From a853eaef495f42eeda7f09ef18b53850afd7641f Mon Sep 17 00:00:00 2001
From: William Pitcock
Date: Fri, 1 Nov 2013 16:05:55 +0000
Subject: main/xen: apply relevant XSA patches (XSA-62 through XSA-71)
---
 main/xen/APKBUILD | 34 +++++++++-
 main/xen/xsa62.patch | 46 ++++++++++++++
 main/xen/xsa63.patch | 171 +++++++++++++++++++++++++++++++++++++++++++++++++++
 main/xen/xsa64.patch | 55 +++++++++++++++++
 main/xen/xsa66.patch | 23 +++++++
 main/xen/xsa67.patch | 37 +++++++++++
 main/xen/xsa68.patch | 69 +++++++++++++++++++++
 main/xen/xsa70.patch | 34 ++++++++++
 main/xen/xsa71.patch | 43 +++++++++++++
 9 files changed, 511 insertions(+), 1 deletion(-)
 create mode 100644 main/xen/xsa62.patch
 create mode 100644 main/xen/xsa63.patch
 create mode 100644 main/xen/xsa64.patch
 create mode 100644 main/xen/xsa66.patch
 create mode 100644 main/xen/xsa67.patch
 create mode 100644 main/xen/xsa68.patch
 create mode 100644 main/xen/xsa70.patch
 create mode 100644 main/xen/xsa71.patch
(limited to 'main')
diff --git a/main/xen/APKBUILD b/main/xen/APKBUILD
index a9cae4cbde..c841c9f10a 100644
--- a/main/xen/APKBUILD
+++ b/main/xen/APKBUILD
@@ -3,7 +3,7 @@
 # Maintainer: William Pitcock
 pkgname=xen
 pkgver=4.3.0
-pkgrel=7
+pkgrel=8
 pkgdesc="Xen hypervisor"
 url="http://www.xen.org/"
 arch="x86_64"
@@ -25,6 +25,14 @@ source="http://bits.xensource.com/oss-xen/release/$pkgver/$pkgname-$pkgver.tar.g
 	xsa41c.patch
 	xsa48-4.2.patch
+	xsa62.patch
+	xsa63.patch
+	xsa64.patch
+	xsa66.patch
+	xsa67.patch
+	xsa68.patch
+	xsa70.patch
+	xsa71.patch
 	xsa73-4_3-unstable.patch
 	fix-pod2man-choking.patch
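Review bot: The source list in the second hunk adds xsa62, xsa63, xsa64, xsa66, xsa67, xsa68, xsa70 and xsa71 but not xsa65 or xsa69, while the subject says "XSA-62 through XSA-71", and nothing in the hunk records why the two are absent. If they were judged not to apply to this 4.3.0 build, a one-line comment beside the list, e.g. `# xsa65 and xsa69 omitted: <reason>`, keeps the next maintainer from re-auditing the gap; if they do apply, they are still missing. The md5/sha256/sha512 hunks mirror this list, so the comment belongs only here.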
@@ -194,6 +202,14 @@ md5sums="7b18cfb58f1ac2ce39cf35a1867f0c0a xen-4.3.0.tar.gz
 ed7d0399c6ca6aeee479da5d8f807fe0 xsa41b.patch
 2f3dd7bdc59d104370066d6582725575 xsa41c.patch
 b3e3a57d189a4f86c9766eaf3b5207f4 xsa48-4.2.patch
+01fc0d30d3f5293df65976ec6a4565b2 xsa62.patch
+099d02d873a36b8484572281dfa72df0 xsa63.patch
+8a27a23cf83dead783b7a8f028ce436d xsa64.patch
+b2345060369f7749a1737f3927c42c24 xsa66.patch
+879f68ccff2e3d9ca1300cd250066465 xsa67.patch
+f5ab90fba31fedc023035ae2a91e5524 xsa68.patch
+8367e07fe00c3d2e7658e1eb21cf4740 xsa70.patch
+29e7e593373bfc1390aa251da6bd834d xsa71.patch
 5005efdb8bf44ccc2ce869611b507c83 xsa73-4_3-unstable.patch
 4c5455d1adc09752a835e241097fbc39 fix-pod2man-choking.patch
 a4097e06a7e000ed00f4607db014d277 qemu-xen-websocket.patch
@@ -222,6 +238,14 @@ a0c225d716d343fe041b63e3940900c5b3573ed3bcfc5b7c2d52ea2861c3fc28 docs-Fix-gener
 896a07f57310c9bea9bc2a305166cf796282c381cb7839be49105b1726a860b5 xsa41b.patch
 683dd96a0a8899f794070c8c09643dfeeb39f92da531955cba961b45f6075914 xsa41c.patch
 dc23077028584e71a08dd0dc9e81552c76744a5ce9d39df5958a95ae9cf3107b xsa48-4.2.patch
+364577f317a714099c068eb1ab771643ada99b5067fdd1eb5149fa5db649b856 xsa62.patch
+32fa93d8ebdfbe85931c52010bf9e561fdae8846462c5b1f2fbc217ca36f3005 xsa63.patch
+061396916de992c43b8637909d315581589e5fc28f238aca6822947b45445a47 xsa64.patch
+3a9b6bf114eb19d708b68dd5973763ac83b57840bc0f6fbd1fe487797eaffed4 xsa66.patch
+7de3ac9baa6cd9fead46e68912dfa0189e900095317645d0e33d85346fc8a028 xsa67.patch
+64716cb49696298e0bbd9556fe9d6f559a4e2785081e28d50607317b6e27ba32 xsa68.patch
+2582d3d545903af475436145f7e459414ad9d9c61d5720992eeeec42de8dde56 xsa70.patch
+3785784d9c27c0ec1be6808e5169fe72e6873d963173901f1b287360cf8edd9d xsa71.patch
 48411cd6b15e4e4fa3c4335298179a4b1094c5e1ae8dc7582bbfb9439d97037b xsa73-4_3-unstable.patch
 fcb5b9ff0bc4b4d39fed9b88891491b91628aa449914cfea321abe5da24c1da2 fix-pod2man-choking.patch
 e9f6c482fc449e0b540657a8988ad31f2e680b8933e50e6486687a52f6a9ed04 qemu-xen-websocket.patch
@@ -250,6 +274,14 @@ sha512sums="e6b8f64e15e48704ea5cee5585cd6151fe6a5a62bc4670caf0b762c1aa71c9598db2
 bda9105793f2327e1317991762120d0668af0e964076b18c9fdbfd509984b2e88d85df95702c46b2e00d5350e8113f6aa7b34b19064d19abbeb4d43f0c431d38 xsa41b.patch
 36b60478660ff7748328f5ab9adff13286eee1a1bad06e42fdf7e6aafe105103988525725aacd660cf5b2a184a9e2d6b3818655203c1fa07e07dcebdf23f35d9 xsa41c.patch
 31dd8c62d41cc0a01a79d9b24a5b793f5e2058230808d9c5364c6ff3477ab02f3258f1bbd761d97dc1b97ee120b41524b999eaac77f33b606496fc324b5fa2e4 xsa48-4.2.patch
+4738a229a6f18d670da07b3acbaf6e227af5fb3e7b0b414dc98671be02208aefc66ebe07f7396d9158d0fa15993b9d418fd65747880c64694b1a06b8be961419 xsa62.patch
+f972de0910dff2109fc18911eeaf789963ec457d2a21029abc9615088d2c8446028effec6c1c01e080ae3479e704175e19040c09053c8ad60c0b38c7d2ec3859 xsa63.patch
+2e9283c56f7e336f82d26a6346af91e520375f7084a6f07ad254e52781ac7e96cbb09ee48adfbf2c6c46d5516c56343612011f939f6a40ebef41e1925a9c6ed7 xsa64.patch
+5abc6cb7685a9053e67c1646c6d9e06c25da6d6c7004e63e346e7b082270e1319fcc8a194a8db4e9c9cb903fe5dc29ae17169cda6fea94913fa9e0ff5aa9b451 xsa66.patch
+959e4760210ceb480da53c709fcdeed4bd9cec27eefbcdb7dfcf6d764184e5ecf4c225f817d8a46ff0bb74baa8d14d90c9ce39bb51c9a781cbc524227b02e153 xsa67.patch
+bd1deab154e129fc63dcc51ce5c4d004f5fe044443755a0b8943d8b6087f2ef7cbfd76f2390d36f7b4ad1797ef28abbb23157401468e1bf33ecc7a17aff9e8a4 xsa68.patch
+107335f8e4ffddb9cab9e21dfdf745dea0e4d078c71ee59671942291c189dd0e998a9d480fa91ae439e6410591c9fb06491ca8e810006e22640bf0dc9cf5da81 xsa70.patch
+da71e6d60c2663d571686063cb427ba04e5d56422d945ffd3f14be1dc72df61af78f1b63dc9e248bcfb0cdaaca03a227b4145cdd2af1ec7cdf9a2655c5b006b8 xsa71.patch
 8eb555bc589bc4848f640dd93bdfaf0d0a61667e26667ff2ff89ab60c8c5a777982647e8c440be7510620281bac8d9bb3281afcae36e974f09bd70184ba6ba9a xsa73-4_3-unstable.patch
 2e95ad43bb66f928fe1e8caf474a3211571f75f79ea32aaa3eddb3aed9963444bd131006b67e682395af0d79118b2634bf808404693b813a94662d2a9d665ac2 fix-pod2man-choking.patch
 45f1da45f3ff937d0a626e37c130d76f5b97f49a57ddeb11ef2a8e850c04c32c819a3dfcef501eb3784db5fe7b39c88230063e56aa6e5197fd9c7b7d424fff77 qemu-xen-websocket.patch
diff --git a/main/xen/xsa62.patch b/main/xen/xsa62.patch
new file mode 100644
index 0000000000..3bb432762a
--- /dev/null
+++ b/main/xen/xsa62.patch
@@ -0,0 +1,46 @@
+x86/xsave: initialize extended register state when guests enable it
+
+Till now, when setting previously unset bits in XCR0 we wouldn't touch
+the active register state, thus leaving in the newly enabled registers
+whatever a prior user of it left there, i.e. potentially leaking
+information between guests.
+
+This is CVE-2013-1442 / XSA-62.
+
+Signed-off-by: Jan Beulich
+Reviewed-by: Andrew Cooper
+
+--- a/xen/arch/x86/xstate.c
++++ b/xen/arch/x86/xstate.c
+@@ -307,6 +307,7 @@ int validate_xstate(u64 xcr0, u64 xcr0_a
+ int handle_xsetbv(u32 index, u64 new_bv)
+ {
+ struct vcpu *curr = current;
++ u64 mask;
+
+ if ( index != XCR_XFEATURE_ENABLED_MASK )
+ return -EOPNOTSUPP;
+@@ -320,9 +321,23 @@ int handle_xsetbv(u32 index, u64 new_bv)
+ if ( !set_xcr0(new_bv) )
+ return -EFAULT;
+
++ mask = new_bv & ~curr->arch.xcr0_accum;
+ curr->arch.xcr0 = new_bv;
+ curr->arch.xcr0_accum |= new_bv;
+
++ mask &= curr->fpu_dirtied ? ~XSTATE_FP_SSE : XSTATE_NONLAZY;
++ if ( mask )
++ {
++ unsigned long cr0 = read_cr0();
++
++ clts();
++ if ( curr->fpu_dirtied )
++ asm ( "stmxcsr %0" : "=m" (curr->arch.xsave_area->fpu_sse.mxcsr) );
++ xrstor(curr, mask);
++ if ( cr0 & X86_CR0_TS )
++ write_cr0(cr0);
++ }
++
+ return 0;
+ }
+
diff --git a/main/xen/xsa63.patch b/main/xen/xsa63.patch
new file mode 100644
index 0000000000..5134650e2f
--- /dev/null
+++ b/main/xen/xsa63.patch
@@ -0,0 +1,171 @@
+x86: properly handle hvm_copy_from_guest_{phys,virt}() errors
+
+Ignoring them generally implies using uninitialized data and, in all
+cases dealt with here, potentially leaking hypervisor stack contents to
+guests.
+
+This is XSA-63.
+
+Signed-off-by: Jan Beulich
+Reviewed-by: Tim Deegan
+Reviewed-by: Andrew Cooper
+
+--- a/xen/arch/x86/hvm/hvm.c
++++ b/xen/arch/x86/hvm/hvm.c
+@@ -2308,11 +2308,7 @@ void hvm_task_switch(
+
+ rc = hvm_copy_from_guest_virt(
+ &tss, prev_tr.base, sizeof(tss), PFEC_page_present);
+- if ( rc == HVMCOPY_bad_gva_to_gfn )
+- goto out;
+- if ( rc == HVMCOPY_gfn_paged_out )
+- goto out;
+- if ( rc == HVMCOPY_gfn_shared )
++ if ( rc != HVMCOPY_okay )
+ goto out;
+
+ eflags = regs->eflags;
+@@ -2357,13 +2353,11 @@ void hvm_task_switch(
+
+ rc = hvm_copy_from_guest_virt(
+ &tss, tr.base, sizeof(tss), PFEC_page_present);
+- if ( rc == HVMCOPY_bad_gva_to_gfn )
+- goto out;
+- if ( rc == HVMCOPY_gfn_paged_out )
+- goto out;
+- /* Note: this could be optimised, if the callee functions knew we want RO
+- * access */
+- if ( rc == HVMCOPY_gfn_shared )
++ /*
++ * Note: The HVMCOPY_gfn_shared case could be optimised, if the callee
++ * functions knew we want RO access.
++ */
++ if ( rc != HVMCOPY_okay )
+ goto out;
+
+
+--- a/xen/arch/x86/hvm/intercept.c
++++ b/xen/arch/x86/hvm/intercept.c
+@@ -87,17 +87,28 @@ static int hvm_mmio_access(struct vcpu *
+ {
+ for ( i = 0; i < p->count; i++ )
+ {
+- int ret;
+-
+- ret = hvm_copy_from_guest_phys(&data,
+- p->data + (sign * i * p->size),
+- p->size);
+- if ( (ret == HVMCOPY_gfn_paged_out) ||
+- (ret == HVMCOPY_gfn_shared) )
++ switch ( hvm_copy_from_guest_phys(&data,
++ p->data + sign * i * p->size,
++ p->size) )
+ {
++ case HVMCOPY_okay:
++ break;
++ case HVMCOPY_gfn_paged_out:
++ case HVMCOPY_gfn_shared:
+ rc = X86EMUL_RETRY;
+ break;
++ case HVMCOPY_bad_gfn_to_mfn:
++ data = ~0;
++ break;
++ case HVMCOPY_bad_gva_to_gfn:
++ ASSERT(0);
++ /* fall through */
++ default:
++ rc = X86EMUL_UNHANDLEABLE;
++ break;
+ }
++ if ( rc != X86EMUL_OKAY )
++ break;
+ rc = write_handler(v, p->addr + (sign * i * p->size), p->size,
+ data);
+ if ( rc != X86EMUL_OKAY )
+@@ -165,8 +176,28 @@ static int process_portio_intercept(port
+ for ( i = 0; i < p->count; i++ )
+ {
+ data = 0;
+- (void)hvm_copy_from_guest_phys(&data, p->data + sign*i*p->size,
+- p->size);
++ switch ( hvm_copy_from_guest_phys(&data,
++ p->data + sign * i * p->size,
++ p->size) )
++ {
++ case HVMCOPY_okay:
++ break;
++ case HVMCOPY_gfn_paged_out:
++ case HVMCOPY_gfn_shared:
++ rc = X86EMUL_RETRY;
++ break;
++ case HVMCOPY_bad_gfn_to_mfn:
++ data = ~0;
++ break;
++ case HVMCOPY_bad_gva_to_gfn:
++ ASSERT(0);
++ /* fall through */
++ default:
++ rc = X86EMUL_UNHANDLEABLE;
++ break;
++ }
++ if ( rc != X86EMUL_OKAY )
++ break;
+ rc = action(IOREQ_WRITE, p->addr, p->size, &data);
+ if ( rc != X86EMUL_OKAY )
+ break;
+--- a/xen/arch/x86/hvm/io.c
++++ b/xen/arch/x86/hvm/io.c
+@@ -340,14 +340,24 @@ static int dpci_ioport_write(uint32_t mp
+ data = p->data;
+ if ( p->data_is_ptr )
+ {
+- int ret;
+-
+- ret = hvm_copy_from_guest_phys(&data,
+- p->data + (sign * i * p->size),
+- p->size);
+- if ( (ret == HVMCOPY_gfn_paged_out) &&
+- (ret == HVMCOPY_gfn_shared) )
++ switch ( hvm_copy_from_guest_phys(&data,
++ p->data + sign * i * p->size,
++ p->size) )
++ {
++ case HVMCOPY_okay:
++ break;
++ case HVMCOPY_gfn_paged_out:
++ case HVMCOPY_gfn_shared:
+ return X86EMUL_RETRY;
++ case HVMCOPY_bad_gfn_to_mfn:
++ data = ~0;
++ break;
++ case HVMCOPY_bad_gva_to_gfn:
++ ASSERT(0);
++ /* fall through */
++ default:
++ return X86EMUL_UNHANDLEABLE;
++ }
+ }
+
+ switch ( p->size )
+--- a/xen/arch/x86/hvm/vmx/realmode.c
++++ b/xen/arch/x86/hvm/vmx/realmode.c
+@@ -39,7 +39,9 @@ static void realmode_deliver_exception(
+
+ again:
+ last_byte = (vector * 4) + 3;
+- if ( idtr->limit < last_byte )
++ if ( idtr->limit < last_byte ||
++ hvm_copy_from_guest_phys(&cs_eip, idtr->base + vector * 4, 4) !=
++ HVMCOPY_okay )
+ {
+ /* Software interrupt? */
+ if ( insn_len != 0 )
+@@ -64,8 +66,6 @@ static void realmode_deliver_exception(
+ }
+ }
+
+- (void)hvm_copy_from_guest_phys(&cs_eip, idtr->base + vector * 4, 4);
+-
+ frame[0] = regs->eip + insn_len;
+ frame[1] = csr->sel;
+ frame[2] = regs->eflags & ~X86_EFLAGS_RF;
diff --git a/main/xen/xsa64.patch b/main/xen/xsa64.patch
new file mode 100644
index 0000000000..f2c1117fdd
--- /dev/null
+++ b/main/xen/xsa64.patch
@@ -0,0 +1,55 @@
+commit 95a0770282ea2a03f7bc48c6656d5fc79bae0599
+Author: Tim Deegan
+Date: Thu Sep 12 14:16:28 2013 +0100
+
+ x86/mm/shadow: Fix initialization of PV shadow L4 tables.
+
+ Shadowed PV L4 tables must have the same Xen mappings as their
+ unshadowed equivalent. This is done by copying the Xen entries
+ verbatim from the idle pagetable, and then using guest_l4_slot()
+ in the SHADOW_FOREACH_L4E() iterator to avoid touching those entries.
+
+ adc5afbf1c70ef55c260fb93e4b8ce5ccb918706 (x86: support up to 16Tb)
+ changed the definition of ROOT_PAGETABLE_XEN_SLOTS to extend right to
+ the top of the address space, which causes the shadow code to
+ copy Xen mappings into guest-kernel-address slots too.
+
+ In the common case, all those slots are zero in the idle pagetable,
+ and no harm is done. But if any slot above #271 is non-zero, Xen will
+ crash when that slot is later cleared (it attempts to drop
+ shadow-pagetable refcounts on its own L4 pagetables).
+
+ Fix by using the new ROOT_PAGETABLE_PV_XEN_SLOTS when appropriate.
+ Monitor pagetables need the full Xen mappings, so they keep using the
+ old name (with its new semantics).
+
+ This is XSA-64.
+
+ Signed-off-by: Tim Deegan
+ Reviewed-by: Jan Beulich
+
+diff --git a/xen/arch/x86/mm/shadow/multi.c b/xen/arch/x86/mm/shadow/multi.c
+index 4c4c2ba..3fed0b6 100644
+--- a/xen/arch/x86/mm/shadow/multi.c
++++ b/xen/arch/x86/mm/shadow/multi.c
+@@ -1433,15 +1433,19 @@ void sh_install_xen_entries_in_l4(struct vcpu *v, mfn_t gl4mfn, mfn_t sl4mfn)
+ {
+ struct domain *d = v->domain;
+ shadow_l4e_t *sl4e;
++ unsigned int slots;
+
+ sl4e = sh_map_domain_page(sl4mfn);
+ ASSERT(sl4e != NULL);
+ ASSERT(sizeof (l4_pgentry_t) == sizeof (shadow_l4e_t));
+
+ /* Copy the common Xen mappings from the idle domain */
++ slots = (shadow_mode_external(d)
++ ? ROOT_PAGETABLE_XEN_SLOTS
++ : ROOT_PAGETABLE_PV_XEN_SLOTS);
+ memcpy(&sl4e[ROOT_PAGETABLE_FIRST_XEN_SLOT],
+ &idle_pg_table[ROOT_PAGETABLE_FIRST_XEN_SLOT],
+- ROOT_PAGETABLE_XEN_SLOTS * sizeof(l4_pgentry_t));
++ slots * sizeof(l4_pgentry_t));
+
+ /* Install the per-domain mappings for this domain */
+ sl4e[shadow_l4_table_offset(PERDOMAIN_VIRT_START)] =
diff --git a/main/xen/xsa66.patch b/main/xen/xsa66.patch
new file mode 100644
index 0000000000..1d9f25abae
--- /dev/null
+++ b/main/xen/xsa66.patch
@@ -0,0 +1,23 @@
+x86: properly set up fbld emulation operand address
+
+This is CVE-2013-4361 / XSA-66.
+
+Signed-off-by: Jan Beulich
+Acked-by: Ian Jackson
+
+--- a/xen/arch/x86/x86_emulate/x86_emulate.c
++++ b/xen/arch/x86/x86_emulate/x86_emulate.c
+@@ -3156,11 +3156,11 @@ x86_emulate(
+ break;
+ case 4: /* fbld m80dec */
+ ea.bytes = 10;
+- dst = ea;
++ src = ea;
+ if ( (rc = ops->read(src.mem.seg, src.mem.off,
+ &src.val, src.bytes, ctxt)) != 0 )
+ goto done;
+- emulate_fpu_insn_memdst("fbld", src.val);
++ emulate_fpu_insn_memsrc("fbld", src.val);
+ break;
+ case 5: /* fild m64i */
+ ea.bytes = 8;
diff --git a/main/xen/xsa67.patch b/main/xen/xsa67.patch
new file mode 100644
index 0000000000..d81a0e18a9
--- /dev/null
+++ b/main/xen/xsa67.patch
@@ -0,0 +1,37 @@
+x86: check segment descriptor read result in 64-bit OUTS emulation
+
+When emulating such an operation from a 64-bit context (CS has long
+mode set), and the data segment is overridden to FS/GS, the result of
+reading the overridden segment's descriptor (read_descriptor) is not
+checked. If it fails, data_base is left uninitialized.
+
+This can lead to 8 bytes of Xen's stack being leaked to the guest
+(implicitly, i.e. via the address given in a #PF).
+
+Coverity-ID: 1055116
+
+This is CVE-2013-4368 / XSA-67.
+
+Signed-off-by: Matthew Daley
+
+Fix formatting.
+
+Signed-off-by: Jan Beulich
+
+--- a/xen/arch/x86/traps.c
++++ b/xen/arch/x86/traps.c
+@@ -1993,10 +1993,10 @@ static int emulate_privileged_op(struct
+ break;
+ }
+ }
+- else
+- read_descriptor(data_sel, v, regs,
+- &data_base, &data_limit, &ar,
+- 0);
++ else if ( !read_descriptor(data_sel, v, regs,
++ &data_base, &data_limit, &ar, 0) ||
++ !(ar & _SEGMENT_S) || !(ar & _SEGMENT_P) )
++ goto fail;
+ data_limit = ~0UL;
+ ar = _SEGMENT_WR|_SEGMENT_S|_SEGMENT_DPL|_SEGMENT_P;
+ }
diff --git a/main/xen/xsa68.patch b/main/xen/xsa68.patch
new file mode 100644
index 0000000000..cad655be25
--- /dev/null
+++ b/main/xen/xsa68.patch
@@ -0,0 +1,69 @@
+libxl: fix vif rate parsing
+
+strtok can return NULL here. We don't need to use strtok anyway, so just
+use a simple strchr method.
+
+Coverity-ID: 1055642
+
+This is CVE-2013-4369 / XSA-68
+
+Signed-off-by: Matthew Daley
+
+Fix type. Add test case
+
+Signed-off-by: Ian Campbell
+
+diff --git a/tools/libxl/check-xl-vif-parse b/tools/libxl/check-xl-vif-parse
+index 0473182..02c6dba 100755
+--- a/tools/libxl/check-xl-vif-parse
++++ b/tools/libxl/check-xl-vif-parse
+@@ -206,4 +206,8 @@ expected
+Date: Tue, 10 Sep 2013 22:18:46 +1200
+Subject: [PATCH] libxl: fix out-of-memory error handling in
+ libxl_list_cpupool
+
+...otherwise it will return freed memory. All the current users of this
+function check already for a NULL return, so use that.
+
+Coverity-ID: 1056194
+
+This is CVE-2013-4371 / XSA-70
+
+Signed-off-by: Matthew Daley
+Acked-by: Ian Campbell
+---
+ tools/libxl/libxl.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/tools/libxl/libxl.c b/tools/libxl/libxl.c
+index 0879f23..17653ef 100644
+--- a/tools/libxl/libxl.c
++++ b/tools/libxl/libxl.c
+@@ -651,6 +651,7 @@ libxl_cpupoolinfo * libxl_list_cpupool(libxl_ctx *ctx, int *nb_pool_out)
+ if (!tmp) {
+ LIBXL__LOG_ERRNO(ctx, LIBXL__LOG_ERROR, "allocating cpupool info");
+ libxl_cpupoolinfo_list_free(ptr, i);
++ ptr = NULL;
+ goto out;
+ }
+ ptr = tmp;
+--
+1.7.10.4
+
diff --git a/main/xen/xsa71.patch b/main/xen/xsa71.patch
new file mode 100644
index 0000000000..45e52eb0f8
--- /dev/null
+++ b/main/xen/xsa71.patch
@@ -0,0 +1,43 @@
+From 23260e589e52ec83349f22198eab2331b5a1684e Mon Sep 17 00:00:00 2001
+From: Matthew Daley
+Date: Wed, 25 Sep 2013 12:28:47 +1200
+Subject: [PATCH] xen_disk: mark ioreq as mapped before unmapping in error
+ case
+
+Commit c6961b7d ("xen_disk: use bdrv_aio_flush instead of bdrv_flush")
+modified the semantics of ioreq_{un,}map so that they are idempotent if
+called when they're not needed (ie., twice in a row). However, it neglected
+to handle the case where batch mapping is not being used (the default), and
+one of the grants fails to map. In this case, ioreq_unmap will be called to
+unwind and unmap any mappings already performed, but ioreq_unmap simply
+returns due to the aforementioned change (the ioreq has not already been
+marked as mapped).
+
+The frontend user can therefore force xen_disk to leak grant mappings, a
+per-backend-domain limited resource.
+
+Fix by marking the ioreq as mapped before calling ioreq_unmap in this
+situation.
+
+This is XSA-71 / CVE-2013-4375
+
+Signed-off-by: Matthew Daley
+---
+ hw/xen_disk.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/tools/qemu-xen/hw/xen_disk.c b/tools/qemu-xen/hw/xen_disk.c
+index a402ac8..1cdfcbc 100644
+--- a/tools/qemu-xen/hw/xen_disk.c
++++ b/tools/qemu-xen/hw/xen_disk.c
+@@ -299,6 +299,7 @@ static int ioreq_map(struct ioreq *ioreq)
+ xen_be_printf(&ioreq->blkdev->xendev, 0,
+ "can't map grant ref %d (%s, %d maps)\n",
+ refs[i], strerror(errno), ioreq->blkdev->cnt_map);
++ ioreq->mapped = 1;
+ ioreq_unmap(ioreq);
+ return -1;
+ }
+--
+1.7.10.4
+
-- 
cgit v1.2.3