9e9b5acb9c
5604f239-x86-PV-properly-populate-descriptor-tables.patch 561bbc8b-VT-d-don-t-suppress-invalidation-address-write-when-0.patch 561d2046-VT-d-use-proper-error-codes-in-iommu_enable_x2apic_IR.patch 561d20a0-x86-hide-MWAITX-from-PV-domains.patch 561e3283-x86-NUMA-fix-SRAT-table-processor-entry-handling.patch - bsc#951845 - VUL-0: CVE-2015-7972: xen: x86: populate-on-demand balloon size inaccuracy can crash guests (XSA-153) xsa153-libxl.patch - bsc#950703 - VUL-1: CVE-2015-7969: xen: leak of main per-domain vcpu pointer array (DoS) (XSA-149) xsa149.patch - bsc#950705 - VUL-1: CVE-2015-7969: xen: x86: leak of per-domain profiling-related vcpu pointer array (DoS) (XSA-151) xsa151.patch - bsc#950706 - VUL-0: CVE-2015-7971: xen: x86: some pmu and profiling hypercalls log without rate limiting (XSA-152) xsa152.patch - Dropped 55dc7937-x86-IO-APIC-don-t-create-pIRQ-mapping-from-masked-RTE.patch 5604f239-x86-PV-properly-populate-descriptor-tables.patch - bsc#932267 - VUL-1: CVE-2015-4037: qemu,kvm,xen: insecure temporary file use in /net/slirp.c CVE-2015-4037-qemuu-smb-config-dir-name.patch CVE-2015-4037-qemut-smb-config-dir-name.patch - bsc#877642 - VUL-0: CVE-2014-0222: qemu: qcow1: validate L2 table size to avoid integer overflows OBS-URL: https://build.opensuse.org/package/show/Virtualization/xen?expand=0&rev=382
44 lines
1.8 KiB
Diff
44 lines
1.8 KiB
Diff
References: bsc#950367 CVE-2015-7835 XSA-148
|
|
|
|
x86: guard against undue super page PTE creation
|
|
|
|
When optional super page support got added (commit bd1cd81d64 "x86: PV
|
|
support for hugepages"), two adjustments were missed: mod_l2_entry()
|
|
needs to consider the PSE and RW bits when deciding whether to use the
|
|
fast path, and the PSE bit must not be removed from L2_DISALLOW_MASK
|
|
unconditionally.
|
|
|
|
This is CVE-2015-7835 / XSA-148.
|
|
|
|
Signed-off-by: Jan Beulich <jbeulich@suse.com>
|
|
Reviewed-by: Tim Deegan <tim@xen.org>
|
|
|
|
Index: xen-4.5.1-testing/xen/arch/x86/mm.c
|
|
===================================================================
|
|
--- xen-4.5.1-testing.orig/xen/arch/x86/mm.c
|
|
+++ xen-4.5.1-testing/xen/arch/x86/mm.c
|
|
@@ -162,7 +162,10 @@ static void put_superpage(unsigned long
|
|
static uint32_t base_disallow_mask;
|
|
/* Global bit is allowed to be set on L1 PTEs. Intended for user mappings. */
|
|
#define L1_DISALLOW_MASK ((base_disallow_mask | _PAGE_GNTTAB) & ~_PAGE_GLOBAL)
|
|
-#define L2_DISALLOW_MASK (base_disallow_mask & ~_PAGE_PSE)
|
|
+
|
|
+#define L2_DISALLOW_MASK (unlikely(opt_allow_superpage) \
|
|
+ ? base_disallow_mask & ~_PAGE_PSE \
|
|
+ : base_disallow_mask)
|
|
|
|
#define l3_disallow_mask(d) (!is_pv_32on64_domain(d) ? \
|
|
base_disallow_mask : \
|
|
@@ -1790,7 +1793,10 @@ static int mod_l2_entry(l2_pgentry_t *pl
|
|
}
|
|
|
|
/* Fast path for identical mapping and presence. */
|
|
- if ( !l2e_has_changed(ol2e, nl2e, _PAGE_PRESENT) )
|
|
+ if ( !l2e_has_changed(ol2e, nl2e,
|
|
+ unlikely(opt_allow_superpage)
|
|
+ ? _PAGE_PSE | _PAGE_RW | _PAGE_PRESENT
|
|
+ : _PAGE_PRESENT) )
|
|
{
|
|
adjust_guest_l2e(nl2e, d);
|
|
if ( UPDATE_ENTRY(l2, pl2e, ol2e, nl2e, pfn, vcpu, preserve_ad) )
|