b71cc32908c74113b852b
xen/mm/shadow: check toplevel pagetables are present before unhooking them.

If the guest has not fully populated its top-level PAE entries when it calls
HVMOP_pagetable_dying, the shadow code could try to unhook entries from
MFN 0.  Add a check to avoid that case.

This issue was introduced by c/s 21239:b9d2db109cf5.

This is a security problem, XSA-23 / CVE-2012-4538.

Signed-off-by: Tim Deegan <tim@xen.org>
Tested-by: Andrew Cooper <andrew.cooper3@citrix.com>
Acked-by: Ian Campbell <ian.campbell@citrix.com>
Committed-by: Ian Jackson <ian.jackson@eu.citrix.com>

--- a/xen/arch/x86/mm/shadow/multi.c
+++ b/xen/arch/x86/mm/shadow/multi.c
@@ -4734,8 +4734,12 @@ static void sh_pagetable_dying(struct vc
         unsigned long gfn;
         mfn_t smfn, gmfn;
 
-        if ( fast_path )
-            smfn = _mfn(pagetable_get_pfn(v->arch.shadow_table[i]));
+        if ( fast_path ) {
+            if ( pagetable_is_null(v->arch.shadow_table[i]) )
+                smfn = _mfn(INVALID_MFN);
+            else
+                smfn = _mfn(pagetable_get_pfn(v->arch.shadow_table[i]));
+        }
         else
         {
             /* retrieving the l2s */
- bnc#777628 - guest "disappears" after live migration Updated block-dmmd script - fate#310510 - fix xenpaging restore changes to integrate paging into xm/xend xenpaging.autostart.patch xenpaging.doc.patch - bnc#787163 - VUL-0: CVE-2012-4544: xen: Domain builder Out-of- memory due to malicious kernel/ramdisk (XSA 25) CVE-2012-4544-xsa25.patch - bnc#779212 - VUL-0: CVE-2012-4411: XEN / qemu: guest administrator can access qemu monitor console (XSA-19) CVE-2012-4411-xsa19.patch - bnc#786516 - VUL-0: CVE-2012-4535: xen: Timer overflow DoS vulnerability CVE-2012-4535-xsa20.patch - bnc#786518 - VUL-0: CVE-2012-4536: xen: pirq range check DoS vulnerability CVE-2012-4536-xsa21.patch - bnc#786517 - VUL-0: CVE-2012-4537: xen: Memory mapping failure DoS vulnerability CVE-2012-4537-xsa22.patch - bnc#786519 - VUL-0: CVE-2012-4538: xen: Unhooking empty PAE entries DoS vulnerability CVE-2012-4538-xsa23.patch - bnc#786520 - VUL-0: CVE-2012-4539: xen: Grant table hypercall infinite loop DoS vulnerability CVE-2012-4539-xsa24.patch OBS-URL: https://build.opensuse.org/package/show/Virtualization/xen?expand=0&rev=212 2012-11-19 13:58:33 +00:00			`References: CVE-2012-4538 XSA-23 bnc#786519`

- bnc#789945 - VUL-0: CVE-2012-5510: xen: Grant table version switch list corruption vulnerability (XSA-26) CVE-2012-5510-xsa26.patch - bnc#789944 - VUL-0: CVE-2012-5511: xen: Several HVM operations do not validate the range of their inputs (XSA-27) CVE-2012-5511-xsa27.patch - bnc#789951 - VUL-0: CVE-2012-5513: xen: XENMEM_exchange may overwrite hypervisor memory (XSA-29) CVE-2012-5513-xsa29.patch - bnc#789948 - VUL-0: CVE-2012-5514: xen: Missing unlock in guest_physmap_mark_populate_on_demand() (XSA-30) CVE-2012-5514-xsa30.patch - bnc#789950 - VUL-0: CVE-2012-5515: xen: Several memory hypercall operations allow invalid extent order values (XSA-31) CVE-2012-5515-xsa31.patch - bnc#789952 - VUL-0: CVE-2012-5525: xen: Several hypercalls do not validate input GFNs (XSA-32) CVE-2012-5525-xsa32.patch - Upstream patches from Jan 26129-ACPI-BGRT-invalidate.patch 26132-tmem-save-NULL-check.patch 26134-x86-shadow-invlpg-check.patch 26139-cpumap-masking.patch 26148-vcpu-timer-overflow.patch (Replaces CVE-2012-4535-xsa20.patch) 26149-x86-p2m-physmap-error-path.patch (Replaces CVE-2012-4537-xsa22.patch) 26150-x86-shadow-unhook-toplevel-check.patch (Replaces CVE-2012-4538-xsa23.patch) 26151-gnttab-compat-get-status-frames.patch (Replaces CVE-2012-4539-xsa24.patch) 26179-PCI-find-next-cap.patch 26183-x86-HPET-masking.patch 26188-x86-time-scale-asm.patch OBS-URL: https://build.opensuse.org/package/show/Virtualization/xen?expand=0&rev=216 2012-12-03 14:47:23 +00:00			`# HG changeset patch`
			`# User Ian Jackson <Ian.Jackson@eu.citrix.com>`
			`# Date 1352893341 0`
			`# Node ID c7a01b6450e483ca839228bf1e1e44de692e3458`
			`# Parent 6b6a4007a6091610a29b71cc32908c74113b852b`
- bnc#777628 - guest "disappears" after live migration Updated block-dmmd script - fate#310510 - fix xenpaging restore changes to integrate paging into xm/xend xenpaging.autostart.patch xenpaging.doc.patch - bnc#787163 - VUL-0: CVE-2012-4544: xen: Domain builder Out-of- memory due to malicious kernel/ramdisk (XSA 25) CVE-2012-4544-xsa25.patch - bnc#779212 - VUL-0: CVE-2012-4411: XEN / qemu: guest administrator can access qemu monitor console (XSA-19) CVE-2012-4411-xsa19.patch - bnc#786516 - VUL-0: CVE-2012-4535: xen: Timer overflow DoS vulnerability CVE-2012-4535-xsa20.patch - bnc#786518 - VUL-0: CVE-2012-4536: xen: pirq range check DoS vulnerability CVE-2012-4536-xsa21.patch - bnc#786517 - VUL-0: CVE-2012-4537: xen: Memory mapping failure DoS vulnerability CVE-2012-4537-xsa22.patch - bnc#786519 - VUL-0: CVE-2012-4538: xen: Unhooking empty PAE entries DoS vulnerability CVE-2012-4538-xsa23.patch - bnc#786520 - VUL-0: CVE-2012-4539: xen: Grant table hypercall infinite loop DoS vulnerability CVE-2012-4539-xsa24.patch OBS-URL: https://build.opensuse.org/package/show/Virtualization/xen?expand=0&rev=212 2012-11-19 13:58:33 +00:00			`xen/mm/shadow: check toplevel pagetables are present before unhooking them.`

			`If the guest has not fully populated its top-level PAE entries when it calls`
			`HVMOP_pagetable_dying, the shadow code could try to unhook entries from`
			`MFN 0. Add a check to avoid that case.`

			`This issue was introduced by c/s 21239:b9d2db109cf5.`

			`This is a security problem, XSA-23 / CVE-2012-4538.`

			`Signed-off-by: Tim Deegan <tim@xen.org>`
			`Tested-by: Andrew Cooper <andrew.cooper3@citrix.com>`
			`Acked-by: Ian Campbell <ian.campbell@citrix.com>`
- bnc#789945 - VUL-0: CVE-2012-5510: xen: Grant table version switch list corruption vulnerability (XSA-26) CVE-2012-5510-xsa26.patch - bnc#789944 - VUL-0: CVE-2012-5511: xen: Several HVM operations do not validate the range of their inputs (XSA-27) CVE-2012-5511-xsa27.patch - bnc#789951 - VUL-0: CVE-2012-5513: xen: XENMEM_exchange may overwrite hypervisor memory (XSA-29) CVE-2012-5513-xsa29.patch - bnc#789948 - VUL-0: CVE-2012-5514: xen: Missing unlock in guest_physmap_mark_populate_on_demand() (XSA-30) CVE-2012-5514-xsa30.patch - bnc#789950 - VUL-0: CVE-2012-5515: xen: Several memory hypercall operations allow invalid extent order values (XSA-31) CVE-2012-5515-xsa31.patch - bnc#789952 - VUL-0: CVE-2012-5525: xen: Several hypercalls do not validate input GFNs (XSA-32) CVE-2012-5525-xsa32.patch - Upstream patches from Jan 26129-ACPI-BGRT-invalidate.patch 26132-tmem-save-NULL-check.patch 26134-x86-shadow-invlpg-check.patch 26139-cpumap-masking.patch 26148-vcpu-timer-overflow.patch (Replaces CVE-2012-4535-xsa20.patch) 26149-x86-p2m-physmap-error-path.patch (Replaces CVE-2012-4537-xsa22.patch) 26150-x86-shadow-unhook-toplevel-check.patch (Replaces CVE-2012-4538-xsa23.patch) 26151-gnttab-compat-get-status-frames.patch (Replaces CVE-2012-4539-xsa24.patch) 26179-PCI-find-next-cap.patch 26183-x86-HPET-masking.patch 26188-x86-time-scale-asm.patch OBS-URL: https://build.opensuse.org/package/show/Virtualization/xen?expand=0&rev=216 2012-12-03 14:47:23 +00:00			`Committed-by: Ian Jackson <ian.jackson@eu.citrix.com>`
- bnc#777628 - guest "disappears" after live migration Updated block-dmmd script - fate#310510 - fix xenpaging restore changes to integrate paging into xm/xend xenpaging.autostart.patch xenpaging.doc.patch - bnc#787163 - VUL-0: CVE-2012-4544: xen: Domain builder Out-of- memory due to malicious kernel/ramdisk (XSA 25) CVE-2012-4544-xsa25.patch - bnc#779212 - VUL-0: CVE-2012-4411: XEN / qemu: guest administrator can access qemu monitor console (XSA-19) CVE-2012-4411-xsa19.patch - bnc#786516 - VUL-0: CVE-2012-4535: xen: Timer overflow DoS vulnerability CVE-2012-4535-xsa20.patch - bnc#786518 - VUL-0: CVE-2012-4536: xen: pirq range check DoS vulnerability CVE-2012-4536-xsa21.patch - bnc#786517 - VUL-0: CVE-2012-4537: xen: Memory mapping failure DoS vulnerability CVE-2012-4537-xsa22.patch - bnc#786519 - VUL-0: CVE-2012-4538: xen: Unhooking empty PAE entries DoS vulnerability CVE-2012-4538-xsa23.patch - bnc#786520 - VUL-0: CVE-2012-4539: xen: Grant table hypercall infinite loop DoS vulnerability CVE-2012-4539-xsa24.patch OBS-URL: https://build.opensuse.org/package/show/Virtualization/xen?expand=0&rev=212 2012-11-19 13:58:33 +00:00
- bnc#789945 - VUL-0: CVE-2012-5510: xen: Grant table version switch list corruption vulnerability (XSA-26) CVE-2012-5510-xsa26.patch - bnc#789944 - VUL-0: CVE-2012-5511: xen: Several HVM operations do not validate the range of their inputs (XSA-27) CVE-2012-5511-xsa27.patch - bnc#789951 - VUL-0: CVE-2012-5513: xen: XENMEM_exchange may overwrite hypervisor memory (XSA-29) CVE-2012-5513-xsa29.patch - bnc#789948 - VUL-0: CVE-2012-5514: xen: Missing unlock in guest_physmap_mark_populate_on_demand() (XSA-30) CVE-2012-5514-xsa30.patch - bnc#789950 - VUL-0: CVE-2012-5515: xen: Several memory hypercall operations allow invalid extent order values (XSA-31) CVE-2012-5515-xsa31.patch - bnc#789952 - VUL-0: CVE-2012-5525: xen: Several hypercalls do not validate input GFNs (XSA-32) CVE-2012-5525-xsa32.patch - Upstream patches from Jan 26129-ACPI-BGRT-invalidate.patch 26132-tmem-save-NULL-check.patch 26134-x86-shadow-invlpg-check.patch 26139-cpumap-masking.patch 26148-vcpu-timer-overflow.patch (Replaces CVE-2012-4535-xsa20.patch) 26149-x86-p2m-physmap-error-path.patch (Replaces CVE-2012-4537-xsa22.patch) 26150-x86-shadow-unhook-toplevel-check.patch (Replaces CVE-2012-4538-xsa23.patch) 26151-gnttab-compat-get-status-frames.patch (Replaces CVE-2012-4539-xsa24.patch) 26179-PCI-find-next-cap.patch 26183-x86-HPET-masking.patch 26188-x86-time-scale-asm.patch OBS-URL: https://build.opensuse.org/package/show/Virtualization/xen?expand=0&rev=216 2012-12-03 14:47:23 +00:00			`--- a/xen/arch/x86/mm/shadow/multi.c`
			`+++ b/xen/arch/x86/mm/shadow/multi.c`
- bnc#777628 - guest "disappears" after live migration Updated block-dmmd script - fate#310510 - fix xenpaging restore changes to integrate paging into xm/xend xenpaging.autostart.patch xenpaging.doc.patch - bnc#787163 - VUL-0: CVE-2012-4544: xen: Domain builder Out-of- memory due to malicious kernel/ramdisk (XSA 25) CVE-2012-4544-xsa25.patch - bnc#779212 - VUL-0: CVE-2012-4411: XEN / qemu: guest administrator can access qemu monitor console (XSA-19) CVE-2012-4411-xsa19.patch - bnc#786516 - VUL-0: CVE-2012-4535: xen: Timer overflow DoS vulnerability CVE-2012-4535-xsa20.patch - bnc#786518 - VUL-0: CVE-2012-4536: xen: pirq range check DoS vulnerability CVE-2012-4536-xsa21.patch - bnc#786517 - VUL-0: CVE-2012-4537: xen: Memory mapping failure DoS vulnerability CVE-2012-4537-xsa22.patch - bnc#786519 - VUL-0: CVE-2012-4538: xen: Unhooking empty PAE entries DoS vulnerability CVE-2012-4538-xsa23.patch - bnc#786520 - VUL-0: CVE-2012-4539: xen: Grant table hypercall infinite loop DoS vulnerability CVE-2012-4539-xsa24.patch OBS-URL: https://build.opensuse.org/package/show/Virtualization/xen?expand=0&rev=212 2012-11-19 13:58:33 +00:00			`@@ -4734,8 +4734,12 @@ static void sh_pagetable_dying(struct vc`
			`unsigned long gfn;`
			`mfn_t smfn, gmfn;`

			`- if ( fast_path )`
			`- smfn = _mfn(pagetable_get_pfn(v->arch.shadow_table[i]));`
			`+ if ( fast_path ) {`
			`+ if ( pagetable_is_null(v->arch.shadow_table[i]) )`
			`+ smfn = _mfn(INVALID_MFN);`
			`+ else`
			`+ smfn = _mfn(pagetable_get_pfn(v->arch.shadow_table[i]));`
			`+ }`
			`else`
			`{`
			`/* retrieving the l2s */`