diff options
Diffstat (limited to 'main/xen/xsa22-4.2-unstable.patch')
-rw-r--r-- | main/xen/xsa22-4.2-unstable.patch | 40 |
1 files changed, 40 insertions, 0 deletions
diff --git a/main/xen/xsa22-4.2-unstable.patch b/main/xen/xsa22-4.2-unstable.patch new file mode 100644 index 0000000000..e15fd73534 --- /dev/null +++ b/main/xen/xsa22-4.2-unstable.patch @@ -0,0 +1,40 @@ +x86/physmap: Prevent incorrect updates of m2p mappings + +In certain conditions, such as low memory, set_p2m_entry() can fail. +Currently, the p2m and m2p tables will get out of sync because we still +update the m2p table after the p2m update has failed. + +If that happens, subsequent guest-invoked memory operations can cause +BUG()s and ASSERT()s to kill Xen. + +This is fixed by only updating the m2p table iff the p2m was +successfully updated. + +This is a security problem, XSA-22 / CVE-2012-4537. + +Signed-off-by: Andrew Cooper <andrew.cooper3@citrix.com> +Acked-by: Ian Campbell <ian.campbell@citrix.com> +Acked-by: Ian Jackson <ian.jackson@eu.citrix.com> + +diff -r f53b9f915c3d xen/arch/x86/mm/p2m.c +--- a/xen/arch/x86/mm/p2m.c ++++ b/xen/arch/x86/mm/p2m.c +@@ -633,7 +633,10 @@ guest_physmap_add_entry(struct domain *d + if ( mfn_valid(_mfn(mfn)) ) + { + if ( !set_p2m_entry(p2m, gfn, _mfn(mfn), page_order, t, p2m->default_access) ) ++ { + rc = -EINVAL; ++ goto out; /* Failed to update p2m, bail without updating m2p. */ ++ } + if ( !p2m_is_grant(t) ) + { + for ( i = 0; i < (1UL << page_order); i++ ) +@@ -656,6 +659,7 @@ guest_physmap_add_entry(struct domain *d + } + } + ++out: + p2m_unlock(p2m); + + return rc; |