authorLeonardo Arena <rnalrd@alpinelinux.org>2018-03-12 13:56:41 +0000
committerLeonardo Arena <rnalrd@alpinelinux.org>2018-03-12 13:58:06 +0000
commit0cfa2abffc5ad51933b5969c177bd1c441ea06f2 (patch)
tree5b61ec77c71bdde1d2a3ca26d7741471c6c8ffc7
parente97cc6b12291643f5d11a3ce92b0b6dc7d6076b3 (diff)
main/xen: security fixes
CVE-2018-7540 / XSA-252
CVE-2018-7541 / XSA-255

Fixes #8617
-rw-r--r--main/xen/APKBUILD19
-rw-r--r--main/xen/xsa252-4.6.patch25
-rw-r--r--main/xen/xsa255-4.6-1.patch126
-rw-r--r--main/xen/xsa255-4.6-2.patch187
4 files changed, 355 insertions, 2 deletions
diff --git a/main/xen/APKBUILD b/main/xen/APKBUILD
index 737460876b..f4f2d2760c 100644
--- a/main/xen/APKBUILD
+++ b/main/xen/APKBUILD
@@ -4,7 +4,7 @@
# Maintainer: William Pitcock <nenolod@dereferenced.org>
pkgname=xen
pkgver=4.6.6
-pkgrel=3
+pkgrel=4
pkgdesc="Xen hypervisor"
url="http://www.xen.org/"
arch="x86_64"
@@ -85,11 +85,14 @@ subpackages="$pkgname-doc $pkgname-dev $pkgname-libs $pkgname-hypervisor"
# - CVE-2017-15592 XSA-243
# - CVE-2017-15594 XSA-244
# - CVE-2017-17046 XSA-245
-# 4.6.3-r3:
+# 4.6.6-r3:
# - CVE-2017-17566 XSA-248
# - CVE-2017-17563 XSA-249
# - CVE-2017-17564 XSA-250
# - CVE-2017-17565 XSA-251
+# 4.6.3-r4:
+# - CVE-2018-7540, XSA-252
+# - CVE-2018-7541, XSA-255
# grep _VERSION= stubdom/configure
_ZLIB_VERSION="1.2.3"
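Review bot: The new changelog heading added as `# 4.6.3-r4:` carries the wrong version: this commit bumps pkgrel to 4 on pkgver 4.6.6, and the heading directly above it is corrected in the same hunk from 4.6.3-r3 to 4.6.6-r3, so the new one should read `# 4.6.6-r4:` to match. This comment block is what a reader checks to confirm which XSAs shipped in a given Alpine package release, so a mislabelled heading suggests the XSA-252/XSA-255 fixes landed in a different release than they did. The two CVE/XSA lines beneath it agree with the commit message and the patch files added in this commit.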
@@ -149,6 +152,9 @@ source="https://downloads.xenproject.org/release/xen/$pkgver/$pkgname-$pkgver.ta
xsa249.patch
xsa250.patch
xsa251-4.8.patch
+ xsa252-4.6.patch
+ xsa255-4.6-1.patch
+ xsa255-4.6-2.patch
xenstore_client_transaction_fix.patch
qemu-coroutine-gthread.patch
@@ -378,6 +384,9 @@ ed39b07fbee1f07d767921732806578b xsa246-4.7.patch
bf2dee471f8b9d235005f62f8db581c1 xsa249.patch
06cdce66d0fb6ae33e0fa05af8c7fc71 xsa250.patch
486252987844bc59c4fb468cd485fdf3 xsa251-4.8.patch
+ac62001428e32ca965850eb1a6b1fe61 xsa252-4.6.patch
+c9e31b5a50d4fa11564a837dce3086ff xsa255-4.6-1.patch
+3ad014bba5878afe4687219cb3bebdf4 xsa255-4.6-2.patch
b05500e9fdcec5a076ab8817fc313ac3 xenstore_client_transaction_fix.patch
de1a3db370b87cfb0bddb51796b50315 qemu-coroutine-gthread.patch
08bfdf8caff5d631f53660bf3fd4edaf qemu-xen_paths.patch
@@ -443,6 +452,9 @@ dce7e6c1961a85f59d20a3a98ea02d677a4956c3caf5273ea0b890d977cda3e5 0001-p2m-Alway
e99066b0171d4757c6a66e1223aabe01e990de2d0dc50416936e064e6e750d00 xsa249.patch
adf4d8242dbddb4ec52fe1effc1f8b233d33d8d6a59c1bb677dcc6e2ed2bf711 xsa250.patch
f8cecf013a3628038e0a4566778852a560b25a1ce2f3872a989087ab2fc9a913 xsa251-4.8.patch
+b7ba005fa62ace07f4880cc79824968c24ead3182245e4ed3a6e22cf8d2d7c05 xsa252-4.6.patch
+be62d81583df10a6be275427d5cfa02084c8717473b3694cd2a9bbdc10cbadcb xsa255-4.6-1.patch
+3dd58114c5ce68fd8dd43f8f92eaafdcec1fd9add37eb41faed1cf818058539a xsa255-4.6-2.patch
c9691bd43a87a939d9a883279813c405eb5ac428a4f4f89e8eef01fbb4d2d6d1 xenstore_client_transaction_fix.patch
3941f99b49c7e8dafc9fae8aad2136a14c6d84533cd542cc5f1040a41ef7c6fe qemu-coroutine-gthread.patch
e4e5e838e259a3116978aabbcebc1865a895179a7fcbf4bad195c83e9b4c0f98 qemu-xen_paths.patch
@@ -508,6 +520,9 @@ d8da3b041341f322e553a0c68ff173b7a6e47c8608f3e4b21a9438a0741a9bc722cf33f545a82e7e
05a2e954bab1877500eb5ed3a8c49edb27411ed3ec9dbfb2115b7804a3b03c6d45c9f08a7ed96ff2b586346f321142065a8c5a5d996468496b373637b6ee31b9 xsa249.patch
b3030f09ddb4f9e4a356519c7b74d393e8db085278a1e616788c81d19988699a6efdd8568277c25514f3298ca92e5a09e3cd08b0a308a4d2ddb55374a8445657 xsa250.patch
22ac1c788e5c4c6b03e4d6c04ef97819fda4d5fb22015aa3a79d2f9a7dbac050f0b516401c0392c237576087306a810155a2dcdc6918d3de46f1ceb06b0b8a25 xsa251-4.8.patch
+a0264d255f9d214a1a3b27fb0a80790084c5e4a5534ae291089d1c9f0c9126623116a6ff4228bd29d20b2834a2997280aabc0a5235410ef996cf59265ca33b3c xsa252-4.6.patch
+46ad17fb615de4bcc23e8faa79f7d647d7df1acbc55b46e542662619a35198247ebdd19ee3d77eee9c4571b1309cb0c910e6509453a3e9f2b1e069c09b762f7c xsa255-4.6-1.patch
+bae474a1e648dc635c708f63c3b55775d3053ebf051ca2d1dcec98bdca7e5152744011f9545baa426b0251cdefb9121a614b66a9eba2635e14f7fea11bb1d35b xsa255-4.6-2.patch
69dfa60628ca838678862383528654ecbdf4269cbb5c9cfb6b84d976202a8dea85d711aa65a52fa1b477fb0b30604ca70cf1337192d6fb9388a08bbe7fe56077 xenstore_client_transaction_fix.patch
c3c46f232f0bd9f767b232af7e8ce910a6166b126bd5427bb8dc325aeb2c634b956de3fc225cab5af72649070c8205cc8e1cab7689fc266c204f525086f1a562 qemu-coroutine-gthread.patch
1936ab39a1867957fa640eb81c4070214ca4856a2743ba7e49c0cd017917071a9680d015f002c57fa7b9600dbadd29dcea5887f50e6c133305df2669a7a933f3 qemu-xen_paths.patch
diff --git a/main/xen/xsa252-4.6.patch b/main/xen/xsa252-4.6.patch
new file mode 100644
index 0000000000..8fb1068228
--- /dev/null
+++ b/main/xen/xsa252-4.6.patch
@@ -0,0 +1,25 @@
+From: Jan Beulich <jbeulich@suse.com>
+Subject: memory: don't implicitly unpin for decrease-reservation
+
+It very likely was a mistake (copy-and-paste from domain cleanup code)
+to implicitly unpin here: The caller should really unpin itself before
+(or after, if they so wish) requesting the page to be removed.
+
+This is XSA-252.
+
+Reported-by: Jann Horn <jannh@google.com>
+Signed-off-by: Jan Beulich <jbeulich@suse.com>
+Reviewed-by: Andrew Cooper <andrew.cooper3@citrix.com>
+
+--- a/xen/common/memory.c
++++ b/xen/common/memory.c
+@@ -316,9 +316,6 @@ int guest_remove_page(struct domain *d,
+
+ rc = guest_physmap_remove_page(d, gmfn, mfn, 0);
+
+- if ( !rc && test_and_clear_bit(_PGT_pinned, &page->u.inuse.type_info) )
+- put_page_and_type(page);
+-
+ if ( !rc && test_and_clear_bit(_PGC_allocated, &page->count_info) )
+ put_page(page);
+
diff --git a/main/xen/xsa255-4.6-1.patch b/main/xen/xsa255-4.6-1.patch
new file mode 100644
index 0000000000..84455a7c02
--- /dev/null
+++ b/main/xen/xsa255-4.6-1.patch
@@ -0,0 +1,126 @@
+From: Jan Beulich <jbeulich@suse.com>
+Subject: gnttab/ARM: don't corrupt shared GFN array
+
+... by writing status GFNs to it. Introduce a second array instead.
+Also implement gnttab_status_gmfn() properly now that the information is
+suitably being tracked.
+
+While touching it anyway, remove a misguided (but luckily benign) upper
+bound check from gnttab_shared_gmfn(): We should never access beyond the
+bounds of that array.
+
+This is part of XSA-255.
+
+Signed-off-by: Jan Beulich <jbeulich@suse.com>
+Reviewed-by: Stefano Stabellini <sstabellini@kernel.org>
+Reviewed-by: Andrew Cooper <andrew.cooper3@citrix.com>
+
+--- a/xen/arch/arm/domain.c
++++ b/xen/arch/arm/domain.c
+@@ -428,19 +428,37 @@ void startup_cpu_idle_loop(void)
+ struct domain *alloc_domain_struct(void)
+ {
+ struct domain *d;
++ unsigned int i, max_status_frames;
++
+ BUILD_BUG_ON(sizeof(*d) > PAGE_SIZE);
+ d = alloc_xenheap_pages(0, 0);
+ if ( d == NULL )
+ return NULL;
+
+ clear_page(d);
+- d->arch.grant_table_gpfn = xzalloc_array(xen_pfn_t, max_grant_frames);
++
++ d->arch.grant_shared_gfn = xmalloc_array(gfn_t, max_grant_frames);
++ max_status_frames = grant_to_status_frames(max_grant_frames);
++ d->arch.grant_status_gfn = xmalloc_array(gfn_t, max_status_frames);
++ if ( !d->arch.grant_shared_gfn || !d->arch.grant_status_gfn )
++ {
++ free_domain_struct(d);
++ return NULL;
++ }
++
++ for ( i = 0; i < max_grant_frames; ++i )
++ d->arch.grant_shared_gfn[i] = _gfn(INVALID_GFN);
++
++ for ( i = 0; i < max_status_frames; ++i )
++ d->arch.grant_status_gfn[i] = _gfn(INVALID_GFN);
++
+ return d;
+ }
+
+ void free_domain_struct(struct domain *d)
+ {
+- xfree(d->arch.grant_table_gpfn);
++ xfree(d->arch.grant_shared_gfn);
++ xfree(d->arch.grant_status_gfn);
+ free_xenheap_page(d);
+ }
+
+--- a/xen/arch/arm/mm.c
++++ b/xen/arch/arm/mm.c
+@@ -1057,6 +1057,7 @@ int xenmem_add_to_physmap_one(
+ int rc;
+ p2m_type_t t;
+ struct page_info *page = NULL;
++ bool_t status = 0;
+
+ switch ( space )
+ {
+@@ -1074,6 +1075,7 @@ int xenmem_add_to_physmap_one(
+ mfn = virt_to_mfn(d->grant_table->status[idx]);
+ else
+ mfn = INVALID_MFN;
++ status = 1;
+ }
+ else
+ {
+@@ -1089,7 +1091,10 @@ int xenmem_add_to_physmap_one(
+
+ if ( mfn != INVALID_MFN )
+ {
+- d->arch.grant_table_gpfn[idx] = gpfn;
++ if ( status )
++ d->arch.grant_status_gfn[idx] = _gfn(gpfn);
++ else
++ d->arch.grant_shared_gfn[idx] = _gfn(gpfn);
+
+ t = p2m_ram_rw;
+ }
+--- a/xen/include/asm-arm/domain.h
++++ b/xen/include/asm-arm/domain.h
+@@ -52,7 +52,8 @@ struct arch_domain
+ uint64_t vttbr;
+
+ struct hvm_domain hvm_domain;
+- xen_pfn_t *grant_table_gpfn;
++ gfn_t *grant_shared_gfn;
++ gfn_t *grant_status_gfn;
+
+ struct io_handler io_handlers;
+ /* Continuable domain_relinquish_resources(). */
+--- a/xen/include/asm-arm/grant_table.h
++++ b/xen/include/asm-arm/grant_table.h
+@@ -14,7 +14,6 @@ int replace_grant_host_mapping(unsigned
+ unsigned long new_gpaddr, unsigned int flags);
+ void gnttab_mark_dirty(struct domain *d, unsigned long l);
+ #define gnttab_create_status_page(d, t, i) do {} while (0)
+-#define gnttab_status_gmfn(d, t, i) (0)
+ #define gnttab_release_host_mappings(domain) 1
+ static inline int replace_grant_supported(void)
+ {
+@@ -29,8 +28,12 @@ static inline int replace_grant_supporte
+ } while ( 0 )
+
+ #define gnttab_shared_gmfn(d, t, i) \
+- ( ((i >= nr_grant_frames(d->grant_table)) && \
+- (i < max_grant_frames)) ? 0 : (d->arch.grant_table_gpfn[i]))
++ gfn_x(((i) >= nr_grant_frames(t)) ? _gfn(INVALID_GFN) \
++ : (d)->arch.grant_shared_gfn[i])
++
++#define gnttab_status_gmfn(d, t, i) \
++ gfn_x(((i) >= nr_status_frames(t)) ? _gfn(INVALID_GFN) \
++ : (d)->arch.grant_status_gfn[i])
+
+ #define gnttab_need_iommu_mapping(d) \
+ (is_domain_direct_mapped(d) && need_iommu(d))
diff --git a/main/xen/xsa255-4.6-2.patch b/main/xen/xsa255-4.6-2.patch
new file mode 100644
index 0000000000..5fdfd12966
--- /dev/null
+++ b/main/xen/xsa255-4.6-2.patch
@@ -0,0 +1,187 @@
+From: Jan Beulich <jbeulich@suse.com>
+Subject: gnttab: don't blindly free status pages upon version change
+
+There may still be active mappings, which would trigger the respective
+BUG_ON(). Split the loop into one dealing with the page attributes and
+the second (when the first fully passed) freeing the pages. Return an
+error if any pages still have pending references.
+
+This is part of XSA-255.
+
+Signed-off-by: Jan Beulich <jbeulich@suse.com>
+Reviewed-by: Stefano Stabellini <sstabellini@kernel.org>
+Reviewed-by: Andrew Cooper <andrew.cooper3@citrix.com>
+
+--- a/xen/arch/arm/mm.c
++++ b/xen/arch/arm/mm.c
+@@ -1089,12 +1089,23 @@ int xenmem_add_to_physmap_one(
+ mfn = INVALID_MFN;
+ }
+
++ if ( mfn != INVALID_MFN &&
++ gfn_x(gnttab_get_frame_gfn(d, status, idx)) != INVALID_GFN )
++ {
++ rc = guest_physmap_remove_page(d,
++ gfn_x(gnttab_get_frame_gfn(d, status,
++ idx)),
++ mfn, 0);
++ if ( rc )
++ {
++ write_unlock(&d->grant_table->lock);
++ return rc;
++ }
++ }
++
+ if ( mfn != INVALID_MFN )
+ {
+- if ( status )
+- d->arch.grant_status_gfn[idx] = _gfn(gpfn);
+- else
+- d->arch.grant_shared_gfn[idx] = _gfn(gpfn);
++ gnttab_set_frame_gfn(d, status, idx, _gfn(gpfn));
+
+ t = p2m_ram_rw;
+ }
+--- a/xen/common/grant_table.c
++++ b/xen/common/grant_table.c
+@@ -1512,23 +1512,74 @@ status_alloc_failed:
+ return -ENOMEM;
+ }
+
+-static void
++static int
+ gnttab_unpopulate_status_frames(struct domain *d, struct grant_table *gt)
+ {
+- int i;
++ unsigned int i;
+
+ for ( i = 0; i < nr_status_frames(gt); i++ )
+ {
+ struct page_info *pg = virt_to_page(gt->status[i]);
++ gfn_t gfn = gnttab_get_frame_gfn(d, 1, i);
++
++ /*
++ * For translated domains, recovering from failure after partial
++ * changes were made is more complicated than it seems worth
++ * implementing at this time. Hence respective error paths below
++ * crash the domain in such a case.
++ */
++ if ( paging_mode_translate(d) )
++ {
++ int rc = gfn_x(gfn) == INVALID_GFN
++ ? 0
++ : guest_physmap_remove_page(d, gfn_x(gfn),
++ page_to_mfn(pg), 0);
++
++ if ( rc )
++ {
++ gprintk(XENLOG_ERR,
++ "Could not remove status frame %u (GFN %#lx) from P2M\n",
++ i, gfn_x(gfn));
++ domain_crash(d);
++ return rc;
++ }
++ gnttab_set_frame_gfn(d, 1, i, _gfn(INVALID_GFN));
++ }
+
+ BUG_ON(page_get_owner(pg) != d);
+ if ( test_and_clear_bit(_PGC_allocated, &pg->count_info) )
+ put_page(pg);
+- BUG_ON(pg->count_info & ~PGC_xen_heap);
++
++ if ( pg->count_info & ~PGC_xen_heap )
++ {
++ if ( paging_mode_translate(d) )
++ {
++ gprintk(XENLOG_ERR,
++ "Wrong page state %#lx of status frame %u (GFN %#lx)\n",
++ pg->count_info, i, gfn_x(gfn));
++ domain_crash(d);
++ }
++ else
++ {
++ if ( get_page(pg, d) )
++ set_bit(_PGC_allocated, &pg->count_info);
++ while ( i-- )
++ gnttab_create_status_page(d, gt, i);
++ }
++ return -EBUSY;
++ }
++
++ page_set_owner(pg, NULL);
++ }
++
++ for ( i = 0; i < nr_status_frames(gt); i++ )
++ {
+ free_xenheap_page(gt->status[i]);
+ gt->status[i] = NULL;
+ }
+ gt->nr_status_frames = 0;
++
++ return 0;
+ }
+
+ /*
+@@ -2768,8 +2819,9 @@ gnttab_set_version(XEN_GUEST_HANDLE_PARA
+ break;
+ }
+
+- if ( op.version < 2 && gt->gt_version == 2 )
+- gnttab_unpopulate_status_frames(currd, gt);
++ if ( op.version < 2 && gt->gt_version == 2 &&
++ (res = gnttab_unpopulate_status_frames(currd, gt)) != 0 )
++ goto out_unlock;
+
+ /* Make sure there's no crud left over from the old version. */
+ for ( i = 0; i < nr_grant_frames(gt); i++ )
+--- a/xen/include/asm-arm/grant_table.h
++++ b/xen/include/asm-arm/grant_table.h
+@@ -20,6 +20,17 @@ static inline int replace_grant_supporte
+ return 1;
+ }
+
++#define gnttab_set_frame_gfn(d, st, idx, gfn) \
++ do { \
++ ((st) ? (d)->arch.grant_status_gfn \
++ : (d)->arch.grant_shared_gfn)[idx] = (gfn); \
++ } while ( 0 )
++
++#define gnttab_get_frame_gfn(d, st, idx) ({ \
++ _gfn((st) ? gnttab_status_gmfn(d, (d)->grant_table, idx) \
++ : gnttab_shared_gmfn(d, (d)->grant_table, idx)); \
++})
++
+ #define gnttab_create_shared_page(d, t, i) \
+ do { \
+ share_xen_page_with_guest( \
+--- a/xen/include/asm-x86/grant_table.h
++++ b/xen/include/asm-x86/grant_table.h
+@@ -18,6 +18,14 @@ int create_grant_host_mapping(uint64_t a
+ int replace_grant_host_mapping(
+ uint64_t addr, unsigned long frame, uint64_t new_addr, unsigned int flags);
+
++#define gnttab_set_frame_gfn(d, st, idx, gfn) do {} while ( 0 )
++#define gnttab_get_frame_gfn(d, st, idx) ({ \
++ unsigned long mfn_ = (st) ? gnttab_status_mfn((d)->grant_table, idx) \
++ : gnttab_shared_mfn((d)->grant_table, idx); \
++ unsigned long gpfn_ = get_gpfn_from_mfn(mfn_); \
++ _gfn(VALID_M2P(gpfn_) ? gpfn_ : INVALID_GFN); \
++})
++
+ #define gnttab_create_shared_page(d, t, i) \
+ do { \
+ share_xen_page_with_guest( \
+@@ -33,11 +41,11 @@ int replace_grant_host_mapping(
+ } while ( 0 )
+
+
+-#define gnttab_shared_mfn(d, t, i) \
++#define gnttab_shared_mfn(t, i) \
+ ((virt_to_maddr((t)->shared_raw[i]) >> PAGE_SHIFT))
+
+ #define gnttab_shared_gmfn(d, t, i) \
+- (mfn_to_gmfn(d, gnttab_shared_mfn(d, t, i)))
++ (mfn_to_gmfn(d, gnttab_shared_mfn(t, i)))
+
+
+ #define gnttab_status_mfn(t, i) \