authorLeo <thinkabit.ukim@gmail.com>2020-04-19 10:21:18 -0300
committerLeo <thinkabit.ukim@gmail.com>2020-04-19 11:24:19 -0300
commit95332e4ed106c72d58a0a5490d0f608e3d76b83e (patch)
tree10ecf6182ac280ecab64dc73620b6f06cfdc9222 /main/xen/xsa318.patch
parent28f017cec2751a53781073a114e406a428f3f9a6 (diff)
main/xen: fix various security issues
Diffstat (limited to 'main/xen/xsa318.patch')
-rw-r--r--main/xen/xsa318.patch39
1 files changed, 39 insertions, 0 deletions
diff --git a/main/xen/xsa318.patch b/main/xen/xsa318.patch
new file mode 100644
index 0000000000..f4becdf81e
--- /dev/null
+++ b/main/xen/xsa318.patch
@@ -0,0 +1,39 @@
+From: Jan Beulich <jbeulich@suse.com>
+Subject: gnttab: fix GNTTABOP_copy continuation handling
+
+The XSA-226 fix was flawed - the backwards transformation on rc was done
+too early, causing a continuation to not get invoked when the need for
+preemption was determined at the very first iteration of the request.
+This in particular means that all of the status fields of the individual
+operations would be left untouched, i.e. set to whatever the caller may
+or may not have initialized them to.
+
+This is part of XSA-318.
+
+Reported-by: Pawel Wieczorkiewicz <wipawel@amazon.de>
+Tested-by: Pawel Wieczorkiewicz <wipawel@amazon.de>
+Signed-off-by: Jan Beulich <jbeulich@suse.com>
+Reviewed-by: Juergen Gross <jgross@suse.com>
+
+--- a/xen/common/grant_table.c
++++ b/xen/common/grant_table.c
+@@ -3576,8 +3576,7 @@ do_grant_table_op(
+ rc = gnttab_copy(copy, count);
+ if ( rc > 0 )
+ {
+- rc = count - rc;
+- guest_handle_add_offset(copy, rc);
++ guest_handle_add_offset(copy, count - rc);
+ uop = guest_handle_cast(copy, void);
+ }
+ break;
+@@ -3644,6 +3643,9 @@ do_grant_table_op(
+ out:
+ if ( rc > 0 || opaque_out != 0 )
+ {
++ /* Adjust rc, see gnttab_copy() for why this is needed. */
++ if ( cmd == GNTTABOP_copy )
++ rc = count - rc;
+ ASSERT(rc < count);
+ ASSERT((opaque_out & GNTTABOP_CMD_MASK) == 0);
+ rc = hypercall_create_continuation(__HYPERVISOR_grant_table_op, "ihi",
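Review bot: The comment added under `out:` in the second inner hunk only defers to gnttab_copy(), which is not part of this patch, so the reason the `rc = count - rc` conversion must come after the `rc > 0` test cannot be read at the place that depends on it. Going by the patch description, a positive rc from gnttab_copy() appears to count the operations still outstanding; converting it early turned a preemption on the first iteration into 0, the continuation was skipped, and the per-operation status fields stayed at whatever the caller had left in them. A self-contained wording such as `/* rc > 0 from gnttab_copy() is ops still to do (see there); convert to ops done only after the rc > 0 test, or a preemption at op 0 skips the continuation. */` would make that ordering harder to undo in a later cleanup. The only visible bound on the converted value is `ASSERT(rc < count)`, which is presumably compiled out of non-debug builds. The body of do_grant_table_op starts and ends outside both inner hunks, so any further check on rc cannot be confirmed from this page.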