diff options
| author | Natanael Copa <ncopa@alpinelinux.org> | 2014-10-23 09:28:52 +0000 |
|---|---|---|
| committer | Natanael Copa <ncopa@alpinelinux.org> | 2014-10-23 09:48:32 +0000 |
| commit | 9cba7900153b15f9070445e546fd8244cb2da8f1 (patch) | |
| tree | cbccb037c3b72a9c8f240294fcc026759c8da37b /main/xen/xsa104.patch | |
| parent | 256f4e7e9f920e61c9a0f213d108851dd6eee97c (diff) | |
| download | aports-2.5-stable.tar.bz2 aports-2.5-stable.tar.xz | |
main/xen: security upgrade to 4.2.5 and patches2.5-stable
The 4.2.5 release fixes:
CVE-2014-2599 / XSA-89 HVMOP_set_mem_access is not preemptible
CVE-2014-3124 / XSA-92 HVMOP_set_mem_type allows invalid P2M entries to be
created
CVE-2014-3967,CVE-2014-3968 / XSA-96 Vulnerabilities in HVM MSI injection
CVE-2014-4021 / XSA-100 Hypervisor heap contents leaked to guests
In addition we add patches for:
CVE-2014-7154 / XSA-104 Race condition in HVMOP_track_dirty_vram
CVE-2014-7155 / XSA-105 Missing privilege level checks in x86 HLT, LGDT,
LIDT, and LMSW emulation
CVE-2014-7156 / XSA-106 Missing privilege level checks in x86 emulation of
software interrupts
CVE-2014-7188 / XSA-108 Improper MSR range used for x2APIC emulation
fixes #3412
fixes #3457
Diffstat (limited to 'main/xen/xsa104.patch')
| -rw-r--r-- | main/xen/xsa104.patch | 44 |
1 files changed, 44 insertions, 0 deletions
diff --git a/main/xen/xsa104.patch b/main/xen/xsa104.patch new file mode 100644 index 0000000000..2c5b39ee9b --- /dev/null +++ b/main/xen/xsa104.patch @@ -0,0 +1,44 @@ +x86/shadow: fix race condition sampling the dirty vram state + +d->arch.hvm_domain.dirty_vram must be read with the domain's paging lock held. + +If not, two concurrent hypercalls could both end up attempting to free +dirty_vram (the second of which will free a wild pointer), or both end up +allocating a new dirty_vram structure (the first of which will be leaked). + +This is XSA-104. + +Signed-off-by: Andrew Cooper <andrew.cooper3@citrix.com> +Reviewed-by: Tim Deegan <tim@xen.org> + +--- a/xen/arch/x86/mm/shadow/common.c ++++ b/xen/arch/x86/mm/shadow/common.c +@@ -3485,7 +3485,7 @@ int shadow_track_dirty_vram(struct domai + int flush_tlb = 0; + unsigned long i; + p2m_type_t t; +- struct sh_dirty_vram *dirty_vram = d->arch.hvm_domain.dirty_vram; ++ struct sh_dirty_vram *dirty_vram; + struct p2m_domain *p2m = p2m_get_hostp2m(d); + + if ( end_pfn < begin_pfn || end_pfn > p2m->max_mapped_pfn + 1 ) +@@ -3495,6 +3495,8 @@ int shadow_track_dirty_vram(struct domai + p2m_lock(p2m_get_hostp2m(d)); + paging_lock(d); + ++ dirty_vram = d->arch.hvm_domain.dirty_vram; ++ + if ( dirty_vram && (!nr || + ( begin_pfn != dirty_vram->begin_pfn + || end_pfn != dirty_vram->end_pfn )) ) +--- a/xen/include/asm-x86/hvm/domain.h ++++ b/xen/include/asm-x86/hvm/domain.h +@@ -112,7 +112,7 @@ struct hvm_domain { + /* Memory ranges with pinned cache attributes. */ + struct list_head pinned_cacheattr_ranges; + +- /* VRAM dirty support. */ ++ /* VRAM dirty support. Protect with the domain paging lock. */ + struct sh_dirty_vram *dirty_vram; + + /* If one of vcpus of this domain is in no_fill_mode or |