Diffstat (limited to 'main/xen/xsa67.patch')
-rw-r--r--main/xen/xsa67.patch37
1 files changed, 37 insertions, 0 deletions
diff --git a/main/xen/xsa67.patch b/main/xen/xsa67.patch
new file mode 100644
index 0000000000..d81a0e18a9
--- /dev/null
+++ b/main/xen/xsa67.patch
@@ -0,0 +1,37 @@
+x86: check segment descriptor read result in 64-bit OUTS emulation
+
+When emulating such an operation from a 64-bit context (CS has long
+mode set), and the data segment is overridden to FS/GS, the result of
+reading the overridden segment's descriptor (read_descriptor) is not
+checked. If it fails, data_base is left uninitialized.
+
+This can lead to 8 bytes of Xen's stack being leaked to the guest
+(implicitly, i.e. via the address given in a #PF).
+
+Coverity-ID: 1055116
+
+This is CVE-2013-4368 / XSA-67.
+
+Signed-off-by: Matthew Daley <mattjd@gmail.com>
+
+Fix formatting.
+
+Signed-off-by: Jan Beulich <jbeulich@suse.com>
+
+--- a/xen/arch/x86/traps.c
++++ b/xen/arch/x86/traps.c
+@@ -1993,10 +1993,10 @@ static int emulate_privileged_op(struct
+ break;
+ }
+ }
+- else
+- read_descriptor(data_sel, v, regs,
+- &data_base, &data_limit, &ar,
+- 0);
++ else if ( !read_descriptor(data_sel, v, regs,
++ &data_base, &data_limit, &ar, 0) ||
++ !(ar & _SEGMENT_S) || !(ar & _SEGMENT_P) )
++ goto fail;
+ data_limit = ~0UL;
+ ar = _SEGMENT_WR|_SEGMENT_S|_SEGMENT_DPL|_SEGMENT_P;
+ }
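Review bot: The new `else if` rejects a failed descriptor read and any descriptor without `_SEGMENT_S` or `_SEGMENT_P`, but the `data_limit` and `ar` it fills are unconditionally overwritten by the two lines that follow (`data_limit = ~0UL;` and `ar = _SEGMENT_WR|...`), so a reader has to work out that only `data_base` survives the read and that the attribute bits are tested purely for validity; a comment above the `else if` such as `/* Long mode: only the override segment's base is used; limit and attributes are forced below, the descriptor is read only to obtain the base and reject a missing/system segment. */` would make that explicit. The check also stops at `_SEGMENT_S` and `_SEGMENT_P` and does not look at the segment type or DPL; whether an OUTS source read in 64-bit mode needs more than that is not visible here, so it is worth confirming against the non-long-mode branch of the same function, which is outside this hunk. The enclosing `emulate_privileged_op` and the `fail:` target both begin and end outside the hunk.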