c608e23838
Turn off building the KMPs now that we are using the pvops kernel xen.spec - Upstream patches from Jan 561bbc8b-VT-d-don-t-suppress-invalidation-address-write-when-it-is-zero.patch 561d20a0-x86-hide-MWAITX-from-PV-domains.patch 561e3283-x86-NUMA-fix-SRAT-table-processor-entry-parsing-and-consumption.patch 5632118e-arm-Support-hypercall_create_continuation-for-multicall.patch 56321222-arm-rate-limit-logging-from-unimplemented-PHYSDEVOP-and-HVMOP.patch 56321249-arm-handle-races-between-relinquish_memory-and-free_domheap_pages.patch 5632127b-x86-guard-against-undue-super-page-PTE-creation.patch 5632129c-free-domain-s-vcpu-array.patch (Replaces CVE-2015-7969-xsa149.patch) 563212c9-x86-PoD-Eager-sweep-for-zeroed-pages.patch 563212e4-xenoprof-free-domain-s-vcpu-array.patch 563212ff-x86-rate-limit-logging-in-do_xen-oprof-pmu-_op.patch 56323737-libxl-adjust-PoD-target-by-memory-fudge-too.patch 56377442-x86-PoD-Make-p2m_pod_empty_cache-restartable.patch 5641ceec-x86-HVM-always-intercept-AC-and-DB.patch (Replaces CVE-2015-5307-xsa156.patch) 5644b756-x86-HVM-don-t-inject-DB-with-error-code.patch - Dropped 55b0a2db-x86-MSI-track-guest-masking.patch - Use upstream variants of block-iscsi and block-nbd - Remove xenalyze.hg, its part of xen-4.6 OBS-URL: https://build.opensuse.org/package/show/Virtualization/xen?expand=0&rev=389
45 lines
1.9 KiB
Diff
45 lines
1.9 KiB
Diff
# Commit fe360c90ea13f309ef78810f1a2b92f2ae3b30b8
|
|
# Date 2015-10-29 13:35:07 +0100
|
|
# Author Jan Beulich <jbeulich@suse.com>
|
|
# Committer Jan Beulich <jbeulich@suse.com>
|
|
x86: guard against undue super page PTE creation
|
|
|
|
When optional super page support got added (commit bd1cd81d64 "x86: PV
|
|
support for hugepages"), two adjustments were missed: mod_l2_entry()
|
|
needs to consider the PSE and RW bits when deciding whether to use the
|
|
fast path, and the PSE bit must not be removed from L2_DISALLOW_MASK
|
|
unconditionally.
|
|
|
|
This is CVE-2015-7835 / XSA-148.
|
|
|
|
Reported-by: "栾尚聪(好风)" <shangcong.lsc@alibaba-inc.com>
|
|
Signed-off-by: Jan Beulich <jbeulich@suse.com>
|
|
Reviewed-by: Tim Deegan <tim@xen.org>
|
|
|
|
--- a/xen/arch/x86/mm.c
|
|
+++ b/xen/arch/x86/mm.c
|
|
@@ -160,7 +160,10 @@ static void put_superpage(unsigned long
|
|
static uint32_t base_disallow_mask;
|
|
/* Global bit is allowed to be set on L1 PTEs. Intended for user mappings. */
|
|
#define L1_DISALLOW_MASK ((base_disallow_mask | _PAGE_GNTTAB) & ~_PAGE_GLOBAL)
|
|
-#define L2_DISALLOW_MASK (base_disallow_mask & ~_PAGE_PSE)
|
|
+
|
|
+#define L2_DISALLOW_MASK (unlikely(opt_allow_superpage) \
|
|
+ ? base_disallow_mask & ~_PAGE_PSE \
|
|
+ : base_disallow_mask)
|
|
|
|
#define l3_disallow_mask(d) (!is_pv_32bit_domain(d) ? \
|
|
base_disallow_mask : 0xFFFFF198U)
|
|
@@ -1839,7 +1842,10 @@ static int mod_l2_entry(l2_pgentry_t *pl
|
|
}
|
|
|
|
/* Fast path for identical mapping and presence. */
|
|
- if ( !l2e_has_changed(ol2e, nl2e, _PAGE_PRESENT) )
|
|
+ if ( !l2e_has_changed(ol2e, nl2e,
|
|
+ unlikely(opt_allow_superpage)
|
|
+ ? _PAGE_PSE | _PAGE_RW | _PAGE_PRESENT
|
|
+ : _PAGE_PRESENT) )
|
|
{
|
|
adjust_guest_l2e(nl2e, d);
|
|
if ( UPDATE_ENTRY(l2, pl2e, ol2e, nl2e, pfn, vcpu, preserve_ad) )
|