diff --git a/xen.spec b/xen.spec index 0e4a473..51ac2fa 100644 --- a/xen.spec +++ b/xen.spec @@ -46,7 +46,7 @@ Summary: Xen is a virtual machine monitor Name: xen Version: 4.3.0 -Release: 6%{?dist} +Release: 7%{?dist} Group: Development/Libraries License: GPLv2+ and LGPLv2+ and BSD URL: http://xen.org/ @@ -98,6 +98,9 @@ Patch19: xen.pygrubtitlefix.patch Patch20: xen.xsm.enable.patch Patch21: xen.64.bit.hyp.on.ix86.patch Patch22: xsa62.patch +Patch23: xsa63.patch +Patch24: xsa64.patch +Patch25: xsa66.patch Patch100: xen-configure-xend.patch @@ -279,6 +282,9 @@ manage Xen virtual machines. %patch21 -p1 %endif %patch22 -p1 +%patch23 -p1 +%patch24 -p1 +%patch25 -p1 %patch100 -p1 @@ -791,6 +797,17 @@ rm -rf %{buildroot} %endif %changelog +* Wed Oct 02 2013 Michael Young - 4.3.0-7 +- Set "Domain-0" label in xenstored.service systemd file to match + xencommons init.d script. +- security fixes (#1013748) + Information leaks to HVM guests through I/O instruction emulation + [XSA-63, CVE-2013-4355] + Memory accessible by 64-bit PV guests under live migration + [XSA-64, CVE-2013-4356] + Information leak to HVM guests through fbld instruction emulation + [XSA-66, CVE-2013-4361] + * Wed Sep 25 2013 Michael Young - 4.3.0-6 - Information leak on AVX and/or LWP capable CPUs [XSA-62, CVE-2013-1442] (#1012056) diff --git a/xenstored.service b/xenstored.service index 59b640a..6d7ef9e 100644 --- a/xenstored.service +++ b/xenstored.service @@ -13,6 +13,7 @@ EnvironmentFile=-/etc/sysconfig/xenstored PIDFile=/var/run/xenstored.pid ExecStartPre=/bin/grep -q control_d /proc/xen/capabilities ExecStart=/usr/sbin/xenstored --pid-file /var/run/xenstored.pid $XENSTORED_ARGS +ExecStartPost=-/usr/bin/xenstore-write "/local/domain/0/name" "Domain-0" [Install] WantedBy=multi-user.target diff --git a/xsa63.patch b/xsa63.patch new file mode 100644 index 0000000..5134650 --- /dev/null +++ b/xsa63.patch @@ -0,0 +1,171 @@ +x86: properly handle hvm_copy_from_guest_{phys,virt}() errors + +Ignoring them generally implies using uninitialized data and, in all +cases dealt with here, potentially leaking hypervisor stack contents to +guests. + +This is XSA-63. + +Signed-off-by: Jan Beulich +Reviewed-by: Tim Deegan +Reviewed-by: Andrew Cooper + +--- a/xen/arch/x86/hvm/hvm.c ++++ b/xen/arch/x86/hvm/hvm.c +@@ -2308,11 +2308,7 @@ void hvm_task_switch( + + rc = hvm_copy_from_guest_virt( + &tss, prev_tr.base, sizeof(tss), PFEC_page_present); +- if ( rc == HVMCOPY_bad_gva_to_gfn ) +- goto out; +- if ( rc == HVMCOPY_gfn_paged_out ) +- goto out; +- if ( rc == HVMCOPY_gfn_shared ) ++ if ( rc != HVMCOPY_okay ) + goto out; + + eflags = regs->eflags; +@@ -2357,13 +2353,11 @@ void hvm_task_switch( + + rc = hvm_copy_from_guest_virt( + &tss, tr.base, sizeof(tss), PFEC_page_present); +- if ( rc == HVMCOPY_bad_gva_to_gfn ) +- goto out; +- if ( rc == HVMCOPY_gfn_paged_out ) +- goto out; +- /* Note: this could be optimised, if the callee functions knew we want RO +- * access */ +- if ( rc == HVMCOPY_gfn_shared ) ++ /* ++ * Note: The HVMCOPY_gfn_shared case could be optimised, if the callee ++ * functions knew we want RO access. ++ */ ++ if ( rc != HVMCOPY_okay ) + goto out; + + +--- a/xen/arch/x86/hvm/intercept.c ++++ b/xen/arch/x86/hvm/intercept.c +@@ -87,17 +87,28 @@ static int hvm_mmio_access(struct vcpu * + { + for ( i = 0; i < p->count; i++ ) + { +- int ret; +- +- ret = hvm_copy_from_guest_phys(&data, +- p->data + (sign * i * p->size), +- p->size); +- if ( (ret == HVMCOPY_gfn_paged_out) || +- (ret == HVMCOPY_gfn_shared) ) ++ switch ( hvm_copy_from_guest_phys(&data, ++ p->data + sign * i * p->size, ++ p->size) ) + { ++ case HVMCOPY_okay: ++ break; ++ case HVMCOPY_gfn_paged_out: ++ case HVMCOPY_gfn_shared: + rc = X86EMUL_RETRY; + break; ++ case HVMCOPY_bad_gfn_to_mfn: ++ data = ~0; ++ break; ++ case HVMCOPY_bad_gva_to_gfn: ++ ASSERT(0); ++ /* fall through */ ++ default: ++ rc = X86EMUL_UNHANDLEABLE; ++ break; + } ++ if ( rc != X86EMUL_OKAY ) ++ break; + rc = write_handler(v, p->addr + (sign * i * p->size), p->size, + data); + if ( rc != X86EMUL_OKAY ) +@@ -165,8 +176,28 @@ static int process_portio_intercept(port + for ( i = 0; i < p->count; i++ ) + { + data = 0; +- (void)hvm_copy_from_guest_phys(&data, p->data + sign*i*p->size, +- p->size); ++ switch ( hvm_copy_from_guest_phys(&data, ++ p->data + sign * i * p->size, ++ p->size) ) ++ { ++ case HVMCOPY_okay: ++ break; ++ case HVMCOPY_gfn_paged_out: ++ case HVMCOPY_gfn_shared: ++ rc = X86EMUL_RETRY; ++ break; ++ case HVMCOPY_bad_gfn_to_mfn: ++ data = ~0; ++ break; ++ case HVMCOPY_bad_gva_to_gfn: ++ ASSERT(0); ++ /* fall through */ ++ default: ++ rc = X86EMUL_UNHANDLEABLE; ++ break; ++ } ++ if ( rc != X86EMUL_OKAY ) ++ break; + rc = action(IOREQ_WRITE, p->addr, p->size, &data); + if ( rc != X86EMUL_OKAY ) + break; +--- a/xen/arch/x86/hvm/io.c ++++ b/xen/arch/x86/hvm/io.c +@@ -340,14 +340,24 @@ static int dpci_ioport_write(uint32_t mp + data = p->data; + if ( p->data_is_ptr ) + { +- int ret; +- +- ret = hvm_copy_from_guest_phys(&data, +- p->data + (sign * i * p->size), +- p->size); +- if ( (ret == HVMCOPY_gfn_paged_out) && +- (ret == HVMCOPY_gfn_shared) ) ++ switch ( hvm_copy_from_guest_phys(&data, ++ p->data + sign * i * p->size, ++ p->size) ) ++ { ++ case HVMCOPY_okay: ++ break; ++ case HVMCOPY_gfn_paged_out: ++ case HVMCOPY_gfn_shared: + return X86EMUL_RETRY; ++ case HVMCOPY_bad_gfn_to_mfn: ++ data = ~0; ++ break; ++ case HVMCOPY_bad_gva_to_gfn: ++ ASSERT(0); ++ /* fall through */ ++ default: ++ return X86EMUL_UNHANDLEABLE; ++ } + } + + switch ( p->size ) +--- a/xen/arch/x86/hvm/vmx/realmode.c ++++ b/xen/arch/x86/hvm/vmx/realmode.c +@@ -39,7 +39,9 @@ static void realmode_deliver_exception( + + again: + last_byte = (vector * 4) + 3; +- if ( idtr->limit < last_byte ) ++ if ( idtr->limit < last_byte || ++ hvm_copy_from_guest_phys(&cs_eip, idtr->base + vector * 4, 4) != ++ HVMCOPY_okay ) + { + /* Software interrupt? */ + if ( insn_len != 0 ) +@@ -64,8 +66,6 @@ static void realmode_deliver_exception( + } + } + +- (void)hvm_copy_from_guest_phys(&cs_eip, idtr->base + vector * 4, 4); +- + frame[0] = regs->eip + insn_len; + frame[1] = csr->sel; + frame[2] = regs->eflags & ~X86_EFLAGS_RF; diff --git a/xsa64.patch b/xsa64.patch new file mode 100644 index 0000000..f2c1117 --- /dev/null +++ b/xsa64.patch @@ -0,0 +1,55 @@ +commit 95a0770282ea2a03f7bc48c6656d5fc79bae0599 +Author: Tim Deegan +Date: Thu Sep 12 14:16:28 2013 +0100 + + x86/mm/shadow: Fix initialization of PV shadow L4 tables. + + Shadowed PV L4 tables must have the same Xen mappings as their + unshadowed equivalent. This is done by copying the Xen entries + verbatim from the idle pagetable, and then using guest_l4_slot() + in the SHADOW_FOREACH_L4E() iterator to avoid touching those entries. + + adc5afbf1c70ef55c260fb93e4b8ce5ccb918706 (x86: support up to 16Tb) + changed the definition of ROOT_PAGETABLE_XEN_SLOTS to extend right to + the top of the address space, which causes the shadow code to + copy Xen mappings into guest-kernel-address slots too. + + In the common case, all those slots are zero in the idle pagetable, + and no harm is done. But if any slot above #271 is non-zero, Xen will + crash when that slot is later cleared (it attempts to drop + shadow-pagetable refcounts on its own L4 pagetables). + + Fix by using the new ROOT_PAGETABLE_PV_XEN_SLOTS when appropriate. + Monitor pagetables need the full Xen mappings, so they keep using the + old name (with its new semantics). + + This is XSA-64. + + Signed-off-by: Tim Deegan + Reviewed-by: Jan Beulich + +diff --git a/xen/arch/x86/mm/shadow/multi.c b/xen/arch/x86/mm/shadow/multi.c +index 4c4c2ba..3fed0b6 100644 +--- a/xen/arch/x86/mm/shadow/multi.c ++++ b/xen/arch/x86/mm/shadow/multi.c +@@ -1433,15 +1433,19 @@ void sh_install_xen_entries_in_l4(struct vcpu *v, mfn_t gl4mfn, mfn_t sl4mfn) + { + struct domain *d = v->domain; + shadow_l4e_t *sl4e; ++ unsigned int slots; + + sl4e = sh_map_domain_page(sl4mfn); + ASSERT(sl4e != NULL); + ASSERT(sizeof (l4_pgentry_t) == sizeof (shadow_l4e_t)); + + /* Copy the common Xen mappings from the idle domain */ ++ slots = (shadow_mode_external(d) ++ ? ROOT_PAGETABLE_XEN_SLOTS ++ : ROOT_PAGETABLE_PV_XEN_SLOTS); + memcpy(&sl4e[ROOT_PAGETABLE_FIRST_XEN_SLOT], + &idle_pg_table[ROOT_PAGETABLE_FIRST_XEN_SLOT], +- ROOT_PAGETABLE_XEN_SLOTS * sizeof(l4_pgentry_t)); ++ slots * sizeof(l4_pgentry_t)); + + /* Install the per-domain mappings for this domain */ + sl4e[shadow_l4_table_offset(PERDOMAIN_VIRT_START)] = diff --git a/xsa66.patch b/xsa66.patch new file mode 100644 index 0000000..1d9f25a --- /dev/null +++ b/xsa66.patch @@ -0,0 +1,23 @@ +x86: properly set up fbld emulation operand address + +This is CVE-2013-4361 / XSA-66. + +Signed-off-by: Jan Beulich +Acked-by: Ian Jackson + +--- a/xen/arch/x86/x86_emulate/x86_emulate.c ++++ b/xen/arch/x86/x86_emulate/x86_emulate.c +@@ -3156,11 +3156,11 @@ x86_emulate( + break; + case 4: /* fbld m80dec */ + ea.bytes = 10; +- dst = ea; ++ src = ea; + if ( (rc = ops->read(src.mem.seg, src.mem.off, + &src.val, src.bytes, ctxt)) != 0 ) + goto done; +- emulate_fpu_insn_memdst("fbld", src.val); ++ emulate_fpu_insn_memsrc("fbld", src.val); + break; + case 5: /* fild m64i */ + ea.bytes = 8;