author | Natanael Copa <ncopa@alpinelinux.org> | 2015-01-23 09:06:40 +0000 |
---|---|---|
committer | Natanael Copa <ncopa@alpinelinux.org> | 2015-01-23 09:11:02 +0000 |
commit | 621b3e6ae3cef5a89353cb0868372c2b94ffa454 (patch) | |
tree | cac7bb05c5a82d191af7795cb9cc97c6a65a71b3 /main/xen/xsa116.patch | |
parent | bc7a651405864891312f3556d8f87c6bcb822c7b (diff) | |
main/xen: various sec fixes (xsa109 - xsa116)
ref #3704
XSA-116 CVE-2015-0361 xen crash due to use after free on hvm guest
teardown
XSA-114 CVE-2014-9065 CVE-2014-9066
p2m lock starvation
XSA-113 CVE-2014-9030 Guest effectable page reference leak in
MMU_MACHPHYS_UPDATE handling
XSA-112 CVE-2014-8867 Insufficient bounding of "REP MOVS" to MMIO
emulated inside the hypervisor
XSA-111 CVE-2014-8866 Excessive checking in compatibility mode
hypercall argument translation
XSA-110 CVE-2014-8595 Missing privilege level checks in x86 emulation
of far branches
XSA-109 CVE-2014-8594 Insufficient restrictions on certain MMU
update hypercalls
Diffstat (limited to 'main/xen/xsa116.patch')
-rw-r--r-- | main/xen/xsa116.patch | 33 |
1 files changed, 33 insertions, 0 deletions
diff --git a/main/xen/xsa116.patch b/main/xen/xsa116.patch
new file mode 100644
index 0000000000..816a9bd84e
--- /dev/null
+++ b/main/xen/xsa116.patch
@@ -0,0 +1,33 @@
+x86/HVM: prevent use-after-free when destroying a domain
+
+hvm_domain_relinquish_resources() can free certain domain resources
+which can still be accessed, e.g. by HVMOP_set_param, while the domain
+is being cleaned up.
+
+Signed-off-by: Mihai Donțu <mdontu@bitdefender.com>
+Tested-by: Răzvan Cojocaru <rcojocaru@bitdefender.com>
+Reviewed-by: Andrew Cooper <andrew.cooper3@citrix.com>
+Reviewed-by: Jan Beulich <jbeulich@suse.com>
+
+--- a/xen/arch/x86/hvm/hvm.c
++++ b/xen/arch/x86/hvm/hvm.c
+@@ -1487,9 +1487,6 @@ int hvm_domain_initialise(struct domain
+
+ void hvm_domain_relinquish_resources(struct domain *d)
+ {
+- xfree(d->arch.hvm_domain.io_handler);
+- xfree(d->arch.hvm_domain.params);
+-
+ if ( is_pvh_domain(d) )
+ return;
+
+@@ -1511,6 +1508,9 @@ void hvm_domain_relinquish_resources(str
+
+ void hvm_domain_destroy(struct domain *d)
+ {
++ xfree(d->arch.hvm_domain.io_handler);
++ xfree(d->arch.hvm_domain.params);
++
+ hvm_destroy_cacheattr_region_list(d);
+
+ if ( is_pvh_domain(d) ) |
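Review bot: The two `xfree()` calls that now open `hvm_domain_destroy()` carry no comment recording why they must not run in `hvm_domain_relinquish_resources()`, so a later tidy-up could move them back and reintroduce the use-after-free the patch header describes. A short comment above them would keep that lifetime rule next to the code, for example `/* Freed here, not in hvm_domain_relinquish_resources(): HVMOP_set_param can still reach these during teardown (XSA-116). */`. The frees also sit ahead of `hvm_destroy_cacheattr_region_list(d)` and the PVH early return, and the rest of `hvm_domain_destroy()` lies outside the patch context, so it is worth confirming against the full source that nothing later in that function reads `io_handler` or `params`.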