author | Leo <thinkabit.ukim@gmail.com> | 2020-04-19 10:21:18 -0300 |
---|---|---|
committer | Leo <thinkabit.ukim@gmail.com> | 2020-04-19 11:24:19 -0300 |
commit | 95332e4ed106c72d58a0a5490d0f608e3d76b83e (patch) | |
tree | 10ecf6182ac280ecab64dc73620b6f06cfdc9222 /main/xen/xsa318.patch | |
parent | 28f017cec2751a53781073a114e406a428f3f9a6 (diff) | |
main/xen: fix various security issues
For #11400
Fixed CVEs:
- CVE-2020-11739
- CVE-2020-11740
- CVE-2020-11741
- CVE-2020-11742
- CVE-2020-11743
Diffstat (limited to 'main/xen/xsa318.patch')
-rw-r--r-- | main/xen/xsa318.patch | 39 |
1 files changed, 39 insertions, 0 deletions
diff --git a/main/xen/xsa318.patch b/main/xen/xsa318.patch new file mode 100644 index 0000000000..f4becdf81e --- /dev/null +++ b/main/xen/xsa318.patch @@ -0,0 +1,39 @@ +From: Jan Beulich <jbeulich@suse.com> +Subject: gnttab: fix GNTTABOP_copy continuation handling + +The XSA-226 fix was flawed - the backwards transformation on rc was done +too early, causing a continuation to not get invoked when the need for +preemption was determined at the very first iteration of the request. +This in particular means that all of the status fields of the individual +operations would be left untouched, i.e. set to whatever the caller may +or may not have initialized them to. + +This is part of XSA-318. + +Reported-by: Pawel Wieczorkiewicz <wipawel@amazon.de> +Tested-by: Pawel Wieczorkiewicz <wipawel@amazon.de> +Signed-off-by: Jan Beulich <jbeulich@suse.com> +Reviewed-by: Juergen Gross <jgross@suse.com> + +--- a/xen/common/grant_table.c ++++ b/xen/common/grant_table.c +@@ -3576,8 +3576,7 @@ do_grant_table_op( + rc = gnttab_copy(copy, count); + if ( rc > 0 ) + { +- rc = count - rc; +- guest_handle_add_offset(copy, rc); ++ guest_handle_add_offset(copy, count - rc); + uop = guest_handle_cast(copy, void); + } + break; +@@ -3644,6 +3643,9 @@ do_grant_table_op( + out: + if ( rc > 0 || opaque_out != 0 ) + { ++ /* Adjust rc, see gnttab_copy() for why this is needed. */ ++ if ( cmd == GNTTABOP_copy ) ++ rc = count - rc; + ASSERT(rc < count); + ASSERT((opaque_out & GNTTABOP_CMD_MASK) == 0); + rc = hypercall_create_continuation(__HYPERVISOR_grant_table_op, "ihi", |
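Review bot: In the `GNTTABOP_copy` case of the first grant_table.c hunk, `rc` now leaves the `if ( rc > 0 )` block still holding the value gnttab_copy() returned instead of the offset `count - rc`, and nothing at that site says this is deliberate. The only comment is in the `out:` path, and it points the reader to gnttab_copy() rather than to this case. A one-line comment here stating that rc is intentionally left untransformed until `out:` would keep a later edit from changing one site without the other.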
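Review bot: In the `out:` hunk, the added `if ( cmd == GNTTABOP_copy ) rc = count - rc;` sits inside `if ( rc > 0 || opaque_out != 0 )`, so it also runs when that block is entered only through `opaque_out != 0` while rc is zero or negative. With rc == 0 it produces rc == count, and with a negative rc a value above count, and either one trips the `ASSERT(rc < count)` on the next line. If a copy request can never arrive here with a non-zero opaque_out, the comment should say so; otherwise the adjustment should be guarded with `rc > 0` as well as the cmd check.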