From 1f27ee9d2d8a8ced3ba7ca7805505b9c76dba765 Mon Sep 17 00:00:00 2001
From: Michael Young
Date: Jun 17 2014 20:50:19 +0000
Subject: Hypervisor heap contents leaked to guest, with extra patch to avoid regression
---
diff --git a/xen.git-6b4d71d028f445cba7426a144751fddc8bfdd67b.patch b/xen.git-6b4d71d028f445cba7426a144751fddc8bfdd67b.patch
new file mode 100644
index 0000000..7f233d6
--- /dev/null
+++ b/xen.git-6b4d71d028f445cba7426a144751fddc8bfdd67b.patch
@@ -0,0 +1,45 @@
+From 6b4d71d028f445cba7426a144751fddc8bfdd67b Mon Sep 17 00:00:00 2001
+From: Jan Beulich
+Date: Wed, 28 May 2014 09:50:33 +0200
+Subject: [PATCH] AMD IOMMU: don't free page table prematurely
+
+iommu_merge_pages() still wants to look at the next level page table,
+the TLB flush necessary before freeing too happens in that function,
+and if it fails no free should happen at all. Hence the freeing must
+be done after that function returned successfully, not before it's
+being called.
+
+Signed-off-by: Jan Beulich
+Reviewed-by: Andrew Cooper
+Reviewed-by: Suravee Suthikulpanit
+Tested-by: Suravee Suthikulpanit
+---
+ xen/drivers/passthrough/amd/iommu_map.c | 5 +++--
+ 1 files changed, 3 insertions(+), 2 deletions(-)
+
+diff --git a/xen/drivers/passthrough/amd/iommu_map.c b/xen/drivers/passthrough/amd/iommu_map.c
+index ceb1c28..a8c60ec 100644
+--- a/xen/drivers/passthrough/amd/iommu_map.c
++++ b/xen/drivers/passthrough/amd/iommu_map.c
+@@ -691,8 +691,6 @@ int amd_iommu_map_page(struct domain *d, unsigned long gfn, unsigned long mfn,
+ if ( !iommu_update_pde_count(d, pt_mfn[merge_level],
+ gfn, mfn, merge_level) )
+ break;
+- /* Deallocate lower level page table */
+- free_amd_iommu_pgtable(mfn_to_page(pt_mfn[merge_level - 1]));
+
+ if ( iommu_merge_pages(d, pt_mfn[merge_level], gfn,
+ flags, merge_level) )
+@@ -703,6 +701,9 @@ int amd_iommu_map_page(struct domain *d, unsigned long gfn, unsigned long mfn,
+ domain_crash(d);
+ return -EFAULT;
+ }
++
++ /* Deallocate lower level page table */
++ free_amd_iommu_pgtable(mfn_to_page(pt_mfn[merge_level - 1]));
+ }
+
+ out:
+--
+1.7.2.5
+
diff --git a/xen.spec b/xen.spec
index 97b0c8c..e15a2f8 100644
--- a/xen.spec
+++ b/xen.spec
@@ -53,7 +53,7 @@
 Summary: Xen is a virtual machine monitor
 Name: xen
 Version: 4.4.0
-Release: 6%{?dist}
+Release: 7%{?dist}
 Group: Development/Libraries
 License: GPLv2+ and LGPLv2+ and BSD
 URL: http://xen.org/
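Review bot: The relocated call `free_amd_iommu_pgtable(mfn_to_page(pt_mfn[merge_level - 1]));` keeps the original one-line comment, which no longer says why the free must sit after `iommu_merge_pages()` — the ordering is the whole fix, so the reason belongs in the code and not only in the commit message. I would replace the comment with `/* Deallocate lower level page table: only after iommu_merge_pages() succeeded, since it still reads this table and performs the TLB flush that must precede the free. */`, wrapped in the file's comment style. On the failure path the function now returns -EFAULT after domain_crash() without freeing the lower table, which the description states is intended; a one-line comment there, `/* Table deliberately not freed: merge failed, so no flush happened. */`, would stop a later reader from moving the free back. amd_iommu_map_page() begins and ends outside this hunk, so what happens to the lower-level table after the crash path cannot be judged from here.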
@@ -104,6 +104,8 @@ Patch22: xen.console.fix.patch
 Patch23: xsa89.patch
 Patch24: xsa92.patch
 Patch25: xsa96.patch
+Patch26: xsa100.patch
+Patch27: xen.git-6b4d71d028f445cba7426a144751fddc8bfdd67b.patch
 Patch99: localgcc490fix.patch
 Patch100: xen-configure-xend.patch
@@ -293,6 +295,8 @@ manage Xen virtual machines.
 %patch23 -p1
 %patch24 -p1
 %patch25 -p1
+%patch26 -p1
+%patch27 -p1
 %patch99 -p1
 %patch100 -p1
@@ -890,6 +894,10 @@ rm -rf %{buildroot}
 %endif
 %changelog
+* Tue Jun 17 2014 Michael Young - 4.4.0-7
+- Hypervisor heap contents leaked to guest [XSA-100, CVE-2014-4021]
+ (#1110316) with extra patch to avoid regression
+
 * Sun Jun 15 2014 Michael Young - 4.4.0-6
 - Fix two %if line typos in the spec file
 - Vulnerabilities in HVM MSI injection [XSA-96, CVE-2014-3967,CVE-2014-3968]
diff --git a/xsa100.patch b/xsa100.patch
new file mode 100644
index 0000000..7ce339e
--- /dev/null
+++ b/xsa100.patch
@@ -0,0 +1,33 @@
+page-alloc: scrub pages used by hypervisor upon freeing
+
+... unless they're part of a fully separate pool (and hence can't ever
+be used for guest allocations).
+
+This is XSA-100.
+
+Signed-off-by: Jan Beulich
+Reviewed-by: Ian Campbell
+Acked-by: Keir Fraser
+
+--- a/xen/common/page_alloc.c
++++ b/xen/common/page_alloc.c
+@@ -1409,7 +1409,10 @@ void free_xenheap_pages(void *v, unsigne
+ pg = virt_to_page(v);
+
+ for ( i = 0; i < (1u << order); i++ )
++ {
++ scrub_one_page(&pg[i]);
+ pg[i].count_info &= ~PGC_xen_heap;
++ }
+
+ free_heap_pages(pg, order);
+ }
+@@ -1579,6 +1582,8 @@ void free_domheap_pages(struct page_info
+ else
+ {
+ /* Freeing anonymous domain-heap pages. */
++ for ( i = 0; i < (1 << order); i++ )
++ scrub_one_page(&pg[i]);
+ free_heap_pages(pg, order);
+ drop_dom_ref = 0;
+ }
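Review bot: The two new scrub loops in xsa100.patch spell the page count differently — `(1u << order)` in the free_xenheap_pages() hunk but `(1 << order)` in the free_domheap_pages() hunk — and the second should read `for ( i = 0; i < (1u << order); i++ )` so both loops, and the pre-existing loop the first one wraps, use the same unsigned form. The free_domheap_pages() addition also reuses `i` without declaring it, so it depends on a declaration in the part of the function outside this hunk; worth confirming on the backport target, since both free_xenheap_pages() and free_domheap_pages() begin and end outside the hunk. Neither loop records why scrubbing happens at this point; a comment such as `/* Scrub before returning to the heap: these pages may later be allocated to a guest (XSA-100). */` above each loop would keep the security reason next to the code. The "fully separate pool" exclusion mentioned in the patch description is not visible in either hunk, so whether that case is handled by the surrounding code cannot be checked from here.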