128dffb75f
switch list corruption vulnerability (XSA-26) CVE-2012-5510-xsa26.patch - bnc#789944 - VUL-0: CVE-2012-5511: xen: Several HVM operations do not validate the range of their inputs (XSA-27) CVE-2012-5511-xsa27.patch - bnc#789951 - VUL-0: CVE-2012-5513: xen: XENMEM_exchange may overwrite hypervisor memory (XSA-29) CVE-2012-5513-xsa29.patch - bnc#789948 - VUL-0: CVE-2012-5514: xen: Missing unlock in guest_physmap_mark_populate_on_demand() (XSA-30) CVE-2012-5514-xsa30.patch - bnc#789950 - VUL-0: CVE-2012-5515: xen: Several memory hypercall operations allow invalid extent order values (XSA-31) CVE-2012-5515-xsa31.patch - bnc#789952 - VUL-0: CVE-2012-5525: xen: Several hypercalls do not validate input GFNs (XSA-32) CVE-2012-5525-xsa32.patch - Upstream patches from Jan 26129-ACPI-BGRT-invalidate.patch 26132-tmem-save-NULL-check.patch 26134-x86-shadow-invlpg-check.patch 26139-cpumap-masking.patch 26148-vcpu-timer-overflow.patch (Replaces CVE-2012-4535-xsa20.patch) 26149-x86-p2m-physmap-error-path.patch (Replaces CVE-2012-4537-xsa22.patch) 26150-x86-shadow-unhook-toplevel-check.patch (Replaces CVE-2012-4538-xsa23.patch) 26151-gnttab-compat-get-status-frames.patch (Replaces CVE-2012-4539-xsa24.patch) 26179-PCI-find-next-cap.patch 26183-x86-HPET-masking.patch 26188-x86-time-scale-asm.patch OBS-URL: https://build.opensuse.org/package/show/Virtualization/xen?expand=0&rev=216
40 lines
1.4 KiB
Diff
40 lines
1.4 KiB
Diff
References: CVE-2012-4538 XSA-23 bnc#786519
|
|
|
|
# HG changeset patch
|
|
# User Ian Jackson <Ian.Jackson@eu.citrix.com>
|
|
# Date 1352893341 0
|
|
# Node ID c7a01b6450e483ca839228bf1e1e44de692e3458
|
|
# Parent 6b6a4007a6091610a29b71cc32908c74113b852b
|
|
xen/mm/shadow: check toplevel pagetables are present before unhooking them.
|
|
|
|
If the guest has not fully populated its top-level PAE entries when it calls
|
|
HVMOP_pagetable_dying, the shadow code could try to unhook entries from
|
|
MFN 0. Add a check to avoid that case.
|
|
|
|
This issue was introduced by c/s 21239:b9d2db109cf5.
|
|
|
|
This is a security problem, XSA-23 / CVE-2012-4538.
|
|
|
|
Signed-off-by: Tim Deegan <tim@xen.org>
|
|
Tested-by: Andrew Cooper <andrew.cooper3@citrix.com>
|
|
Acked-by: Ian Campbell <ian.campbell@citrix.com>
|
|
Committed-by: Ian Jackson <ian.jackson@eu.citrix.com>
|
|
|
|
--- a/xen/arch/x86/mm/shadow/multi.c
|
|
+++ b/xen/arch/x86/mm/shadow/multi.c
|
|
@@ -4734,8 +4734,12 @@ static void sh_pagetable_dying(struct vc
|
|
unsigned long gfn;
|
|
mfn_t smfn, gmfn;
|
|
|
|
- if ( fast_path )
|
|
- smfn = _mfn(pagetable_get_pfn(v->arch.shadow_table[i]));
|
|
+ if ( fast_path ) {
|
|
+ if ( pagetable_is_null(v->arch.shadow_table[i]) )
|
|
+ smfn = _mfn(INVALID_MFN);
|
|
+ else
|
|
+ smfn = _mfn(pagetable_get_pfn(v->arch.shadow_table[i]));
|
|
+ }
|
|
else
|
|
{
|
|
/* retrieving the l2s */
|