diff --git a/xen.spec b/xen.spec
index 8ae2d41..9467ab7 100644
--- a/xen.spec
+++ b/xen.spec
@@ -55,7 +55,7 @@
 Summary: Xen is a virtual machine monitor
 Name: xen
 Version: 4.17.0
-Release: 8%{?dist}
+Release: 9%{?dist}
 License: GPLv2+ and LGPLv2+ and BSD
 URL: http://xen.org/
 Source0: https://downloads.xenproject.org/release/xen/%{version}/xen-%{version}.tar.gz
@@ -116,6 +116,7 @@ Patch50: xsa427.patch
 Patch51: xsa428-4.17-1.patch
 Patch52: xsa428-4.17-2.patch
 Patch53: xsa429.patch
+Patch54: xsa430.patch
 
 %if %build_qemutrad
 
@@ -334,6 +335,7 @@ manage Xen virtual machines.
 %patch51 -p1
 %patch52 -p1
 %patch53 -p1
+%patch54 -p1
 
 # qemu-xen-traditional patches
 pushd tools/qemu-xen-traditional
@@ -941,6 +943,9 @@ fi
 %endif
 
 %changelog
+* Tue Apr 25 2023 Michael Young - 4.17.0-9
+- x86 shadow paging arbitrary pointer dereference [XSA-430, CVE-2022-42335]
+
 * Tue Mar 21 2023 Michael Young - 4.17.0-8
 - 3 security issues (#2180425)
 x86 shadow plus log-dirty mode use-after-free [XSA-427, CVE-2022-42332]
diff --git a/xsa430.patch b/xsa430.patch
new file mode 100644
index 0000000..4472e41
--- /dev/null
+++ b/xsa430.patch
@@ -0,0 +1,65 @@
+From 57b3a2ace5c4a78118b372c95f69af4f0585b48d Mon Sep 17 00:00:00 2001
+From: Roger Pau Monne
+Date: Mon, 20 Mar 2023 12:08:52 +0100
+Subject: [PATCH] x86/shadow: restore dropped check in
+ sh_unshadow_for_p2m_change()
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+As a result of 241702e064604dbb3e0d9b731aa8f45be448243b the
+mfn_valid() check in sh_unshadow_for_p2m_change() was lost. That
+allows sh_remove_shadows() to be called with gfns that have no backing
+page, causing an ASSERT to trigger in debug builds or dereferencing an
+arbitrary pointer partially under guest control in non-debug builds:
+
+RIP: e008:[] sh_remove_shadows+0x19f/0x722
+RFLAGS: 0000000000010246 CONTEXT: hypervisor (d0v2)
+[...]
+Xen call trace:
+ [] R sh_remove_shadows+0x19f/0x722
+ [] F arch/x86/mm/shadow/hvm.c#sh_unshadow_for_p2m_change+0xab/0x2b7
+ [] F arch/x86/mm/p2m-pt.c#write_p2m_entry+0x19b/0x4d3
+ [] F arch/x86/mm/p2m-pt.c#p2m_pt_set_entry+0x67b/0xa8e
+ [] F p2m_set_entry+0xcc/0x149
+ [] F unmap_mmio_regions+0x17b/0x2c9
+ [] F do_domctl+0x11f3/0x195e
+ [] F hvm_hypercall+0x5b1/0xa2d
+ [] F vmx_vmexit_handler+0x130f/0x1cd5
+ [] F vmx_asm_vmexit_handler+0xf2/0x210
+
+****************************************
+Panic on CPU 1:
+Assertion 'mfn_valid(gmfn)' failed at arch/x86/mm/shadow/common.c:2203
+****************************************
+
+Fix this by restoring the mfn_valid() check in
+sh_unshadow_for_p2m_change(), unifying it with the rest of the checks
+that are done at the start of the function.
+
+This is XSA-430 / CVE-2022-42335
+
+Fixes: 241702e064 ('x86/shadow: slightly consolidate sh_unshadow_for_p2m_change() (part II)')
+Signed-off-by: Roger Pau Monné
+Reviewed-by: Jan Beulich
+---
+ xen/arch/x86/mm/shadow/hvm.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/xen/arch/x86/mm/shadow/hvm.c b/xen/arch/x86/mm/shadow/hvm.c
+index 88c3c16322..6de479c008 100644
+--- a/xen/arch/x86/mm/shadow/hvm.c
++++ b/xen/arch/x86/mm/shadow/hvm.c
+@@ -814,7 +814,8 @@ static void cf_check sh_unshadow_for_p2m_change(
+
+ /* Only previously present / valid entries need processing. */
+ if ( !(oflags & _PAGE_PRESENT) ||
+- (!p2m_is_valid(p2mt) && !p2m_is_grant(p2mt)) )
++ (!p2m_is_valid(p2mt) && !p2m_is_grant(p2mt)) ||
++ !mfn_valid(omfn) )
+ return;
+
+ switch ( level )
+--
+2.40.0
+
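Review bot: In the nested hvm.c hunk the comment `/* Only previously present / valid entries need processing. */` above the early return no longer describes the full condition once `!mfn_valid(omfn)` is appended, and the reason for that third test (the commit message says that without it sh_remove_shadows() is reached with an MFN partially under guest control, XSA-430) is not visible at the point where a future consolidation could drop it again. I would widen it to `/* Only previously present / valid entries backed by a real page need processing; dropping the mfn_valid() test let a guest-influenced MFN reach sh_remove_shadows() (XSA-430). */`. The ordering itself looks fine since `||` short-circuits and mfn_valid() is only reached for present, valid/grant entries, but where omfn comes from and the switch body that consumes it are outside the hunk, so that part cannot be confirmed here. The enclosing sh_unshadow_for_p2m_change() starts and ends outside the hunk.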