Merge pull request #420 from eric-ch/stable-6_xsa-09-2016
STABLE-6: Xen XSA-185 and 187.
Showing
3 changed files
with
115 additions
and
0 deletions.
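--- a/...extended/xen/files/xsa-185-x86-Disallow-L3-recursive-pagetable-for-32-bit-PV-guests.patch
+++ b/...extended/xen/files/xsa-185-x86-Disallow-L3-recursive-pagetable-for-32-bit-PV-guests.patch
@@ -0,0 +1,43 @@
+################################################################################
+SHORT DESCRIPTION:
+################################################################################
+XSA-185 (http://xenbits.xen.org/xsa/advisory-185.html)
+Disallow L3 recursive pagetable for 32-bit PV guests.
+
+################################################################################
+LONG DESCRIPTION:
+################################################################################
+Source: http://xenbits.xen.org/xsa/advisory-185.html
+Patches: xsa185.patch
+
+On real hardware, a 32-bit PAE guest must leave the USER and RW bit clear in L3
+pagetable entries, but the pagetable walk behaves as if they were set. (The L3
+entries are cached in processor registers, and don't actually form part
+of the pagewalk.)
+
+When running a 32-bit PV guest on a 64-bit Xen, Xen must always OR in the USER
+and RW bits for L3 updates for the guest to observe architectural behaviour.
+This is unsafe in combination with recursive pagetables.
+
+As there is no way to construct an L3 recursive pagetable in native 32-bit PAE
+mode, disallow this option in 32-bit PV guests.
+
+################################################################################
+PATCHES
+################################################################################
+
+Index: xen-4.3.4/xen/arch/x86/mm.c
+===================================================================
+--- xen-4.3.4.orig/xen/arch/x86/mm.c 2016-08-26 15:52:49.862633320 +0200
++++ xen-4.3.4/xen/arch/x86/mm.c 2016-08-31 16:43:01.006691879 +0200
+@@ -1003,7 +1003,9 @@
+
+rc = get_page_and_type_from_pagenr(
+l3e_get_pfn(l3e), PGT_l2_page_table, d, partial, 1);
+- if ( unlikely(rc == -EINVAL) && get_l3_linear_pagetable(l3e, pfn, d) )
++ if ( unlikely(rc == -EINVAL) &&
++ !is_pv_32bit_domain(d) &&
++ get_l3_linear_pagetable(l3e, pfn, d) )
+rc = 0;
+
+return rc;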
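--- a/recipes-extended/xen/files/xsa-187-x86-hvm-overflow-of-sh_ctxt-seg_reg.patch
+++ b/recipes-extended/xen/files/xsa-187-x86-hvm-overflow-of-sh_ctxt-seg_reg.patch
@@ -0,0 +1,70 @@
+################################################################################
+SHORT DESCRIPTION:
+################################################################################
+XSA-187 (http://xenbits.xen.org/xsa/advisory-187.html)
+HVM Overflow of sh_ctxt->seg_reg[].
+
+################################################################################
+LONG DESCRIPTION:
+################################################################################
+Source: http://xenbits.xen.org/xsa/advisory-187.html
+Patches: xsa187-0001-x86-shadow-Avoid-overflowing-sh_ctxt-seg_reg.patch
+xsa187-4.6-0002-x86-segment-Bounds-check-accesses-to-emulation-ctx.patch
+
+x86 HVM guests running with shadow paging use a subset of the x86 emulator to
+handle the guest writing to its own pagetables. There are situations a guest
+can provoke which result in exceeding the space allocated for internal state.
+
+################################################################################
+PATCHES
+################################################################################
+Index: xen-4.3.4/xen/arch/x86/mm/shadow/common.c
+===================================================================
+--- xen-4.3.4.orig/xen/arch/x86/mm/shadow/common.c 2016-08-31 17:35:37.323531691 +0200
++++ xen-4.3.4/xen/arch/x86/mm/shadow/common.c 2016-08-31 17:35:37.530196436 +0200
+@@ -137,9 +137,18 @@
+struct sh_emulate_ctxt *sh_ctxt,
+unsigned long *paddr)
+{
+- struct segment_register *reg = hvm_get_seg_reg(seg, sh_ctxt);
++ const struct segment_register *reg;
+int okay;
+
++ /*
++ * Can arrive here with non-user segments. However, no such cirucmstance
++ * is part of a legitimate pagetable update, so fail the emulation.
++ */
++ if ( !is_x86_user_segment(seg) )
++ return X86EMUL_UNHANDLEABLE;
++
++ reg = hvm_get_seg_reg(seg, sh_ctxt);
++
+okay = hvm_virtual_to_linear_addr(
+seg, reg, offset, bytes, access_type, sh_ctxt->ctxt.addr_size, paddr);
+
+Index: xen-4.3.4/xen/arch/x86/hvm/hvm.c
+===================================================================
+--- xen-4.3.4.orig/xen/arch/x86/hvm/hvm.c 2016-08-31 17:50:27.978569162 +0200
++++ xen-4.3.4/xen/arch/x86/hvm/hvm.c 2016-08-31 17:50:35.378500114 +0200
+@@ -1966,7 +1966,7 @@
+
+int hvm_virtual_to_linear_addr(
+enum x86_segment seg,
+- struct segment_register *reg,
++ const struct segment_register *reg,
+unsigned long offset,
+unsigned int bytes,
+enum hvm_access_type access_type,
+Index: xen-4.3.4/xen/include/asm-x86/hvm/hvm.h
+===================================================================
+--- xen-4.3.4.orig/xen/include/asm-x86/hvm/hvm.h 2016-08-31 17:50:27.995235674 +0200
++++ xen-4.3.4/xen/include/asm-x86/hvm/hvm.h 2016-08-31 17:50:35.528498714 +0200
+@@ -441,7 +441,7 @@
+};
+int hvm_virtual_to_linear_addr(
+enum x86_segment seg,
+- struct segment_register *reg,
++ const struct segment_register *reg,
+unsigned long offset,
+unsigned int bytes,
+enum hvm_access_type access_type,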
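Review bot: The LONG DESCRIPTION names `xsa187-4.6-0002-x86-segment-Bounds-check-accesses-to-emulation-ctx.patch` as a source, but none of the three hunks adds a bounds check on the `seg_reg[]` index. All that is visible from that direction is the `const` qualification of `reg` in `hvm_virtual_to_linear_addr()` (hvm.c, hvm.h) and in the shadow caller. The overflow itself is stopped only by the `is_x86_user_segment(seg)` guard in the `shadow/common.c` hunk, which protects this one call site; any other caller of `hvm_get_seg_reg()` still depends on filtering `seg` itself. If the accessor-side check was dropped deliberately for xen-4.3.4, say so in the header so the backport is not read as carrying the whole second patch. Otherwise add a range check at the top of `hvm_get_seg_reg()`, presumably where the array is indexed (its body is not in this patch), for example `BUG_ON(seg >= ARRAY_SIZE(sh_ctxt->seg_reg));`. The function enclosing the `shadow/common.c` hunk starts and ends outside the hunk.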