[xen] in rare circumstances an unprivileged user can crash an HVM guest [XSA-10]

myoung myoung at fedoraproject.org
Thu Jul 26 21:04:08 UTC 2012


commit b9d80d7762f32cd064fbcbcd716a105b716e21af
Author: Michael Young <m.a.young at durham.ac.uk>
Date:   Thu Jul 26 22:03:07 2012 +0100

    in rare circumstances an unprivileged user can crash an HVM guest [XSA-10]

 xen-4.1-testing.23325.patch |   41 +++++++++++++++++++++++++++++++++++++++++
 xen.spec                    |    7 ++++++-
 2 files changed, 47 insertions(+), 1 deletions(-)
---
diff --git a/xen-4.1-testing.23325.patch b/xen-4.1-testing.23325.patch
new file mode 100644
index 0000000..e68897c
--- /dev/null
+++ b/xen-4.1-testing.23325.patch
@@ -0,0 +1,41 @@
+
+# HG changeset patch
+# User Jan Beulich <jbeulich at suse.com>
+# Date 1343318195 -3600
+# Node ID a43f5b4b03319117edba76ebca8f827119d4e9a8
+# Parent  e89be0dedeb4e4a9556cf3e1b9a5295ba0b59edf
+x86/hvm: don't leave emulator in inconsistent state
+
+The fact that handle_mmio(), and thus the instruction emulator, is
+being run through twice for emulations that require involvement of the
+device model, allows for the second run to see a different guest state
+than the first one. Since only the MMIO-specific emulation routines
+update the vCPU's io_state, if they get invoked on the second pass,
+internal state (and particularly this variable) can be left in a state
+making successful emulation of a subsequent MMIO operation impossible.
+
+Consequently, whenever the emulator invocation returns without
+requesting a retry of the guest instruction, reset io_state.
+
+[ This is a security issue.  XSA#10. -iwj ]
+
+Signed-off-by: Jan Beulich <jbeulich at suse.com>
+Acked-by: Keir Fraser <keir at xen.org>
+Committed-by: Ian Jackson <ian.jackson at eu.citrix.com>
+
+xen-unstable changeset: 25682:ffcb24876b4f
+Committed-by: Ian Jackson <ian.jackson at eu.citrix.com>
+
+diff -r e89be0dedeb4 -r a43f5b4b0331 xen/arch/x86/hvm/io.c
+--- a/xen/arch/x86/hvm/io.c	Sun Jul 22 16:39:00 2012 +0100
++++ b/xen/arch/x86/hvm/io.c	Thu Jul 26 16:56:35 2012 +0100
+@@ -176,6 +176,8 @@ int handle_mmio(void)
+ 
+     rc = hvm_emulate_one(&ctxt);
+ 
++    if ( rc != X86EMUL_RETRY )
++        curr->arch.hvm_vcpu.io_state = HVMIO_none;
+     if ( curr->arch.hvm_vcpu.io_state == HVMIO_awaiting_completion )
+         curr->arch.hvm_vcpu.io_state = HVMIO_handle_mmio_awaiting_completion;
+     else
+
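Review bot: the new `if ( rc != X86EMUL_RETRY ) io_state = HVMIO_none;` is placed immediately before the existing `if ( curr->arch.hvm_vcpu.io_state == HVMIO_awaiting_completion )` test, so after this change that test (and the transition to HVMIO_handle_mmio_awaiting_completion) can only be taken when hvm_emulate_one() returned X86EMUL_RETRY. That matches the commit message ("whenever the emulator invocation returns without requesting a retry of the guest instruction, reset io_state"), but the dependency between the two consecutive ifs is easy to miss on a later read; a one-line comment above the new check, e.g. `/* io_state only carries over when the emulator asked for a retry */`, would document it. The `else` branch is outside the three lines of trailing context, so whether it also relies on io_state cannot be checked from this hunk. Minor: the added file opens with a stray empty `+` line ahead of `# HG changeset patch`; dropping it lets the file begin with the HG header like the other imported changesets.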
diff --git a/xen.spec b/xen.spec
index 0536ba7..b79cd08 100644
--- a/xen.spec
+++ b/xen.spec
@@ -20,7 +20,7 @@
 Summary: Xen is a virtual machine monitor
 Name:    xen
 Version: 4.1.2
-Release: 23%{?dist}
+Release: 24%{?dist}
 Group:   Development/Libraries
 License: GPLv2+ and LGPLv2+ and BSD
 URL:     http://xen.org/
@@ -80,6 +80,7 @@ Patch42: CVE-2012-0217.patch
 Patch43: CVE-2012-0218.patch
 Patch44: CVE-2012-2934.patch
 Patch45: xen-no-pyxml.patch
+Patch46: xen-4.1-testing.23325.patch
 
 Patch50: upstream-23936:cdb34816a40a-rework
 Patch51: upstream-23937:5173834e8476
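Review bot: the new patch is named after a xen-4.1-testing changeset number (23325) that does not appear anywhere in the patch's own header, which records only Node ID a43f5b4b0331 and xen-unstable changeset 25682:ffcb24876b4f, while the neighbouring security fixes (Patch42 to Patch44) are named by CVE. Either name the file by the advisory (the patch header itself says XSA#10) or add the CVE identifier to the file name once one is assigned, and consider a comment line next to `Patch46:` citing XSA-10 so the mapping from spec to advisory survives without opening the patch.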
@@ -251,6 +252,7 @@ manage Xen virtual machines.
 %patch43 -p1
 %patch44 -p1
 %patch45 -p1
+%patch46 -p1
 
 %patch50 -p1
 %patch51 -p1
@@ -715,6 +717,9 @@ rm -rf %{buildroot}
 %endif
 
 %changelog
+* Thu Jul 26 2012 Michael Young <m.a.young at durham.ac.uk> - 4.1.2-24
+- in rare circumstances an unprivileged user can crash an HVM guest [XSA-10]
+
 * Tue Jul 24 2012 Michael Young <m.a.young at durham.ac.uk> - 4.1.2-23
 - add a patch to remove a dependency on PyXML and Require python-lxml
   instead of PyXML (#842843)
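Review bot: the new changelog entry cites XSA-10 but, unlike the preceding entry's "(#842843)", carries no bug or CVE reference; adding the CVE identifier for XSA-10 once it is assigned (and a bugzilla number if one exists) keeps the changelog searchable by the identifiers users and scanners look for.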