Diffstat (limited to 'main/xen/xsa22-4.2-unstable.patch')
-rw-r--r--main/xen/xsa22-4.2-unstable.patch40
1 files changed, 40 insertions, 0 deletions
diff --git a/main/xen/xsa22-4.2-unstable.patch b/main/xen/xsa22-4.2-unstable.patch
new file mode 100644
index 0000000000..e15fd73534
--- /dev/null
+++ b/main/xen/xsa22-4.2-unstable.patch
@@ -0,0 +1,40 @@
+x86/physmap: Prevent incorrect updates of m2p mappings
+
+In certain conditions, such as low memory, set_p2m_entry() can fail.
+Currently, the p2m and m2p tables will get out of sync because we still
+update the m2p table after the p2m update has failed.
+
+If that happens, subsequent guest-invoked memory operations can cause
+BUG()s and ASSERT()s to kill Xen.
+
+This is fixed by only updating the m2p table iff the p2m was
+successfully updated.
+
+This is a security problem, XSA-22 / CVE-2012-4537.
+
+Signed-off-by: Andrew Cooper <andrew.cooper3@citrix.com>
+Acked-by: Ian Campbell <ian.campbell@citrix.com>
+Acked-by: Ian Jackson <ian.jackson@eu.citrix.com>
+
+diff -r f53b9f915c3d xen/arch/x86/mm/p2m.c
+--- a/xen/arch/x86/mm/p2m.c
++++ b/xen/arch/x86/mm/p2m.c
+@@ -633,7 +633,10 @@ guest_physmap_add_entry(struct domain *d
+ if ( mfn_valid(_mfn(mfn)) )
+ {
+ if ( !set_p2m_entry(p2m, gfn, _mfn(mfn), page_order, t, p2m->default_access) )
++ {
+ rc = -EINVAL;
++ goto out; /* Failed to update p2m, bail without updating m2p. */
++ }
+ if ( !p2m_is_grant(t) )
+ {
+ for ( i = 0; i < (1UL << page_order); i++ )
+@@ -656,6 +659,7 @@ guest_physmap_add_entry(struct domain *d
+ }
+ }
+
++out:
+ p2m_unlock(p2m);
+
+ return rc;
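Review bot: The early `goto out` added after the failed set_p2m_entry() call skips the m2p loop but does not undo whatever guest_physmap_add_entry did before this point, which lies outside the hunk, so it should be confirmed that those earlier steps leave p2m and m2p consistent on this path and that every caller acts on the returned rc. The branch keeps the existing `rc = -EINVAL` even though the description gives low memory as a cause; a short comment such as `/* set_p2m_entry() reports no reason, so -EINVAL also covers allocation failure */` would keep callers from misreading it. The diffstat here is limited to the patch file, so whether the package's build recipe actually applies it cannot be seen on this page and is worth checking.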