author | Leonardo Arena <rnalrd@alpinelinux.org> | 2016-10-14 12:55:11 +0000 |
---|---|---|
committer | Leonardo Arena <rnalrd@alpinelinux.org> | 2016-10-14 13:45:55 +0000 |
commit | 716fb7870a1867cea94cca60f29602002a6f6f21 (patch) | |
tree | d382c26bc9860918eea5566ffb83abcc7133396a | |
parent | f63b96be2fe0f6fc14f13f208218a2b78c7d91ff (diff) | |
main/xen: security fixes. Fixes #6155
CVE-2016-7092, XSA-185: x86: Disallow L3 recursive pagetable for 32-bit PV guests
CVE-2016-7094, XSA-187: x86 HVM: Overflow of sh_ctxt->seg_reg[]
CVE-2016-7154, XSA-188: use after free in FIFO event channel code
-rw-r--r-- | main/xen/APKBUILD | 30 | ||||
-rw-r--r-- | main/xen/xsa185.patch | 38 | ||||
-rw-r--r-- | main/xen/xsa187-4.4-0002-x86-segment-Bounds-check-accesses-to-emulation-ctx.patch | 142 | ||||
-rw-r--r-- | main/xen/xsa187-4.7-0001-x86-shadow-Avoid-overflowing-sh_ctxt-seg.patch | 42 | ||||
-rw-r--r-- | main/xen/xsa188.patch | 23 |
5 files changed, 270 insertions, 5 deletions
diff --git a/main/xen/APKBUILD b/main/xen/APKBUILD index f1a6612b0c..b0707d711c 100644 --- a/main/xen/APKBUILD +++ b/main/xen/APKBUILD @@ -3,7 +3,7 @@ # Maintainer: William Pitcock <nenolod@dereferenced.org> pkgname=xen pkgver=4.4.4 -pkgrel=0 +pkgrel=1 pkgdesc="Xen hypervisor" url="http://www.xen.org/" arch="x86_64" @@ -21,9 +21,14 @@ source="http://bits.xensource.com/oss-xen/release/$pkgver/$pkgname-$pkgver.tar.g xsa170-4.5.patch xsa172.patch xsa173-4.4.patch + xsa176.patch xsa181-4.4.patch xsa184-qemut-master.patch xsa184-qemuu-master.patch + xsa185.patch + xsa187-4.7-0001-x86-shadow-Avoid-overflowing-sh_ctxt-seg.patch + xsa187-4.4-0002-x86-segment-Bounds-check-accesses-to-emulation-ctx.patch + xsa188.patch 0001-libxl-Record-backend-frontend-paths-in-libxl-DOMID.patch 0002-libxl-Provide-libxl__backendpath_parse_domid.patch @@ -36,7 +41,6 @@ source="http://bits.xensource.com/oss-xen/release/$pkgver/$pkgname-$pkgver.tar.g 0009-libxl-Do-not-trust-frontend-for-nic-in-libxl_devid_t.patch 0010-libxl-Do-not-trust-frontend-for-nic-in-getinfo.patch - xsa176.patch 0001-libxl-Make-copy-of-every-xs-backend-in-libxl-in-_gen.patch 0002-libxl-Do-not-trust-backend-for-vtpm-in-getinfo-excep.patch @@ -87,6 +91,10 @@ _builddir="$srcdir"/$pkgname-$pkgver # 4.4.4-r0: # - CVE-2016-5242 # - CVE-2016-5403 +# 4.4.4-r1: +# - CVE-2016-7092 +# - CVE-2016-7094 +# - CVE-2016-7154 prepare() { local i 
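Review bot: The two XSA-187 patches added to `source=` in this hunk are order-dependent, and only the listed order (`xsa187-4.7-0001-…` before `xsa187-4.4-0002-…`) applies cleanly: the 4.4 patch's `hvm_translate_linear_addr()` hunk removes the `is_x86_user_segment(seg)` check and comment that the 4.7 patch adds. Since abuild presumably applies patches in `source=` order, a later reorder or removal of 0001 would break `prepare()`; a one-line comment above the pair would prevent that: `# xsa187: 4.7-0001 must precede 4.4-0002 (0002 replaces the check 0001 adds)`. The secfixes block in the `@@ -87,6 +91,10 @@` hunk records the CVEs; adding the XSA numbers alongside them (`XSA-185`, `XSA-187`, `XSA-188`), as the commit message does, would make the advisory mapping greppable. The `source=` and secfixes lists both continue outside the visible hunks.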
@@ -255,9 +263,14 @@ md5sums="421ab1dc50357c916d7f3e1fbe7db074 xen-4.4.4.tar.gz
 2c2adc771c0ac13671bdcdd314602fcd xsa170-4.5.patch
 b14d9a4247ae654579cb757c9b0e949a xsa172.patch
 6de4080f47887c2e28911d4dd2f05fee xsa173-4.4.patch
+f5a889df9c86a2cda28da20ec7cd7adc xsa176.patch
 c7ee17c756c6801234f6095cfc056e0c xsa181-4.4.patch
 95bc220677fc2bb9a3df4dc14a0b31f6 xsa184-qemut-master.patch
 cc0904605d03a9e4f6f21d16824e41c9 xsa184-qemuu-master.patch
+8ae22c70681f3daf97ee7ef8ad947e76 xsa185.patch
+c426383254acdcbb9466bbec2d6f8d9b xsa187-4.7-0001-x86-shadow-Avoid-overflowing-sh_ctxt-seg.patch
+a7545557908b8e2580af85b7ec680e43 xsa187-4.4-0002-x86-segment-Bounds-check-accesses-to-emulation-ctx.patch
+adc72106be77107b379a62aa61294519 xsa188.patch
 d598b31823a2b4398fb2f9c39aec0cff 0001-libxl-Record-backend-frontend-paths-in-libxl-DOMID.patch
 761926907618592763ba75fce4c02c57 0002-libxl-Provide-libxl__backendpath_parse_domid.patch
 b5e297a4a111f897b403d70c25158adb 0003-libxl-Do-not-trust-frontend-in-libxl__devices_destro.patch
@@ -268,7 +281,6 @@ bb3fe7f6fd1850082b4cda123eeb0ea5 0004-libxl-Do-not-trust-frontend-in-libxl__dev
 0ee118dcd7bd840916a0399d200d494a 0008-libxl-Do-not-trust-frontend-for-vtpm-in-getinfo.patch
 c7d84a8620cd25244c5a04f7e9a5f77c 0009-libxl-Do-not-trust-frontend-for-nic-in-libxl_devid_t.patch
 7c09155ea89d59061d5d02ce68a01d7f 0010-libxl-Do-not-trust-frontend-for-nic-in-getinfo.patch
-f5a889df9c86a2cda28da20ec7cd7adc xsa176.patch
 37ccd7198ec535411082a5ecc15e57e0 0001-libxl-Make-copy-of-every-xs-backend-in-libxl-in-_gen.patch
 332c4d1f44dad70d503129a4702644ce 0002-libxl-Do-not-trust-backend-for-vtpm-in-getinfo-excep.patch
 8f15863d4c985db7d52bf89a82fa23f5 0003-libxl-Do-not-trust-backend-for-vtpm-in-getinfo-uuid.patch
@@ -308,9 +320,14 @@ sha256sums="86007e0f81c1c7d85009902e3ece0baf29b205ff4248b81709828c6fdc9ec253 xe
 1df068fb439c7edc1e86dfa9ea3b9ae99b58cdc3ac874b96cdf63b26ef9a6b98 xsa170-4.5.patch
 f18282fcb794b8772bc3af51d56860050071bd62a5a909b8f2fc2018e2958154 xsa172.patch
 35e02b8d4c2841ad951dd967b4f11aa7911fe5d52be2cb605b174e8c2e9214ca xsa173-4.4.patch
+e61c52477a8d8aa79111d686b103202ff8a558d8b3356635288c1290789b7eb3 xsa176.patch
 97a90c7cb42466647622cb2ed98de531b7ba2e174a1bc639a32a6f1b626d503f xsa181-4.4.patch
 88c939c64b8f9fc9f86d0a30517d5455462d1ff837aa4285a9cb189b54c0cf20 xsa184-qemut-master.patch
 3877e19992c4532b8b2a37e151fe6a6187a1bbee2b54c1718b995260bb0fcf65 xsa184-qemuu-master.patch
+3328a1953ecdf4de35462ea8396b0927171d718e95f73a87a7f651427bd8f8b4 xsa185.patch
+be9fe85d36c2c1fbca246c1f4d834c3ef11b6ab3d5467da0ac8c079aa5a68de9 xsa187-4.7-0001-x86-shadow-Avoid-overflowing-sh_ctxt-seg.patch
+727b18ae83001f7ea04613aa7199ada3e6a84939aa44516f7c426e609d383b2a xsa187-4.4-0002-x86-segment-Bounds-check-accesses-to-emulation-ctx.patch
+9f374c2e1437ad71369f41275e7b333e7b7691a783ba693ee567c899bd78c722 xsa188.patch
 cefe2c82a30227b6538c6924d7d939192be3c481e48ac94c82f4c51f60388570 0001-libxl-Record-backend-frontend-paths-in-libxl-DOMID.patch
 f24b26891fac4e8bf8a0939a5b64fc7ad096ef699f1882aad6e96cf81b85fc3e 0002-libxl-Provide-libxl__backendpath_parse_domid.patch
 748ea9d369b1f8372d1a4c420e6a9d90f881b7142e7913ed5d72b99c07ac11a0 0003-libxl-Do-not-trust-frontend-in-libxl__devices_destro.patch
@@ -321,7 +338,6 @@ be5665c91b0dfd79c8c4bb35d5adfb719ab23a547479a14aacac9d5f46d77a0f 0006-libxl-Do-
 b57f96af3c1cac5f56a684afe223b4a977c144daf8d5f2a1e184697cd29fdbe2 0008-libxl-Do-not-trust-frontend-for-vtpm-in-getinfo.patch
 c8941fcf41edae75fa5a1b417d9b457fdd67a5531b6cf75dc16da9d63697c61f 0009-libxl-Do-not-trust-frontend-for-nic-in-libxl_devid_t.patch
 0641b38b7718d5fa84a8ce12a2bf034273caeb1e372f48b73170b3fd085f169c 0010-libxl-Do-not-trust-frontend-for-nic-in-getinfo.patch
-e61c52477a8d8aa79111d686b103202ff8a558d8b3356635288c1290789b7eb3 xsa176.patch
 5d8e426eb650b35702a63df9b729836c4c7a8bfd7888da600d41e09e5d547457 0001-libxl-Make-copy-of-every-xs-backend-in-libxl-in-_gen.patch
 693fe1757711ecb2631e6b922ef4514c172813a99f92a08b1d31843829b85366 0002-libxl-Do-not-trust-backend-for-vtpm-in-getinfo-excep.patch
 4baa48fbd2a93fcfae70a1162c2ebbf14324783392a49e905ad0e0d1f1dbc5c8 0003-libxl-Do-not-trust-backend-for-vtpm-in-getinfo-uuid.patch
@@ -361,9 +377,14 @@ sha512sums="dfb085f84ab6f160f73af9a0cccf85de597261313ca1a8139142ac1ded57e8c82c39
 1b6f700bd9239ec7fad8e9c6d3f3c83b051dd5bc374c92d131211688985f8d8389bc2c24aa784fe1647524af4bdebd50943187218e7cf842154b16b8d4fcd9db xsa170-4.5.patch
 8636f74b270b0ccf56ea6bab4c90d0ee909e5d2891987b4572df4a0906e2230e046aad0c99add6c1d70f7023cc6d99bcfd2947c953f600074a6ed7c176a5d3dc xsa172.patch
 0f916156724995abe68bdd66a704c2e80d5b9c7883fd406cbd67e47e626e5c309418d4117588388bdd626b0876c0f7664733815c492c29e0c9d3a46460a01124 xsa173-4.4.patch
+0f86e4e4ee94c22166174d018954f60d9700ea4d880f4ca41b6ae1b242a4e1649da305851ef4d9b3aa91d512411a3a423f1aadceb20714d160d4d97d145dc312 xsa176.patch
 c11965a710eb0ff7b3f7d4797882d6607e8091159b06267a190dc12e0292370a7682a8ec3b7036bb23b283bcacd8efb19d275efe441461fbf970b82989c8439a xsa181-4.4.patch
 14c07d077a9d60a03859ca1b92347517c93faf88db06f8cb0515e486a3919afa8401203161ff671dda8fbdb64e6ca5e86120f1b8f65e6bfaa63a8c6a33211bad xsa184-qemut-master.patch
 862e00d9cd126f8323f9c9706bf6ce7896d97e68e647416c699d9f2e01b88083a5fea346b13403577311384946912123f64bf5a568f1a6f92077d28923df54c6 xsa184-qemuu-master.patch
+6b774cfef049d457d89149a973b5a5af674b995726c88ce09278f4a64cb94f5b3c2c2380a6273475a13eb9cdd972f5429f393247ecca6463f6068d606ea74886 xsa185.patch
+d85bc3c56805ff5b3df6b85b2b34ff97d15fe254fc5a873b5c43c2c15564eea42753723a6296292a543e7b7dc83ad71f0fafe01fa6a6ebf82fa0a7268fc67486 xsa187-4.7-0001-x86-shadow-Avoid-overflowing-sh_ctxt-seg.patch
+cb3bcaa104a1e1a45f1fcb90682c1496f008d603dc9ea63e9b815628f6d1b6d439d450f67d633db34a08368b9594fb5aca70aa6c77035b24ae8f09f69d2b56db xsa187-4.4-0002-x86-segment-Bounds-check-accesses-to-emulation-ctx.patch
+171182bf8fd2d546a58bdd695729b24b6e8d121d6236dfb4c50144ee7697ae43c2d30d01af0412a7a60caabd79126b8eb94029192b4619cfefeca883d73d7991 xsa188.patch
 a78d27cbd0090521854a10d83180d58b4050c1ab8d8a7eef4639240ea24df5a03d8638795589479010a5de1a4df3ce64f705afc8971786ad981a87a545778014 0001-libxl-Record-backend-frontend-paths-in-libxl-DOMID.patch
 c7142a142413542e291df407621c16b7d3c0a4b8cfb4c3287f2be012ea72485cb2b8d70cffc3cf4393f664f7154e9cbe4a436ead044ef820f7ab8eee7f445625 0002-libxl-Provide-libxl__backendpath_parse_domid.patch
 fd9d3d113ecb74f8589a792e5461e61d2664939e601744671a064194e2c603533e01b3abd8ae42ce203916f9055b5438d481dd47236b84b20d8129b4159ee4ae 0003-libxl-Do-not-trust-frontend-in-libxl__devices_destro.patch
@@ -374,7 +395,6 @@ c45c06a8ddcd180044ccd49cbd108da16181b5fe64400bdd62bd54c5533b2c0102be7f180ae9f0aa
 12447525b319ae8912bbade257ab38730b70b43fa2c3056f567c9a9b5f95647c7d61eb43d82f2c526700224a080baae6f991bbc683d19fba416ffaa1c667a013 0008-libxl-Do-not-trust-frontend-for-vtpm-in-getinfo.patch
 20212bf1b0912548dd35f38166550195fad0debe46ade82979c68e0da8f30eedb87ec90ab547c4eebbcc0c56675c27037c0716da9339180412fbe5012e76ceda 0009-libxl-Do-not-trust-frontend-for-nic-in-libxl_devid_t.patch
 f88337c4c89d8bd8465fb227d944f1046e9ebb00739fe731004104d073ed0713e1dc42a6c21adf420f94a268515b8f3487bb22ac39fad02691b284eadcd2d7cb 0010-libxl-Do-not-trust-frontend-for-nic-in-getinfo.patch
-0f86e4e4ee94c22166174d018954f60d9700ea4d880f4ca41b6ae1b242a4e1649da305851ef4d9b3aa91d512411a3a423f1aadceb20714d160d4d97d145dc312 xsa176.patch
 25ad6f183890ea6a96b99d6bb6d1c70acf1f5eddba0acf2467c4a7bb349b6bb10dcf7c8b45d45867a1ec2ba96df3a1c614cfba4c6a246f7febce8f637a62d51e 0001-libxl-Make-copy-of-every-xs-backend-in-libxl-in-_gen.patch
 3b503a4a58e52366c27c999f0476471ce56d12069c97c07209f99f72d894b35c7ee40692c8d4bad376d0d458c51745ee974a653da759fc676d0f70b815097cdc 0002-libxl-Do-not-trust-backend-for-vtpm-in-getinfo-excep.patch
 09220bd7d5283df84d6c7451aaddd568eecea6afeb58f76cb105140732ebc6a70696e5cbd6b68ad12aaa8dc28bcb264d5f20832df43f34f927cc8b2e7dbfc7ae 0003-libxl-Do-not-trust-backend-for-vtpm-in-getinfo-uuid.patch
diff --git a/main/xen/xsa185.patch b/main/xen/xsa185.patch
new file mode 100644
index 0000000000..a4c133ee19
--- /dev/null
+++ b/main/xen/xsa185.patch
@@ -0,0 +1,38 @@
+From 30aba4992b18245c436f16df7326a16c01a51570 Mon Sep 17 00:00:00 2001
+From: Jan Beulich <jbeulich@suse.com>
+Date: Mon, 8 Aug 2016 10:58:12 +0100
+Subject: x86/32on64: don't allow recursive page tables from L3
+
+L3 entries are special in PAE mode, and hence can't reasonably be used
+for setting up recursive (and hence linear) page table mappings. Since
+abuse is possible when the guest in fact gets run on 4-level page
+tables, this needs to be excluded explicitly.
+
+This is XSA-185.
+
+Reported-by: Jérémie Boutoille <jboutoille@ext.quarkslab.com>
+Reported-by: 栾尚聪(好风) <shangcong.lsc@alibaba-inc.com>
+Signed-off-by: Jan Beulich <jbeulich@suse.com>
+Reviewed-by: Andrew Cooper <andrew.cooper3@citrix.com>
+---
+ xen/arch/x86/mm.c | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+diff --git a/xen/arch/x86/mm.c b/xen/arch/x86/mm.c
+index 109b8be..69b8b8d 100644
+--- a/xen/arch/x86/mm.c
++++ b/xen/arch/x86/mm.c
+@@ -1122,7 +1122,9 @@ get_page_from_l3e(
+
+ rc = get_page_and_type_from_pagenr(
+ l3e_get_pfn(l3e), PGT_l2_page_table, d, partial, 1);
+- if ( unlikely(rc == -EINVAL) && get_l3_linear_pagetable(l3e, pfn, d) )
++ if ( unlikely(rc == -EINVAL) &&
++ !is_pv_32bit_domain(d) &&
++ get_l3_linear_pagetable(l3e, pfn, d) )
+ rc = 0;
+
+ return rc;
+--
+2.1.4
+
diff --git a/main/xen/xsa187-4.4-0002-x86-segment-Bounds-check-accesses-to-emulation-ctx.patch b/main/xen/xsa187-4.4-0002-x86-segment-Bounds-check-accesses-to-emulation-ctx.patch
new file mode 100644
index 0000000000..ee891eac91
--- /dev/null
+++ b/main/xen/xsa187-4.4-0002-x86-segment-Bounds-check-accesses-to-emulation-ctx.patch
@@ -0,0 +1,142 @@
+From: Andrew Cooper <andrew.cooper3@citrix.com>
+Subject: x86/segment: Bounds check accesses to emulation ctxt->seg_reg[]
+
+HVM HAP codepaths have space for all segment registers in the seg_reg[]
+cache (with x86_seg_none still risking an array overrun), while the shadow
+codepaths only have space for the user segments.
+
+Range check the input segment of *_get_seg_reg() against the size of the array
+used to cache the results, to avoid overruns in the case that the callers
+don't filter their input suitably.
+
+Subsume the is_x86_user_segment(seg) checks from the shadow code, which were
+an incomplete attempt at range checking, and are now superceeded. Make
+hvm_get_seg_reg() static, as it is not used outside of shadow/common.c
+
+No functional change, but far easier to reason that no overflow is possible.
+
+Reported-by: Andrew Cooper <andrew.cooper3@citrix.com>
+Signed-off-by: Andrew Cooper <andrew.cooper3@citrix.com>
+Acked-by: Tim Deegan <tim@xen.org>
+Acked-by: Jan Beulich <jbeulich@suse.com>
+
+--- a/xen/arch/x86/hvm/emulate.c
++++ b/xen/arch/x86/hvm/emulate.c
+@@ -436,6 +436,8 @@ static int hvmemul_virtual_to_linear(
+ *reps = min_t(unsigned long, *reps, 4096);
+
+ reg = hvmemul_get_seg_reg(seg, hvmemul_ctxt);
++ if ( IS_ERR(reg) )
++ return -PTR_ERR(reg);
+
+ if ( (hvmemul_ctxt->ctxt.regs->eflags & X86_EFLAGS_DF) && (*reps > 1) )
+ {
+@@ -926,6 +928,10 @@ static int hvmemul_read_segment(
+ struct hvm_emulate_ctxt *hvmemul_ctxt =
+ container_of(ctxt, struct hvm_emulate_ctxt, ctxt);
+ struct segment_register *sreg = hvmemul_get_seg_reg(seg, hvmemul_ctxt);
++
++ if ( IS_ERR(sreg) )
++ return -PTR_ERR(sreg);
++
+ memcpy(reg, sreg, sizeof(struct segment_register));
+ return X86EMUL_OKAY;
+ }
+@@ -939,6 +945,9 @@ static int hvmemul_write_segment(
+ container_of(ctxt, struct hvm_emulate_ctxt, ctxt);
+ struct segment_register *sreg = hvmemul_get_seg_reg(seg, hvmemul_ctxt);
+
++ if ( IS_ERR(sreg) )
++ return -PTR_ERR(sreg);
++
+ memcpy(sreg, reg, sizeof(struct segment_register));
+ __set_bit(seg, &hvmemul_ctxt->seg_reg_dirty);
+
+@@ -1302,10 +1311,17 @@ void hvm_emulate_writeback(
+ }
+ }
+
++/*
++ * Callers which pass a known in-range x86_segment can rely on the return
++ * pointer being valid. Other callers must explicitly check for errors.
++ */
+ struct segment_register *hvmemul_get_seg_reg(
+ enum x86_segment seg,
+ struct hvm_emulate_ctxt *hvmemul_ctxt)
+ {
++ if ( seg < 0 || seg >= ARRAY_SIZE(hvmemul_ctxt->seg_reg) )
++ return ERR_PTR(-X86EMUL_UNHANDLEABLE);
++
+ if ( !__test_and_set_bit(seg, &hvmemul_ctxt->seg_reg_accessed) )
+ hvm_get_segment_register(current, seg, &hvmemul_ctxt->seg_reg[seg]);
+ return &hvmemul_ctxt->seg_reg[seg];
+--- a/xen/arch/x86/mm/shadow/common.c
++++ b/xen/arch/x86/mm/shadow/common.c
+@@ -120,10 +120,19 @@ __initcall(shadow_audit_key_init);
+ /* x86 emulator support for the shadow code
+ */
+
++/*
++ * Callers which pass a known in-range x86_segment can rely on the return
++ * pointer being valid. Other callers must explicitly check for errors.
++ */
+ struct segment_register *hvm_get_seg_reg(
+ enum x86_segment seg, struct sh_emulate_ctxt *sh_ctxt)
+ {
+- struct segment_register *seg_reg = &sh_ctxt->seg_reg[seg];
++ struct segment_register *seg_reg;
++
++ if ( seg < 0 || seg >= ARRAY_SIZE(sh_ctxt->seg_reg) )
++ return ERR_PTR(-X86EMUL_UNHANDLEABLE);
++
++ seg_reg = &sh_ctxt->seg_reg[seg];
+ if ( !__test_and_set_bit(seg, &sh_ctxt->valid_seg_regs) )
+ hvm_get_segment_register(current, seg, seg_reg);
+ return seg_reg;
+@@ -140,14 +149,9 @@ static int hvm_translate_linear_addr(
+ struct segment_register *reg;
+ int okay;
+
+- /*
+- * Can arrive here with non-user segments. However, no such cirucmstance
+- * is part of a legitimate pagetable update, so fail the emulation.
+- */
+- if ( !is_x86_user_segment(seg) )
+- return X86EMUL_UNHANDLEABLE;
+-
+ reg = hvm_get_seg_reg(seg, sh_ctxt);
++ if ( IS_ERR(reg) )
++ return -PTR_ERR(reg);
+
+ okay = hvm_virtual_to_linear_addr(
+ seg, reg, offset, bytes, access_type, sh_ctxt->ctxt.addr_size, paddr);
+@@ -249,9 +253,6 @@ hvm_emulate_write(enum x86_segment seg,
+ unsigned long addr;
+ int rc;
+
+- if ( !is_x86_user_segment(seg) )
+- return X86EMUL_UNHANDLEABLE;
+-
+ /* How many emulations could we save if we unshadowed on stack writes? */
+ if ( seg == x86_seg_ss )
+ perfc_incr(shadow_fault_emulate_stack);
+@@ -279,9 +280,6 @@ hvm_emulate_cmpxchg(enum x86_segment seg
+ unsigned long addr, old[2], new[2];
+ int rc;
+
+- if ( !is_x86_user_segment(seg) )
+- return X86EMUL_UNHANDLEABLE;
+-
+ rc = hvm_translate_linear_addr(
+ seg, offset, bytes, hvm_access_write, sh_ctxt, &addr);
+ if ( rc )
+--- a/xen/include/asm-x86/hvm/emulate.h
++++ b/xen/include/asm-x86/hvm/emulate.h
+@@ -13,6 +13,7 @@
+ #define __ASM_X86_HVM_EMULATE_H__
+
+ #include <xen/config.h>
++#include <xen/err.h>
+ #include <asm/x86_emulate.h>
+
+ struct hvm_emulate_ctxt {
diff --git a/main/xen/xsa187-4.7-0001-x86-shadow-Avoid-overflowing-sh_ctxt-seg.patch b/main/xen/xsa187-4.7-0001-x86-shadow-Avoid-overflowing-sh_ctxt-seg.patch
new file mode 100644
index 0000000000..bc99596083
--- /dev/null
+++ b/main/xen/xsa187-4.7-0001-x86-shadow-Avoid-overflowing-sh_ctxt-seg.patch
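Review bot: The description carried in this backport says `Make hvm_get_seg_reg() static, as it is not used outside of shadow/common.c`, but the `@@ -120,10 +120,19 @@` hunk keeps `struct segment_register *hvm_get_seg_reg(` as an unchanged context line, so the 4.4 version never makes it static and the text no longer matches the code. Since the file is vendored, the least intrusive fix is a line in the patch preamble such as `[4.4 backport: the static change is not carried, hvm_get_seg_reg() keeps external linkage]`, or an equivalent note next to the patch in the APKBUILD, so nobody comparing against the 4.7 commit concludes a hunk went missing. The `seg < 0` half of the new range check only does work if `enum x86_segment` has a signed underlying type on the build compiler; it is harmless otherwise beyond a possible type-limits warning, which is worth knowing if the build runs with warnings as errors. Every function touched by the embedded hunks extends beyond the lines shown.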
@@ -0,0 +1,42 @@
+From: Andrew Cooper <andrew.cooper3@citrix.com>
+Subject: x86/shadow: Avoid overflowing sh_ctxt->seg_reg[]
+
+hvm_get_seg_reg() does not perform a range check on its input segment, calls
+hvm_get_segment_register() and writes straight into sh_ctxt->seg_reg[].
+
+x86_seg_none is outside the bounds of sh_ctxt->seg_reg[], and will hit a BUG()
+in {vmx,svm}_get_segment_register().
+
+HVM guests running with shadow paging can end up performing a virtual to
+linear translation with x86_seg_none. This is used for addresses which are
+already linear. However, none of this is a legitimate pagetable update, so
+fail the emulation in such a case.
+
+This is XSA-187
+
+Reported-by: Andrew Cooper <andrew.cooper3@citrix.com>
+Signed-off-by: Andrew Cooper <andrew.cooper3@citrix.com>
+Reviewed-by: Tim Deegan <tim@xen.org>
+
+--- a/xen/arch/x86/mm/shadow/common.c
++++ b/xen/arch/x86/mm/shadow/common.c
+@@ -140,9 +140,18 @@ static int hvm_translate_linear_addr(
+ struct sh_emulate_ctxt *sh_ctxt,
+ unsigned long *paddr)
+ {
+- struct segment_register *reg = hvm_get_seg_reg(seg, sh_ctxt);
++ struct segment_register *reg;
+ int okay;
+
++ /*
++ * Can arrive here with non-user segments. However, no such cirucmstance
++ * is part of a legitimate pagetable update, so fail the emulation.
++ */
++ if ( !is_x86_user_segment(seg) )
++ return X86EMUL_UNHANDLEABLE;
++
++ reg = hvm_get_seg_reg(seg, sh_ctxt);
++
+ okay = hvm_virtual_to_linear_addr(
+ seg, reg, offset, bytes, access_type, sh_ctxt->ctxt.addr_size, paddr);
+
diff --git a/main/xen/xsa188.patch b/main/xen/xsa188.patch
new file mode 100644
index 0000000000..efa60a9d90
--- /dev/null
+++ b/main/xen/xsa188.patch
@@ -0,0 +1,23 @@
+evtchn-fifo: prevent use after free
+
+evtchn_fifo_init_control() calls evtchn_fifo_destroy() on an error
+path, leading to cleanup_event_array() which frees d->evtchn_fifo
+without also clearing the pointer. Otoh the bulk of
+evtchn_fifo_init_control() is dependent on d->evtchn_fifo being NULL.
+
+This is XSA-188.
+
+Reported-by: Mikhail V Gorobets <mikhail.v.gorobets@intel.com>
+Suggested-by: Mikhail V Gorobets <mikhail.v.gorobets@intel.com>
+Signed-off-by: Jan Beulich <jbeulich@suse.com>
+
+--- a/xen/common/event_fifo.c
++++ b/xen/common/event_fifo.c
+@@ -482,6 +482,7 @@ static void cleanup_event_array(struct d
+ for ( i = 0; i < EVTCHN_FIFO_MAX_EVENT_ARRAY_PAGES; i++ )
+ unmap_guest_page(d->evtchn_fifo->event_array[i]);
+ xfree(d->evtchn_fifo);
++ d->evtchn_fifo = NULL;
+ }
+
+ static void setup_ports(struct domain *d)