Diffstat (limited to 'main/xen/xsa30-4.2.patch')
-rw-r--r--main/xen/xsa30-4.2.patch56
1 files changed, 56 insertions, 0 deletions
diff --git a/main/xen/xsa30-4.2.patch b/main/xen/xsa30-4.2.patch
new file mode 100644
index 0000000000..c46571dadb
--- /dev/null
+++ b/main/xen/xsa30-4.2.patch
@@ -0,0 +1,56 @@
+xen: fix error handling of guest_physmap_mark_populate_on_demand()
+
+The only user of the "out" label bypasses a necessary unlock, thus
+enabling the caller to lock up Xen.
+
+Also, the function was never meant to be called by a guest for itself,
+so rather than inspecting the code paths in depth for potential other
+problems this might cause, and adjusting e.g. the non-guest printk()
+in the above error path, just disallow the guest access to it.
+
+Finally, the printk() (considering its potential of spamming the log,
+the more that it's not using XENLOG_GUEST), is being converted to
+P2M_DEBUG(), as debugging is what it apparently was added for in the
+first place.
+
+This is XSA-30 / CVE-2012-5514.
+
+Signed-off-by: Jan Beulich <jbeulich@suse.com>
+Acked-by: Ian Campbell <ian.campbell@citrix.com>
+Acked-by: George Dunlap <george.dunlap@eu.citrix.com>
+Acked-by: Ian Jackson <ian.jackson@eu.citrix.com>
+
+diff -r 7c4d806b3753 xen/arch/x86/mm/p2m-pod.c
+--- a/xen/arch/x86/mm/p2m-pod.c Fri Nov 16 15:56:14 2012 +0000
++++ b/xen/arch/x86/mm/p2m-pod.c Thu Nov 22 17:02:32 2012 +0000
+@@ -1117,6 +1117,9 @@ guest_physmap_mark_populate_on_demand(st
+ mfn_t omfn;
+ int rc = 0;
+
++ if ( !IS_PRIV_FOR(current->domain, d) )
++ return -EPERM;
++
+ if ( !paging_mode_translate(d) )
+ return -EINVAL;
+
+@@ -1135,8 +1138,7 @@ guest_physmap_mark_populate_on_demand(st
+ omfn = p2m->get_entry(p2m, gfn + i, &ot, &a, 0, NULL);
+ if ( p2m_is_ram(ot) )
+ {
+- printk("%s: gfn_to_mfn returned type %d!\n",
+- __func__, ot);
++ P2M_DEBUG("gfn_to_mfn returned type %d!\n", ot);
+ rc = -EBUSY;
+ goto out;
+ }
+@@ -1160,9 +1162,9 @@ guest_physmap_mark_populate_on_demand(st
+ pod_unlock(p2m);
+ }
+
++out:
+ gfn_unlock(p2m, gfn, order);
+
+-out:
+ return rc;
+ }
+
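Review bot: Nothing in this commit applies the new patch — the diffstat shows only main/xen/xsa30-4.2.patch being added, with no change to the package build script (the APKBUILD, if this is an aports tree) listing it under `source=` with its checksum, so the XSA-30 / CVE-2012-5514 fix is not actually built into the xen package until that follow-up lands. Within the patch itself, moving `out:` above `gfn_unlock(p2m, gfn, order);` is what makes the `-EBUSY` path release the lock, and the new `IS_PRIV_FOR(current->domain, d)` check sits before `paging_mode_translate(d)`, so an unprivileged caller gets `-EPERM` before any lock is taken. The inner context lines appear here without their leading indentation (e.g. `+ mfn_t omfn;`), which is presumably a rendering artifact; if the stored file really lacks it, `patch` will reject the hunks, so a dry-run apply against the 4.2 source is worth confirming before the checksum is recorded. guest_physmap_mark_populate_on_demand() begins and ends outside the quoted hunks, so the remaining error paths between them cannot be checked from this page.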