diff --git a/CVE-2015-5307-xsa156.patch b/CVE-2015-5307-xsa156.patch
new file mode 100644
index 0000000..6139945
--- /dev/null
+++ b/CVE-2015-5307-xsa156.patch
@@ -0,0 +1,129 @@
+References: bsc#953527 CVE-2015-5307 XSA-156
+
+x86/HVM: always intercept #AC and #DB
+
+Both being benign exceptions, and both being possible to get triggered
+by exception delivery, this is required to prevent a guest from locking
+up a CPU (resulting from no other VM exits occurring once getting into
+such a loop).
+
+The specific scenarios:
+
+1) #AC may be raised during exception delivery if the handler is set to
+be a ring-3 one by a 32-bit guest, and the stack is misaligned.
+
+2) #DB may be raised during exception delivery when a breakpoint got
+placed on a data structure involved in delivering the exception. This
+can result in an endless loop when a 64-bit guest uses a non-zero IST
+for the vector 1 IDT entry, but even without use of IST the time it
+takes until a contributory fault would get raised (results depending
+on the handler) may be quite long.
+
+This is XSA-156.
+
+Reported-by: Benjamin Serebrin
+Signed-off-by: Jan Beulich
+Reviewed-by: Andrew Cooper
+Tested-by: Andrew Cooper
+
+--- a/xen/arch/x86/hvm/svm/svm.c
++++ b/xen/arch/x86/hvm/svm/svm.c
+@@ -1045,10 +1045,11 @@ static void noreturn svm_do_resume(struc
+ unlikely(v->arch.hvm_vcpu.debug_state_latch != debug_state) )
+ {
+ uint32_t intercepts = vmcb_get_exception_intercepts(vmcb);
+- uint32_t mask = (1U << TRAP_debug) | (1U << TRAP_int3);
++
+ v->arch.hvm_vcpu.debug_state_latch = debug_state;
+ vmcb_set_exception_intercepts(
+- vmcb, debug_state ? (intercepts | mask) : (intercepts & ~mask));
++ vmcb, debug_state ? 
(intercepts | (1U << TRAP_int3))
++ : (intercepts & ~(1U << TRAP_int3)));
+ }
+
+ if ( v->arch.hvm_svm.launch_core != smp_processor_id() )
+@@ -2435,8 +2436,9 @@ void svm_vmexit_handler(struct cpu_user_
+
+ case VMEXIT_EXCEPTION_DB:
+ if ( !v->domain->debugger_attached )
+- goto unexpected_exit_type;
+- domain_pause_for_debugger();
++ hvm_inject_hw_exception(TRAP_debug, HVM_DELIVER_NO_ERROR_CODE);
++ else
++ domain_pause_for_debugger();
+ break;
+
+ case VMEXIT_EXCEPTION_BP:
+@@ -2484,6 +2486,11 @@ void svm_vmexit_handler(struct cpu_user_
+ break;
+ }
+
++ case VMEXIT_EXCEPTION_AC:
++ HVMTRACE_1D(TRAP, TRAP_alignment_check);
++ hvm_inject_hw_exception(TRAP_alignment_check, vmcb->exitinfo1);
++ break;
++
+ case VMEXIT_EXCEPTION_UD:
+ svm_vmexit_ud_intercept(regs);
+ break;
+--- a/xen/arch/x86/hvm/vmx/vmx.c
++++ b/xen/arch/x86/hvm/vmx/vmx.c
+@@ -1186,16 +1186,10 @@ static void vmx_update_host_cr3(struct v
+
+ void vmx_update_debug_state(struct vcpu *v)
+ {
+- unsigned long mask;
+-
+- mask = 1u << TRAP_int3;
+- if ( !cpu_has_monitor_trap_flag )
+- mask |= 1u << TRAP_debug;
+-
+ if ( v->arch.hvm_vcpu.debug_state_latch )
+- v->arch.hvm_vmx.exception_bitmap |= mask;
++ v->arch.hvm_vmx.exception_bitmap |= 1U << TRAP_int3;
+ else
+- v->arch.hvm_vmx.exception_bitmap &= ~mask;
++ v->arch.hvm_vmx.exception_bitmap &= ~(1U << TRAP_int3);
+
+ vmx_vmcs_enter(v);
+ vmx_update_exception_bitmap(v);
+@@ -2801,9 +2795,10 @@ void vmx_vmexit_handler(struct cpu_user_
+ __vmread(EXIT_QUALIFICATION, &exit_qualification);
+ HVMTRACE_1D(TRAP_DEBUG, exit_qualification);
+ write_debugreg(6, exit_qualification | 0xffff0ff0);
+- if ( !v->domain->debugger_attached || cpu_has_monitor_trap_flag )
+- goto exit_and_crash;
+- domain_pause_for_debugger();
++ if ( !v->domain->debugger_attached )
++ hvm_inject_hw_exception(vector, HVM_DELIVER_NO_ERROR_CODE);
++ else
++ domain_pause_for_debugger();
+ break;
+ case TRAP_int3:
+ {
+@@ -2868,6 +2863,11 @@ void vmx_vmexit_handler(struct cpu_user_
+
+ 
hvm_inject_page_fault(regs->error_code, exit_qualification);
+ break;
++ case TRAP_alignment_check:
++ HVMTRACE_1D(TRAP, vector);
++ __vmread(VM_EXIT_INTR_ERROR_CODE, &ecode);
++ hvm_inject_hw_exception(vector, ecode);
++ break;
+ case TRAP_nmi:
+ if ( (intr_info & INTR_INFO_INTR_TYPE_MASK) !=
+ (X86_EVENTTYPE_NMI << 8) )
+--- a/xen/include/asm-x86/hvm/hvm.h
++++ b/xen/include/asm-x86/hvm/hvm.h
+@@ -378,7 +378,10 @@ static inline int hvm_event_pending(stru
+ (X86_CR4_VMXE | X86_CR4_PAE | X86_CR4_MCE))
+
+ /* These exceptions must always be intercepted. */
+-#define HVM_TRAP_MASK ((1U << TRAP_machine_check) | (1U << TRAP_invalid_op))
++#define HVM_TRAP_MASK ((1U << TRAP_debug) | \
++ (1U << TRAP_invalid_op) | \
++ (1U << TRAP_alignment_check) | \
++ (1U << TRAP_machine_check))
+
+ /*
+ * x86 event types. This enumeration is valid for:
diff --git a/xen.changes b/xen.changes
index d9defd8..550f91d 100644
--- a/xen.changes
+++ b/xen.changes
@@ -1,3 +1,10 @@
+-------------------------------------------------------------------
+Thu Nov 5 07:42:08 MST 2015 - carnold@suse.com
+
+- bsc#954018 - VUL-0: CVE-2015-5307: xen: x86: CPU lockup during
+ fault delivery (XSA-156)
+ CVE-2015-5307-xsa156.patch
+
 -------------------------------------------------------------------
 Wed Nov 4 10:33:59 MST 2015 - carnold@suse.com
diff --git a/xen.spec b/xen.spec
index df76960..008a9ed 100644
--- a/xen.spec
+++ b/xen.spec
@@ -15,6 +15,7 @@
 # Please submit bugfixes or comments via http://bugs.opensuse.org/
 #
+
 # needssslcertforbuild
 Name: xen
@@ -31,7 +32,7 @@ ExclusiveArch: %ix86 x86_64 %arm aarch64
 %define with_oxenstored 0
 #
 %ifarch x86_64
-%define with_kmp 0
+%define with_kmp 1
 %define with_debug 1
 %define with_stubdom 1
 %define with_gdbsx 1
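Review bot: The `-%define with_kmp 0` / `+%define with_kmp 1` flip in the `@@ -31,7 +32,7 @@` hunk of xen.spec is not recorded in the xen.changes entry added in the same commit, which names only bsc#954018 / CVE-2015-5307 and the XSA-156 patch. Toggling that define presumably changes which subpackages the build produces, and the neighbouring `# needssslcertforbuild` context suggests it also affects what the build environment must supply, so a reader of the changelog cannot tell whether the switch was intended to ship with the security fix. Either add a changelog line naming the with_kmp change, or carry it in a separate commit so the security update stays a single-purpose change. The blank line added before `# needssslcertforbuild` in the `@@ -15,6 +15,7 @@` hunk likewise goes unmentioned, though it looks cosmetic.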
@@ -224,6 +225,7 @@ Patch20: 55f7f9d2-libxl-slightly-refine-pci-assignable-add-remove-handlin
 Patch21: 5604f239-x86-PV-properly-populate-descriptor-tables.patch
 Patch22: 561d2046-VT-d-use-proper-error-codes-in-iommu_enable_x2apic_IR.patch
 Patch149: xsa149.patch
+Patch156: CVE-2015-5307-xsa156.patch
 # Upstream qemu
 Patch250: VNC-Support-for-ExtendedKeyEvent-client-message.patch
 Patch251: 0001-net-move-the-tap-buffer-into-TAPState.patch
@@ -580,6 +582,7 @@ Authors:
 %patch21 -p1
 %patch22 -p1
 %patch149 -p1
+%patch156 -p1
 # Upstream qemu patches
 %patch250 -p1
 %patch251 -p1