[xen/f16] in rare circumstances an unprivileged user can crash an HVM guest [XSA-10] (#843766)
myoung
myoung at fedoraproject.org
Fri Jul 27 10:42:18 UTC 2012
commit 22f816f8eb376576ae0c4d5ed469bb3fa1623702
Author: Michael Young <m.a.young at durham.ac.uk>
Date: Fri Jul 27 11:41:09 2012 +0100
in rare circumstances an unprivileged user can crash an HVM guest [XSA-10]
(#843766)
xen-4.1-testing.23325.patch | 41 +++++++++++++++++++++++++++++++++++++++++
xen.spec | 8 +++++++-
2 files changed, 48 insertions(+), 1 deletions(-)
---
diff --git a/xen-4.1-testing.23325.patch b/xen-4.1-testing.23325.patch
new file mode 100644
index 0000000..e68897c
--- /dev/null
+++ b/xen-4.1-testing.23325.patch
@@ -0,0 +1,41 @@
+
+# HG changeset patch
+# User Jan Beulich <jbeulich at suse.com>
+# Date 1343318195 -3600
+# Node ID a43f5b4b03319117edba76ebca8f827119d4e9a8
+# Parent e89be0dedeb4e4a9556cf3e1b9a5295ba0b59edf
+x86/hvm: don't leave emulator in inconsistent state
+
+The fact that handle_mmio(), and thus the instruction emulator, is
+being run through twice for emulations that require involvement of the
+device model, allows for the second run to see a different guest state
+than the first one. Since only the MMIO-specific emulation routines
+update the vCPU's io_state, if they get invoked on the second pass,
+internal state (and particularly this variable) can be left in a state
+making successful emulation of a subsequent MMIO operation impossible.
+
+Consequently, whenever the emulator invocation returns without
+requesting a retry of the guest instruction, reset io_state.
+
+[ This is a security issue. XSA#10. -iwj ]
+
+Signed-off-by: Jan Beulich <jbeulich at suse.com>
+Acked-by: Keir Fraser <keir at xen.org>
+Committed-by: Ian Jackson <ian.jackson at eu.citrix.com>
+
+xen-unstable changeset: 25682:ffcb24876b4f
+Committed-by: Ian Jackson <ian.jackson at eu.citrix.com>
+
+diff -r e89be0dedeb4 -r a43f5b4b0331 xen/arch/x86/hvm/io.c
+--- a/xen/arch/x86/hvm/io.c Sun Jul 22 16:39:00 2012 +0100
++++ b/xen/arch/x86/hvm/io.c Thu Jul 26 16:56:35 2012 +0100
+@@ -176,6 +176,8 @@ int handle_mmio(void)
+
+ rc = hvm_emulate_one(&ctxt);
+
++ if ( rc != X86EMUL_RETRY )
++ curr->arch.hvm_vcpu.io_state = HVMIO_none;
+ if ( curr->arch.hvm_vcpu.io_state == HVMIO_awaiting_completion )
+ curr->arch.hvm_vcpu.io_state = HVMIO_handle_mmio_awaiting_completion;
+ else
+
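Review bot: the new `if ( rc != X86EMUL_RETRY ) curr->arch.hvm_vcpu.io_state = HVMIO_none;` is inserted before the existing `HVMIO_awaiting_completion` test, so that test can now only match when the emulator returned X86EMUL_RETRY; that ordering is the entire fix (per the description, io_state must be reset whenever no retry is requested), so an inline comment in io.c stating that the reset must stay ahead of the completion check would stop a later reordering from silently reintroducing the inconsistent-state bug. Minor: the embedded patch file starts with an empty line (the first `+` line of the hunk), which is harmless to `%patch` but worth trimming.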
diff --git a/xen.spec b/xen.spec
index c5d1ad3..7133faf 100644
--- a/xen.spec
+++ b/xen.spec
@@ -10,7 +10,7 @@
Summary: Xen is a virtual machine monitor
Name: xen
Version: 4.1.2
-Release: 8%{?dist}
+Release: 9%{?dist}
Group: Development/Libraries
License: GPLv2+ and LGPLv2+ and BSD
URL: http://xen.org/
@@ -62,6 +62,7 @@ Patch39: pygrub.size.limits.patch
Patch40: CVE-2012-0217.patch
Patch41: CVE-2012-0218.patch
Patch42: CVE-2012-2934.patch
+Patch43: xen-4.1-testing.23325.patch
Patch50: upstream-23936:cdb34816a40a-rework
Patch51: upstream-23937:5173834e8476
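Review bot: `Patch43: xen-4.1-testing.23325.patch` breaks the naming convention of the adjacent security patches (Patch40-42 are named after their CVE); since this one is XSA-10 with no CVE given here, naming the file after the XSA (or adding a `# XSA-10, bz #843766` comment beside the Patch43 line) would make the spec self-documenting when the next security update lands.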
@@ -230,6 +231,7 @@ manage Xen virtual machines.
%patch40 -p1
%patch41 -p1
%patch42 -p1
+%patch43 -p1
%patch50 -p1
%patch51 -p1
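Review bot: `%patch43 -p1` is the correct strip level: the embedded hunk uses `a/xen/arch/x86/hvm/io.c` and `b/xen/arch/x86/hvm/io.c` paths, so one leading component must be removed, matching the neighbouring `%patch40`..`%patch42 -p1` lines.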
@@ -642,6 +644,10 @@ rm -rf %{buildroot}
%endif
%changelog
+* Fri Jul 27 2012 Michael Young <m.a.young at durham.ac.uk> - 4.1.2-9
+- in rare circumstances an unprivileged user can crash an HVM guest [XSA-10]
+ (#843766)
+
* Wed Jun 13 2012 Michael Young <m.a.young at durham.ac.uk> - 4.1.2-8
- make pygrub cope better with big files from guest (#818412 CVE-2012-2625)
- 64-bit PV guest privilege escalation vulnerability [CVE-2012-0217]
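Review bot: the new changelog entry cites XSA-10 and bug #843766 but not the upstream changeset it carries; the patch header itself records `xen-unstable changeset: 25682:ffcb24876b4f`, and adding that reference to the changelog line (as the Jun 13 entry does with its CVE ids) would let anyone auditing the package confirm the backport without opening the patch file.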