- bsc#954018 - VUL-0: CVE-2015-5307: xen: x86: CPU lockup during

fault delivery (XSA-156)
  CVE-2015-5307-xsa156.patch

OBS-URL: https://build.opensuse.org/package/show/Virtualization/xen?expand=0&rev=385

CVE-2015-5307-xsa156.patch

@@ -0,0 +1,129 @@
+References: bsc#953527 CVE-2015-5307 XSA-156
+
+x86/HVM: always intercept #AC and #DB
+
+Both being benign exceptions, and both being possible to get triggered
+by exception delivery, this is required to prevent a guest from locking
+up a CPU (resulting from no other VM exits occurring once getting into
+such a loop).
+
+The specific scenarios:
+
+1) #AC may be raised during exception delivery if the handler is set to
+be a ring-3 one by a 32-bit guest, and the stack is misaligned.
+
+2) #DB may be raised during exception delivery when a breakpoint got
+placed on a data structure involved in delivering the exception. This
+can result in an endless loop when a 64-bit guest uses a non-zero IST
+for the vector 1 IDT entry, but even without use of IST the time it
+takes until a contributory fault would get raised (results depending
+on the handler) may be quite long.
+
+This is XSA-156.
+
+Reported-by: Benjamin Serebrin <serebrin@google.com>
+Signed-off-by: Jan Beulich <jbeulich@suse.com>
+Reviewed-by: Andrew Cooper <andrew.cooper3@citrix.com>
+Tested-by: Andrew Cooper <andrew.cooper3@citrix.com>
+
+--- a/xen/arch/x86/hvm/svm/svm.c
++++ b/xen/arch/x86/hvm/svm/svm.c
+@@ -1045,10 +1045,11 @@ static void noreturn svm_do_resume(struc
+         unlikely(v->arch.hvm_vcpu.debug_state_latch != debug_state) )
+     {
+         uint32_t intercepts = vmcb_get_exception_intercepts(vmcb);
+-        uint32_t mask = (1U << TRAP_debug) | (1U << TRAP_int3);
++
+         v->arch.hvm_vcpu.debug_state_latch = debug_state;
+         vmcb_set_exception_intercepts(
+-            vmcb, debug_state ? (intercepts | mask) : (intercepts & ~mask));
++            vmcb, debug_state ? (intercepts | (1U << TRAP_int3))
++                              : (intercepts & ~(1U << TRAP_int3)));
+     }
+ 
+     if ( v->arch.hvm_svm.launch_core != smp_processor_id() )
+@@ -2435,8 +2436,9 @@ void svm_vmexit_handler(struct cpu_user_
+ 
+     case VMEXIT_EXCEPTION_DB:
+         if ( !v->domain->debugger_attached )
+-            goto unexpected_exit_type;
+-        domain_pause_for_debugger();
++            hvm_inject_hw_exception(TRAP_debug, HVM_DELIVER_NO_ERROR_CODE);
++        else
++            domain_pause_for_debugger();
+         break;
+ 
+     case VMEXIT_EXCEPTION_BP:
+@@ -2484,6 +2486,11 @@ void svm_vmexit_handler(struct cpu_user_
+         break;
+     }
+ 
++    case VMEXIT_EXCEPTION_AC:
++        HVMTRACE_1D(TRAP, TRAP_alignment_check);
++        hvm_inject_hw_exception(TRAP_alignment_check, vmcb->exitinfo1);
++        break;
++
+     case VMEXIT_EXCEPTION_UD:
+         svm_vmexit_ud_intercept(regs);
+         break;
+--- a/xen/arch/x86/hvm/vmx/vmx.c
++++ b/xen/arch/x86/hvm/vmx/vmx.c
+@@ -1186,16 +1186,10 @@ static void vmx_update_host_cr3(struct v
+ 
+ void vmx_update_debug_state(struct vcpu *v)
+ {
+-    unsigned long mask;
+-
+-    mask = 1u << TRAP_int3;
+-    if ( !cpu_has_monitor_trap_flag )
+-        mask |= 1u << TRAP_debug;
+-
+     if ( v->arch.hvm_vcpu.debug_state_latch )
+-        v->arch.hvm_vmx.exception_bitmap |= mask;
++        v->arch.hvm_vmx.exception_bitmap |= 1U << TRAP_int3;
+     else
+-        v->arch.hvm_vmx.exception_bitmap &= ~mask;
++        v->arch.hvm_vmx.exception_bitmap &= ~(1U << TRAP_int3);
+ 
+     vmx_vmcs_enter(v);
+     vmx_update_exception_bitmap(v);
+@@ -2801,9 +2795,10 @@ void vmx_vmexit_handler(struct cpu_user_
+             __vmread(EXIT_QUALIFICATION, &exit_qualification);
+             HVMTRACE_1D(TRAP_DEBUG, exit_qualification);
+             write_debugreg(6, exit_qualification | 0xffff0ff0);
+-            if ( !v->domain->debugger_attached || cpu_has_monitor_trap_flag )
+-                goto exit_and_crash;
+-            domain_pause_for_debugger();
++            if ( !v->domain->debugger_attached )
++                hvm_inject_hw_exception(vector, HVM_DELIVER_NO_ERROR_CODE);
++            else
++                domain_pause_for_debugger();
+             break;
+         case TRAP_int3: 
+         {
+@@ -2868,6 +2863,11 @@ void vmx_vmexit_handler(struct cpu_user_
+ 
+             hvm_inject_page_fault(regs->error_code, exit_qualification);
+             break;
++        case TRAP_alignment_check:
++            HVMTRACE_1D(TRAP, vector);
++            __vmread(VM_EXIT_INTR_ERROR_CODE, &ecode);
++            hvm_inject_hw_exception(vector, ecode);
++            break;
+         case TRAP_nmi:
+             if ( (intr_info & INTR_INFO_INTR_TYPE_MASK) !=
+                  (X86_EVENTTYPE_NMI << 8) )
+--- a/xen/include/asm-x86/hvm/hvm.h
++++ b/xen/include/asm-x86/hvm/hvm.h
+@@ -378,7 +378,10 @@ static inline int hvm_event_pending(stru
+     (X86_CR4_VMXE | X86_CR4_PAE | X86_CR4_MCE))
+ 
+ /* These exceptions must always be intercepted. */
+-#define HVM_TRAP_MASK ((1U << TRAP_machine_check) | (1U << TRAP_invalid_op))
++#define HVM_TRAP_MASK ((1U << TRAP_debug)           | \
++                       (1U << TRAP_invalid_op)      | \
++                       (1U << TRAP_alignment_check) | \
++                       (1U << TRAP_machine_check))
+ 
+ /*
+  * x86 event types. This enumeration is valid for:

xen.changes

@@ -1,3 +1,10 @@
+-------------------------------------------------------------------
+Thu Nov  5 07:42:08 MST 2015 - carnold@suse.com
+
+- bsc#954018 - VUL-0: CVE-2015-5307: xen: x86: CPU lockup during
+  fault delivery (XSA-156)
+  CVE-2015-5307-xsa156.patch
+
 -------------------------------------------------------------------
 Wed Nov  4 10:33:59 MST 2015 - carnold@suse.com
 

xen.spec

@@ -15,6 +15,7 @@
 # Please submit bugfixes or comments via http://bugs.opensuse.org/
 #
 
+
 # needssslcertforbuild
 
 Name:           xen
@@ -31,7 +32,7 @@ ExclusiveArch:  %ix86 x86_64 %arm aarch64
 %define with_oxenstored 0
 #
 %ifarch x86_64
-%define with_kmp 0
+%define with_kmp 1
 %define with_debug 1
 %define with_stubdom 1
 %define with_gdbsx 1
@@ -224,6 +225,7 @@ Patch20:        55f7f9d2-libxl-slightly-refine-pci-assignable-add-remove-handlin
 Patch21:        5604f239-x86-PV-properly-populate-descriptor-tables.patch
 Patch22:        561d2046-VT-d-use-proper-error-codes-in-iommu_enable_x2apic_IR.patch
 Patch149:       xsa149.patch
+Patch156:       CVE-2015-5307-xsa156.patch
 # Upstream qemu
 Patch250:       VNC-Support-for-ExtendedKeyEvent-client-message.patch
 Patch251:       0001-net-move-the-tap-buffer-into-TAPState.patch
@@ -580,6 +582,7 @@ Authors:
 %patch21 -p1
 %patch22 -p1
 %patch149 -p1
+%patch156 -p1
 # Upstream qemu patches
 %patch250 -p1
 %patch251 -p1