diff --git a/xen.spec b/xen.spec
index 561c146..73185d2 100644
--- a/xen.spec
+++ b/xen.spec
@@ -48,7 +48,7 @@ Summary: Xen is a virtual machine monitor
 Name: xen
 Version: 4.4.0
-Release: 1%{?dist}
+Release: 2%{?dist}
 Group: Development/Libraries
 License: GPLv2+ and LGPLv2+ and BSD
 URL: http://xen.org/
@@ -96,6 +96,7 @@ Patch19: xen.pygrubtitlefix.patch
 Patch20: xen.xsm.enable.patch
 Patch21: xen.64.bit.hyp.on.ix86.patch
 Patch22: xen.console.fix.patch
+Patch23: xsa89.patch
 Patch100: xen-configure-xend.patch
@@ -275,6 +276,7 @@ manage Xen virtual machines.
 %patch21 -p1
 %endif
 %patch22 -p1
+%patch23 -p1
 %patch100 -p1
@@ -832,6 +834,9 @@ rm -rf %{buildroot}
 %endif
 %changelog
+* Wed Mar 26 2014 Michael Young - 4.4.0-2
+- HVMOP_set_mem_access is not preemptible [XSA-89, CVE-2014-2599] (#1080425)
+
 * Sun Mar 23 2014 Michael Young - 4.4.0-1
 - update to xen-4.4.0
 - adjust xend.selinux.fixes.patch and xen-initscript.patch as xend has moved
diff --git a/xsa89.patch b/xsa89.patch
new file mode 100644
index 0000000..3443e33
--- /dev/null
+++ b/xsa89.patch
@@ -0,0 +1,96 @@
+x86: enforce preemption in HVM_set_mem_access / p2m_set_mem_access()
+
+Processing up to 4G PFNs may take almost arbitrarily long, so
+preemption is needed here.
+
+This is XSA-89.
+
+Signed-off-by: Jan Beulich
+Reviewed-by: Tim Deegan
+
+--- a/xen/arch/x86/hvm/hvm.c
++++ b/xen/arch/x86/hvm/hvm.c
+@@ -4593,6 +4593,15 @@ long do_hvm_op(unsigned long op, XEN_GUE
+ goto param_fail5;
+
+ rc = p2m_set_mem_access(d, a.first_pfn, a.nr, a.hvmmem_access);
++ if ( rc > 0 )
++ {
++ a.first_pfn += a.nr - rc;
++ a.nr = rc;
++ if ( __copy_to_guest(arg, &a, 1) )
++ rc = -EFAULT;
++ else
++ rc = -EAGAIN;
++ }
+
+ param_fail5:
+ rcu_unlock_domain(d);
+--- a/xen/arch/x86/mm/p2m.c
++++ b/xen/arch/x86/mm/p2m.c
+@@ -1333,15 +1333,14 @@ void p2m_mem_access_resume(struct domain
+
+ /* Set access type for a region of pfns.
+ * If start_pfn == -1ul, sets the default access type */
+-int p2m_set_mem_access(struct domain *d, unsigned long start_pfn,
+- uint32_t nr, hvmmem_access_t access)
++long p2m_set_mem_access(struct domain *d, unsigned long pfn, uint32_t nr,
++ hvmmem_access_t access)
+ {
+ struct p2m_domain *p2m = p2m_get_hostp2m(d);
+- unsigned long pfn;
+ p2m_access_t a, _a;
+ p2m_type_t t;
+ mfn_t mfn;
+- int rc = 0;
++ long rc;
+
+ /* N.B. _not_ static: initializer depends on p2m->default_access */
+ p2m_access_t memaccess[] = {
+@@ -1364,14 +1363,17 @@ int p2m_set_mem_access(struct domain *d,
+ a = memaccess[access];
+
+ /* If request to set default access */
+- if ( start_pfn == ~0ull )
++ if ( pfn == ~0ul )
+ {
+ p2m->default_access = a;
+ return 0;
+ }
+
++ if ( !nr )
++ return 0;
++
+ p2m_lock(p2m);
+- for ( pfn = start_pfn; pfn < start_pfn + nr; pfn++ )
++ for ( ; ; ++pfn )
+ {
+ mfn = p2m->get_entry(p2m, pfn, &t, &_a, 0, NULL);
+ if ( p2m->set_entry(p2m, pfn, mfn, PAGE_ORDER_4K, t, a) == 0 )
+@@ -1379,6 +1381,13 @@ int p2m_set_mem_access(struct domain *d,
+ rc = -ENOMEM;
+ break;
+ }
++
++ /* Check for continuation if it's not the last interation. */
++ if ( !--nr || hypercall_preempt_check() )
++ {
++ rc = nr;
++ break;
++ }
+ }
+ p2m_unlock(p2m);
+ return rc;
+--- a/xen/include/asm-x86/p2m.h
++++ b/xen/include/asm-x86/p2m.h
+@@ -576,8 +576,8 @@ void p2m_mem_access_resume(struct domain
+
+ /* Set access type for a region of pfns.
+ * If start_pfn == -1ul, sets the default access type */
+-int p2m_set_mem_access(struct domain *d, unsigned long start_pfn,
+- uint32_t nr, hvmmem_access_t access);
++long p2m_set_mem_access(struct domain *d, unsigned long start_pfn,
++ uint32_t nr, hvmmem_access_t access);
+
+ /* Get access type for a pfn
+ * If pfn == -1ul, gets the default access type */
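Review bot: The changed return contract of p2m_set_mem_access (a positive value is now the number of pfns left unprocessed, which do_hvm_op turns into -EAGAIN after rewriting first_pfn/nr in the guest-visible struct) is not recorded in either copy of the function's header comment, and the p2m.h prototype still names the parameter `start_pfn` while the p2m.c definition renames it to `pfn` under a comment that still says `start_pfn`. I would extend the p2m.h comment to `/* Returns 0 when done, -errno on error, or the number of pfns still to process if preempted; the caller must retry with the remaining range. */` and use one parameter name in both places. Any HVMOP_set_mem_access caller that treats -EAGAIN as a plain failure will leave the range with the new access type applied only to its leading part, so the retry loop on the toolstack side, which is not part of this diff, is what makes the change safe. The added comment in the p2m.c loop misspells "iteration" as "interation". Both do_hvm_op and p2m_set_mem_access start and end outside the hunks shown.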