From b4cec285f5436041695c718489cd39d28dfd68dd Mon Sep 17 00:00:00 2001
From: Natanael Copa
Date: Thu, 23 Oct 2014 12:53:24 +0000
Subject: main/xen: security fixes (CVE-2014-7154, CVE-2014-7155, CVE-2014-7156)

XSA-104 CVE-2014-7154 Race condition in HVMOP_track_dirty_vram
XSA-105 CVE-2014-7155 Missing privilege level checks in x86 HLT, LGDT, LIDT, and LMSW emulation
XSA-106 CVE-2014-7156 Missing privilege level checks in x86 emulation of software interrupts

fixes #3459
---
 main/xen/APKBUILD | 15 ++++++++++++++-
 main/xen/xsa104.patch | 44 ++++++++++++++++++++++++++++++++++++++++++++
 main/xen/xsa105.patch | 37 +++++++++++++++++++++++++++++++++++++
 main/xen/xsa106.patch | 23 +++++++++++++++++++++++
 4 files changed, 118 insertions(+), 1 deletion(-)
 create mode 100644 main/xen/xsa104.patch
 create mode 100644 main/xen/xsa105.patch
 create mode 100644 main/xen/xsa106.patch
(limited to 'main/xen')

diff --git a/main/xen/APKBUILD b/main/xen/APKBUILD
index 4012d7d0bd..e0ca99e98c 100644
--- a/main/xen/APKBUILD
+++ b/main/xen/APKBUILD
@@ -3,7 +3,7 @@
 # Maintainer: William Pitcock
 pkgname=xen
 pkgver=4.3.3
-pkgrel=0
+pkgrel=1
 pkgdesc="Xen hypervisor"
 url="http://www.xen.org/"
 arch="x86_64"
@@ -25,6 +25,10 @@ source="http://bits.xensource.com/oss-xen/release/$pkgver/$pkgname-$pkgver.tar.g
 xsa41c.patch
 xsa97-hap-4_3.patch
+
+ xsa104.patch
+ xsa105.patch
+ xsa106.patch
 xsa108.patch
 fix-pod2man-choking.patch
@@ -194,6 +198,9 @@ md5sums="1b4438a50d8875700ac2c7e1ffbcd91b xen-4.3.3.tar.gz
 ed7d0399c6ca6aeee479da5d8f807fe0 xsa41b.patch
 2f3dd7bdc59d104370066d6582725575 xsa41c.patch
 8b0feffc89e3f34d835d60ad62688b30 xsa97-hap-4_3.patch
+1cc14dc8cc1a42aa93a6ea1508931d98 xsa104.patch
+cdc40a86a58fc864ebb7b1dbf90d2352 xsa105.patch
+f58b915ad62aef72bde99f8d04f9a7a4 xsa106.patch
 1f66f6c52941309c825f60e1bf144987 xsa108.patch
 4c5455d1adc09752a835e241097fbc39 fix-pod2man-choking.patch
 a4097e06a7e000ed00f4607db014d277 qemu-xen-websocket.patch
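Review bot: The source= list in the -25,6 +25,10 hunk adds a bare `+` (empty) line between `xsa97-hap-4_3.patch` and `xsa104.patch` that no neighbouring entry has; dropping it keeps the list one patch per line and turns the hunk into +25,9. The new entries are placed ahead of xsa108.patch, so the XSA numbering stays monotonic, and the md5sums hunk here plus the sha256sums and sha512sums hunks that follow each carry one line per new patch, so checksum coverage looks complete. The pkgrel bump in the first hunk is what makes apk treat this as a new build, so it should stay.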
@@ -222,6 +229,9 @@ a0c225d716d343fe041b63e3940900c5b3573ed3bcfc5b7c2d52ea2861c3fc28 docs-Fix-gener
 896a07f57310c9bea9bc2a305166cf796282c381cb7839be49105b1726a860b5 xsa41b.patch
 683dd96a0a8899f794070c8c09643dfeeb39f92da531955cba961b45f6075914 xsa41c.patch
 cfab6521221a5058a0dfbb6d59c3c4cd0e7f4239bb6cbee2723de22c33caafda xsa97-hap-4_3.patch
+fc02f6365ca79a6ef386c882b57fab8b56aa12b54fc9b05054552f0f25e32047 xsa104.patch
+dfb5ede7cc5609a812a7b1239479cefd387f9f9c8c25e11e64199bc592ad7e39 xsa105.patch
+301060f801ab39c15ac773e1bcc250f0e6bf30d748007a96173459b83afc9270 xsa106.patch
 cf7ecf4b4680c09e8b1f03980d8350a0e1e7eb03060031788f972e0d4d47203e xsa108.patch
 fcb5b9ff0bc4b4d39fed9b88891491b91628aa449914cfea321abe5da24c1da2 fix-pod2man-choking.patch
 e9f6c482fc449e0b540657a8988ad31f2e680b8933e50e6486687a52f6a9ed04 qemu-xen-websocket.patch
@@ -250,6 +260,9 @@ sha512sums="cd9b7199d2859a856c719b75ee50a059c480f7493bbc493bcc3701d20321bd6d83c6
 bda9105793f2327e1317991762120d0668af0e964076b18c9fdbfd509984b2e88d85df95702c46b2e00d5350e8113f6aa7b34b19064d19abbeb4d43f0c431d38 xsa41b.patch
 36b60478660ff7748328f5ab9adff13286eee1a1bad06e42fdf7e6aafe105103988525725aacd660cf5b2a184a9e2d6b3818655203c1fa07e07dcebdf23f35d9 xsa41c.patch
 acfd1058632d42bef061a9586565d184c0010d74870a25bc9b0a0bf40dda8abfd882056b8340dec45355efd9326d05f92a933f5d5c1c58e97597a8e88c61c639 xsa97-hap-4_3.patch
+25d6ecde45eb69877476c2c8a91eff8ffb688befeb41228fea9161e785009c64efd02b1a9119727dfecb46d2bfc7a362fdf8c618055493447bd298c9ac5d65a4 xsa104.patch
+9bc41d22a3286ff054a8daa04bd496e91a43910d9b3ab80f4cfea517d57dfdb06fb09192bf9004f07b950574cf5bfba1faebe431bc4e82a4849ff7c5468f7cc0 xsa105.patch
+9403eece50848844f5734f26877558cec705ad83496cdac5abc994264eb221830f185c1a7a1262c8834f45dc7fe544d8ea99898d471a3cea04f98c39bb87b2c3 xsa106.patch
 f511a13ee4223ea2fa9d109fea1802b462f178d3be7de630aeba6eb40ef5d17c7db9d3b99ea414c5794d92d181a60c0bd2061f51987c6deb3a9071f5626fd049 xsa108.patch
 2e95ad43bb66f928fe1e8caf474a3211571f75f79ea32aaa3eddb3aed9963444bd131006b67e682395af0d79118b2634bf808404693b813a94662d2a9d665ac2 fix-pod2man-choking.patch
 45f1da45f3ff937d0a626e37c130d76f5b97f49a57ddeb11ef2a8e850c04c32c819a3dfcef501eb3784db5fe7b39c88230063e56aa6e5197fd9c7b7d424fff77 qemu-xen-websocket.patch
diff --git a/main/xen/xsa104.patch b/main/xen/xsa104.patch
new file mode 100644
index 0000000000..2c5b39ee9b
--- /dev/null
+++ b/main/xen/xsa104.patch
@@ -0,0 +1,44 @@
+x86/shadow: fix race condition sampling the dirty vram state
+
+d->arch.hvm_domain.dirty_vram must be read with the domain's paging lock held.
+
+If not, two concurrent hypercalls could both end up attempting to free
+dirty_vram (the second of which will free a wild pointer), or both end up
+allocating a new dirty_vram structure (the first of which will be leaked).
+
+This is XSA-104.
+
+Signed-off-by: Andrew Cooper
+Reviewed-by: Tim Deegan
+
+--- a/xen/arch/x86/mm/shadow/common.c
++++ b/xen/arch/x86/mm/shadow/common.c
+@@ -3485,7 +3485,7 @@ int shadow_track_dirty_vram(struct domai
+ int flush_tlb = 0;
+ unsigned long i;
+ p2m_type_t t;
+- struct sh_dirty_vram *dirty_vram = d->arch.hvm_domain.dirty_vram;
++ struct sh_dirty_vram *dirty_vram;
+ struct p2m_domain *p2m = p2m_get_hostp2m(d);
+
+ if ( end_pfn < begin_pfn || end_pfn > p2m->max_mapped_pfn + 1 )
+@@ -3495,6 +3495,8 @@ int shadow_track_dirty_vram(struct domai
+ p2m_lock(p2m_get_hostp2m(d));
+ paging_lock(d);
+
++ dirty_vram = d->arch.hvm_domain.dirty_vram;
++
+ if ( dirty_vram && (!nr ||
+ ( begin_pfn != dirty_vram->begin_pfn
+ || end_pfn != dirty_vram->end_pfn )) )
+--- a/xen/include/asm-x86/hvm/domain.h
++++ b/xen/include/asm-x86/hvm/domain.h
+@@ -112,7 +112,7 @@ struct hvm_domain {
+ /* Memory ranges with pinned cache attributes. */
+ struct list_head pinned_cacheattr_ranges;
+
+- /* VRAM dirty support. */
++ /* VRAM dirty support. Protect with the domain paging lock. */
+ struct sh_dirty_vram *dirty_vram;
+
+ /* If one of vcpus of this domain is in no_fill_mode or
diff --git a/main/xen/xsa105.patch b/main/xen/xsa105.patch
new file mode 100644
index 0000000000..cc7cafddd6
--- /dev/null
+++ b/main/xen/xsa105.patch
@@ -0,0 +1,37 @@
+x86/emulate: check cpl for all privileged instructions
+
+Without this, it is possible for userspace to load its own IDT or GDT.
+
+This is XSA-105.
+
+Reported-by: Andrei LUTAS
+Signed-off-by: Andrew Cooper
+Reviewed-by: Jan Beulich
+Tested-by: Andrei LUTAS
+
+--- a/xen/arch/x86/x86_emulate/x86_emulate.c
++++ b/xen/arch/x86/x86_emulate/x86_emulate.c
+@@ -3314,6 +3314,7 @@ x86_emulate(
+ goto swint;
+
+ case 0xf4: /* hlt */
++ generate_exception_if(!mode_ring0(), EXC_GP, 0);
+ ctxt->retire.flags.hlt = 1;
+ break;
+
+@@ -3710,6 +3711,7 @@ x86_emulate(
+ break;
+ case 2: /* lgdt */
+ case 3: /* lidt */
++ generate_exception_if(!mode_ring0(), EXC_GP, 0);
+ generate_exception_if(ea.type != OP_MEM, EXC_UD, -1);
+ fail_if(ops->write_segment == NULL);
+ memset(®, 0, sizeof(reg));
+@@ -3738,6 +3740,7 @@ x86_emulate(
+ case 6: /* lmsw */
+ fail_if(ops->read_cr == NULL);
+ fail_if(ops->write_cr == NULL);
++ generate_exception_if(!mode_ring0(), EXC_GP, 0);
+ if ( (rc = ops->read_cr(0, &cr0, ctxt)) )
+ goto done;
+ if ( ea.type == OP_REG )
diff --git a/main/xen/xsa106.patch b/main/xen/xsa106.patch
new file mode 100644
index 0000000000..436724dbc1
--- /dev/null
+++ b/main/xen/xsa106.patch
@@ -0,0 +1,23 @@
+x86emul: only emulate software interrupt injection for real mode
+
+Protected mode emulation currently lacks proper privilege checking of
+the referenced IDT entry, and there's currently no legitimate way for
+any of the respective instructions to reach the emulator when the guest
+is in protected mode.
+
+This is XSA-106.
+
+Reported-by: Andrei LUTAS
+Signed-off-by: Jan Beulich
+Acked-by: Keir Fraser
+
+--- a/xen/arch/x86/x86_emulate/x86_emulate.c
++++ b/xen/arch/x86/x86_emulate/x86_emulate.c
+@@ -2634,6 +2634,7 @@ x86_emulate(
+ case 0xcd: /* int imm8 */
+ src.val = insn_fetch_type(uint8_t);
+ swint:
++ fail_if(!in_realmode(ctxt, ops)); /* XSA-106 */
+ fail_if(ops->inject_sw_interrupt == NULL);
+ rc = ops->inject_sw_interrupt(src.val, _regs.eip - ctxt->regs->eip,
+ ctxt) ? : X86EMUL_EXCEPTION;
-- 
cgit v1.2.3