4c13b01c59
range used for x2APIC emulation xsa108.patch - bnc#895802 - VUL-0: CVE-2014-7156: xen: XSA-106: Missing privilege level checks in x86 emulation of software interrupts - bnc#895799 - VUL-0: CVE-2014-7155: xen: XSA-105: Missing privilege level checks in x86 HLT, LGDT, LIDT, and LMSW emulation - bnc#895798 - VUL-0: CVE-2014-7154: xen: XSA-104: Race condition in HVMOP_track_dirty_vram OBS-URL: https://build.opensuse.org/package/show/Virtualization/xen?expand=0&rev=333
x86/HVM: properly bound x2APIC MSR range
While the write path change appears to be purely cosmetic (but still
gets done here for consistency), the read side mistake permitted
accesses beyond the virtual APIC page.
This is XSA-108.
Signed-off-by: Jan Beulich <jbeulich@suse.com>
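--- a/xen/arch/x86/hvm/hvm.c
+++ b/xen/arch/x86/hvm/hvm.c
@@ -3101,7 +3101,7 @@ int hvm_msr_read_intercept(unsigned int
 *msr_content = vcpu_vlapic(v)->hw.apic_base_msr;
 break;
 
- case MSR_IA32_APICBASE_MSR ... MSR_IA32_APICBASE_MSR + 0x3ff:
+ case MSR_IA32_APICBASE_MSR ... MSR_IA32_APICBASE_MSR + 0xff:
 if ( hvm_x2apic_msr_read(v, msr, msr_content) )
 goto gp_fault;
 break;
@@ -3227,7 +3227,7 @@ int hvm_msr_write_intercept(unsigned int
 vlapic_tdt_msr_set(vcpu_vlapic(v), msr_content);
 break;
 
- case MSR_IA32_APICBASE_MSR ... MSR_IA32_APICBASE_MSR + 0x3ff:
+ case MSR_IA32_APICBASE_MSR ... MSR_IA32_APICBASE_MSR + 0xff:
 if ( hvm_x2apic_msr_write(v, msr, msr_content) )
 goto gp_fault;
 break;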
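Review bot: The upper bound `0xff` in both `case MSR_IA32_APICBASE_MSR ... MSR_IA32_APICBASE_MSR + 0xff:` labels is a bare literal, and nothing in either hunk ties it to the size of the virtual APIC page that the commit message says the read path could run past. A comment above each label would record the invariant, for example `/* x2APIC MSR window: must stay within the single virtual APIC register page. */`, and a shared named constant would keep the read and write intercepts from drifting apart. As far as these hunks show, the case range is the only bound applied before `hvm_x2apic_msr_read()` and `hvm_x2apic_msr_write()` are called. Those helpers are defined outside the hunks, so it is worth confirming that they reject an out-of-range register offset themselves; otherwise a later widening of the label would bring the over-read back. Both intercept functions begin and end outside the visible hunks.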