[xen] in rare circumstances an unprivileged user can crash an HVM guest [XSA-10]
myoung
myoung at fedoraproject.org
Thu Jul 26 21:04:08 UTC 2012
commit b9d80d7762f32cd064fbcbcd716a105b716e21af
Author: Michael Young <m.a.young at durham.ac.uk>
Date: Thu Jul 26 22:03:07 2012 +0100
in rare circumstances an unprivileged user can crash an HVM guest [XSA-10]
xen-4.1-testing.23325.patch | 41 +++++++++++++++++++++++++++++++++++++++++
xen.spec | 7 ++++++-
2 files changed, 47 insertions(+), 1 deletions(-)
---
diff --git a/xen-4.1-testing.23325.patch b/xen-4.1-testing.23325.patch
new file mode 100644
index 0000000..e68897c
--- /dev/null
+++ b/xen-4.1-testing.23325.patch
@@ -0,0 +1,41 @@
+
+# HG changeset patch
+# User Jan Beulich <jbeulich at suse.com>
+# Date 1343318195 -3600
+# Node ID a43f5b4b03319117edba76ebca8f827119d4e9a8
+# Parent e89be0dedeb4e4a9556cf3e1b9a5295ba0b59edf
+x86/hvm: don't leave emulator in inconsistent state
+
+The fact that handle_mmio(), and thus the instruction emulator, is
+being run through twice for emulations that require involvement of the
+device model, allows for the second run to see a different guest state
+than the first one. Since only the MMIO-specific emulation routines
+update the vCPU's io_state, if they get invoked on the second pass,
+internal state (and particularly this variable) can be left in a state
+making successful emulation of a subsequent MMIO operation impossible.
+
+Consequently, whenever the emulator invocation returns without
+requesting a retry of the guest instruction, reset io_state.
+
+[ This is a security issue. XSA#10. -iwj ]
+
+Signed-off-by: Jan Beulich <jbeulich at suse.com>
+Acked-by: Keir Fraser <keir at xen.org>
+Committed-by: Ian Jackson <ian.jackson at eu.citrix.com>
+
+xen-unstable changeset: 25682:ffcb24876b4f
+Committed-by: Ian Jackson <ian.jackson at eu.citrix.com>
+
+diff -r e89be0dedeb4 -r a43f5b4b0331 xen/arch/x86/hvm/io.c
+--- a/xen/arch/x86/hvm/io.c Sun Jul 22 16:39:00 2012 +0100
++++ b/xen/arch/x86/hvm/io.c Thu Jul 26 16:56:35 2012 +0100
+@@ -176,6 +176,8 @@ int handle_mmio(void)
+
+ rc = hvm_emulate_one(&ctxt);
+
++ if ( rc != X86EMUL_RETRY )
++ curr->arch.hvm_vcpu.io_state = HVMIO_none;
+ if ( curr->arch.hvm_vcpu.io_state == HVMIO_awaiting_completion )
+ curr->arch.hvm_vcpu.io_state = HVMIO_handle_mmio_awaiting_completion;
+ else
+
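Review bot: the reset added in handle_mmio() has no comment in the source, so the reason io_state is forced to HVMIO_none whenever rc != X86EMUL_RETRY is recorded only in the changeset description. A short comment above the `if ( rc != X86EMUL_RETRY )` line, saying that the second emulation pass can see different guest state and leave io_state stale, would keep a later cleanup from dropping it. The same comment could note that after this reset the HVMIO_awaiting_completion test that follows can only succeed when a retry was requested.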
diff --git a/xen.spec b/xen.spec
index 0536ba7..b79cd08 100644
--- a/xen.spec
+++ b/xen.spec
@@ -20,7 +20,7 @@
Summary: Xen is a virtual machine monitor
Name: xen
Version: 4.1.2
-Release: 23%{?dist}
+Release: 24%{?dist}
Group: Development/Libraries
License: GPLv2+ and LGPLv2+ and BSD
URL: http://xen.org/
@@ -80,6 +80,7 @@ Patch42: CVE-2012-0217.patch
Patch43: CVE-2012-0218.patch
Patch44: CVE-2012-2934.patch
Patch45: xen-no-pyxml.patch
+Patch46: xen-4.1-testing.23325.patch
Patch50: upstream-23936:cdb34816a40a-rework
Patch51: upstream-23937:5173834e8476
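Review bot: Patch46 is named after the xen-4.1-testing changeset number, while the neighbouring security patches (Patch42 to Patch44) are named for their CVE, so nothing on this line tells a reader that it is the XSA-10 fix. Either name the file for the advisory or add a comment line above Patch46 identifying it as the XSA-10 patch.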
@@ -251,6 +252,7 @@ manage Xen virtual machines.
%patch43 -p1
%patch44 -p1
%patch45 -p1
+%patch46 -p1
%patch50 -p1
%patch51 -p1
@@ -715,6 +717,9 @@ rm -rf %{buildroot}
%endif
%changelog
+* Thu Jul 26 2012 Michael Young <m.a.young at durham.ac.uk> - 4.1.2-24
+- in rare circumstances an unprivileged user can crash an HVM guest [XSA-10]
+
* Tue Jul 24 2012 Michael Young <m.a.young at durham.ac.uk> - 4.1.2-23
- add a patch to remove a dependency on PyXML and Require python-lxml
instead of PyXML (#842843)
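Review bot: the new %changelog entry for 4.1.2-24 states the impact of the bug but not the change made, so it reads as a problem report rather than as a fix. Saying that a fix was applied and naming xen-4.1-testing.23325.patch would let someone reading the RPM changelog tell that this release closes XSA-10.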